WPAD (Web Proxy Auto-Discovery) is a method used by Internet Explorer and other web browsers to locate the automatic configuration that tells them which proxy server to use; the location can be announced through DHCP or through DNS. Because clients trust whichever host DHCP or DNS names as "wpad", the wpad record must live in your own authoritative zone and the PAC file must be served only from a host you control. Here we will skip the long background and concentrate on the configurations that actually matter. The requirements are:
- An Apache (web) server
- A DHCPD server
- A DNS server
- Iptables (for the transparent proxy)
To begin, we enter the most important parts of the WPAD configuration in both dhcpd and DNS, as shown below.

WPAD in DNS
File: midominio.com.mx.zone.db

```
…
wpad           IN     A      192.168.1.248
               IN     TXT    "service: wpad:!http://wpad.midominio.com.mx:8081/apache2-default/config.pac"
; the WPAD draft names the SRV record _wpad._tcp (the page had wpad.tcp)
_wpad._tcp     IN     SRV    0 0 8081 wpad.midominio.com.mx.
…
```

WPAD in DHCPD
File: dhcpd.conf

```
# #############################################################
# Linux as a DHCP SERVER for more networks
# option definitions common to all supported networks...
server-identifier 192.168.1.248;
authoritative;
one-lease-per-client on;
#ddns-update-style ad-hoc;
#authoritative;
#ddns-updates off;
## Dynamic DNS Enabled ##
default-lease-time 600;
max-lease-time 3600;
get-lease-hostnames true;
use-host-decl-names on;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.1;
option domain-name-servers 192.168.1.250;
option netbios-name-servers 192.168.1.1;
option ntp-servers 66.187.224.4, 66.187.233.4;
option domain-name "midominio.com.mx";
option smtp-server smtp.midominio.com.mx;
option pop-server pop.midominio.com.mx;
option interface-mtu 1500;
#option wpad-url code 252 = text;
#option wpad-url "http://192.168.3.1:8081/apache2-default/config.pac";
#option option-252 "http://192.168.3.1:8081/apache2-default/config.pac";
# DHCP option 252 carries the PAC URL; the trailing \n works around old IE clients
option option-252 "http://wpad.midominio.com.mx:8081/apache2-default/config.pac\n";
#option option-252 "http://wpad.midominio.com.mx:8081/apache2-default/config.pac ";
# Lan Principal
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.2 192.168.3.254;
    allow unknown-clients;
    #option wpad "http://192.168.3.1:8081/apache2-default/config.pac\n";
}
```

Apache server configuration for the autoconfig.pac file and the WPAD file
File: apache2.conf

```
…
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# For proxy config
AddType application/x-ns-proxy-autoconfig .pac
AddType application/x-ns-proxy-autoconfig .dat
# NOTE: a later AddType for the same extension takes precedence over the line above
AddType application/x-javascript-config .dat
…
```

File: config.pac. It must live on the proxy server, and the wpad file is a link to config.pac, i.e.:

```
lrwxrwxrwx 1 dvarela dvarela  10 Nov 5 08:39 wpad.dat -> config.pac
```

```javascript
function FindProxyForURL(url, host) {
    // go direct for bare hostnames, the listed domain and loopback
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".linuxsc.net") ||
        isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    else
        return "PROXY proxy.midominio.com.mx:8080";
}
```

Iptables configuration to make the transparent proxy work
File: proxy-trans.sh

```sh
#!/bin/sh
# Start transparent proxy
#
# redirect LAN web traffic arriving on eth1 to the local Squid port
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
```
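The PAC above can be exercised without a browser. The harness below is an added example, not code from the page: it re-implements the three helper functions the page's FindProxyForURL() relies on (following the Mozilla reference behaviour, which is an assumption here) and runs it against constructed hosts, including a look-alike domain that the leading dot in ".linuxsc.net" keeps off the DIRECT path.

```javascript
// Offline harness for the page's config.pac (added example; not from the page).
// Assumption: this isInNet() only understands dotted-quad host literals; a
// browser would also resolve hostnames through DNS before comparing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) {
  const octets = ip.split(".");
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + Number(o), 0);
}
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;   // not an IP literal
  return (h & m) === (p & m);   // both sides wrap to int32 the same way, so equality holds
}

// The PAC body exactly as it appears on the page.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".linuxsc.net") ||
      isInNet(host, "127.0.0.1", "255.255.255.255"))
    return "DIRECT";
  else
    return "PROXY proxy.midominio.com.mx:8080";
}

// Constructed cases: [url, host, expected decision].
const CASES = [
  ["http://intranet/", "intranet", "DIRECT"],                 // plain hostname
  ["http://www.linuxsc.net/", "www.linuxsc.net", "DIRECT"],   // listed domain
  ["http://127.0.0.1/", "127.0.0.1", "DIRECT"],               // loopback literal
  ["http://www.debian.org/", "www.debian.org", "PROXY proxy.midominio.com.mx:8080"],
  // the leading dot matters: a look-alike domain does not satisfy dnsDomainIs
  ["http://notlinuxsc.net/", "notlinuxsc.net", "PROXY proxy.midominio.com.mx:8080"],
  // the page's PAC sends even its own domain through the proxy
  ["http://www.midominio.com.mx/", "www.midominio.com.mx", "PROXY proxy.midominio.com.mx:8080"],
];

// Returns the hosts whose decision differs from the expectation (empty = PAC behaves as intended).
function checkPac() {
  return CASES.filter(([url, host, want]) => FindProxyForURL(url, host) !== want)
              .map(([, host]) => host);
}
```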
Most important options of the Squid configuration file on Debian 4

```
http_port 8080 transparent
cache_mem 64 MB
cache_dir ufs /usr/local/squid/logs 100 16 256
access_log /usr/local/squid/logs/access.log squid
cache_log /usr/local/squid/logs/cache.log
log_fqdn on
ftp_user happy@yahoo.com.mx
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#dovay
acl web_negadas url_regex -i "/etc/squid/web-negadas"
acl web_permitidas url_regex -i "/etc/squid/web-permitidas"
acl denegado url_regex -i "/etc/squid/denegados"
#acl busquedas_negadas url_regex -i "/etc/squid/busquedas-negadas"
#acl ext_negadas urlpath_regex -i "/etc/squid/ext-negadas"
acl ip_negadas dst "/etc/squid/ip-negadas"
#Block tunnel
acl tunnel urlpath_regex \.mpl
#acl ldomain dstdomain .midominio.com.mx
acl radio port 1024-5000
acl FTP proto FTP
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src 192.168.3.0/255.255.255.0
acl redlocal2 src 192.168.2.0/255.255.255.0
#acl redlocal3 src 192.168.3.0/255.255.255.0
#acl redlocal4 src 192.168.4.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
…
acl msn_url url_regex -i gateway.dll
acl msn_port port 1863
acl msn_method method POST
acl msn1 req_mime_type -i ^application/x-msn-messenger$
…
acl SSL_ports port 443         # https
acl SSL_ports port 563         # snews
acl SSL_ports port 873         # rsync
acl SSL_ports port 8080        # https
acl SSL_ports port 8081-8099   # INFONAVIT
acl SSL_ports port 5052        # INFONAVIT
acl SSL_ports port 5060        # SIP PHONE
acl SSL_ports port 5004        # SIP PHONE
acl SSL_ports port 731         # sesweb
acl SSL_ports port 21          # ftp
acl Safe_ports port 8081-8099  # infonavit
acl Safe_ports port 5052       # infonavit
acl Safe_ports port 5060       # sip phone
acl Safe_ports port 5004       # sip phone
acl Safe_ports port 80 8080    # http https
acl Safe_ports port 21         # ftp
acl Safe_ports port 443        # https, snews
acl Safe_ports port 70         # gopher
acl Safe_ports port 210        # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 631        # cups
acl Safe_ports port 873        # rsync
acl Safe_ports port 901        # SWAT
acl Safe_ports port 731        # sesweb
acl purge method PURGE
acl CONNECT method CONNECT
…
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost
# viento
http_access deny web_negadas
http_access deny denegado
#http_access deny ext_negadas
#http_access deny busquedas_negadas
http_access deny ip_negadas
http_access deny radio
http_access deny tunnel
http_access deny msn_method msn_url
http_access deny msn_port
http_access deny CONNECT msn_port
http_access deny msn1
http_access allow FTP
# NOTE: this line names no src ACL and web_permitidas (.*.*) matches every URL,
# so any client that can reach port 8080 is allowed before the redlocal rules below
http_access allow web_permitidas !web_negadas !ip_negadas
#http_access allow ldomain
#http_access allow redlocal !denegado
http_access allow redlocal !denegado
http_access allow redlocal2
# And finally deny all other access to this proxy
http_access deny all
…
cache_effective_group proxy
…
#Default: transparent:
# httpd_accel_no_pmtu_disc off
httpd_accel_no_pmtu_disc on
#httpd_accel_host 192.168.1.248
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
ie_refresh on
```
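Squid's http_access chain is first-match, and the ACL names on one line are ANDed: because web_permitidas is `.*.*` and that allow line names no source ACL, a request from any address that can reach port 8080 is allowed before the redlocal rules are consulted. The model below is an added example, not Squid's code or the page's: it replays that ordering on constructed requests and shows the effect of adding `redlocal` to the line; only the ACLs needed for this point are modelled.

```javascript
// First-match model of the page's http_access chain (added example; not
// Squid's code). Assumptions: only the ACLs needed for the ordering point
// are modelled, and the request objects are constructed here.
function ipToInt(ip) { return ip.split(".").reduce((a, o) => a * 256 + Number(o), 0); }
function srcIn(net, mask) {
  return r => (ipToInt(r.src) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}
function port(...list) {   // numbers or [lo, hi] ranges, like "acl name port ..."
  return r => list.some(p => Array.isArray(p) ? r.port >= p[0] && r.port <= p[1] : r.port === p);
}
function urlRegex(...pats) { return r => pats.some(p => new RegExp(p, "i").test(r.url)); }

const ACL = {
  localhost: srcIn("127.0.0.1", "255.255.255.255"),
  redlocal: srcIn("192.168.3.0", "255.255.255.0"),
  redlocal2: srcIn("192.168.2.0", "255.255.255.0"),
  Safe_ports: port(80, 8080, 21, 443, 70, 210, 280, 488, 591, 777, 631, 873, 901, 731,
                   5052, 5060, 5004, [8081, 8099]),
  SSL_ports: port(443, 563, 873, 8080, 5052, 5060, 5004, 731, 21, [8081, 8099]),
  CONNECT: r => r.method === "CONNECT",
  web_negadas: urlRegex("unlock-sites", "3qr", "secure-uk", "zettabytes", "stupidbypass",
                        "dressupwho.net", "azdressup.com", "bypasschool.com", "proxy"),
  web_permitidas: urlRegex(".*.*"),   // the page's web-permitidas file: matches every URL
  all: () => true,
};

// A rule is [verdict, ...aclNames]; names on one line are ANDed, "!" negates,
// and the first matching rule decides, as in Squid's http_access.
function evaluate(rules, req) {
  for (const [verdict, ...names] of rules) {
    if (names.every(n => n.startsWith("!") ? !ACL[n.slice(1)](req) : ACL[n](req))) return verdict;
  }
  return "deny";   // not reached here because the chain ends with "deny all"
}

// The page's ordering (rules that need unmodelled ACLs are left out).
const PAGE_RULES = [
  ["deny", "!Safe_ports"], ["deny", "CONNECT", "!SSL_ports"], ["allow", "localhost"],
  ["deny", "web_negadas"], ["allow", "web_permitidas", "!web_negadas"],
  ["allow", "redlocal"], ["allow", "redlocal2"], ["deny", "all"],
];
// Same chain with a source restriction added to the web_permitidas line.
const HARDENED_RULES = PAGE_RULES.map(r =>
  r[1] === "web_permitidas" ? ["allow", "redlocal", ...r.slice(1)] : r);

// Constructed requests: one from the LAN, one from an address outside it.
const INSIDE = { src: "192.168.3.20", url: "http://www.debian.org/", port: 80, method: "GET" };
const OUTSIDE = { src: "203.0.113.9", url: "http://www.debian.org/", port: 80, method: "GET" };
```

With the page's ordering evaluate(PAGE_RULES, OUTSIDE) returns "allow"; with the hardened line it returns "deny" while the LAN request is still allowed.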
File: denegados

```
207.46.245.222
207.46.245.214
messenger.hotmail.com
messenger.msn.com
messenger.microsoft.com
echo-v1.msgr.hotmail.com
echo-v2.msgr.hotmail.com
login.passport.net
messenger.t1msn.com.mx
```

File: ext-negadas

```
\.bat$
\.exe$
\.pif$
\.scr$
\.sys$
\.iso$
\.mp3$
\.mp4$
\.flv$
\.avi$
\.wmv$
\.wma$
\.mpeg$
\.mpg$
\.mov$
```

File: ips-negadas

```
64.131.77.96
60.191.250.23
64.13.152.67
66.197.241.54
207.44.237.144
66.98.130.235
66.98.131.103
67.15.77.222
67.15.77.224
70.84.56.186
70.85.195.236
```

File: web-negadas

```
unlock-sites
3qr
secure-uk
zettabytes
stupidbypass
dressupwho.net
azdressup.com
bypasschool.com
proxy
```

File: web-permitidas

```
.*.*
```
That covers the configuration of the most important files for the automatic configuration of a transparent proxy server with WPAD and DHCP on Debian GNU/Linux 4.0.
Good luck!!! dvarela at linuxsc.net