From: Alexander Koch
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid / WPAD: Add exception-files for generation of proxy.pac
Date: Mon, 15 Apr 2019 22:12:19 +0200
In-Reply-To: <82CC20D5-7ACF-449C-A067-921271DBEAE8@ipfire.org>

Hello Michael,

my motivation for the patch is to provide a possibility to make exceptions survive an update of squid, as I'm repatching proxy.cgi by myself after each upgrade. I suppose there are more people out there with the same issue. I agree that it would be very nice to have it on the GUI as well, but unfortunately I don't have any experience with CGI yet and I don't have the time to learn it right now. I think patching the integration of the exception files into proxy.cgi is a good first step. It can be used as the base for extending the GUI. Maybe somebody else with CGI experience can help out? It's "just" two textareas and some file i/o basically...

As far as I know, the WPAD-Feature does not have any GUI support in general (e.g. checkboxes for enabled, enabled on a per subnet basis, etc.) until now. Additionally the WPAD-Feature requires the user to set up the extra apache-vhost or haproxy-frontend for port 80 (for http://wpad./wpad.dat) via CLI by himself anyway (another ToDo for a future patch ;-).

Having this said, I think it is reasonable for the users to maintain their exceptions via CLI in the first instance until a GUI is available. Usually these things are not changed very often. It is still better than having to fix them after each upgrade of proxy.cgi. If nobody else grabs this, I might possibly come back to it by myself at a later date.

Should I write a bug report for the WPAD-GUI feature request?

Best regards,
Alex

On 15.04.2019 at 11:43, Michael Tremer wrote:
> Hello Alex,
>
> Thanks for submitting the patch.
>
> I guess the code looks fine, but where is the UI?
>
> Why should this not be configurable on the web interface?
>
> -Michael
>
>> On 14 Apr 2019, at 11:08, Alexander Koch wrote:
>>
>> This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URL's and IP's/Subnets from two new files:
>>
>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl
>>
>> as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri
>>
>> These can be used to define additional URL's, IP's and Subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD-Feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki-page, after the patch is merged and the core update is released.
>>
>> Signed-off-by: Alexander Koch
>> ---
>> html/cgi-bin/proxy.cgi | 39 +++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 39 insertions(+)
>>
>> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi >> index 6daa7fb..369a5cb 100644 >> --- a/html/cgi-bin/proxy.cgi >> +++ b/html/cgi-bin/proxy.cgi >> @@ -124,6 +124,9 @@ my $acl_ports_safe =3D "$acldir/ports_safe.acl"; >> my $acl_ports_ssl =3D "$acldir/ports_ssl.acl"; >> my $acl_include =3D "$acldir/include.acl"; >> >> +my $acl_dst_noproxy_url =3D "$acldir/dst_noproxy_url.acl"; >> +my $acl_dst_noproxy_ip =3D "$acldir/dst_noproxy_ip.acl"; >> + >> my $updaccelversion =3D 'n/a'; >> my $urlfilterversion =3D 'n/a'; 
>> >> @@ -2763,6 +2766,42 @@ END >> print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \= "$netsettings{'ORANGE_NETMASK'}\")) ||\n"; >> } >> >> + # Additional exceptions for URLs >> + # The file has to be created by the user and should contain one entry pe= r line >> + # Line-Format: >> + # e.g. *ipfire.org* >> + if (-s "$acl_dst_noproxy_url") { >> + undef @templist; >> + >> + open(NOPROXY,"$acl_dst_noproxy_url"); >> + @templist =3D ; >> + close(NOPROXY); >> + chomp (@templist); >> + >> + foreach (@templist) >> + { >> + print FILE " (shExpMatch(url, \"$_\")) ||\n"; >> + } >> + } >> + >> + # Additional exceptions for Subnets >> + # The file has to be created by the user and should contain one entry pe= r line >> + # Line-Format: "", "" >> + # e.g. "192.168.0.0", "255.255.255.0" >> + if (-s "$acl_dst_noproxy_ip") { >> + undef @templist; >> + >> + open(NOPROXY,"$acl_dst_noproxy_ip"); >> + @templist =3D ; >> + close(NOPROXY); >> + chomp (@templist); >> + >> + foreach (@templist) >> + { >> + print FILE " (isInNet(host, $_)) ||\n"; >> + } >> + } >> + >> print FILE <> (isInNet(host, "169.254.0.0", "255.255.0.0")) >> ) >> --=20 >> 2.7.4 >> >=20 --===============4500417659486819253==--
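
Review bot: In the second hunk (@@ -2763,6 +2766,42 @@), both foreach (@templist) loops write each line of the exception files into proxy.pac without any validation, so a blank line or an entry containing a double quote is emitted as shExpMatch(url, "") or isInNet(host, ) and can leave the generated PAC script broken for every client that fetches it. The subnet loop is the more fragile of the two, because print FILE " (isInNet(host, $_)) ||\n"; relies on the user typing the quotes and the comma correctly in the file. Suggest skipping empty lines, checking each entry against the expected shape (wildcard URL characters for dst_noproxy_url.acl, an address and a netmask for dst_noproxy_ip.acl) and producing the quoting in proxy.cgi rather than in the data file. Both open(NOPROXY, ...) calls also ignore the return value; the -s test only shows that the file exists and is non-empty, not that it is readable, so a three-argument open with a failure branch that skips the block would be safer.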