Better Proxy Settings… Bluecoat, wpad, proxy.pac & dhcp option 252

Recently I’ve been involved with a Bluecoat install; one of the requirements I’ve been faced with was helping the client remove the fixed proxy settings from their browsers.

For how-to references, a combination of Google, Wikipedia and this post are good places to start; I intend to document my own experience here, so you may find some overlap.

The 1st thing to understand is that Firefox (FF) and Internet Explorer (IE) both support an “automatically detect proxy” setting, but they implement it in different ways. Both FF & IE use a proxy.pac (also known as wpad.dat) for their configuration; they just “look for it” in different ways.

The proxy.pac file is a JavaScript file that tells the browsers (both FF & IE) how to connect; there are some good pac file examples here, and this is what I did…

function FindProxyForURL(url, host)
{
	// The 1st if tests whether the URI should be by-passed…
	// Proxy By-Pass List
	if (
		// ignore RFC 1918 internal addresses
		isInNet(host, "10.0.0.0", "255.0.0.0") ||
		isInNet(host, "172.16.0.0", "255.240.0.0") ||
		isInNet(host, "192.168.0.0", "255.255.0.0") ||

		// if the url is like http://server (no dots in the name), by-pass
		isPlainHostName(host) ||

		// localhost!!
		localHostOrDomainIs(host, "127.0.0.1") ||

		// by-pass internal URLs
		dnsDomainIs(host, ".mycompany.com") ||
		dnsDomainIs(host, ".mycompany.local")
		)
	{
		// If true, tell the browser to go direct…
		return "DIRECT";
	}

	// If false, it’s not on the by-pass list, so proxy the request… if the proxy cannot be reached, try direct.
	return "PROXY 10.10.10.10:8080;DIRECT";
}
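
To check the by-pass rules before publishing, here is an added example (not from the original post) that re-implements the standard PAC helper functions in plain JavaScript so the file can be exercised under Node.js against a few constructed hostnames; isInNet here only matches literal IPv4 addresses, whereas a browser resolves hostnames first, and 10.10.10.10:8080 and the mycompany.* names are the post’s own placeholders.

```javascript
// Added example, not the post's own code: an offline harness that re-implements the
// standard PAC helpers so the by-pass rules can be checked with Node.js before publishing.
// isInNet only matches literal IPv4 hosts here; 10.10.10.10:8080 and mycompany.* are placeholders.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // not a literal IPv4 address
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1; // "server", but not "server.mycompany.local"
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain); // the leading dot in ".mycompany.com" matters
}

function localHostOrDomainIs(host, hostdom) {
  return host === hostdom || hostdom.startsWith(host + ".");
}

// The post's rules, unchanged apart from braces around the DIRECT branch.
function FindProxyForURL(url, host) {
  if (
    isInNet(host, "10.0.0.0", "255.0.0.0") ||
    isInNet(host, "172.16.0.0", "255.240.0.0") ||
    isInNet(host, "192.168.0.0", "255.255.0.0") ||
    isPlainHostName(host) ||
    localHostOrDomainIs(host, "127.0.0.1") ||
    dnsDomainIs(host, ".mycompany.com") ||
    dnsDomainIs(host, ".mycompany.local")
  ) {
    return "DIRECT";
  }
  return "PROXY 10.10.10.10:8080;DIRECT";
}

// Evaluate constructed test hosts and return { host: decision } for review.
function evaluateHosts(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

console.log(evaluateHosts(["10.1.2.3", "172.31.5.5", "172.32.0.1", "intranet", "wiki.mycompany.local", "notmycompany.com", "www.example.com"]));
```

Note that 172.32.0.1 and notmycompany.com go to the proxy: the 255.240.0.0 mask stops at 172.31, and the leading dot in ".mycompany.com" prevents look-alike domains from matching.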

Once you’re happy with what you’ve written, you need to “publish” the pac file on a webserver so that your clients can download it… I’ve decided to use the Bluecoat ProxySG.

Now, you can’t upload the pac file via the GUI; you need to get down and dirty with the command line. Below is an example ssh session…

Proxy> enable
Proxy# conf t
Proxy# inline accelerated-pac 123
....... Paste the contents of proxy.pac .......
123
Proxy#

Before going any further, log into your Bluecoat and make sure that under Services -> Proxy Services, HTTP 80 & 8080 are set to Intercept. Next check that under Services -> Management Services, HTTP-Console 8081 is enabled… this service will be used to serve the pac file. Leave HTTPS-Console 8082 on as well, since using the plain HTTP 8081 console for administrator access would be a bad idea.

You should now be able to download your pac file from the following URL: http://10.10.10.10:8081/accelerated_pac_base.pac (change the IP as necessary).

Once that works, we’re going to add some proxy policy to make that URL (a) nicer and (b) compatible with Firefox. In the Bluecoat GUI under Policy (not the Visual Policy Manager), make sure that the local policy is read 1st… i.e. it is at the top of the file list. The following ssh session adds policy that rewrites a variety of URLs to the pac file; basically I’ve tried to capture every combination that a user might try…

Proxy> enable
Proxy# conf t
Proxy# inline policy local 123
<proxy>
url=http://proxy.mycompany.local/proxy.pac authenticate(no)
url=http://proxy.mycompany.local/wpad.dat authenticate(no)
url=http://wpad.mycompany.local/wpad.dat authenticate(no)
url=http://www.wpad.com/wpad.dat authenticate(no)
url=http://proxy.mycompany.local:8081/accelerated_pac_base.pac authenticate(no)
url=http://10.10.10.10:8081/accelerated_pac_base.pac authenticate(no)

<cache>
url.domain=http://proxy.mycompany.local/proxy.pac cache(no)
url.domain=http://proxy.mycompany.local/wpad.dat cache(no)
url.domain=http://wpad.mycompany.local/wpad.dat cache(no)
url.domain=http://www.wpad.com/wpad.dat cache(no)
url.domain=http://proxy.mycompany.local:8081/accelerated_pac_base.pac cache(no)
url.domain=http://10.10.10.10:8081/accelerated_pac_base.pac cache(no)

<proxy>
url=http://proxy.mycompany.local/proxy.pac action.rewrite_pac(yes)
url=http://proxy.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://wpad.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://www.wpad.com/wpad.dat action.rewrite_pac(yes)
url=/wpad.dat action.rewrite_pac(yes)

define action rewrite_pac
rewrite(url,"(.*)","http://10.10.10.10:8081/accelerated_pac_base.pac")
end

123
Proxy#

Phew, that’s the Bluecoat side of things sorted; now we need to get the clients to download the file! This is where the browsers have different approaches…

Internet Explorer uses DHCP Option 252 to detect the proxy; you can set the option to any of the URLs you’re rewriting on the Bluecoat. I chose http://wpad.mycompany.local/wpad.dat .

Firefox uses DNS to detect the proxy, so you’re going to need to create some records… The Bluecoat was called “proxy”, so an A record for proxy.mycompany.local already existed; we created a CNAME record for wpad.mycompany.local pointing to proxy.mycompany.local. If your DNS domain is something like uk.mycompany.local, you’ll need to add CNAME records for both wpad.uk.mycompany.local & wpad.mycompany.local and add the corresponding lines to the Bluecoat rewrite policy above.

Once done, you can set either browser to “automatically detect” and, fingers crossed, all will work!

Allowing RFC 1918 – 192.168, 10., 172.16-32 addresses with NoScript

I’ve recently installed the Firefox add-on NoScript to improve my online security.

One of the things that’s been a little frustrating has been having to manually accept/whitelist internal 192.168.1.1-type addresses. After a fruitless Google, I managed to find the answer here in the NoScript forum.

There is one major limitation: the NoScript whitelist only accepts entries of more than one byte, which means that you cannot whitelist the whole of 10.*.*.* (10/8), as inputting 10. is only one byte. On the upside, you can whitelist a whole /16 (255.255.0.0) subnet, which works out nicely for the 192.168.0.0/16 set of addresses, but for the 10s & 172s you’re a bit stuffed.

Now you may find that when you try to whitelist 10.123.0.0/16 you have issues; I know I did! The trick is to read the forum post carefully. If you want to whitelist 10.123.0.0 through 10.123.255.255, then add the following:

http://10.123

https://10.123

That should get both http & ssl traffic to all those internal addresses permitted by NoScript!

Dear googler, I hope this was of some help :)

UGHRRG, ie6!!!! Should I support it?

I’m in the process of writing a whole new look for linickx.com. I think I’m about there, so I’ve decided it was about time to give the other browsers a spin. All of my development has been with Firefox on Linux (with a little Epiphany for testing non-logged-in users), and I’ve got the look and feel pretty much as I like it.

I rebooted into Windows because, according to Google Analytics, 70% of my visitors in the last month are Windows people. Firefox on Windows passes the test all the same, so I downloaded a copy of Safari for Windows, good news there too, and I finished off with Internet Explorer 6. Crap, I forgot that IE6 cannot render transparent .png files; although the layout is alright, my new header is screwed, and I’ve used .png icons in my /files/ section, so that’s going to look rubbish.

This leaves me with a dilemma: do I re-do all of my images as .gifs to account for the 10% of IE6 users? And is it possible to dual-install IE6 & IE7? I still haven’t tested that, and 20% of visitors use it… I’ve never bothered upgrading to IE7 since I knew I was never going to use it; why waste the disk space & bandwidth?

I’m toying with having a “browse happy” banner appear for IE6 and a disclaimer saying this site will look awful, use a proper browser; the banner will be easy to do within the WordPress-powered section, but the /files/ section, which is driven by Apache, may be more of an issue.

The whole thing is just irritating; I was really looking forward to getting the new look up soon. Ho-hum, off to make a decision!

P.S. In case you were wondering, yes, 60% of visitors are Firefox, 5% are Safari and the other 5% is made up of random stuff (hello to the 2 users on the PSP!!!)

Firefox Add-on: Remember The Milk for Gmail

I’ve been playing with Remember The Milk for some time now; I thought with my N800 it would be really useful… BUT… actually I’ve found that the Firefox extension they have released has really upped my usage, and as soon as I can get my tasks synced with my N800 I’ll definitely be upgrading to their pro version.

I’ve recommended this plugin to a few friends and they love it, so if you’re looking for a new personal task management solution, then this is for you!

Remember The Milk – Services / Remember The Milk for Gmail
Remember The Milk for Gmail is a Firefox extension that allows you to manage your tasks in Gmail (complete, postpone, and edit tasks), add new tasks (and connect them with your emails, contacts, and Google Calendar events), automatically add tasks for starred messages or specific labels, and much more!

My Firefox page is now back online, so check it out for a list of other useful plugins/add-ons.

Firefox 3, Secure Updating

I saw this Digg article the other day and it led me to something interesting…

All Firefox add-ons must now use a secure method for auto-updating (see bug 378216 and this guide for more details)

Reference: Mozilla Gran Paradiso Alpha 8 Release Notes

In general this is a good thing, and I’m 100% behind any security improvements the Mozilla team make… I just hope they make this amenable to the newbies. I recently had a go at writing a small “status bar” Firefox add-on, and the 1st thing I spotted when installing it was that it was “unsigned”… I looked into the documentation and found it very confusing, and when I finally got it to work I ran into the age-old issue that I didn’t have a certificate signed by a mainstream CA, so I would need to distribute that as well.

I’m going to put looking at the new “secure update” solution on my todo list in the hope that I can get some real insight into what they are planning; fingers crossed it’s good, it works and it makes a real difference to the Firefox community at large.

Firefox Extension – Flashblock

I’m not a great fan of Flash; it seems to eat up bandwidth, processor and memory very quickly… not to mention the hassle of trying to get it working on a Linux x86_64 machine! I recently came across this great plug-in…

Flashblock :: Firefox Add-ons
Never be annoyed by a Flash animation again! Blocks Flash so it won’t get in your way, but if you want to see it, just click on…

The whitelist functionality is nice, i.e. block all except “blah”… the option to run it in a blacklist mode would be good for those who are only offended by Flash on certain sites.

Colorful Tabs – Firefox Extension

Sometimes the simple solutions make the biggest difference to the user experience…

Colorful Tabs | Firefox Add-ons | Mozilla Corporation
The most beautiful yet the simplest add-on that makes a strong colorful appeal. Colors every tab in a different color and makes them easy to distinguish while beautifying the overall appearance of the interface. An essential.

UPDATE: It seems that the Colorful Tabs author’s homepage is down; as a result I appear to be getting hits from Google and comments about features. I’d like to stress that I have nothing to do with the development of Colorful Tabs, and you have my apologies if my post appeared that way. You have stumbled across a post from my Firefox recommendations category, whereby I post links to Firefox add-ons I like, have installed and recommend to my friends.

Nagios Checker – Firefox Extension

Been looking for something like this for a while…..

Nagios Checker | Firefox Add-ons | Mozilla Corporation
The statusbar indicator of the events from the network monitoring system Nagios. Information is parsed from the Nagios web interface. In the extension settings dialog simply fill in the start page URL of your Nagios web interface, e.g. http://www.yourfirm.com/nagios/ and let the button locate the status script URL.

Have Firefox & Google Toolbar Merged ?

[Screenshot: Firefox Spell Checker]

So Firefox 2 was released yesterday, and I’ve just been browsing through the features list. The fact that some of the Google Toolbar features have sneaked in as default functionality doesn’t surprise me; for example, the spell checker from the Google plugin is an obvious feature for Mozilla to include in the core.

What surprised me was how the anti-phishing feature was just lifted:

[Screenshots: Google Anti-Phishing / Mozilla Anti-Phishing]

This is an excellent example of open source, and it’s really good to see Google sharing their work. I just hope that anti-CustomizeGoogle doesn’t sneak in, or worse still, targeted advertising!

Gmail File Space Extension (gSpace)

For those who can’t wait for the fabled GDrive, this is worth a look: you get an FTP-style interface to Gmail within Firefox. I’ve found it useful for quick backups.

Gmail File Space
This extension allows you to use your Gmail Space (2 GB) for file storage. It acts as a remote machine. You can transfer files between your hard drive and Gmail. This is similar to “Gmail Drive” on the Windows platform. Your Gmail account looks like an FTP host and you can upload and download your files. After you install, you get an option called “GSpace” in your “Tools” menu; clicking on it opens the window for transfer of folders/files. Works great for photos and music files less than 14MB.

Download Statusbar: Firefox Extension

This extension is probably more of a personal thing than actually useful; if you download a lot like me, then the download manager can get in the way a bit, so this is a good alternative…

Download Statusbar
View and manage downloads from a tidy statusbar – without the download window getting in the way of your web browsing.