Comment 1 Christian Völker 2020-04-17 16:18:56 CEST

Note: I tried to use the exclude statements to download the proxy.pac but I have not been successful. It always rewrites it to https://

ucr set apache2/force_https/exclude/server_name/proxy="edusrv.schulen.ucs"

If set to force_https it should set the exclude statements in an ucs@school environment automatically.

Comment 2 Daniel Tröder 2020-04-20 09:13:46 CEST

Would it work, if the DHCP option would send a https URL to the clients?

Comment 3 Christian Völker 2020-04-20 09:39:06 CEST

As I did not know how to change the proxy URL I did not do any further troubleshooting.

I tried with excludes from UCRV but did not succeed do to unknown syntax of those entries.
These both did not work (still redirecting to https):
apache2/force_https/exclude/request_uri/proxy: http://lenaedu.schulen.ucs/proxy.pac*
apache2/force_https/exclude/server_name/proxy: lenaedu

For customer we switched back to http for everything to get it working.

Comment 4 Daniel Tröder 2020-04-20 10:55:39 CEST

You can change the DHCP option using UDM: https://docs.software-univention.de/ucsschool-handbuch-4.4.html#school:proxy

Comment 5 Christian Völker 2020-04-20 11:04:13 CEST

As this is a "feature" which is for sure not expected by customers it should be handled automatically by ucs@school.

If we offer a variable to redirect every traffic to https// all related services should get updates of the configuration change.

Comment 6 Daniel Tröder 2020-04-20 11:24:15 CEST

I concur.

Can you please check, if changing the DHCP option via UDM fixes the problem for the customer?

Comment 7 Christian Völker 2020-05-08 09:08:16 CEST

Customer solved it by:
 udm dhcp/service modify --dn="cn=ou1,cn=dhcp,ou=OU1,dc=schulen,dc=multi,dc=ucs" --append-option options --remove option="wpad \"http://proxy.multi.ucs/proxy.pac\""

udm dhcp/service modify --dn="cn=ou1,cn=dhcp,ou=OU1,dc=schulen,dc=multi,dc=ucs" --append-option options --append option="wpad \"https://proxy.multi.ucs/proxy.pac\""

As this is not really customer friendly we should at least make sure the udm setting matches the UCRV (if the latest only allows https:// the udm setting should switch to https:// automatically).

Comment 8 Ingo Steuwer 2020-07-21 15:46:36 CEST

I'd prefer to define an exclude for the wpad URL to allow a download via HTTPS.

Rewrite the DHCP option without interaction with the administrator might fail as long as the PKI user for HTTPS is not known to the clients - which is the default due to our self signed PKI.

Comment 10 Nico Gulden 2020-12-01 13:02:55 CET

There has not been any recent activity on this bug. Has the problem been seen somewhere else as well in the meantime or has its assessment changed?

Comment 11 Christian Völker 2020-12-01 13:13:30 CET

I guess not all customers have both setting enabled.
1. Getting proxy file from DHCP option
AND
2. Disabling unencrypted http traffic to UCS

But as my test has shown it will happen on all customers enabling both options. Which will likely happen more and more as security is getting higher priority.

Comment 13 Arvid Requate 2022-06-01 13:15:09 CEST

This bug should probably go to the school team.

It seems that the suggested UCR variables are not correct. Juan Carlos tested it in his environment and the following variable allows downloading the pac file using http when the ucr variable apache2/force_https is enabled:

ucr set apache2/force_https/exclude/request_uri/proxy?"/proxy.pac"

There's a feature branch proposing a fix for ucs-school-webproxy:
  https://git.knut.univention.de/univention/ucsschool/-/commits/jgarcia/51115-proxy-pac-with-force-https

Comment 14 Daniel Tröder 2022-06-01 14:07:59 CEST

I have moved the issue into the school teams kanban board.