
Proxy configuration using DHCP and WPAD



This weekend I finally found time to look into the proxy configuration
in Debian Edu.  In Debian Edu/Lenny, some services used the hardcoded
proxy setting http://webcache:3128/, while others used the WPAD file
available from http://wpad/wpad.dat.  The goal was to make all
services use the setting from the WPAD file, but this was not ready in
time for Lenny.

Yesterday, I drafted the DHCP hook to use the wpad-url option from
DHCP to update proxy settings in /etc/environment and
/etc/apt/apt.conf using the WPAD settings in http://wpad/wpad.dat.
This seems to work well in squeeze-test.

This allows a site to change its proxy configuration for all clients by
editing the WPAD file on the main-server, if they want to move the
proxy to a different machine or disable proxying completely.

It only takes effect for DHCP clients, so the proxy settings on the
main-server are not affected (it is using static IP configuration).
All other hosts should get this dynamic setup now.

Not quite sure how it will work for diskless workstations, but suspect
it will work there too, as /etc/ is made writable during boot.

This is implemented by adding a hook in
/etc/dhcp3/dhclient-exit-hooks.d/ to call
/usr/share/debian-edu-config/tools/update-proxy-from-wpad, which in
turn calls /usr/share/debian-edu-config/tools/wpad-extract to run the
JavaScript in the WPAD file to extract the proxy settings for
http://www.debian.org/ and ftp://ftp.debian.org/ and use these as the
proxy settings for /etc/environment and /etc/apt/apt.conf.

It might be a good idea to split this functionality out into a
separate package, both to allow non-debian-edu users to use it, but
also to allow sites to disable this feature by removing such a package.

Any comments on this feature?

I did consider if this introduces new security problems, and concluded
that it does not.  We already trusted the DNS setting fetched from
DHCP to locate the proxy server, and for this the DHCP replies need to
be trusted as well.  If we can't trust DHCP, most of the security in
Debian Edu breaks down anyway. :(

Anyone got comments on this way of doing it?

I did consider fetching the proxy settings from LDAP, and that might
be a better option.  But for that we need to create our own LDAP
schemas and probably add some cron job to query LDAP regularly.  Not
sure if that is a good idea.  Could also assume the wpad DNS name
always points to the WPAD distribution server, but find it more
flexible to set it using a DHCP option.

Happy hacking,
-- 
Petter Reinholdtsen
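
The extraction step described in the message above, as an added example that is not part of the original post and is not the debian-edu-config tools: it evaluates a WPAD file's FindProxyForURL for the two Debian URLs and accepts the result only if it is DIRECT or a plain "PROXY host:port" before turning it into config lines. The function names, the sample WPAD file, and the choice of http_proxy/ftp_proxy and Acquire::*::Proxy as the written settings are assumptions.

```javascript
// Subset of standard PAC helpers a WPAD file may call (added example, hypothetical names).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, glob) => new RegExp('^' + glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
};

// Constructed sample WPAD file; webcache:3128 is the proxy named in the message.
const samplePac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".intern")) return "DIRECT";
  return "PROXY webcache:3128; DIRECT";
}`;

// Run FindProxyForURL for one URL. new Function is not a sandbox: the PAC
// script runs with this process's privileges, so run it as an unprivileged user.
function findProxy(pacText, url) {
  const names = Object.keys(pacHelpers);
  const fn = new Function(...names, 'url', 'host',
    pacText + '\nreturn FindProxyForURL(url, host);');
  return String(fn(...names.map((n) => pacHelpers[n]), url, new URL(url).hostname));
}

// Take the first PAC entry and accept only DIRECT or "PROXY host:port".
// Anything else (quotes, newlines, other schemes) is refused, not written out.
function proxyUrlFromPac(result) {
  const first = result.split(';')[0].trim();
  if (first === 'DIRECT') return null;
  const m = /^PROXY ([A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?):(\d{1,5})$/.exec(first);
  if (!m || Number(m[3]) < 1 || Number(m[3]) > 65535) {
    throw new Error('refusing PAC result: ' + JSON.stringify(first));
  }
  return `http://${m[1]}:${m[3]}/`;
}

// Build the lines for /etc/environment and /etc/apt/apt.conf (variable and
// option choice is an assumption; the message does not list them).
function renderConfig(pacText) {
  const http = proxyUrlFromPac(findProxy(pacText, 'http://www.debian.org/'));
  const ftp = proxyUrlFromPac(findProxy(pacText, 'ftp://ftp.debian.org/'));
  return {
    environment: [http && `http_proxy=${http}`, ftp && `ftp_proxy=${ftp}`]
      .filter(Boolean).join('\n'),
    aptConf: [http && `Acquire::http::Proxy "${http}";`, ftp && `Acquire::ftp::Proxy "${ftp}";`]
      .filter(Boolean).join('\n'),
  };
}
```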

