Univention Bugzilla – Bug 35219
Configuring proxy.pac by UCR
Last modified: 2016-01-12 12:43:39 CET
At the moment, if you want to exclude sites from going through the proxy, you have to edit /var/www/proxy.pac by hand. It would be an asset, if the proxy.pac file is configurable by UCR Variables.
Requested via Ticket#2015021121000195 This is quite annoying if you run services on clients that can't handle proxy authentication properly (e.g. update services for third party applications etc.) or you just want to exclude local webservices.
Also Ticket#2014112021000242 Caused quite some trouble there, because proxy.pac was distributed via WPAD (UCS@school). This broke the communication between Windows clients and a Windows Server with WSUS. The Windows Update Service on the clients always used the settings from proxy.pac (distributed via DHPC/WPAD) and ignored all exceptions given via IE/Internet options. Being able to exclude sites/servers via proxy.pac would be a real benefit here.
A customer implementation exists. Alternatively we could make it a Multifile, so extending the template would not require to fork ucs-school-webproxy?
(In reply to Michael Grandjean from comment #3) > Alternatively we could make it a Multifile, so extending the template would > not require to fork ucs-school-webproxy? I would like to use a mechanism that does not require the registration of an additional UCR sub-template. (Without having looked at the customer solution) Is it possible to always include a proxy.local.pac by the UCR template? This way, the threshold is kept low for customers.
(In reply to Sönke Schwardt-Krummrich from comment #4) > Is it possible to always > include a proxy.local.pac by the UCR template? This way, the threshold is > kept low for customers. AFAIR that should be fine.
The configuration of the customer package has been merged into the package ucs-school-webproxy. The proxy.pac settings are customizable via UCR: ucr set squid/parent/host=parent.foo.bar squid/parent/port=3128 → set FQDN of parent proxy (used later on) ucr set proxy/pac/exclude/localhost=yes → use DIRECT connection for access to "127.0.0.1" resp. "localhost" ucr set proxy/pac/exclude/networks/enabled=yes\ proxy/pac/exclude/networks/networklist="192.168.0.0/255.255.0.0 \ 10.200.18.0" → use DIRECT connection for access to certain networks. The list uses space as delimiter. If no netmask ist specified, the default subnet mask "255.255.255.0" is used. ucr set proxy/pac/exclude/networks/parentproxy/enabled=yes → use the parent proxy instead of the DIRECT connection ucr set proxy/pac/exclude/domains/enabled=yes \ proxy/pac/exclude/domains/domainnames=".univention.de .kernel.org" → use DIRECT connection for access to certain domain names. The list uses space as delimiter. ucr set proxy/pac/exclude/domains/parentproxy/enabled=yes → use the parent proxy instead of the DIRECT connection ucr set proxy/pac/exclude/expressions/enabled=yes \ proxy/pac/exclude/expressions/expressionlist="*://software-univention.de/ \ *://(js|static).ad.example.com/img/* ftp://*" → use DIRECT connection for access to certain URLs. The list if shell patterns uses space as delimiter. ucr set proxy/pac/exclude/domains/parentproxy/enabled=yes → use the parent proxy instead of the DIRECT connection Please note: """The shExpMatch function is used in .pac files to match the current URL against any shell expression. In addition, shExpMatch is usually used to decide which proxy to use depending on the URL that is entered. In Internet Explorer, the support for shell expressions is limited to "?" and "*" in the expressions. This is by design. Because .pac files support the entire JavaScript language, you can use a regular expression object and the test method to test a string against a regular expression.""" (source: https://support.microsoft.com/en-us/kb/274204) Successful build Package: ucs-school-webproxy Version: 12.0.1-7.107.201601081642 User: sschwardt Branch: ucs_4.1-0 Scope: ucs-school-4.1 ucs-school-webproxy (12.0.1-7): r66679 | Bug #35219: fixed proxy.pac and updated UCR variable descriptions r66673 | Bug #35219: typo fixes for "UCS@school" r66672 | Bug #35219: added ucslint.overrides r66671 | Bug #35219: added additional UCR variables for proxy.pac configuration
Version: 12.0.1-8.108.201601081658 r66680 | Bug #35219: updated UCR variable descriptions
ucs-school-webproxy (12.0.2-1): r66691 | Bug #35219: fix possible attack vector due to unescaped UCR variables
ucs-school-webproxy (12.0.2-2): r66693 | Bug #35219: make proxy.pac more javascript conform / prevent hanging postinst during update
OK: proxy.pac can be used by browsers OK: all mentioned combinations
UCS@school 4.1 v3 has been released. If this error occurs again, please use "Clone This Bug".