RE: Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)

SSCR Internet Admin
That is great Adrian.  I'll keep visiting your wiki, and let's see what I could
help out.  Anyway about your Q about redirecting port 80 to a site, iptables
will redirect all browsers connecting to port 80 to a local site where a
script can be fired automatically to configure the browser to use the PAC.
(of course it should check if it's a valid ip).  I don't know if PHP or
javascript can do this.

Regards

-----Original Message-----
From: Adrian Chadd [mailto:[hidden email]]
Sent: Saturday, May 12, 2007 4:47 PM
To: [hidden email]
Subject: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users]
proxy.pac config)

I've started building the WPAD and ProxyPac sections in the Wiki and
I'd really, really appreciate any help I can get in fleshing out the
content.
I've implemented both of them enough in a small-sized network to know
they mostly work but I've not got the operational experience some of
you have.

I'd really appreciate some help here. I might even organise the helpers to
get sent some CafePress Squid shirts when it's done.




Adrian


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




Jeff Smith-14
It has been a few years since I played with PAC files
in browsers. I think redirecting a request from
browser to automatically configure the browser will
only work if the browser is first configured to use a
PAC file. When the browser starts up and it is
configured to use a PAC file, its first request goes
to the URL the PAC file is located at and the file is
downloaded. Subsequent requests use the information
contained in the PAC file to go DIRECT or to a PROXY
etc.

However, if the browser is not configured to use a PAC
file but a PAC file is delivered it brings up a
Security Alert because the browser never requested it.
I know the old Netscape browsers did this but am not
sure about IE.

Jeff Smith



SSCR Internet Admin
>>However, if the browser is not configured to use a PAC
>>file but a PAC file is delivered it brings up a
>>Security Alert because the browser never requested it.
>>I know the old Netscape browsers did this but am not
>>sure about IE.

Well, I'm sure local users will accept it happily by clicking OK, if not they
don't have access.. :)

-----Original Message-----
From: Jeff Smith [mailto:[hidden email]]
Sent: Wednesday, May 16, 2007 7:56 AM
To: [hidden email]
Subject: RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re:
[squid-users] proxy.pac config)

It has been a few years since I played with PAC files
in browsers. I think redirecting a request from
browser to automatically configure the browser will
only work if the browser is first configured to use a
PAC file. When the browser starts up and it is
configured to use a PAC file, its first request goes
to the URL the PAC file is located at and the file is
downloaded. Subsequent requests use the information
contained in the PAC file to go DIRECT or to a PROXY
etc.

However, if the browser is not configured to use a PAC
file but a PAC file is delivered it brings up a
Security Alert because the browser never requested it.
I know the old Netscape browsers did this but am not
sure about IE.

Jeff Smith



K K
I'll take a look at the updated Wiki later today.

On 5/15/07, SSCR Internet Admin <[hidden email]> wrote:
> >>However, if the browser is not configured to use a PAC
> >>file but a PAC file is delivered it brings up a
> >>Security Alert because the browser never requested it.
> >>I know the old Netscape browsers did this but am not
> >>sure about IE.
>
> Well, I'm sure local users will accept it happily by clicking OK, if not they
> don't have access.. :)

The Netscape alert doesn't give the option to accept the PAC, it just
gives a warning that an unsolicited PAC was received. If there was a
trivial way to reconfigure browsers to use a PAC just by returning the
right ActiveX or Java, then we'd see all sorts of malicious sites
using that technique to force random Internet users to use the
attacker's proxy.

So how do you force your users to use the PAC?


What you can do is make sure your DHCP server and DNS are set up to be
fully compatible with WPAD, and then if any clients do make an attempt
to go DIRECT, return a web page containing:

1) Text instructing how to correctly enable WPAD and/or how to
configure PAC in the most popular browsers.
2) A link to a .REG file which forces the registry settings for IE to
use PAC on Microsoft Windows clients.
3) Instructions for manual configuration, for UNIX and for ancient
MacOS clients.

Even with all of this, expect to get plenty of support calls from
confused users.

I manage an environment with tens of thousands of internal customers,
and all default route HTTP/HTTPS/SMTP/etc traffic is denied, the only
exception being for a couple of really braindead clients that are
downright proxy-hostile, maybe a half dozen workstations total have an
exception to the policy.


Kevin

(P.S. Think carefully before conditioning users to accept REG files
from strangers).
Henrik Nordström
On Tue, 2007-05-15 at 16:56 -0700, Jeff Smith wrote:

> However, if the browser is not configured to use a PAC
> file but a PAC file is delivered it brings up a
> Security Alert because the browser never requested it.
> I know the old Netscape browsers did this but am not
> sure about IE.

What they do varies. Some just show an error page, some ask you where
to save the file. Some display it on the screen.

To do the automatic configuration thing this way you need to write a
program to automatically reconfigure the client. It's not possible via
javascript or similar (at least not when fetched over the network, not
sure when loaded from file:///)

Regards
Henrik
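
The DIRECT-or-PROXY decision discussed in this thread, written as a PAC file that a WPAD setup could serve. This is an added example, not part of the original thread or the Squid wiki; the proxy host and port, the local domain and the address ranges are assumptions. It uses only plain JavaScript so the same file runs in a browser's PAC engine and under Node.js.

```javascript
// Constructed PAC file (served as proxy.pac / wpad.dat).
// Assumed values: proxy.example.internal:3128, domain example.internal, 10.0.0.0/8.
var PROXY = "PROXY proxy.example.internal:3128";
var LOCAL_DOMAIN = ".example.internal"; // leading dot prevents suffix spoofing

// Convert a dotted-quad IPv4 literal to a number; null if host is not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric address ip lies inside net/prefixLen.
function inCidr(ip, net, prefixLen) {
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(ip / size) === Math.floor(net / size);
}

// Entry point the browser calls for every request once the PAC is loaded.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names (no dot, not an IPv6 literal) stay local.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  // Hosts in the local domain stay local.
  if (host === LOCAL_DOMAIN.slice(1) ||
      host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return "DIRECT";
  // IPv4 literals in the internal or loopback ranges stay local.
  var ip = ipv4ToInt(host);
  if (ip !== null &&
      (inCidr(ip, ipv4ToInt("10.0.0.0"), 8) ||
       inCidr(ip, ipv4ToInt("127.0.0.0"), 8))) return "DIRECT";
  // Everything else goes through the proxy. No "; DIRECT" fallback is
  // offered, matching a network where default-route web traffic is denied.
  return PROXY;
}
```

Returning the proxy with no DIRECT fallback means a client whose proxy is unreachable fails closed instead of attempting a direct connection.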
