As usual, we put to themselves a problem.
We have: much users pc, the environment mixed, is less than Windows, it is more than any mac’s/linux, therefore thoughts about «domain» disappear by itself. All (well or nearly so all) go to the Internet through proxy as there can be «guest pc» (upon it the people which clings to ours hotspot).
It is necessary: quickly and at once to adjust a proxy-server by all pc in given subnet, thus not forgetting about «guest». And already it is de facto clear what to distribute this all owe an individual server. As we should have a possibility imperceptibly for the end user to change proxy parametres (as ip or port).
We study traces of tails of dinosaurs
The history, its nobility never will be superfluous. Under the olden time legend, the proxy-server autoconfiguration has appeared already in Microsoft Internet Explorer 3.0 in a year 1997, but the pioneer of the given area became Netscape Navigator 2.0 in 1995. The browser in the web session beginning requests URL a file of an autoconfiguration and reads out from it parametres. I wish to notice, that the given file contains a code similar on JavaScript. Actually, it also is Proxy Auto-configuration file (pac) technology. At first browsers wished to see violently registered by it in options URL to a file or file://c:/windows/proxy.pac, but then all became even more transparent for the end user.
Let’s rummage in interiors of the given process.
I think, any user at adjustment of a modern browser (Opera it is not touched yet) saw point «Automatically to define options» in dialogue of adjustment of a proxy-server. You have already exposed «Automatically to define options»? Well. Now request any site. It was loaded? At the moment of inquiry the user of a site the browser searched in DNS for a host wpad in the domain, has not found and has decided to work without a proxy. Now we will present, that the browser has found in a network a host wpad, further it is knocked on it on 80 port and requests that file of an autoconfiguration wpad.dat from a web server root. wpad record in DNS usually is CNAME. Something навроде
main IN A 192.168.0.1
wpad IN CNAME main
And as a result the browser finds a pac-file to 192.168.0.1/wpad.dat address
Here and the technology works Web Proxy Automatic Discovery (wpad), you can esteem her IETF the specification.
The kid, and we will go to walk on roofs!
Has come to collect time all puzzle together. As is known, is better a statics give lighttpd and nginx, I choose nginx. About its installation it is written too much material, allow, I will not quote. Now we should create a pac-file wpad.dat.
function FindProxyForURL (url, host) {
if (shExpMatch (url, «*.domain.ru/*») ||
shExpMatch (url, «*.domain.ru:*/*») ||
isPlainHostName (host) || dnsDomainIs (host, «.local.domain») ||
isInNet (host, «192.168.1.0», «255.255.255.0») ||
isInNet (host, «%our net%»,»255.255.255.0″)) {
return «DIRECT»;
} else {
if (url.substring (0, 5) == «http:» ||
url.substring (0, 6) == «https:»)
return «PROXY 192.168.0.1:3128; DIRECT»;
}
return «DIRECT»;
}
I have given an example my file, in it to a browser in accessible language any host without domain instructions is told, that on any site in the domain domain.ru, in subnet internal and external to go it is necessary directly, in other cases on http and https to go it is necessary through proxy.
Simply? Certainly simply 🙂 About these mysterious functions it is possible to read in http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
Last two strokes to a portrait — we fasten distribution of options on DHCP and it is told to users how to adjust their browser, if to adjust the automatic machine it has not turned out.
In dhcpd.conf it is finished next lines:
option wpad-curl code 252 = text;
option wpad-curl «http://192.168.0.1/wpad.dat»;
I wish to notice, that the given options understands only isc-dhcp3, but not usual dhcpd.
The basic part of idea — not to start up in the Internet if the user wishes to go by a proxy, and thus it is not authorised to it. More than once I said, that at me by experimental pc OpenBSD. Can throw now in me tomatoes, but I will defend the point of view, that by the current moment the most perfect faervol / the package filter/NAT it pf, not there was its attempt портировать on Windows for nothing. Even in Ubuntu 8.04 for ufw which is the CLI-interface for iptables, syntax is borrowed corrected pf.
So, we should create the table in which will be ip pc and whole подсети that should go to the Internet through proxy, and in it we can allow to go to separate cars by a proxy addition of a sign on negation! Before ip or subnet. Then to create a rule of a redirection which will turn the client on a page with the description that it has made not and that it is necessary to make:
self_ip = «192.168.0.1»
table
rdr on $int_if proto tcp from
pf.proxy Contains the following:
192.168.0.0/24
!192.168.0.72
It is possible to guess, that all subnet 192.168.0.0 should go only through proxy, 192.168.0.72 can go by it.
Pretty great post. I just stumbled upon your blog and wanted to say that I have extremely enjoyed reading your blog posts. Any way I am going to be subscribing for the feed and I hope you write-up again soon.