Distributing Internet Access to users

Client Side Configuration

Transparent proxying allows you to redirect client requests transparently to the proxy.
But you cannot transparently redirect HTTPS or CONNECT requests.
Hence it is always better to configure browsers and other applications to use a proxy.

Networks with directory services can push proxy settings to clients using group policies.
Networks that do not have such a facility can opt for the following methods -


Manual Configuration

Users can manually configure browsers and other applications to use SafeSquid Proxy.
For example, in Internet Explorer, you can specify the IP:PORT the proxy is listening on, by selecting -
Tools >> Internet Options >> Connections >> LAN Settings >> Use a proxy server for your LAN

Similarly, the proxy settings in Firefox can be specified from -
Tools >> Options >> Advanced >> Network >> Settings >> Manual proxy configuration.


Using PAC (Proxy Auto Configuration) file

The PROXY.PAC file

The PAC (Proxy Auto Configuration) file is a function written in JavaScript that acts as a request routing control file for browsers and other applications that access the Internet.
The proxy.pac file can not only be used to automatically configure proxy settings, but also for various other complex functions.
It can be used to either route a request through a proxy or allow a DIRECT access, or distribute requests between multiple proxies, based on Protocol, IP address of the client, requested URLs, etc.
Hence it can even perform functions like Load-Balancing and Fail-Over for redundancy.

Although you still need to manually configure each client to use the PAC file initially, it gives you the flexibility of changing proxy settings for all / specific clients, or bypassing the proxy for specific IPs, URLs or domains, just by editing the PAC file.

For a detailed explanation, see - http://www.craigjconsulting.com/proxypac.html

Accessing proxy.pac file in SafeSquid

SafeSquid produces proxy.pac file in real-time.
If you configure your browser proxy settings to point to SafeSquid Proxy, you will be able to access this file with the URL -

http://safesquid.cfg/template/proxy.pac

Note: Most browsers might either give an error when you access the above URL, or prompt you to download the file, which is normal.

To be able to access the SafeSquid proxy.pac file without configuring the browser proxy settings, you will have to change the value of the HOST parameter in the startup.conf file (Linux) to the IP address on which SafeSquid is listening (requires a restart of the SafeSquid service).
This can also be done by executing the command - /etc/init.d/safesquid adjust

Windows users can change this parameter by editing the following registry key -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeSquid\Parameters

After changing the HOST parameter and restarting SafeSquid, you will be able to access the proxy.pac file without configuring the browser proxy settings with the URL -

http://IP:PORT/safesquid.cfg/template/proxy.pac
where IP:PORT is the IP address and Port on which SafeSquid is listening, for example -
http://10.0.0.5:8080/safesquid.cfg/template/proxy.pac


The proxy.pac file simply returns the IP:PORT of the SafeSquid Proxy, for example -
Content of http://safesquid.cfg/template/proxy.pac
function FindProxyForURL(url, host) {
      return "PROXY 10.0.0.5:8080;DIRECT"
}

This function instructs the browser to use the SafeSquid Proxy that is listening on 10.0.0.5:8080, and if it is not accessible, to attempt a DIRECT access.


Using SafeSquid's default proxy.pac file

Initially, you will have to manually configure client browsers and other applications to use proxy.pac file.
For example, in Internet Explorer, you can specify the location of the file (e.g. http://10.0.0.5:8080/safesquid.cfg/template/proxy.pac), by selecting -

Tools >> Internet Options >> Connections >> LAN Settings >> Use automatic configuration script

Similarly, the proxy settings in Firefox can be specified from -

Tools >> Options >> Advanced >> Network >> Settings >> Automatic proxy configuration URL

After making the above changes, the client browsers will access the proxy.pac file from the specified URL, and will set their proxy as specified in the proxy.pac file.


Using a customized proxy.pac file in SafeSquid

The default proxy.pac file that is served by SafeSquid is not editable.
But you might want to use a customized PAC file for various reasons, like bypassing the proxy for local hosts, configuring clients to use a secondary proxy if the primary fails, load-balancing between multiple proxy servers, etc. (check out the details and a few sample scripts from the links provided at the beginning of this article).

You can use a customized proxy.pac file, by creating a 'Template' of the file in the SafeSquid Customizable Templates section, as explained below:

Create a customized pac file, which we will call myproxy.pac in this example, and copy it to the template path that is specified in the SafeSquid Interface Config >> Templates section.
The default path in the Linux Edition is /opt/safesquid/safesquid/templates
The Windows Edition does not have a default path specified, and you can set the path to any suitable location, like C:\Program Files\SafeSquid Personal\Templates

After copying the myproxy.pac file to the template path, click on Add under the Template subsection and add the following rule -

Now, to use the customized pac file myproxy.pac in client browsers, instead of specifying http://10.0.0.5:8080/safesquid.cfg/template/proxy.pac, specify http://10.0.0.5:8080/safesquid.cfg/template/myproxy
This will allow the client browsers to fetch the customized PAC file instead of the default file.


Using PAC file in SafeSquid with authentication enabled

When user authentication is enabled in SafeSquid, users will be asked to authenticate, even when a request is made for the default or customized PAC file.
This can be avoided by -

1.   Making SafeSquid listen on an additional port

2.   Making the PAC file available without authentication on this additional port

3.   Configuring the PAC file to redirect requests to the authenticated port

 

1. Making SafeSquid listen on an additional port

To make SafeSquid listen on an additional port, apart from the one that it is configured to listen on (say 8080), in the SafeSquid Interface, go to Config >> Network Settings, click on Add under Listen subsection, and add the following rule:

The above rule will make SafeSquid listen on Port 8081, and also on the port that it was configured to listen on during installation (Default - Port 8080).
Save the changes by clicking on Save setting from the top menu in the Interface and restart SafeSquid.
After restarting, SafeSquid will start listening on both ports, 8080 and 8081 in this example.

2. Making the PAC file available without authentication on this additional port
Now since SafeSquid is listening on both Ports 8080 and 8081, you will be able to access the proxy on both the ports.
Similarly, you will also be able to access your customized PAC file on Port 8081, with the URL http://10.0.0.5:8081/safesquid.cfg/template/myproxy, but it will be authenticated too.

What you need to do now is to disable authentication on Port 8081, so that clients are able to access the PAC file without an authentication challenge, and deny Internet access on Port 8081, so that users are only able to access the PAC file, and not use it for surfing.

After restarting SafeSquid, in the Interface, go to Config >> Access restrictions, click on Add under Allow subsection (presuming Policy=Deny) and add this rule:

The above rule allows access to the proxy without authentication (username / password is blank and PAM is false) on the interface 10.0.0.5:8081
Push this rule to the top of all other rules in the Access restriction section by clicking on Top under the rule, so that this is the first rule in the section.


Note that the Access field is missing in the above rule.
This is because all the options in the Access section of the rule (Web interface, Proxy requests, HTTP requests, Transparent proxying, CONNECT requests, Allow bypassing, URL commands) were removed, or un-ticked, so that users are not able to access anything on this Interface.
This does not deny them from accessing the default, or any custom templates, and hence they will be able to access the PAC files.

3. Configuring the PAC file to redirect requests to the authenticated port
Next, configure the customized PAC file to redirect requests to 10.0.0.5:8080, which is the default authenticated Interface that is supposed to be used for accessing the Internet.

Simple example of myproxy.pac to redirect requests to 10.0.0.5:8080

function FindProxyForURL(url, host) {
      return "PROXY 10.0.0.5:8080;DIRECT";
}

Configure the clients to use the custom PAC file at http://10.0.0.5:8081/safesquid.cfg/template/myproxy
The clients will be able to access the PAC file without authenticating, and the PAC file will redirect them to the authenticated interface at 10.0.0.5:8080
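
A fuller myproxy.pac covering the uses mentioned earlier (bypassing the proxy for local hosts, failing over to a secondary proxy), given here as an added example and not SafeSquid's own file. It leaves out the trailing DIRECT for external hosts, because a DIRECT fallback lets a browser skip the authenticated proxy whenever the proxy is unreachable. The secondary proxy 10.0.0.6:8080, the 10.0.0.0/8 LAN range, the .corp.example domain and the hostsAllowedDirect audit helper are assumptions.

```javascript
// Added example: customized myproxy.pac. 10.0.0.6:8080, the 10.0.0.0/8 LAN range
// and ".corp.example" are assumptions; 10.0.0.5:8080 is the page's proxy.
// ES5 syntax only, since some PAC engines do not parse newer JavaScript.

// Stand-ins for helpers the browser's PAC engine supplies natively. They exist
// so the file can be tested under Node.js; remove them from the deployed file.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split("."), n = 0, i;
  for (i = 0; i < 4; i++) n = n * 256 + Number(p[i]);
  return n;
}
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

var PRIMARY = "PROXY 10.0.0.5:8080";   // authenticated SafeSquid port
var SECONDARY = "PROXY 10.0.0.6:8080"; // hypothetical second proxy

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and the assumed internal domain bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Literal LAN addresses go direct; hostnames are not resolved here.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else: primary, then secondary. No trailing DIRECT, so an
  // unreachable proxy fails the request instead of skipping the proxy.
  return PRIMARY + "; " + SECONDARY;
}

// Audit helper: list the hosts for which a PAC function permits DIRECT access.
function hostsAllowedDirect(pacFn, hosts) {
  var out = [], i, j, parts;
  for (i = 0; i < hosts.length; i++) {
    parts = pacFn("http://" + hosts[i] + "/", hosts[i]).split(";");
    for (j = 0; j < parts.length; j++) {
      if (parts[j].replace(/\s+/g, "") === "DIRECT") { out.push(hosts[i]); break; }
    }
  }
  return out;
}
```

Running hostsAllowedDirect over a list of representative hostnames before publishing a PAC file shows at a glance which destinations can leave the network without passing through the proxy.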


Using WPAD (Web Proxy Auto Discovery)

If you have a DHCP or DNS server and a Web Server in your network, you can make use of WPAD (Web Proxy Auto Discovery) protocol, to automatically configure the clients. WPAD is a proxy.pac file renamed as wpad.dat, located on a Web server, and resolved for the client either by DHCP or DNS server in the network. The clients are configured to use 'Automatically detect settings' in Internet Explorer and 'Auto-Detect proxy settings for this network' in Firefox.

For details, see - Configure Wpad Through DNS or http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol