Automating Browser Proxy Setting Through Proxy Configuration Script

I had a requirement to write a script for a browser so that it automatically bypasses a few local servers and sends every other address through the proxy. There are several technologies through which this can be done.

I used a configuration file with the ‘.pac’ extension, which is widely accepted by today’s standard browsers. It is a simple script that instructs the browser, depending on the address it requests, whether to use the proxy or not. Here’s how the script looks:


function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY 192.168.1.100:8080";   // send the request through the proxy
    var proxy_no = "DIRECT";                      // connect directly, without any proxy

    // local servers that must be reached without the proxy
    if (shExpMatch(url, "http://192.168.1.10*")) { return proxy_no; }
    if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
    if (shExpMatch(url, "*192.168.1.12*")) { return proxy_no; }

    // everything else goes through the proxy
    return proxy_yes;
}


The function takes the requested URL and the host (here an IP address) taken from it. I declare two variables: the first holds the address of the proxy server and the second tells the browser to use a direct connection, meaning don’t use the proxy. In the first three “if” conditions, a match returns the direct-connection value, in other words no proxy server is used. For everything else the proxy is used.

I put the script in a local webserver and told all the browsers to use this script.
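Before publishing a PAC file it is worth checking what its wildcards really match. The harness below is an added example, not code from the original post: it emulates the browser’s shExpMatch() with a glob-to-RegExp shim, runs the rules above over a few constructed URLs, and sets them beside a host-based variant (FindProxyForURLByHost, an assumption about the intended hosts) in which the scheme, path and query string cannot affect the decision.

```javascript
// Added example (not from the original post): an offline harness that emulates the
// browser's shExpMatch() so the PAC rules can be checked before the file is deployed.
// Sample URLs below are constructed for the demonstration.
function shExpMatch(str, pattern) {
  // Shell-style glob -> anchored RegExp: escape metacharacters, then map * and ?.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The post's rules, reproduced as written so their decisions can be observed.
function FindProxyForURL(url, host) {
  var proxy_yes = "PROXY 192.168.1.100:8080";
  var proxy_no = "DIRECT";
  if (shExpMatch(url, "http://192.168.1.10*")) { return proxy_no; }
  if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
  if (shExpMatch(url, "*192.168.1.12*")) { return proxy_no; }
  return proxy_yes;
}

// Variant that matches on the host component only (an assumption about the intent,
// not from the post): the scheme, path and query string no longer influence the
// decision, and the same wildcards still cover 192.168.1.10x and 192.168.1.12x.
function FindProxyForURLByHost(url, host) {
  if (shExpMatch(host, "192.168.1.10*") || shExpMatch(host, "192.168.1.12*")) {
    return "DIRECT";
  }
  return "PROXY 192.168.1.100:8080";
}

// Run both rule sets over a list of URLs; returns { url: [urlRule, hostRule] }.
function compareRules(urls) {
  const out = {};
  for (const u of urls) {
    const host = new URL(u).hostname;
    out[u] = [FindProxyForURL(u, host), FindProxyForURLByHost(u, host)];
  }
  return out;
}

const SAMPLE_URLS = [
  "http://192.168.1.10/",                     // intended local server
  "http://192.168.1.105/",                    // also matched by "192.168.1.10*"
  "https://192.168.1.10/",                    // https: the URL rules miss it, goes to proxy
  "http://www.example.com/?ref=192.168.1.12", // "*192.168.1.12*" matches the query string
];
console.log(compareRules(SAMPLE_URLS));
```

The last two sample URLs show the two sides of matching on the whole URL: an https request to a local server is sent to the proxy, while an external URL that merely contains the string goes direct.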

Chroot-BIND on CentOS

I heard about CentOS long ago as it gives for free all the enterprise-level software that one has to buy when using Red Hat Enterprise Linux. So why not use CentOS and get a Red Hat Enterprise-like experience for free? Just as I planned, I installed CentOS 5.5 on the VMware platform (my ultimate testing platform, kudos to virtualization) to carry out the DNS mission. Now the question is what DNS-related configuration someone can make on a Linux box. A few minutes of googling revealed all the mystery. So here’s the thing:

  • When one needs to browse the Internet, s/he needs to tell the machine the address of a DNS server. This can be configured in the “/etc/resolv.conf” file by simply adding the line “nameserver IP address of the DNS server”, e.g. “nameserver 192.168.1.1”. If I put an IPv6 address it looks like this: “nameserver fe80::918b:9348:c07:5afe”.
  • Making the Linux box work as a caching nameserver. What happens here is that all other machines in the vicinity (mostly within the LAN) can use this machine as their nameserver to browse the Internet.
  • Finally, a nameserver can serve my “zone files” if I’m hosting any website of my own, so that someone on the Internet can find the location (which is eventually the IP address) of my website. Zone files basically contain records of my domain / sub-domain names and their corresponding IP addresses.

Installing Chroot-BIND with caching-nameserver:

yum install bind bind-chroot bind-libs bind-utils caching-nameserver

By default caching-nameserver is not installed on the system, but the other packages are supposed to be there already. Still, yum can be used to check whether they are up to date.

BIND reads its configuration from .conf files and processes it accordingly. These .conf files are nothing but simple text files and can be copied from anywhere; all I did was modify one according to my needs.

Initially I couldn’t find ‘named.conf’ in either “/etc/named.conf” or “/var/named/chroot/etc/named.conf”, the two locations mentioned in most online articles. So this is how I located the “named.conf” file.

Commands used to locate “named.conf”:

# updatedb

# locate named.conf

Output:

/usr/share/doc/bind-9.3.6/sample/etc/named.conf

/usr/share/logwatch/default.conf/services/named.conf

/usr/share/man/man5/named.conf.5.gz

So I copied “/usr/share/doc/bind-9.3.6/sample/etc/named.conf” to “/var/named/chroot/etc/named.conf”:

# cp /usr/share/doc/bind-9.3.6/sample/etc/named.conf  /var/named/chroot/etc/


The named.conf file that BIND reads, after my modifications (/var/named/chroot/etc/named.conf):

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
    // Those options should be used carefully because they disable port
    // randomization
    query-source port 53;
    query-source-v6 port 53;

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    allow-query { any; };
    allow-query-cache { any; };

    forwarders {
        8.8.8.8; // ip of dns server to forward requests to
    };
};

logging
{
    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// This part responds to the local machines' dns queries.
// Views are tried in order and the first match wins, so this view has to come
// before "external" (whose match-clients is "any") and match only local
// clients; otherwise every query, the LAN's included, lands in "external"
// where recursion is off and the caching nameserver never answers.
view localhost_resolver {
    match-clients { localhost; localnets; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};

view "external" { // What the Internet will see
    /* This view will contain zones you want to serve only to "external"
     * clients that have addresses that are not on your directly attached
     * LAN interface subnets:
     */
    match-clients { any; };
    match-destinations { any; };

    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    recursion no;

    // These are your "authoritative" external zones. This part provides the
    // reverse lookup meaning, to find your domain name from your IP address.
    // I didn't configure my dns for reverse lookup as I didn't need it. So they are
    // commented.
    //zone "xxx.xxx.xxx.in-addr.arpa" IN {
    //    type master;
    //    file "/var/named/zones/external/xxx.xxx.xxx.zone";
    //    allow-update { none; };
    //};

    // This is the forward zone section
    zone "lemonnetworks.net" IN {
        type master;
        file "/var/named/zones/external/lemonnetworks.net.zone";
        allow-update { none; };
    };

    // Root server hints
    zone "." {
        type hint;
        file "/var/named/root.hint";
    };
};


Forward zone file for “lemonnetworks.net” (/var/named/chroot/var/named/zones/external/lemonnetworks.net.zone):

$TTL 86400
@       IN      SOA     ns1.lemonnetworks.net. lemon.lemonnetworks.net. (
                        2010081804      ; serial #
                        4H              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum

; NS targets must be address (A/AAAA) records, not CNAMEs, or named rejects the
; zone; ns1 and ns2 therefore carry their own addresses below instead of pointing
; at cdn, and www (a CNAME) is not listed as a nameserver.
                        NS              ns1
                        NS              ns2
lemonnetworks.net.      MX      10      mail            ; Primary Mail Exchanger

localhost               A               127.0.0.1
cdn                     A               xxx.xxx.xxx.xxx
cdn                     AAAA            xxxx:xxxx:xxxx:xxxx::xxxx
mail                    A               xxx.xxx.xxx.xxx
mail                    AAAA            xxxx:xxxx:xxxx:xxxx::xxxx
ns1                     A               xxx.xxx.xxx.xxx
ns1                     AAAA            xxxx:xxxx:xxxx:xxxx::xxxx
ns2                     A               xxx.xxx.xxx.xxx
ns2                     AAAA            xxxx:xxxx:xxxx:xxxx::xxxx
www                     CNAME           cdn


Every time I made any change to either “named.conf” or “lemonnetworks.net.zone” I had to restart my name server, as BIND keeps everything in RAM. So the new configuration has to be reloaded into RAM after any change. Commands I used:

/etc/rc.d/init.d/named stop

/etc/rc.d/init.d/named start

/etc/rc.d/init.d/named restart

or

service named stop

service named start

service named restart

And finally, make BIND start on system boot:

chkconfig --level 345 named on
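A change that is reloaded without bumping the SOA serial is never picked up by any secondary, and a typo in a zone file only shows up when named refuses to load it. The script below is an added example, not part of the original post: it increments a date-based serial of the YYYYMMDDnn form used in the zone above, validates the file with named-checkzone from bind-utils when that tool is present, and exercises everything on a constructed sample zone in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: bump a zone's date-based SOA serial
# (YYYYMMDDnn, as in the zone above) and validate it with named-checkzone from
# bind-utils when installed. The sample zone and its path are constructed.

# Print the serial: first field of the line carrying the "; serial" comment.
zone_serial() { awk '/; *serial/ { print $1; exit }' "$1"; }

# next_serial OLD TODAY: same day -> counter + 1, otherwise TODAY00.
next_serial() {
  old=$1 today=$2
  case "$old" in
    "$today"[0-9][0-9])
      n=${old#"$today"}; n=${n#0}        # "04" -> "4"; also avoids octal parsing of 08/09
      [ "$n" -lt 99 ] || return 1        # only two counter digits per day
      printf '%s%02d\n' "$today" $((n + 1)) ;;
    *) printf '%s00\n' "$today" ;;
  esac
}

# bump_zone FILE TODAY: rewrite the serial in place (no sed -i, for portability).
bump_zone() {
  old=$(zone_serial "$1"); [ -n "$old" ] || return 1
  new=$(next_serial "$old" "$2") || return 1
  sed "s/$old\([[:space:]]*;\)/$new\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_zone ZONE FILE: run named-checkzone if present, skip quietly otherwise.
check_zone() {
  command -v named-checkzone >/dev/null 2>&1 || return 0
  named-checkzone "$1" "$2"
}

# Constructed minimal zone used to exercise the functions.
make_sample_zone() {
  cat > "$1" <<'EOF'
$TTL 86400
@   IN  SOA ns1.lemonnetworks.net. lemon.lemonnetworks.net. (
        2010081804  ; serial #
        4H 1H 1W 1D )
    NS  ns1
ns1 A   192.0.2.1
EOF
}

z=$(mktemp -d)/lemonnetworks.net.zone
make_sample_zone "$z" && bump_zone "$z" 20100818 && check_zone lemonnetworks.net "$z"
zone_serial "$z"   # prints 2010081805
```

On the real server the sequence would be bump_zone on the live zone file, check_zone, and only then the restart (or reload) command from the list above.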


HE.net’s Certification and my learning

Alright, this is the second post on Hurricane Electric’s (he.net) certification on IPv6. Like I said, it’s not anything hard, but I learned a few things in the process. They basically test your experience with the IPv6 Internet. I started by tunneling from my IPv4 end to their IPv4 end to reach the IPv6 Internet, then served my webserver to a request made via the IPv6 Internet, and in the same fashion had to make my email and DNS servers IPv6 capable. These are the things I had to make work as per their requirements, and besides those, in each of the seven stages I had to answer lots of MCQ questions on other topics such as IPv6 addressing itself, IPv6 routing, etc. After finishing the final stage, which they call Sage, I was allowed to select the size of the T-shirt they are giving away for free; for myself I selected the M size 🙂


Anyway, among all the stages the DNS one gave me the most painful experience, as I had never worked with it before. I could’ve used one of the other free hosted DNS services but preferred to have my own. So I’m going to write about my experience with chrooted BIND (the name of the DNS software) on CentOS 5.5 in the next post.

Cleared HE.net’s Free IPv6 Certification!

I was reading an article online and suddenly got stuck on a flash advertisement saying something like “Get HE.net’s free IPv6 Certification!”. Out of curiosity I clicked on the advertisement and reached their certification page. They’ve basically designed an online test to judge your IPv6 knowledge. The test consists of six major steps with several sub-parts in each step, plus some other sections where you submit IPv6 ping, dig, traceroute and whois output. The good part of the test is that you actually have to deploy an IPv6 environment to pass. Across all the steps I would say it’s a very straightforward and simple test. One thing I missed here is IPv6 routing; inclusion of v6 routing would’ve made it more complete. I hope they are considering this and will add another stage for it. Oh, and yes, the final attraction of the test is that after completion of all the stages they’ll give you a free T-shirt as a symbol of gratitude for your geekiness 🙂 I would say it’s a nice initiative to promote the adoption of IPv6 worldwide. I’ll add another post covering more about the test and what I’ve learned on the way to the finish line.

Problem with Network Card in Ubuntu 8.10

Gigabyte motherboards are using a new network card family called the Atheros AR81 family. Interestingly, neither the DVD provided with the motherboard includes a driver for Linux, nor can Ubuntu 8.10 recognize the card. After searching online I found the driver here:

http://partner.atheros.com/Drivers.aspx

Install method:

1. tar -xzvf AR81Family-Linux-v1.0.1.9.tar.gz

2. cd src

3. make

4. sudo make install

5. sudo insmod atl1e.ko

There’ll be a few errors while installing but it still works like a charm 🙂

IGMP: Configurations

(Config)#ip multicast-routing: enables support for IP multicast on a router.

(Config-if)#ip pim sparse-mode: enables PIM-SM operation on the selected interface.

(Config-if)#ip pim sparse-dense-mode: enables the interface on the router to operate in PIM-SM for sparse-mode groups (those with known RPs) and in dense mode for other groups.

(Config)#ip pim send-rp-announce {interface type} scope {ttl} group-list {acl}: issued on the router to make it an RP.

(Config)#ip pim send-rp-discovery {interface type} scope {ttl}: configures the router as an RP mapping agent.

(Config)#ip pim spt-threshold {rate | infinity}: controls the switchover from the shared distribution tree to the SPT in sparse mode. The keyword infinity means the switchover will never occur.

#show ip mroute: its output generally represents a part of the multicast distribution tree.

IGMP Snooping

As its name implies, switches become IGMP-aware and listen in on the IGMP conversations between hosts and routers.

If care is not taken as to how IGMP snooping is implemented, a switch may have to intercept all Layer 2 multicast packets to identify IGMP packets. This action can have a significant impact on switch performance.

Switches must be Layer 3-aware to avoid serious performance problems because of IGMP snooping.

Leave group message: IGMPv2

When leaving a multicast group, the “Leave group message” from the hosts helps the routers reduce the latency of detecting the last host in a multicast group; hence the multicast group is deleted faster, which saves bandwidth.