From: Alexander Koch <ipfire@starkstromkonsument.de>
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid / WPAD: Add exception-files for generation of proxy.pac
Date: Thu, 18 Apr 2019 03:41:52 +0200
Message-ID: <db119c27-de2e-03c5-7888-d5ce618aa721@starkstromkonsument.de>
In-Reply-To: <F9D9DDA6-EEC2-43F5-A3AC-2754DEC8DC76@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hi,

On 17.04.2019 at 16:08, Michael Tremer wrote:
> Hi,
> 
>> On 15 Apr 2019, at 21:12, Alexander Koch <ipfire(a)starkstromkonsument.de> wrote:
>>
>> Hello Michael,
>>
>> my motivation for the patch is to provide a possibility to make exceptions survive an update of squid, as I'm repatching proxy.cgi by myself after each upgrade. I suppose there are more people out there with the same issue. I agree that it would be very nice to have it on the GUI as well, but unfortunately I don't have any experience with CGI yet and I don't have the time to learn it right now. I think patching the integration of the exception files into proxy.cgi is a good first step. It can be used as the base for extending the GUI. Maybe somebody else with CGI experience can help out? It's "just" two textareas and some file I/O basically…
> 
> You can literally just copy and paste that. Give it a try!

Please have a look at it; I just sent in an additional patch ... the translations for all languages except en and de need to be revised. How is this usually done? I copied the English versions into the language files I'm not able to translate by myself to avoid empty texts in the frontend.

> 
>> As far as I know, the WPAD feature does not have any GUI support in general (e.g. checkboxes for enabled, enabled on a per-subnet basis, etc.) until now. Additionally the WPAD feature requires the user to set up the extra apache vhost or haproxy frontend for port 80 (for http://wpad.<IPFire-Network-Domain>/wpad.dat) via CLI by himself anyway (another ToDo for a future patch ;-).
> 
> It is available on http://<ipfire>:81/wpad.dat. No need for an extra host.

This only provides WPAD via DHCP (if option 252 is configured by the user). Firefox, for example, does not support this (see http://findproxyforurl.com/browser-support/) and alternatively uses WPAD via DNS. This requires one of the following URLs to work: http://wpad.<IPFire-Network-Domain>/wpad.dat or http://wpad/wpad.dat

Port 80 does not seem to be in use on a new IPFire host by default. I could provide a patch for an additional apache vhost. I'm not sure whether this is a good idea though. If users are running a haproxy on port 80/443 for example, this could break their running setup ... shipping some working example lines for haproxy.cfg to provide a frontend/backend pair for wpad on port 80 is also a possibility. Or a checkbox in the GUI to enable the vhost. Or just leave it as it is and provide the info on the Wiki.

What do you think?

Best regards, Alex

> 
>> Having said this, I think it is reasonable for the users to maintain their exceptions via CLI in the first instance until a GUI is available. Usually these things are not changed very often. It is still better than having to fix them after each upgrade of proxy.cgi. If nobody else grabs this, I might possibly come back to it by myself at a later date.
>>
>> Should I write a bug report for the WPAD GUI feature request?
> 
> If you want to track it, why not.
> 
> -Michael
> 
>>
>> Best regards,
>> Alex
>>
>>
>> On 15.04.2019 at 11:43, Michael Tremer wrote:
>>> Hello Alex,
>>>
>>> Thanks for submitting the patch.
>>>
>>> I guess the code looks fine, but where is the UI?
>>>
>>> Why should this not be configurable on the web interface?
>>>
>>> -Michael
>>>
>>>> On 14 Apr 2019, at 11:08, Alexander Koch <ipfire(a)starkstromkonsument.de> wrote:
>>>>
>>>> This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URLs and IPs/subnets from two new files:
>>>>
>>>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
>>>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl
>>>>
>>>> as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri
>>>>
>>>> These can be used to define additional URLs, IPs and subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki page after the patch is merged and the core update is released.
>>>>
>>>> Signed-off-by: Alexander Koch <ipfire(a)starkstromkonsument.de>
>>>> ---
>>>> html/cgi-bin/proxy.cgi | 39 +++++++++++++++++++++++++++++++++++++++
>>>> 1 file changed, 39 insertions(+)
>>>>
>>>> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
>>>> index 6daa7fb..369a5cb 100644
>>>> --- a/html/cgi-bin/proxy.cgi
>>>> +++ b/html/cgi-bin/proxy.cgi
>>>> @@ -124,6 +124,9 @@ my $acl_ports_safe =3D "$acldir/ports_safe.acl";
>>>> my $acl_ports_ssl  =3D "$acldir/ports_ssl.acl";
>>>> my $acl_include =3D "$acldir/include.acl";
>>>>
>>>> +my $acl_dst_noproxy_url =3D "$acldir/dst_noproxy_url.acl";
>>>> +my $acl_dst_noproxy_ip =3D "$acldir/dst_noproxy_ip.acl";
>>>> +
>>>> my $updaccelversion  =3D 'n/a';
>>>> my $urlfilterversion =3D 'n/a';
>>>>
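Review bot: the two new `$acl_dst_noproxy_*` paths are declared beside the other `$acldir` ACL files, but nothing in proxy.cgi creates or writes them, so a one-line comment here stating that both files are user-maintained and giving their expected line formats (or the wiki URL from the commit message) would tell the next maintainer why these variables have no matching "save" code.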
>>>> @@ -2763,6 +2766,42 @@ END
>>>> 		print FILE "     (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\",=
 \"$netsettings{'ORANGE_NETMASK'}\")) ||\n";
>>>> 	}
>>>>
>>>> +	# Additional exceptions for URLs
>>>> +	# The file has to be created by the user and should contain one entry =
per line
>>>> +	# Line-Format: <URL incl. wildcards>
>>>> +	# e.g. *ipfire.org*
>>>> +	if (-s "$acl_dst_noproxy_url") {
>>>> +		undef @templist;
>>>> +
>>>> +		open(NOPROXY,"$acl_dst_noproxy_url");
>>>> +		@templist =3D <NOPROXY>;
>>>> +		close(NOPROXY);
>>>> +		chomp (@templist);
>>>> +
>>>> +		foreach (@templist)
>>>> +		{
>>>> +			print FILE "     (shExpMatch(url, \"$_\")) ||\n";
>>>> +		}
>>>> +	}
>>>> +
>>>> +	# Additional exceptions for Subnets
>>>> +	# The file has to be created by the user and should contain one entry =
per line
>>>> +	# Line-Format: "<IP>", "<SUBNET MASK>"
>>>> +	# e.g. "192.168.0.0", "255.255.255.0"
>>>> +	if (-s "$acl_dst_noproxy_ip") {
>>>> +		undef @templist;
>>>> +
>>>> +		open(NOPROXY,"$acl_dst_noproxy_ip");
>>>> +		@templist =3D <NOPROXY>;
>>>> +		close(NOPROXY);
>>>> +		chomp (@templist);
>>>> +
>>>> +		foreach (@templist)
>>>> +		{
>>>> +			print FILE "     (isInNet(host, $_)) ||\n";
>>>> +		}
>>>> +	}
>>>> +
>>>> 	print FILE <<END
>>>>     (isInNet(host, "169.254.0.0", "255.255.0.0"))
>>>>   )
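Review bot: both new loops interpolate every line of the user file straight into the generated proxy.pac, so a line containing a double quote, a backslash or a `//` ends up inside the `shExpMatch(url, \"$_\")` and `isInNet(host, $_)` literals and can break, or silently change, the PAC script that every client downloads and executes; the files are root-owned and edited via the CLI, so this is mostly an operator-error risk, but the generator should still skip blank and `#` lines (as written, an empty line yields `shExpMatch(url, "")`) and reject entries that are not a plain wildcard pattern or a valid address/mask pair. Smaller points in the same hunk: `open(NOPROXY,"$acl_dst_noproxy_url")` is the two-argument form and its return value is never checked (prefer `open(my $fh, '<', $acl_dst_noproxy_url) or return;`), and `chomp` removes only the newline, so a file saved with CRLF leaves a `\r` inside each emitted string. Since the URL branch already adds the quotes itself, it would also be more consistent for the IP file to hold `<IP> <MASK>` and let the code emit `isInNet(host, "$ip", "$mask")`, instead of requiring the user to type the JavaScript quoting by hand as the comment on the line format currently asks.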
>>>> -- 
>>>> 2.7.4
>>>>
>>>
> 

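A hardened form of the exception-file handling that the patch above describes, as an added example (Python rather than the project's Perl; not code from the patch or from IPFire): each entry is validated before it is interpolated into proxy.pac, so a stray quote, a comment line or a malformed address is reported instead of ending up inside the script every client runs. The file contents are constructed samples, and the `<ip> <mask>` / CIDR input format for the IP file is an assumption of this example (the patch expects the user to write the quoted pair literally).

```python
import ipaddress
import re

# Constructed sample contents of the two exception files named in the thread
# (dst_noproxy_url.acl and dst_noproxy_ip.acl); the CRLF line, the comment and
# the malformed entries exercise the cases the unvalidated loops mishandle.
SAMPLE_URL_ACL = '*ipfire.org*\r\n\n# internal sites\n*.example.test/*\nbad"entry\n'
SAMPLE_IP_ACL = "192.168.0.0 255.255.255.0\n10.0.0.0/8\n300.1.1.1 255.0.0.0\n"

# A shExpMatch() pattern only needs * and ? as wildcards, so anything that
# could terminate or escape a double-quoted JavaScript string is rejected.
_URL_GLOB = re.compile(r"^[A-Za-z0-9*?._~:/\-]+$")


def _entries(text):
    """Yield trimmed, non-empty, non-comment lines (CR and LF removed)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def url_exceptions(text):
    """Return (pac_lines, rejected) for the URL exception file."""
    pac, rejected = [], []
    for pattern in _entries(text):
        if _URL_GLOB.match(pattern):
            pac.append(f'     (shExpMatch(url, "{pattern}")) ||')
        else:
            rejected.append(pattern)
    return pac, rejected


def ip_exceptions(text):
    """Accept '<ip> <mask>' or CIDR (assumed input format) and emit isInNet()
    with the validated network address and mask, so the generator, not the
    user, supplies the JavaScript quoting."""
    pac, rejected = [], []
    for entry in _entries(text):
        parts = entry.split()
        try:
            # strict=True additionally rejects addresses with host bits set.
            spec = "/".join(parts) if len(parts) == 2 else entry
            net = ipaddress.IPv4Network(spec, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        pac.append(f'     (isInNet(host, "{net.network_address}", "{net.netmask}")) ||')
    return pac, rejected
```

Rejected entries are returned rather than written, so a caller (the CGI, or a pre-commit check on the ACL files) can log them instead of shipping a broken PAC.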