Version used: nethserver 7.3
Suppose the Nethserver host has:
- IP address: 192.168.1.1. LAN IP subnet is 192.168.1.0/24
- FQDN (set at install time or modified via the nethserver web admin interface): proxy.lan.example.com
Nethserver 7.3 creates this wpad.dat file in /var/www/html/:
function FindProxyForURL(url, host)
{
    // Direct access to localhost
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    // Direct access to local hosts
    if (isPlainHostName(host))
        return "DIRECT";
    // eno1:192.168.1.0 green authenticated
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:3128";
    // DEFAULT
    return "PROXY 192.168.1.1:3128";
}
Notice it uses PROXY return values containing the server LAN IP address.
When a user's workstation web browser has been configured (in one way or another) to use http://proxy.lan.example.com/wpad.dat as a proxy auto-configuration script, then:
- He/she is presented a proxy authentication dialog
- The credentials, even when correctly entered, aren't accepted
The /var/log/squid/cache.log log file records:
2017/06/12 11:19:50 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
This indicates the browser is trying to negotiate NTLM (which is unsupported by Nethserver's Squid as of Nethserver 7.x) instead of Kerberos.
The switching or fallback to NTLM by the browser is caused by the fact that the proxy specification sent by the WPAD file is an IP address.
This contradicts Nethserver's own documentation:
http://docs.nethserver.org/en/v7/web_proxy.html#authenticated-mode
If I modify the wpad.dat file and set the PROXY lines to return proxy proxy.lan.example.com:3128 things start to work. But, as you know, this will only work until Nethserver overwrites it automatically at some point.
Regards,
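
The check below is an added example, not part of the original post and not Nethserver code: it evaluates a PAC file with stand-in helper functions and reports any PROXY entry whose target is an IP literal, the condition the post ties to the NTLM fallback. The helper names `pacHelpers` and `ipLiteralProxies`, the client address and the test URL are assumptions, and the stand-in `isInNet` does no DNS resolution.

```javascript
// Added example: audit a PAC file for proxy entries given as IP literals.
// Per the post, an IP literal makes the browser send NTLM instead of Kerberos.

// Constructed sample: the generated wpad.dat quoted in the post.
const generatedPac = `
function FindProxyForURL(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255")) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    return "PROXY 192.168.1.1:3128";
  return "PROXY 192.168.1.1:3128";
}`;
// Constructed sample: the manual fix described in the post.
const fixedPac = generatedPac.replace(/192\.168\.1\.1:3128/g, "proxy.lan.example.com:3128");

const ipToInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);

// Minimal stand-ins for the PAC helper functions this file calls (hypothetical,
// simplified: isInNet only matches hosts that are already IPv4 literals).
function pacHelpers(clientIp) {
  return {
    isInNet: (h, net, mask) =>
      isIPv4(h) && ((ipToInt(h) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0),
    isPlainHostName: (h) => !h.includes("."),
    myIpAddress: () => clientIp,
  };
}

// Evaluate the PAC for one URL as seen from clientIp and return the proxy
// hosts that are IP literals (empty array means every entry uses a name).
function ipLiteralProxies(pacSource, url, clientIp) {
  const h = pacHelpers(clientIp);
  const find = new Function("isInNet", "isPlainHostName", "myIpAddress",
    pacSource + "\nreturn FindProxyForURL;")(h.isInNet, h.isPlainHostName, h.myIpAddress);
  const host = new URL(url).hostname;
  return String(find(url, host))
    .split(";")
    .map((entry) => entry.trim().split(/\s+/))
    .filter(([kind, target]) => /^(PROXY|HTTPS)$/i.test(kind) && target)
    .map(([, target]) => target.replace(/:\d+$/, ""))
    .filter((hostPart) => isIPv4(hostPart) || hostPart.startsWith("["));
}

console.log(ipLiteralProxies(generatedPac, "http://www.example.org/", "192.168.1.50"));
console.log(ipLiteralProxies(fixedPac, "http://www.example.org/", "192.168.1.50"));
```

Run it against the live file after each configuration change to catch the point where the generated wpad.dat overwrites a manual edit.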