The Web Proxy Autodiscovery Protocol
WPAD certainly isn't new technology. In fact, it's been around for many years. However, it seems that many system administrators are unaware of its magic. Simply put, WPAD allows you to offer proxy information to users in your network without ever touching their computers. The feature is supported by most browsers, and in general, it "just works".
Although proxy information can be sent over DHCP, unfortunately, not all clients honor those settings. For maximum compatibility, it's best to have a local DNS record that points the domain "wpad" to a Web server. You put a configuration file named wpad.dat in the root level of that Web server, and clients get proxy information automatically, assuming they're configured to do so. (Most are by default; this is what your browser refers to as automatically detecting proxy settings.)
Here's a simple wpad.dat file:
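    // Called by the browser for every request; returns the route for that URL.
    function FindProxyForURL(url, host)
    {
        // Unqualified names, the local domain and loopback bypass the proxy.
        if (isPlainHostName(host) ||
            dnsDomainIs(host, "my.local.network.domain.org") ||
            (host == "127.0.0.1"))
            return "DIRECT";
        else
            // Everything else goes through the proxy.
            return "PROXY my.proxy.server.address:8080";
    }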
For more detailed information on how to configure your custom wpad.dat file, check out http://en.wikipedia.org/wiki/Proxy_auto-config.
And, for more information on the Web Proxy Autodiscovery Protocol itself, see http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol.
Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel or on Twitter.
Comments
security risk
WPAD is a security risk!
On a Windows (AD) network it is a risk not to implement it. Or not add a DNS entry called wpad.
If ordinary users are allowed to add computers to AD, it is possible to add a computer with the name wpad. Then it would get an entry in DNS pointing to that computer. If the user of that computer sets up a hack proxy, he can monitor all web access (even https), without users noticing anything... Man-in-the-middle attack!
Windows also has (or had, don't know if it is fixed) the flaw that if it didn't find address wpad.companydomain.co.uk it would try wpad.co.uk...
security of wpad implementation really depends on the admin
While that may be true, the question becomes this: why are ordinary users allowed to add computers to AD? If you have a compromised sys admin account, that's a totally different thing. Btw, the only reason why this (what you mentioned) would work is because the AD implementation is so open: not only are ordinary users able to add hosts, but the name resolution (dns/netbios) is also foobared. For example, dynamic DNS of whatever DNS service you run is enabled (it is enabled by default on Windows DNS). Any formidable admin can fix name resolution issues, as well as ordinary users being able to add to AD - though these issues are separate and you can fix them independently of each other (one should think that adding stuff to AD is related to name resolution, but not the same topic).
And, on those last few lines, I personally don't think that's a flaw: that's how you implement department/sub-domain proxies too.
If one allows name resolution incorrectly, then that stuff you mentioned can happen. Then again, it really depends how you designed your infra.
Advanced playground
Only a few gotchas:
For maximum compatibility you should provide that the URL
http://wpad.mydomain.com/wpad.dat
is active and has to be an "application/x-ns-proxy-autoconfig" MIME type.
You can achieve some redundancy using:
return "PROXY 10.0.10.10:8080; PROXY 10.0.10.20:8080; DIRECT;"
It means that if 10.0.10.10 does not respond (not squid itself, but it seems to be whether or not the proxy host responds to ICMP pings - for most implementations), use it. If not use 10.0.10.20, else go directly to the destination.
beware of pitfalls with
Beware of pitfalls with regard to IPv6 implementations on different systems and browsers, i.e., Firefox might return the 128-bit ip6-address from myIpAddress().
Personally agree with this.
Personally agree with this. WPAD method for proxy implementation is great. Ever tried to work with Linux GW implementation + SQUID + Windows Desktops? It's a headache when you need to tell the Windows Update clients to go through proxies if all other connections need to GW is blocked with exception of the proxy IP address. With WPAD, this is seamless ... and the updates are faster since they're cached by SQUID!