NAME
Apache::ProxyConf - Generate Proxy Configuration for browsers.
SYNOPSIS
# In httpd.conf:
<Location />
SetHandler perl-script
PerlHandler Apache::ProxyConf
PerlSetVar ProxyConfConfig "/some/location/proxyconf.ini"
</Location>
DESCRIPTION
The Apache::ProxyConf is used to configure the proxy settings in
browsers automatically. The modules returns a script that conforms to
the Navigator Proxy Auto-Config File Format. The module is suitable for
large scale installations that have multiple (cascading) proxies. It can
be used to return 'the closest proxy' based on the network topology.
Failover and load distribution is also provided.
Browser configuration
The (virtual) webserver must be entered in the 'Autoconfigure URL' of
the browser to make use of the ProxyConf script.
http://proxyconf.some.domain/
In IE the URL must be specified in the 'Address' field, just below the
'Use automatic configuration script' tickbox.
THE CONFIGURATION FILE
The ProxyConf module first reads a .ini-style configuration file to
determine the proxy settings of the network. The configuration file
contains three sections: proxy, noproxy and https.
The proxy section
The sections proxy and https have an identical format. They contain
lines of the form "subnet=proxyip:port".
Single proxy
[proxy]
172.16.32.0/20=172.16.32.10:3128
The subnet 172.16.32.0/20 has a single proxy defined. The proxy
server is 172.16.32.10 and it listens on port 3128.
Multiple proxies
[proxy]
172.16.0.0/20=172.16.0.10:3128,172.16.0.20:3128
Multiple proxy servers are defined in a comma separated list. In
this example clients in the 172.16.0.0/20 subnet use 172.16.0.10 as
their primary proxy server. When this server becomes unavailable,
the clients will move over to 172.16.0.20 for their proxy requests.
Multiple proxies with load distribution
[proxy]
172.16.0.0/20=(172.16.0.10:3128,172.16.0.20:3128)
When proxy servers are placed between brackets, the load is
distribution amongst the proxies. Some clients will have the first
proxy as primary and some clients will have the second proxy as
primary. The other proxy is used as a backup. The order in which the
proxies are tried depends on the IP address of the client. The
script is deterministic, so for a given IP address the priority list
is always the same.
To determine the proxy list for a given IP address multiple rules may be
applied. Subnets are tried from the highest to the lowest mask. The
module puts all proxies that are found in a list.
The noproxy section
The noproxy section contains hosts that should be contacted by the
clients directly. Noticeably, web servers that use NTLM authentication
will not work when clients connect to them via a proxy server. The
syntax for specifying noproxy hosts is "subnet=fqhn1,fqhn2,..".
Alternatively, the multiline syntax can be used, as shown in this
example.
[noproxy]
0.0.0.0/0=<<EOT
webserver1.some.domain
webserver2.some.domain
EOT
This section defines webservers that are non-proxyable for all networks.
The https section
The https section works like the proxy section. It is used to define
other proxies for secure HTTP traffic than for the normal HTTP traffic.
If this section is missing, or for a specific IP address there are no
https rules, then the normal proxy rules apply.
EXAMPLE
Consider the network in figure 1.
Network A: 172.16.0.0/20
_.-"""""""""""""""""-._
.' `.
/ \
| Proxy A1: 172.16.0.10 |
| |
| Proxy A2: 172.16.0.20 |
\ /
`._ _.'\
`-.................-' \
\
\ Network B: 172.16.16.0/20
\
\ _.-"""""""""""""""""-._
.' `.
/ \
| |
| Proxy B: 172.16.16.10 |
| |
\ /
`._ _.'
/ `-.................-'
/
/
Network C: 172.16.32.0/20 /
/
_.-"""""""""""""""""-._ /
.' `.
/ \
| |
| Proxy C: 172.16.32.10 |
| |
\ /
`._ _.'
`-.................-'
Figure 1.
The proxies have the following connectivity:
Proxy A1 Internet connectivity
Proxy A2 Internet connectivity
Proxy B parents with proxy A1 and A2
Proxy C parents with proxy B and A1
Clients in the three networks need to get the following proxy
configuration:
172.16.0.0/20 Half of the clients connect to proxy A1 and use proxy A2
as fallback, the other half use proxy A2 with A1 as
fallback.
172.16.16.0/20 Clients use proxy B with proxy A2 as fallback.
172.16.32.0/20 Clients use proxy C with proxy B as fallback.
For secure HTTP traffic special rules apply. Because this traffic is not
cached all clients connect to proxy A1 and A2 directly spreading the
load equally.
This is how the proxyconf.ini looks:
[proxy]
172.16.0.0/20=(172.16.0.10:3128,172.16.0.20:3128)
172.16.16.0/20=172.16.16.10:3128,172.16.0.20:3128
172.16.32.0/20=172.16.32.10:3128,172.16.16.10:3128
[https]
172.16.0.0/16=(172.16.0.10:3128,172.16.0.20:3128)
EXTRA OPTIONS
It is possible to add additional noproxy hosts in the 'Autoconfigure
URL' in the browser. This way a local webserver can be tested without
losing the benefits of the proxy config. The following string must be
entered in the 'Autoconfigure URL'.
http://proxyconf.some.domain/?noproxy=hostname.some.domain
Multiple hostnames are specified using a comma as separator.
http://proxyconf.some.domain/?noproxy=fqhn1,fqhn2
DEBUGGING
The proxy config service can be called with a debug option. Type the
following URL in a browser:
http://proxyconf.some.domain/?debug=1&ipaddr=172.16.0.100
The script will generate a html page which contains the settings of all
variables and displays the script it sends to the browser for the
specified IP address.
AUTHOR
Patrick Schoo <pschoo@playbeing.com>
Originally written by Bert Driehuis <driehuis@playbeing.org>