File: FAQ-5.html

package info (click to toggle)
squid 2.6.5-6etch5
links: PTS
area: main
in suites: etch
size: 12,540 kB
ctags: 13,801
sloc: ansic: 105,278; sh: 6,083; makefile: 1,297; perl: 1,245; awk: 40
file content (514 lines) | stat: -rw-r--r-- 21,730 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>SQUID Frequently Asked Questions: Communication between browsers and Squid</TITLE>
 <LINK HREF="FAQ-6.html" REL=next>
 <LINK HREF="FAQ-4.html" REL=previous>
 <LINK HREF="FAQ.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="FAQ-6.html">Next</A>
<A HREF="FAQ-4.html">Previous</A>
<A HREF="FAQ.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5.</A> <A HREF="FAQ.html#toc5">Communication between browsers and Squid</A></H2>

<P>Most web browsers available today support proxying and are easily configured
to use a Squid server as a proxy.  Some browsers support advanced features
such as lists of domains or URL patterns that shouldn't be fetched through
the proxy, or JavaScript automatic proxy configuration.</P>

<H2><A NAME="ss5.1">5.1</A> <A HREF="FAQ.html#toc5.1">Netscape manual configuration</A>
</H2>

<P>Select <B>Network Preferences</B> from the
<B>Options</B> menu.  On the <B>Proxies</B>
page, click the radio button next to <B>Manual Proxy
Configuration</B> and then click on the <B>View</B>
button.  For each protocol that your Squid server supports (by default,
HTTP, FTP, and gopher) enter the Squid server's hostname or IP address
and put the HTTP port number for the Squid server (by default, 3128) in
the <B>Port</B> column.  For any protocols that your Squid
does not support, leave the fields blank.</P>
<P>Here is a
<A HREF="/Doc/FAQ/navigator.jpg">screen shot</A> of the Netscape Navigator manual proxy
configuration screen.</P>


<H2><A NAME="netscape-pac"></A> <A NAME="ss5.2">5.2</A> <A HREF="FAQ.html#toc5.2">Netscape automatic configuration</A>
</H2>

<P>Netscape Navigator's proxy configuration can be automated with
JavaScript (for Navigator versions 2.0 or higher).  Select
<B>Network Preferences</B> from the <B>Options</B>
menu.  On the <B>Proxies</B> page, click the radio button
next to <B>Automatic Proxy Configuration</B> and then
fill in the URL for your JavaScript proxy configuration file in the
text box.  The box is too small, but the text will scroll to the
right as you go.</P>
<P>Here is a
<A HREF="/Doc/FAQ/navigator-auto.jpg">screen shot</A>
of the Netscape Navigator automatic proxy configuration screen.</P>
<P>You may also wish to consult Netscape's documentation for the Navigator
<A HREF="http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html">JavaScript proxy configuration</A></P>

<P>Here is a sample auto configuration JavaScript from Oskar Pearson:
<HR>
<PRE>
//We (www.is.co.za) run a central cache for our customers that they
//access through a firewall - thus if they want to connect to their intranet
//system (or anything in their domain at all) they have to connect
//directly - hence all the "fiddling" to see if they are trying to connect
//to their local domain.

//Replace each occurrence of company.com with your domain name
//and if you have some kind of intranet system, make sure
//that you put it's name in place of "internal" below.

//We also assume that your cache is called "cache.company.com", and
//that it runs on port 8080. Change it down at the bottom.

//(C) Oskar Pearson and the Internet Solution (http://www.is.co.za)

    function FindProxyForURL(url, host)
        {
            //If they have only specified a hostname, go directly.
            if (isPlainHostName(host))
                    return "DIRECT";

            //These connect directly if the machine they are trying to
            //connect to starts with "intranet" - ie http://intranet
            //Connect  directly if it is intranet.*
            //If you have another machine that you want them to
            //access directly, replace "internal*" with that
            //machine's name
            if (shExpMatch( host, "intranet*")||
                            shExpMatch(host, "internal*"))
                return "DIRECT";

            //Connect directly to our domains (NB for Important News)
            if (dnsDomainIs( host,"company.com")||
            //If you have another domain that you wish to connect to
            //directly, put it in here
                            dnsDomainIs(host,"sistercompany.com"))
                return "DIRECT";

            //So the error message "no such host" will appear through the
            //normal Netscape box - less support queries :)
            if (!isResolvable(host))
                    return "DIRECT";

            //We only cache http, ftp and gopher
            if (url.substring(0, 5) == "http:" ||
                            url.substring(0, 4) == "ftp:"||
                            url.substring(0, 7) == "gopher:")

            //Change the ":8080" to the port that your cache
            //runs on, and "cache.company.com" to the machine that
            //you run the cache on
                    return "PROXY cache.company.com:8080; DIRECT";

            //We don't cache WAIS
            if (url.substring(0, 5) == "wais:")
                    return "DIRECT";

            else
                    return "DIRECT";
        }
</PRE>
<HR>
</P>

<H2><A NAME="ss5.3">5.3</A> <A HREF="FAQ.html#toc5.3">Lynx and Mosaic configuration</A>
</H2>

<P>For Mosaic and Lynx, you can set environment variables
before starting the application.  For example (assuming csh or tcsh):</P>
<P>
<PRE>
        % setenv http_proxy http://mycache.example.com:3128/
        % setenv gopher_proxy http://mycache.example.com:3128/
        % setenv ftp_proxy http://mycache.example.com:3128/
</PRE>
</P>
<P>For Lynx you can also edit the <EM>lynx.cfg</EM> file to configure
proxy usage.  This has the added benefit of causing all Lynx users on
a system to access the proxy without making environment variable changes
for each user.  For example:
<PRE>
        http_proxy:http://mycache.example.com:3128/
        ftp_proxy:http://mycache.example.com:3128/
        gopher_proxy:http://mycache.example.com:3128/
</PRE>
</P>

<H2><A NAME="ss5.4">5.4</A> <A HREF="FAQ.html#toc5.4">Redundant Proxy Auto-Configuration</A>
</H2>

<P>There's one nasty side-effect to using auto-proxy scripts: if you start
the web browser it will try and load the auto-proxy-script.</P>

<P>If your script isn't available either because the web server hosting the
script is down or your workstation can't reach the web server (e.g.
because you're working off-line with your notebook and just want to
read a previously saved HTML-file) you'll get different errors depending
on the browser you use.</P>

<P>The Netscape browser will just return an error after a timeout (after
that it tries to find the site 'www.proxy.com' if the script you use is
called 'proxy.pac').</P>

<P>The Microsoft Internet Explorer on the other hand won't even start, no
window displays, only after about 1 minute it'll display a window asking
you to go on with/without proxy configuration.</P>

<P>The point is that your workstations always need to locate the
proxy-script. I created some extra redundancy by hosting the script on
two web servers (actually Apache web servers on the proxy servers
themselves) and adding the following records to my primary nameserver:
<PRE>
proxy    IN A    10.0.0.1 ; IP address of proxy1
         IN A    10.0.0.2 ; IP address of proxy2
</PRE>

The clients just refer to 'http://proxy/proxy.pac'.  This script looks like this:</P>
<P>
<PRE>
function FindProxyForURL(url,host)
{
        // Hostname without domainname or host within our own domain?
        // Try them directly:
        // http://www.domain.com actually lives before the firewall, so
        // make an exception:
        if ((isPlainHostName(host)||dnsDomainIs( host,".domain.com")) &amp;&amp;
                !localHostOrDomainIs(host, "www.domain.com"))
                return "DIRECT";

        // First try proxy1 then proxy2. One server mostly caches '.com'
        // to make sure both servers are not
        // caching the same data in the normal situation. The other
        // server caches the other domains normally.
        // If one of 'm is down the client will try the other server.
        else if (shExpMatch(host, "*.com"))
                return "PROXY proxy1.domain.com:8080; PROXY proxy2.domain.com:8081; DIRECT";
        return "PROXY proxy2.domain.com:8081; PROXY proxy1.domain.com:8080; DIRECT";
}
</PRE>
</P>

<P>I made sure every client domain has the appropriate 'proxy' entry.
The clients are automatically configured with two nameservers using
DHCP.</P>
<P>
<BLOCKQUOTE>
--
<A HREF="mailto:RvdOever@baan.nl">Rodney van den Oever</A></BLOCKQUOTE>
</P>

<H2><A NAME="ss5.5">5.5</A> <A HREF="FAQ.html#toc5.5">Proxy Auto-Configuration with URL Hashing</A>
</H2>

<P>The
<A HREF="http://naragw.sharp.co.jp/sps/">Sharp Super Proxy Script page</A>
contains a lot of good information about hash-based proxy auto-configuration
scripts.  With these you can distribute the load between a number
of caching proxies.</P>

<H2><A NAME="ss5.6">5.6</A> <A HREF="FAQ.html#toc5.6">Microsoft Internet Explorer configuration</A>
</H2>

<P>Select <B>Options</B> from the <B>View</B>
menu.  Click on the <B>Connection</B> tab.  Tick the
<B>Connect through Proxy Server</B> option and hit the
<B>Proxy Settings</B> button.  For each protocol that
your Squid server supports (by default, HTTP, FTP, and gopher)
enter the Squid server's hostname or IP address and put the HTTP
port number for the Squid server (by default, 3128) in the
<B>Port</B> column.  For any protocols that your Squid
does not support, leave the fields blank.</P>
<P>Here is a
<A HREF="/Doc/FAQ/msie.jpg">screen shot</A> of the Internet Explorer proxy
configuration screen.</P>
<P>Microsoft is also starting to support Netscape-style JavaScript
automated proxy configuration.  As of now, only MSIE version 3.0a
for Windows 3.1 and Windows NT 3.51 supports this feature (i.e.,
as of version 3.01 build 1225 for Windows 95 and NT 4.0, the feature
was not included).</P>
<P>If you have a version of MSIE that does have this feature, elect
<B>Options</B> from the <B>View</B> menu.
Click on the <B>Advanced</B> tab.  In the lower left-hand
corner, click on the <B>Automatic Configuration</B>
button.  Fill in the URL for your JavaScript file in the dialog
box it presents you.  Then exit MSIE and restart it for the changes
to take effect.  MSIE will reload the JavaScript file every time
it starts.</P>

<H2><A NAME="ss5.7">5.7</A> <A HREF="FAQ.html#toc5.7">Netmanage Internet Chameleon WebSurfer configuration</A>
</H2>

<P>Netmanage WebSurfer supports manual proxy configuration and exclusion
lists for hosts or domains that should not be fetched via proxy
(this information is current as of WebSurfer 5.0).  Select
<B>Preferences</B> from the <B>Settings</B>
menu.  Click on the <B>Proxies</B> tab.  Select the
<B>Use Proxy</B> options for HTTP, FTP, and gopher.  For
each protocol that enter the Squid server's hostname or IP address
and put the HTTP port number for the Squid server (by default,
3128) in the <B>Port</B> boxes.  For any protocols that
your Squid does not support, leave the fields blank.</P>
<P>Take a look at this
<A HREF="/Doc/FAQ/netmanage.jpg">screen shot</A>
if the instructions confused you.</P>
<P>On the same configuration window, you'll find a button to bring up
the exclusion list dialog box, which will let you enter some hosts
or domains that you don't want fetched via proxy.  It should be
self-explanatory, but you might look at this
<A HREF="/Doc/FAQ/netmanage-exclusion.jpg">screen shot</A>
just for fun anyway.</P>

<H2><A NAME="ss5.8">5.8</A> <A HREF="FAQ.html#toc5.8">Opera 2.12 proxy configuration</A>
</H2>

<P>Select <EM>Proxy Servers...</EM> from the <EM>Preferences</EM> menu.  Check each
protocol that your Squid server supports (by default, HTTP, FTP, and
Gopher) and enter the Squid server's address as hostname:port (e.g.
mycache.example.com:3128 or 123.45.67.89:3128).  Click on <EM>Okay</EM> to accept the
setup.</P>

<P>Notes:
<UL>
<LI>Opera 2.12 doesn't support gopher on its own, but requires a proxy; therefore
Squid's gopher proxying can extend the utility of your Opera immensely.</LI>
<LI>Unfortunately, Opera 2.12 chokes on some HTTP requests, for example
<A HREF="http://spam.abuse.net/spam/">abuse.net</A>.
At the moment I think it has something to do with cookies.  If you have
trouble with a site, try disabling the HTTP proxying by unchecking
that protocol in the <EM>Preferences</EM>|<EM>Proxy Servers...</EM> dialogue.  Opera will
remember the address, so reenabling is easy.</LI>
</UL>
</P>
<P>
<BLOCKQUOTE>
--
<A HREF="mailto:hclsmith@tallships.istar.ca">Hume Smith</A></BLOCKQUOTE>
</P>

<H2><A NAME="ss5.9">5.9</A> <A HREF="FAQ.html#toc5.9">How do I tell Squid to use a specific username for FTP urls?</A>
</H2>

<P>Insert your username in the host part of the URL, for example:
<PRE>
        ftp://joecool@ftp.foo.org/
</PRE>

Squid should then prompt you for your account password.  Alternatively,
you can specify both your username and password in the URL itself:
<PRE>
        ftp://joecool:secret@ftp.foo.org/
</PRE>

However, we certainly do not recommend this, as it could be very
easy for someone to see or grab your password.</P>

<H2><A NAME="ss5.10">5.10</A> <A HREF="FAQ.html#toc5.10">Configuring Browsers for WPAD</A>
</H2>

<P>by 
<A HREF="mailto:mark@rts.com.au">Mark Reynolds</A></P>
<P>You may like to start by reading the
<A HREF="http://www.web-cache.com/Writings/Internet-Drafts/draft-ietf-wrec-wpad-01.txt">Expired Internet-Draft</A>
that describes WPAD.</P>

<P>After reading the 8 steps below, if you don't understand any of the
terms or methods mentioned, you probably shouldn't be doing this.
Implementing wpad requires you to <B>fully</B> understand:
<OL>
<LI> web server installations and modifications.</LI>
<LI>squid proxy server (or others) installation etc.</LI>
<LI>Domain Name System maintenance etc.</LI>
</OL>

Please don't bombard the squid list with web server or dns questions. See
your system administrator, or do some more research on those topics.</P>

<P>This is not a recommendation for any product or version. As far as I
know IE5 is the only browser out now implementing wpad. I think wpad
is an excellent feature that will return several hours of life per month.
Hopefully, all browser clients will implement it as well. But it will take
years for all the older browsers to fade away though.</P>

<P>I have only focused on the domain name method, to the exclusion of the
DHCP method. I think the dns method might be easier for most people.
I don't currently, and may never, fully understand wpad and IE5, but this
method worked for me. It <B>may</B> work for you.</P>

<P>But if you'd rather just have a go ...
<OL>
<LI>Create a standard 
<A HREF="#netscape-pac">netscape auto    proxy config file</A>.  The sample provided there is more than
adequate to get you going.  No doubt all the other load balancing
and backup scripts will be fine also.
</LI>
<LI>Store the resultant file in the document root directory of a
handy web server as <EM>wpad.dat</EM> (Not <EM>proxy.pac</EM> as you
may have previously done.)

<P>
<A HREF="mailto:ira at racoon.riga.lv">Andrei Ivanov</A>
notes that you should be able to use an HTTP redirect if you
want to store the wpad.dat file somewhere else.  You can probably
even redirect <EM>wpad.dat</EM> to <EM>proxy.pac</EM>:
<PRE>
Redirect /wpad.dat http://racoon.riga.lv/proxy.pac
</PRE>
</P>

</LI>
<LI>If you do nothing more, a url like
<CODE>http://www.your.domain.name/wpad.dat</CODE> should bring up
the script text in your browser window.
</LI>
<LI>Insert the following entry into your web server <EM>mime.types</EM> file.
Maybe in addition to your pac file type, if you've done this before.
<PRE>
        application/x-ns-proxy-autoconfig       dat
</PRE>

And then restart your web server, for new mime type to work.
</LI>
<LI>Assuming Internet Explorer 5, under <EM>Tools</EM>, <EM>Internet
Options</EM>, <EM>Connections</EM>, <EM>Settings</EM> <B>or</B> <EM>Lan
Settings</EM>, set <B>ONLY</B> <EM>Use Automatic Configuration Script</EM>
to be the URL for where your new <EM>wpad.dat</EM> file can be found.
i.e.  <CODE>http://www.your.domain.name/wpad.dat</CODE> Test that
that all works as per your script and network.  There's no point
continuing until this works ...
</LI>
<LI>Create/install/implement a DNS record so that
<CODE>wpad.your.domain.name</CODE> resolves to the host above where
you have a functioning auto config script running. You should
now be able to use <CODE>http://wpad.your.domain.name/wpad.dat</CODE>
as the Auto Config Script location in step 5 above.
</LI>
<LI>And finally, go back to the setup screen detailed in 5 above,
and choose nothing but the <EM>Automatically Detect Settings</EM>
option, turning everything else off. Best to restart IE5, as
you normally do with any Microsoft product... And it should all
work. Did for me anyway.
</LI>
<LI>One final question might be 'Which domain name does the client
(IE5) use for the wpad... lookup?' It uses the hostname from
the control panel setting.  It starts the search by adding the
hostname "WPAD" to current fully-qualified domain name.  For
instance, a client in a.b.Microsoft.com would search for a WPAD
server at wpad.a.b.microsoft.com. If it could not locate one,
it would remove the bottom-most domain and try again; for
instance, it would try wpad.b.microsoft.com next. IE 5 would
stop searching when it found a WPAD server or reached the
third-level domain, wpad.microsoft.com.

</LI>
</OL>
</P>

<P>Anybody using these steps to install and test, please feel free to make
notes, corrections or additions for improvements, and post back to the
squid list...</P>

<P>There are probably many more tricks and tips which hopefully will be
detailed here in the future. Things like <EM>wpad.dat</EM> files being served
from the proxy server themselves, maybe with a round robin dns setup
for the WPAD host.</P>

<H2><A NAME="ss5.11">5.11</A> <A HREF="FAQ.html#toc5.11">Configuring Browsers for WPAD with DHCP</A>
</H2>

<P>You can also use DHCP to configure browsers for WPAD.
This technique allows you to set any URL as the PAC
URL.  For ISC DHCPD, enter a line like this in your
<EM>dhcpd.conf</EM> file:
<PRE>
        option wpad code 252 = text;
        option wpad "http://www.example.com/proxy.pac";
</PRE>
</P>
<P>Replace the hostname with the name or address of your
own server.</P>
<P>Ilja Pavkovic notes that the DHCP mode does not work reliably with
every version of Internet Explorer. The DNS name method to find
wpad.dat is more reliable.</P>
<P>Another user adds that IE 6.01 seems to strip the last character
from the URL.  By adding a trailing newline, he is able to make
it work with both IE 5.0 and 6.0:&lt;
<PRE>
        option wpad "http://www.example.com/proxy.pac\n";
</PRE>
</P>


<H2><A NAME="ss5.12">5.12</A> <A HREF="FAQ.html#toc5.12">IE 5.0x crops trailing slashes from FTP URL's</A>
</H2>

<P>by 
<A HREF="mailto:reuben at reub dot net">Reuben Farrelly</A></P>
<P>There was a bug in the 5.0x releases of Internet Explorer in which IE 
cropped any trailing slash off an FTP URL.  The URL showed up correctly in 
the browser's ``Address:'' field, however squid logs show that the trailing 
slash was being taken off.</P>
<P>An example of where this impacted squid if you had a setup where squid 
would go direct for FTP directory listings but forward a request to a 
parent for FTP file transfers.  This was useful if your upstream proxy was 
an older version of Squid or another vendors software which displayed 
directory listings with broken icons and you wanted your own local version 
of squid to generate proper FTP directory listings instead.
The workaround for this is to add a double slash to any directory listing 
in which the slash was important, or else upgrade to IE 5.5.  (Or use Netscape)</P>

<H2><A NAME="ss5.13">5.13</A> <A HREF="FAQ.html#toc5.13">IE 6.0 SP1 fails when using authentication</A>
</H2>

<P>When using authentication with Internet Explorer 6 SP1, you may 
encounter issues when you first launch Internet Explorer.
The problem will show itself when you first authenticate, you will
receive a "Page Cannot Be Displayed" error. However, if you click
refresh, the page will be correctly displayed. </P>

<P>This only happens immediately after you authenticate.</P>

<P>This is not a Squid error or bug.   Microsoft broke the Basic
Authentication when they put out IE6 SP1.</P>

<P>There is a knowledgebase article 
(
<A HREF="http://support.microsoft.com/default.aspx?id=kb;en-us;331906">KB 331906</A>)
regarding this issue, which contains a link to a downloadable 
"hot fix." They do warn that this code is not "regression tested"
but so far there have not been any reports of this breaking anything
else. The problematic file is wininet.dll. Please note that this
hotfix is included in the latest security update.</P>

<P>Lloyd Parkes notes that the article references another article,
<A HREF="http://support.microsoft.com/default.aspx?scid=kb;EN-US;312176">KB 312176</A>.
He says that you must <B>not</B> have the registry entry that KB
312176 encourages users to add to their registry.</P>

<P>According to Joao Coutinho, this simple solution also corrects the problem:
<UL>
<LI>Go to Tools/Internet</LI>
<LI>Go to Options/Advanced</LI>
<LI>UNSELECT "Show friendly HTTP error messages" under Browsing.</LI>
</UL>
</P>

<P>Another possible workaround to these problems is to make the
ERR_CACHE_ACCESS_DENIED larger than 1460 bytes. This should trigger
IE to handle the authentication in a slightly different manner.</P>


<HR>
<A HREF="FAQ-6.html">Next</A>
<A HREF="FAQ-4.html">Previous</A>
<A HREF="FAQ.html#toc5">Contents</A>
</BODY>
</HTML>