EDIT: It was some internal rules on the FW, sorry for the inconvenience and thanks for your advice.


I have a server with Squid (2.7.STABLE9) on Debian (Wheezy 7.1) and I added Apache2 (2.2.22) to send a PAC file to all my users.

Both are set up and work, but I can't get the PAC file if I'm not already connected to the Squid server (only if I use a local PAC file with FoxyProxy).

In fact, I can download the PAC file if I request the IP address of the server in my browser when I set up FoxyProxy for my proxy with a local copy of the PAC file. But if I didn't set up the proxy in my browser, I get an error (ERR_CONNECTION_REFUSED on Chrome, for example).

Here is my /etc/squid/squid.conf

#################### SQUID CONF FILE
#################### Version 2.7.STABLE9

########################################
# AUTHENTICATE
#See http://wiki.squid-cache.org/ConfigExamples/Authenticate/
## NTLM Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 5
auth_param ntlm keep_alive on


# See http://www.odrakir.com/blog/2009/11/19/integrating-squid-with-active-directory/
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl


########################################
# SECURITY
forwarded_for off                   # Hide self.IP
httpd_suppress_version_string on    # Hide squid version
#chroot on                          # Chroot squid daemon
debug_options ALL,1




########################################
# Access List
#Global:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443        # HTTPS
acl Safe_ports port 80 8080 # HTTP(s)
acl purge method PURGE
acl CONNECT method CONNECT

acl my_lab src 172.30.24.0/24

# authentication
acl ntlm proxy_auth REQUIRED
acl user_group external ADS my_user



########################################
# HTTP_ACCESS
# Default HTTP Access
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localnet
http_access allow localhost

# Hack for no popups (See: http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F )
http_access deny !ntlm all
# Check user come from right OU from AD
http_access deny !user_group all

# Allow subnet access with HTTP ports
http_access allow my_lab Safe_ports all
# No Connect method on other port than 443
http_access deny CONNECT !SSL_ports

# At last but not the least !
http_access deny all



########################################
# HEADER_ACCESS
# http_anonymizer paranoid, see http://www.foo.be/scripts/anonymizer/squid.conf
via off     # RFC2616 HTTP header Via
forwarded_for off
# return fail on some website
#header_access Allow allow all
#header_access Authorization allow all
#header_access WWW-Authenticate allow all
#header_access Proxy-Authorization allow all
#header_access Proxy-Authenticate allow all
#header_access Cache-Control allow all
#header_access Content-Encoding allow all
#header_access Content-Length allow all
#header_access Content-Type allow all
#header_access Date allow all
#header_access Expires allow all
#header_access Host allow all
#header_access If-Modified-Since allow all
#header_access Last-Modified allow all
#header_access Location allow all
#header_access Pragma allow all
#header_access Accept allow all
#header_access Accept-Charset allow all
#header_access Accept-Encoding allow all
#header_access Accept-Language allow all
#header_access Content-Language allow all
#header_access Mime-Version allow all
#header_access Retry-After allow all
#header_access Title allow all
#header_access Connection allow all
#header_access Proxy-Connection allow all
#header_access Referer allow all
#header_access All deny all



########################################
# ICP_ACCESS
icp_access allow localnet
icp_access deny all



########################################
# GLOBAL SQUID CONF (port, cache, ...)
http_port 3128
icp_port 0  # 0 to disable
htcp_port 0 # Same...

cache_mem 80 MB
cache_effective_group winbindd_priv

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern .   0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 500 16 256

and /etc/apache2/sites-available/proxy

NameVirtualHost *:80
<VirtualHost 172.30.10.113:80 127.0.0.1:80>
    ServerAdmin titi@tata.fr

    DocumentRoot /var/www/pac
    DirectoryIndex proxy.pac

    <Directory /var/www/pac/>
        ForceType application/x-ns-proxy-autoconfig
        Options -Indexes -FollowSymLinks -MultiViews -ExecCGI
        Order allow,deny
        Allow from all
        RedirectMatch ^/$ /proxy.pac
    </Directory>
#   <LimitExcept GET>
#       Require ip 10.0.0.0 172.16.0.0 192.168.0.0
#   </LimitExcept>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

and the /var/www/pac/proxy.pac

function FindProxyForURL(url, host)
{
    // Let them go home !!
    // Match on host, not url: url starts with the scheme ("http://..."),
    // so "localhost*" can never match it.
    if (shExpMatch(host, "localhost*") || isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    // See https://support.mozilla.org/sv/questions/804868#answer-166476
    // If the internal domain does not resolve, the client is off-site: go direct.
    else if (!dnsResolve('my.domain.fr'))
        return "DIRECT";
    else
        return "PROXY 172.30.10.113:3128";
}

I have already seen this, but it uses Squid3 options in the configuration file.

EDIT

And there is no iptables on the server. Maybe I only need an iptables redirection from ip:3128 to ip:80?

Thanks for your help or any advice.

user63946
  • Perhaps there is a FW between your clients and your apache preventing them to connect to apache? How do you configure clients to retrieve the PAC file? – alphamikevictor Jun 03 '15 at 09:37
  • In what manner can't you get your proxy.pac file? Have you set up DHCP with the option to advertise a particular PAC file? Do you have wpad.YOURDOMAIN configured in DNS? http://findproxyforurl.com/ is a really great resource for this understanding this topic. – Cameron Kerr Jun 03 '15 at 09:41
  • @alphamikevictor I don't think the FW drops anything because I can access the pac file from my client if I set up FoxyProxy (I give it the absolute link of a local copy of the pac file like file://C:/User/...) – user63946 Jun 03 '15 at 10:51
  • @CameronKerr When I set up the pac file in Firefox with FoxyProxy, if I ask for http://172.30.10.113 I can download the file. If I didn't set up FoxyProxy, it gives me an error. For findproxyforurl.com, I made my pac file with it (and it's very good, as you say). Finally, I want to deploy the pac file with a GPO – user63946 Jun 03 '15 at 10:58
  • And what error does it give you? (You should always give those in your original question.) – Cameron Kerr Jun 03 '15 at 11:27
  • @CameronKerr, I just changed the original post, the error is `ERR_CONNECTION_REFUSED` on Chrome – user63946 Jun 03 '15 at 11:44
  • Sounds like httpd is not running. Check the error_log – Cameron Kerr Jun 03 '15 at 12:14
  • @CameronKerr In _error.log_ I have: `[notice] caught SIGTERM, shutting down` and `[notice] Apache/2.2.22 (Debian) configured -- resuming normal operations`, but in _access.log_ I have a line for any access (obviously) from a browser set up with the proxy and some wget (local request). Last, `invoke-rc.d apache2 status` seems good. – user63946 Jun 03 '15 at 12:22

1 Answer

Not sure if it is just a cut & paste mistake, but I read:

ForceType applivation/x-ns-proxy-autoconfig

That should be:

ForceType application/x-ns-proxy-autoconfig

Another thing I see missing is the exclusion of your subnet in the pac file; I would add that to the first check:

isInNet(dnsResolve(host), "172.30.10.0", "255.255.255.0")

As a step to simplify your setup you may implement proxy auto discovery: that is a simple configuration and should eliminate the need to make any client side configuration and hopefully all your issues.

Regardless of the above, I would remove any rewriting from your pac site (default page & RedirectMatch): the access to the pac file is an automated process (there are no users browsing for that file) and any rewrite or redirect is not required but adds a layer of uncertainty to any debug activity, and this is not a good thing.

Maybe by removing the redirects the actual issue/error could finally get written into some log file.

Paolo
  • Thanks for the correction. For the pac file every connection has to pass by the proxy except when you are not inside the subnet (for users with laptops especially, when they go home) and that's why the first instruction of the pac file. But I am going to try to change my pac to wpad – user63946 Jun 03 '15 at 15:25
  • @user63946 I can't quite get the part _every connection has to pass by the proxy except when you are not inside the subnet_: you refer to the client machine accessing the proxy? You have no way to know the client ip/subnet/whatever in the pac file... the check `isInNet(dnsResolve(host), "172.30.10.0", "255.255.255.0")` is performed on the server host name (made a correction to my answer...). – Paolo Jun 03 '15 at 15:39
  • I'm not English born, what I understood is (in the pac file) the first if statement is for no proxy when the user requests his localhost, the 2nd is a hack to know if you can resolve a domain name from your location and your if statement is to know if the host is in 172.30.10.0/24, am I wrong? – user63946 Jun 03 '15 at 16:15
  • In the pac file you have no information about the client; all the information you have is related to the target url and host name. In your first statement you are telling the browser to bypass the proxy when the target is localhost – Paolo Jun 03 '15 at 16:44
  • OK. So with the first statement a user can't go on the Internet (with another local proxy made by the user for example), did he? Because I just want to log user actions when they go on the Internet &/or Intranet from hosts connected to my network – user63946 Jun 03 '15 at 16:57
  • If your goal is to log user actions when surfing the Internet and/or intranet then a pac file is not the right solution. To log Internet activity you have to act on the gateway (maybe a transparent proxy could do). To log intranet activity the solution is bound to the topology of your network, to the number of sites and servers and clients. – Paolo Jun 03 '15 at 20:10