Think your DHCP options may be off...
From: http://www.wlug.org.nz/WPAD
Add the following to your
/etc/dhcpd.conf:
option option-252
"http://wpad.host.co.nz/proxy.pac";
With ISC DHCP v3+, option-# options
don't work. You have to do this in the
global section of your configuration:
option wpad-url code 252 = text;
(define a new option)
And add this in either the global or
appropriate subnet section(s) of your
configuration:
option wpad-url
"http://wpad.my.domain.tld/proxy.pac\n";
(use new option)
Also, you will find that auth in transparent mode in squid is not really possible. Some commercial web filters do work around this (indeed I work for SmoothWall, one such filter).
Not exactly: it depends on how the client is configured. Let's use IE as the basic example.
If you configure IE with an explicit proxy: e.g. no other options ticked, proxy set to something:8080.
User types an address
IE checks the address for a string match against the IE proxy exceptions list (i.e. "Bypass proxy for these addresses:")
a. If it matches an entry in the Bypass list, the client uses its own DNS to resolve the name, and then the client connects directly to the target IP address on port 80 (assumed), then sends a request like:
GET /something.htm HTTP/1.1
Host: fulldomainame.example.com
b. If no bypass list entries match, continue:
IE connects to its configured proxy, and sends a request of the form:
GET http://fulldomainname.example.com/something.htm HTTP/1.1
Bonus factoid: this use of the FQDN in the URL is one way you can tell that a client thinks it's talking to a proxy instead of a real web server
The proxy resolves that host name using its own DNS, and then connects to the target site (acts like the client in step 2 above), etc, etc.
When using WPAD/PAC:
In the case of using a Web Proxy Auto Discovery (WPAD) or Proxy Auto Configuration (PAC or Autoconfig) script, such as those provided by ISA/TMG when autoconfiguration is enabled, it's different:
User types an address
Client downloads the current wpad.dat/autoproxy.js/.pac file from its configured location
Client looks for the function "FindProxyForUrl" in the js file, and executes it
The Autoproxy script processes the hostname and URL. This is a limited-function javascript file, but lots of things are still possible:
a. this may include name resolution (IsInNet, DnsResolve)
b. this may include string matching (ShExpMatch)
c. this may include counting to a million (i++)
d. this may include narky alert popup messages if the admin's a jerk
- (or just funny)
- ((or debugging))
The FindProxyForUrl function returns at least one string: an ordered list of the best proxies to use (semicolon separated)
a. either "DIRECT", in which case the client then needs to resolve the name itself and connect directly, as per the Bypass case above
b. or "PROXY proxyname:8080" or similar, in which case the client connects to that port on that proxy, tells it to GET the full URL, and the proxy performs name resolution.
- As an example: if the script function returned "PROXY yourProxy:8080;DIRECT" that tells the client to connect to yourproxy on TCP port 8080 to request this URL, and if that connection can't be established, try going direct.
Note that TCP session setup failure isn't exactly quick, so this isn't likely to be a pleasant failover experience for a user, but beats nothing. Maybe.
There are occasionally glitches, subtleties and unexplained behaviours, but for the most part when things aren't broken in weird and interesting ways, the above is how I've seen it work over many years. Newer browsers are optimizing behaviour, and parallelizing stuff, and trying interesting things all the time, so check out the most recent docs for your given browser to understand the fine detail.
WinSock Proxy / ISA Firewall Client / TMG Client:
If you're interested in the Winsock Proxy Client (from TMG/ISA Server), that's a different story, with more flexibility and moving parts. Too much to go into here, but there are docs around which describe how it works. In short: it plugs into Windows Sockets, and can intercept both TCP/UDP based traffic and name resolution requests on a per-app and per-user basis. Very powerful, but also deprecated now, and hasn't been updated in several years.
Clients can be Really Clingy:
One final note: Once an HTTP client has decided to talk to a proxy for a given site/url, there's no way for the proxy to tell it not to.
There is no HTTP status code or header for "I don't serve that, you should just go directly to it instead"...
Once the client decides a particular URL is proxy-served, proxy-death-grip ensues.
The only way to avoid it is by getting the selection logic right before the client makes its connection, in the PAC or Bypass list.
A final note on Zones and PAC files
IE treats sites which are DIRECT connected - even if they have dots in the URL - to be part of the Local Intranet Zone (by default - settable in Zone properties), and so will do things like allow Integrated Windows Authentication to those sites (i.e. Kerberos and/or NTLM authentication, transparently). So controlling whether something's in the Local Intranet Zone defines how trusted it is in terms of automatic authentication. Again, at least, by default.
Best Answer
@Palmin I had the same problem, and thankfully stumbled upon a solution in this social.technet thread! The priority of adapter IPs that Windows returns to a browser's
myIpAddress()implementation can be modified by changing the IP metrics.I manually set the metrics for my physical adapters to 1, 2, etc, and put the VirtualBox Host-Only Network at the end. It works like a charm now.
My specific configuration/journey for others struggling with the same issue:
Accessing web pages on the Internet when on wireless always failed. When on a wired connection they worked just fine, and intranet pages were always accessible. Disabling the VirtualBox Host-Only Network adapter resolved the issue. Manually configuring my browser to always use a proxy (versus auto-detect) also resolved the issue.
To confirm the nature of the PAC problem, I used the pactester utility to test the behavior of
wpad.datwith my physical addresses versus the VirtualBox one. As expected, the proxy script returns direct connections for private IPv4 addresses. The default VirtualBox Host-Only IPv4 address is in the192.168.x.xrange.Modifying the adapter priority did not resolve the issue for me. It was not fully (and cleanly) resolved until I modified the metrics for each adapter.