I have a laptop running Linux (currently Ubuntu) that I use both at home and at work. The corporate security policy requires everyone to use an authenticated HTTP proxy server for web access, so when I came to work I had to enable it manually and then disable it again at home - not very convenient.
As a side note, Firefox 3+ respects the global (system-wide) proxy configuration (System->Preferences->Network proxy, or gnome-network-preferences), and gnome-terminal sets the http_proxy environment variable automatically when a proxy is configured, so most command-line tools respect the global proxy setting as well, which is very cool.
So, until network profiles arrive in Gnome or NetworkManager (I have seen some related commits in Gnome SVN), I still want to enable the proxy automatically depending on my location. Thankfully, NetworkManager can execute scripts when it brings interfaces up or down, so this is not difficult at all.
At least on Ubuntu, NetworkManager executes the scripts located in /etc/NetworkManager/dispatcher.d/ when it brings interfaces up. Inside the script I can detect whether I am at work by checking the domain name in /etc/resolv.conf, which is provided by the corporate DHCP server, or the beginning of the assigned IP address if the domain can't be used for any reason.
OK, here is the working script for Ubuntu Karmic, Jaunty and Intrepid (Gnome 2.24+); see the notes below for older versions. I have this script in /etc/NetworkManager/dispatcher.d/02proxy, because 01ifupdown already exists there.
It is an updated version that attempts to make the script suitable for more general use; e.g. in our company we now provide it in a .deb package for all Ubuntu-based laptops.
#!/bin/bash
# The script for automatically setting the proxy server depending on location.
# Put it under /etc/NetworkManager/dispatcher.d/02proxy
# Create also the /etc/NetworkManager/proxy_domains.conf, specifying the mapping of
# DHCP domains to proxy server addresses, eg "example.com proxy.example.com:3128"
# Written by Anton Keks

PROXY_DOMAINS="/etc/NetworkManager/proxy_domains.conf"

# provided by NetworkManager
INTERFACE=$1
COMMAND=$2

# run gconftool-2 as the logged-in user, keeping the exported session environment
function gconf() {
    sudo -E -u "$USER" gconftool-2 "$@"
}

# store the user's proxy settings; base64 only obscures the password, it does not
# protect it, so the file is created readable by its owner only
function saveUserConfFile() {
    (
        umask 077
        echo "DOMAIN_USER=$DOMAIN_USER" > "$CONF_FILE"
        echo "DOMAIN_PWD_BASE64=$(echo "$DOMAIN_PWD" | base64)" >> "$CONF_FILE"
        echo "PROXY_HOST=$PROXY_HOST" >> "$CONF_FILE"
        echo "PROXY_PORT=$PROXY_PORT" >> "$CONF_FILE"
    )
    chmod 600 "$CONF_FILE"
}

function enableProxy() {
    # the last column of the matching line is "host:port"
    PROXY_HOST=$(grep -- "$DOMAIN" "$PROXY_DOMAINS" | sed 's/.* \+//' | sed 's/:.*//')
    PROXY_PORT=$(grep -- "$DOMAIN" "$PROXY_DOMAINS" | sed 's/.*://')

    # check if authentication is required
    http_proxy="http://$PROXY_HOST:$PROXY_PORT/" wget com 2>&1 | grep "ERROR 407"
    if [ $? -eq 0 ]; then
        AUTH_REQUIRED="true"
        CONF_FILE="$HOME/.proxy:$DOMAIN"
        if [ ! -e "$CONF_FILE" ]; then
            DOMAIN_USER=$(sudo -E -u "$USER" zenity --entry --text "Login name for domain $DOMAIN")
            DOMAIN_PWD=$(sudo -E -u "$USER" zenity --entry --text "Password for domain $DOMAIN" --hide-text)
            saveUserConfFile
        fi
        # load user proxy settings (the file is sourced as shell code by this
        # script, which NetworkManager runs as root)
        . "$CONF_FILE"
        # decode password
        DOMAIN_PWD=$(echo "$DOMAIN_PWD_BASE64" | base64 -d)
        # get Kerberos ticket (if it's configured)
        if echo "$DOMAIN_PWD" | sudo -E -u "$USER" kinit "$DOMAIN_USER"; then
            KLIST_INFO=$(sudo -E -u "$USER" klist | fgrep Default)
            sudo -E -u "$USER" notify-send -i gtk-info "Domain login" "Kerberos ticket retrieved successfully: $KLIST_INFO"
        fi
    else
        AUTH_REQUIRED="false"
    fi

    # setup proxy
    gconf --type string --set /system/proxy/mode "manual"
    gconf --type bool --set /system/http_proxy/use_http_proxy "true"
    gconf --type string --set /system/http_proxy/host "$PROXY_HOST"
    gconf --type int --set /system/http_proxy/port "$PROXY_PORT"
    gconf --type bool --set /system/http_proxy/use_same_proxy "true"
    gconf --type bool --set /system/http_proxy/use_authentication "$AUTH_REQUIRED"
    gconf --type string --set /system/http_proxy/authentication_user "$DOMAIN_USER"
    gconf --type string --set /system/http_proxy/authentication_password "$DOMAIN_PWD"

    # notify
    sudo -E -u "$USER" notify-send -i gtk-info "Proxy configuration" "Your proxy settings have been set to: $DOMAIN_USER@$PROXY_HOST:$PROXY_PORT"
}

function disableProxy() {
    gconf --type string --set /system/proxy/mode "none"
    gconf --type bool --set /system/http_proxy/use_http_proxy "false"
    gconf --type string --set /system/http_proxy/host ""
    gconf --type bool --set /system/http_proxy/use_authentication "false"
    gconf --type string --set /system/http_proxy/authentication_user ""
    gconf --type string --set /system/http_proxy/authentication_password ""
}

# wait for gnome-settings-daemon to appear, ie until user logs in
for i in {1..100}; do
    if ! pidof gnome-settings-daemon > /dev/null; then
        sleep 5
        echo "Waiting for gnome-settings-daemon to appear..."
    else
        break
    fi
done

if ! pidof gnome-settings-daemon > /dev/null; then
    echo "gnome-settings-daemon is not running. exiting."
    exit 1
fi

# steal environment from the current non-root user
# (pidof -s returns a single PID even if several processes match)
XENV=$(xargs -n 1 -0 echo < "/proc/$(pidof -s gnome-settings-daemon)/environ")

# init DBUS connection string in order to reach gconfd
export "$(echo "$XENV" | grep '^DBUS_SESSION_BUS_ADDRESS=')"
# the values are exported literally (no eval), so they are never re-parsed as
# shell code; the ^ anchor keeps USER= from also matching e.g. SUDO_USER=
export "$(echo "$XENV" | grep '^USER=')"
export "$(echo "$XENV" | grep '^HOME=')"
export "$(echo "$XENV" | grep '^DISPLAY=')"
export "$(echo "$XENV" | grep '^XAUTHORITY=')"

if [ "$COMMAND" != 'up' ]; then
    disableProxy
    exit
fi

DOMAIN=$(grep '^domain' /etc/resolv.conf | sed 's/domain \+//')

# check if we need to set proxy settings for this domain
# (an empty domain or a missing mapping file means no proxy)
if [[ -n "$DOMAIN" && -e "$PROXY_DOMAINS" ]] && grep -q -- "$DOMAIN" "$PROXY_DOMAINS"; then
    echo "Setting proxy for domain $DOMAIN"
    enableProxy
else
    echo "Proxy is not required for domain $DOMAIN"
    disableProxy
fi
Don't forget to:
- give this script execute permissions
- have gconftool-2, zenity and kinit installed (gconf2, zenity, krb5-user packages in Ubuntu). Install gconf-editor as well for a graphical config editor.
- create /etc/NetworkManager/proxy_domains.conf, specifying the mapping of DHCP domains to proxy server addresses, eg "example.com proxy.example.com:3128". Specify each domain on a new line.
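The lookup in proxy_domains.conf decides whether proxy settings and stored credentials are applied on a given network, so it is worth matching the DHCP domain exactly rather than as a substring. The following is an added example, not part of the original script: lookup_proxy and SAMPLE_CONF are hypothetical names, and the sample mapping is constructed for illustration.

```bash
#!/bin/bash
# Added example: exact-match lookup in a proxy_domains.conf-style file.
# lookup_proxy and SAMPLE_CONF are hypothetical names; the data is constructed.
SAMPLE_CONF='# DHCP domain    proxy host:port
example.com      proxy.example.com:3128
corp.example.org 10.0.0.1:8080
bad.example.net  proxy.example.net:notaport'

# lookup_proxy DOMAIN [FILE]
# Prints "host port" and returns 0 on an exact match with a valid target,
# returns 1 when the domain is empty or unknown, 2 when the entry is malformed.
lookup_proxy() {
    local domain="$1" file="${2:-/etc/NetworkManager/proxy_domains.conf}"
    local name target rest host port
    [ -n "$domain" ] || return 1            # an empty domain must never match
    while read -r name target rest; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$name" = "$domain" ] || continue          # string equality, no regex
        host=${target%:*}
        port=${target##*:}
        case $host in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
        case $port in ''|*[!0-9]*) return 2 ;; esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
        echo "$host $port"
        return 0
    done < "$file"
    return 1
}

# Demo on the constructed sample
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
lookup_proxy example.com "$conf"                      # exact match
lookup_proxy ample.com "$conf" || echo "no proxy for ample.com (substring only)"
lookup_proxy "" "$conf" || echo "no proxy for an empty DHCP domain"
rm -f "$conf"
```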
For more functionality, it even tries to retrieve the Kerberos ticket for you, if Kerberos is configured properly in /etc/krb5.conf. You can check if this is the case by running this on the command-line:
kinit your-user-name; klist
This works very well for me and saves several mouse clicks every morning :-)
Note to Gnome 2.22 and older users (Ubuntu Hardy, etc): I had this script initially done in Hardy, but after upgrading to Intrepid (Gnome 2.24) it stopped working. The reason was that starting from Gnome 2.24, the gconf setting /system/http_proxy/use_http_proxy is no longer the primary one and has been replaced by /system/proxy/mode, which takes one of three values: 'auto', 'manual' and 'none'. In Intrepid, setting only /system/http_proxy/use_http_proxy as before has no effect; you need to set /system/proxy/mode to 'manual', and this will set the value of the old setting to 'true' automatically.
Another thing introduced with Intrepid is the need to set the DBUS_SESSION_BUS_ADDRESS environment variable (the script steals it from the x-session-manager process) - this is because gconfd has switched from CORBA to DBUS as its communication protocol. If you have an older Gnome, you may omit these 2 lines involving DBUS.
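The dispatcher script runs as root and takes these variables from a process owned by the desktop user, so the values should be treated as data only. As an added example (not the author's code), here is one way to import just the five variables the script uses from a NUL-separated environ file without eval; the function names and the sample data are constructed for illustration.

```bash
#!/bin/bash
# Added example: import selected variables from a NUL-separated environ file
# without eval. Function names and the sample data are constructed.

# Constructed stand-in for /proc/<pid>/environ of the desktop session
write_sample_environ() {
    printf 'USER=alice\0HOME=/home/alice\0EVIL=x\nHOME=/tmp/evil\0' > "$1"
    printf 'DISPLAY=:0\0LD_PRELOAD=/tmp/x.so\0' >> "$1"
    printf 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus\0' >> "$1"
}

# import_session_env FILE
# Exports only the five variables the proxy script needs; everything else in
# the user's environment is ignored, and values are never re-parsed as code.
import_session_env() {
    local entry name value ctrl
    ctrl=$(printf '\001')
    # tr turns newlines inside values into \001 and each NUL into a newline,
    # so every line read below is exactly one environment entry
    while IFS= read -r entry; do
        case $entry in *=*) ;; *) continue ;; esac
        name=${entry%%=*}
        value=${entry#*=}
        case $name in
            DBUS_SESSION_BUS_ADDRESS|USER|HOME|DISPLAY|XAUTHORITY) ;;
            *) continue ;;
        esac
        case $value in *"$ctrl"*) continue ;; esac   # value had a newline
        export "$name=$value"
    done <<EOF
$(tr '\n\000' '\001\n' < "$1")
EOF
}

# Demo in a subshell so the caller's own environment is left alone
sample=$(mktemp)
write_sample_environ "$sample"
( import_session_env "$sample"; echo "USER=$USER HOME=$HOME DISPLAY=$DISPLAY" )
rm -f "$sample"
```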
Enjoy!

27 comments:
Hey, thanks for that, just what I needed!
By the way for me it worked only if I set in the gconf function on the "sudo" line the DBUS.. variable.
I'd suggest using more creative variable names than PWD and USER in such script, since they are widely used throughout the system for other purpose :)
Now, this is pretty hard-core for a grandma. Can we expect a nice gui in syssetting menu in the future?
T
minzu, sorry I forgot to give sudo the -E option (I have corrected the post now).
-E tells sudo to pass environment to the command - that should do it!
Toomas, I think that grandma doesn't need this stuff - she probably doesn't have to move between strict corporate locations with her laptop all the time :-)
But I really expect a nice GUI for that in the next version of NetworkManager - there are some bits of code to support configuration profiles in the SVN already.
I don't want my password to be visible in the script, so I encoded it with base64. It is not a real security solution as anyone can decode it, but at least your work colleagues wouldn't see it on your monitor while you edit the script. I feel a bit safer this way.
Encode:
perl -MMIME::Base64 -e 'print encode_base64("myC00lpa55word")'
Decode:
perl -MMIME::Base64 -e 'print decode_base64("YXNkZmdoago=")'
So the script beginning looks something like this:
USER=my_user
# encoded base64
PWD_ENC="YXNkZmdoago="
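# the encoded value is passed as an argument: inside single quotes the shell
# would not expand $PWD_ENC and perl would see an undefined variable
PWD=`perl -MMIME::Base64 -e 'print decode_base64($ARGV[0])' "$PWD_ENC"`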
WORK_IP=172.28.
Good example, I needed to write a script to change from using proxy when connected to lan, to direct connection while using a cell modem. I was missing the /system/proxy/mode settings. Thanks.
Thanks - great script, I finally got around to adding some extra lines to update apt & environment settings, as well as support for multiple different proxied addresses (lan & wifi @ work)
I add these to the non-proxy code block:
#update environment (might be too late by now though)
# comment out the proxy variables that are not already commented out
sed -i -e 's/^http_proxy/#http_proxy/' /etc/environment
sed -i -e 's/^https_proxy/#https_proxy/' /etc/environment
sed -i -e 's/^ftp_proxy/#ftp_proxy/' /etc/environment
#update apt config
sed -i -e 's/Acquire::http::proxy .*$//' /etc/apt/apt.conf
and for multiple addresses I used -E in the grep, with a WORK_IP setting like:
WORK_IP_EXP="(Address\:.*132\.0)|(Address\:.*172\.16)"
I updated the script for it to be useful directly without modifications by about anyone.
Changing of apt conf directly is not needed, imo, because update-manager picks the proxy from Gnome system settings. apt-get and aptitude will work also from gnome-terminal, because it sets the http_proxy environment variable automatically.
Hey I am using Gnome 2.26 in Ubuntu 9.04
I set the proxy settings with authentication in network-proxy. But when I echo $http_proxy it shows the url but not the authentication. Can you tell me how to solve this problem?
blog.azib.net; You saved my day again.
It sounds like you're creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place.
Good work and excellent theme! Cheers!
This is the best blog I have ever read thank you!
Nice post, thanks!