Autodetect Proxy settings using PAC and WPAD files

There is a GPO way of doing this, and there is a more far-reaching and flexible way of setting up proxy settings for all your LAN users. This is just my journey into learning how to use .pac, .dat and .da files to automate proxy settings.

First of all I want to thank everyone out there that has posted so much information on this topic. Really, if you want to find out more just google “Proxy WPAD”; you are going to find more results and information than you can read on a Saturday morning.

The file is very easy to work with, and anyone comfortable with JavaScript can figure out how it works in seconds. A PAC file can also do much more than just set the proxy server: you can set up all kinds of exceptions. For your laptop users you can write a .pac file that decides whether to use the proxy based on the client's own IP address (the myIpAddress() helper), so the same file works on and off the LAN. This is all possible with simple if/else logic and the and/or operators.

An Example PAC file:

function FindProxyForURL(url, host)
{
        // Direct connections for non-FQDN hosts, loopback, the internal
        // domains and the internal address ranges; everything else via the proxy.
        // A plain string comparison such as host == "*.localdomain.com" never
        // matches (== does no wildcard expansion), so the domain-suffix checks
        // use dnsDomainIs() and shExpMatch() instead.
        if (isPlainHostName(host) ||
            (host == "127.0.0.1") ||
            dnsDomainIs(host, ".localdomain.com") ||
            shExpMatch(host, "*.somedomain.com") ||
            shExpMatch(host, "90.0.0.*") ||
            shExpMatch(host, "10.*")) {
          return "DIRECT";
        } else {
          return "PROXY proxy.localdomain.com:8080";
        }
}

The biggest gotchas for me were DNS issues on Server 2008, and how IE 8 interacted with DNS when retrieving the .dat file.

  • First, the Windows Server 2008 DNS server blocks the wpad name by default for security reasons: its global query block list refuses to answer queries for wpad (and isatap), because with dynamic DNS updates enabled any host could otherwise register wpad and hand every client on the LAN a malicious PAC file.
  • You need to create an A record, not a CNAME record, in the DNS server for IE to even work with it.
  • Even after all of that, IE still may have issues pulling it down; I’m still testing this.
  • Make sure you can ping wpad from a client; if you can't, you may have to remove wpad from the Server 2008 global query block list.

I found the best place to test your PAC file is on your local machine. I like to place my PAC file next to the hosts file, “c:\windows\system32\drivers\etc\wpad.pac”. Then point IE to FILE://windows/system32/drivers/etc/wpad.pac

For Firefox it is FILE:///windows/system32/drivers/etc/wpad.pac
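Since the whole point of testing locally is to catch logic mistakes before every client on the LAN picks the file up, here is an added example (my own code, not the original post's PAC file) that keeps the rules above but makes the laptop case explicit: it uses myIpAddress() to send clients that are not on the office LAN direct, uses dnsDomainIs() for domain-suffix checks instead of string equality, and ships with small stand-ins for the helper functions the browser normally supplies, so FindProxyForURL can be run and checked under Node rather than only by eye in a browser. The proxy name, the office LAN 192.168.5.0/24, the 90.0.0.0/24 range and the sample addresses are assumptions made for the demo.

```javascript
"use strict";

// Added example, not the original post's PAC file. The proxy name and the
// address ranges (10.0.0.0/8, 90.0.0.0/24, office LAN 192.168.5.0/24) are
// assumptions for the demo.

// ---- stand-ins for the helpers a browser supplies to every PAC file ----
// (same names and semantics, so FindProxyForURL below can be copied into a
//  real wpad.dat unchanged)

function isPlainHostName(host) {
  return host.indexOf(".") === -1;   // "intranet", not "intranet.localdomain.com"
}

function dnsDomainIs(host, domain) {
  // Suffix match. Always pass the leading dot: ".localdomain.com" matches
  // "wiki.localdomain.com" but not "notlocaldomain.com".
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell glob -> anchored regex: '*' = any run of characters, '?' = one.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isInNet(ip, net, mask) {
  // Only a dotted quad can be in a network; a hostname is simply "not in it".
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// The browser reports the client's own address; here it is settable so a
// laptop on and off the LAN can be simulated.
let clientAddress = "192.168.5.20";            // constructed sample address
function myIpAddress() { return clientAddress; }
function setClientAddress(ip) { clientAddress = ip; }

// ---- the PAC logic itself ----------------------------------------------

function FindProxyForURL(url, host) {
  // Unqualified names, loopback and the internal domains never use the proxy.
  if (isPlainHostName(host) ||
      host === "127.0.0.1" ||
      dnsDomainIs(host, ".localdomain.com") ||
      shExpMatch(host, "*.somedomain.com")) {
    return "DIRECT";
  }
  // URLs that name an internal address literally go direct as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "90.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Laptop case: the proxy is only reachable from the office LAN, so a
  // client with any other address (home, hotel) has to go direct.
  if (!isInNet(myIpAddress(), "192.168.5.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through the proxy. No "; DIRECT" fallback is
  // appended on purpose: it would let every client bypass the proxy's
  // filtering whenever the proxy is unreachable.
  return "PROXY proxy.localdomain.com:8080";
}

// Quick self-check when run directly with node.
for (const host of ["intranet", "wiki.localdomain.com", "10.1.2.3", "www.example.com"]) {
  console.log(host.padEnd(22), "->", FindProxyForURL("http://" + host + "/", host));
}
setClientAddress("172.16.4.9");                // same laptop, now off the LAN
console.log("www.example.com (off LAN) ->",
            FindProxyForURL("http://www.example.com/", "www.example.com"));
setClientAddress("192.168.5.20");              // restore the default
```

Run it with node, then paste the FindProxyForURL function alone into wpad.dat; the stand-in helpers stay in the test file. The off-LAN branch is what makes the file safe for laptops, but note the trade-off it encodes: a client that is not on the office network is deliberately sent around the proxy, so whatever the proxy enforces does not apply there.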

Once you have a working .pac file, save it again with the extensions .dat and .da, and place all three files in the root of your web server. You may also need to add the MIME type for each extension to your web server (the type is application/x-ns-proxy-autoconfig); in Apache 2 it is just a matter of adding a few lines to the mime.conf file. You should be able to put wpad.localdomain.com/wpad.dat in your browser and it should ask you if you want to download the file; if you just see text, then you need to add the MIME type.

Then set IE and Firefox to autodetect. Two things I found worth checking are local-domain web servers where you might type “webservername” vs “webserver.localdomain.com”. If you have problems, try placing the IP and wpad in your hosts file; if it works fine that way, it is probably a DNS issue.

At this point it is either working perfectly or not at all. One thing that is nice is at least being able to use a PAC file locally on laptops. I may start using it this way for now, until I figure out IE’s issues with wpad DNS records.

Your non-Windows users should start pulling these new proxy settings quickly, as most browsers are set to autodetect.

More to come on this post: I plan to test this out more this week.

References:

http://blogs.technet.com/b/isablog/archive/2008/02/19/windows-server-2008-dns-block-feature.aspx

Create a GPO that is processed based on the location of the Computer object (Loopback Processing mode)

I must have missed the bandwagon on this nice little GPO feature. I kind of ran into it by accident this morning.

Sometimes it would be nice to set up a policy that runs a printer script or, in my case, changes the timing on a screen saver based on the location of the computer, and not of the user, within Active Directory.

The setting you're looking for is under: Computer Configuration -> Administrative Templates -> System -> Group Policy -> “User Group Policy loopback processing mode”

Here you have two settings:

Replace: This completely ignores the user-settings GPOs linked to the user's location in AD and processes only the user settings from the GPOs that apply to the computer's location.

Merge: This processes all the policies based on the user's location first, then applies the user settings from the GPOs that apply to the computer's location on top, so where the two conflict the computer-location settings win.

The link below explains this in more detail; I hope someone finds this as helpful as I did.

reference:

http://grouppolicy.editme.com/Loopback

Blocking and Allowing Sites in Squid

Well, I ran into a config issue on the new Squid server I’m working on. Still working out all the kinks, but I did learn something new.

You can create a site list, then set up an ACL and block or allow sites within this list. This was not new to me, but it was the way it was done that got me thinking.

acl allowsites url_regex -i "/etc/squid3/allowed-sites"
http_access allow allowsites

By using url_regex, Squid looks through the whole URL to see if any of the patterns in the file match, and deals with them accordingly. Seems to be working well so far. Keep in mind what that means for an allow list, though: each line is an unanchored regular expression, so a bare "example.com" also allows any URL that merely contains that string (in a query parameter, or as a prefix of a hostname like example.com.attacker.net), and the unescaped dot matches any character. If the list is really a list of hostnames, the dstdomain ACL type compares against the request host only and is the safer choice; if you stay with url_regex, anchor the patterns and escape the dots.
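To make the difference concrete, here is an added example (my own code, not Squid's and not the original post's config) that reproduces how Squid evaluates the two ACL types over a handful of sample requests: url_regex as an unanchored, case-insensitive regular expression over the whole URL, dstdomain as a host comparison where a leading dot means "this domain and its subdomains". The list contents, hostnames and URLs are constructed for the demo.

```javascript
"use strict";

// Added example, not Squid's code or the original post's config. It mimics
// how Squid evaluates url_regex and dstdomain so the difference can be seen
// on sample requests. The list contents, hostnames and URLs are constructed.

// Constructed contents of "/etc/squid3/allowed-sites": one bare domain per
// line, which is how such lists usually start out.
const allowedSitesFile = `
# sites staff may reach without restriction
example.com
intranet.localdomain.com
`;

function parseList(text) {
  return text.split("\n")
             .map(line => line.trim())
             .filter(line => line && !line.startsWith("#"));
}

// url_regex -i "<file>": every line is a regular expression, tried
// UNANCHORED and case-insensitively against the complete request URL. A bare
// domain therefore also matches inside a path, a query string or a longer
// hostname, and its unescaped "." matches any character.
function urlRegexAllows(url, entries) {
  return entries.some(entry => new RegExp(entry, "i").test(url));
}

// dstdomain "<file>": compared with the request's host only. "example.com"
// matches exactly that host; ".example.com" matches it and every subdomain.
function dstdomainAllows(url, entries) {
  const host = new URL(url).hostname.toLowerCase();
  return entries.some(entry => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) return host === e.slice(1) || host.endsWith(e);
    return host === e;
  });
}

const entries = parseList(allowedSitesFile);

// Constructed requests: two legitimate ones, then three that a user could
// use to slip an arbitrary site through a url_regex allow list.
const requests = [
  "http://example.com/",
  "http://intranet.localdomain.com/wiki",
  "http://attacker.invalid/?ref=example.com",    // allowed name in the query string
  "http://example.com.attacker.invalid/",        // allowed name as a hostname prefix
  "http://exampleXcom/",                          // "." in the pattern matches any char
];

function verdicts(urls, list) {
  return urls.map(url => ({
    url,
    url_regex: urlRegexAllows(url, list),
    dstdomain: dstdomainAllows(url, list),
  }));
}

for (const v of verdicts(requests, entries)) {
  console.log(`${v.url.padEnd(44)} url_regex=${v.url_regex}  dstdomain=${v.dstdomain}`);
}
```

Running it shows url_regex saying yes to all five requests while dstdomain allows only the first two. The flip side is that an exact dstdomain entry does not cover subdomains, so a list meant to include www.example.com needs ".example.com". One more thing the simulation does not model: for CONNECT (HTTPS) requests the "URL" Squid matches is just host:port, so url_regex patterns written around http:// behave differently again, while dstdomain is unaffected.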

Limiting Access to a directory from apache based on IP Address

I figured I would post this, as it could be useful in the future. This is an example of how to limit access to a web-enabled directory in Apache by IP address. There are a number of great web-based tools for Linux, but it is important to lock them down. Add this to your apache.conf file, or whichever config file you have already included with Apache; for example, I added this to the apache.conf file that phpMyAdmin installs in “/etc/phpmyadmin/”. Note that the Directory block has to name the directory Apache actually serves (the target of the tool's Alias), not the directory holding the config file, and that Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 replaces it with Require ip.

# The path must be the directory Apache serves for the tool (for the Debian
# phpmyadmin package that is the Alias target /usr/share/phpmyadmin), not the
# directory that holds the config file.
<Directory "/usr/share/phpmyadmin">
        # AllowOverride All lets a .htaccess in this directory relax the rules
        # below; use None if nobody needs per-directory overrides here.
        AllowOverride All
        # deny,allow: Deny rules are evaluated first, then Allow; a client that
        # matches an Allow gets in even though "Deny from all" matched it.
        Order deny,allow
        Deny from all
        # 127 = the whole 127.0.0.0/8 loopback range
        Allow from 127
        Allow from 192.168.0.62
        # office
        Allow from 64.220.17.205
</Directory>

Using Robocopy to Migrate Windows Shares to NetApp

Recently at work we installed a new NetApp FAS2020 and, after playing with CIFS shares, found that it would be great, but one problem held us back: file permissions on thousands of files, as well as modify date/time information, would be lost in a simple file copy. Not so with robocopy. The /copyall switch (equivalent to /COPY:DATSOU) ensures that all file information is copied: data, attributes, timestamps, NTFS permissions (ACLs), owner and auditing information, which is also why it needs administrative rights on both sides. One gotcha: do not end a quoted path with a backslash, because cmd treats \" as an escaped quote and mangles the argument. There are many options to robocopy. I ran the following syntax in a .bat file, which wrote a log file; I ran one of these for each share and was able to look through the log file to see if any files were missed.

robocopy "\\UNC\PATH\To\SOURCE" "\\UNC\PATH\TO\DESTINATION" /E /copyall /R:1 /W:3 /v /log:C:\log.txt

Reference:

http://www.mydigitallife.info/2007/05/07/robocopy-syntax-command-line-switches-and-examples/

Installing PHP for Ubuntu

Installing PHP5

sudo apt-get install apache2
sudo apt-get install php5 php5-cli
sudo apt-get install libapache2-mod-php5
sudo /etc/init.d/apache2 restart

Installing MySQL on Linux

I know there are already how-tos out there, but I figured I would post my own, just to make it easier for me to find if I need it in the future.

To install MySQL, run the following command in a terminal:

sudo apt-get install mysql-server

During the install you will be prompted to enter the root password; you can change this later.

MySQL should now be running. To check this, type:

sudo netstat -tap | grep mysql

You should see the following output:

tcp        0      0 localhost:mysql         *:*                     LISTEN      2556/mysqld

You can edit the /etc/mysql/my.cnf file to configure the basic settings (log file, port number, etc.). By default bind-address is 127.0.0.1, so MySQL accepts local connections only. To let network hosts connect, change the bind-address directive to the server’s IP address, and do so only if remote clients really need it: once it listens on the LAN, firewall port 3306 down to those clients and give their accounts a specific host part rather than the '%' wildcard.

bind-address  = 192.168.0.5

After making a change to /etc/mysql/my.cnf, the MySQL daemon will need to be restarted:

sudo /etc/init.d/mysql restart

If you would like to change the MySQL root password, in a terminal enter:

sudo dpkg-reconfigure mysql-server-5.1

The mysql daemon will be stopped, and you will be prompted to enter a new password.