
Mozilla Firefox: Fixing the proxy server settings for all users


Mark Hobley

Sep 7, 2009, 5:08:02 AM
I am using the iceweasel browser, which is essentially a version of
Mozilla Firefox. I want to globally configure the browser so that the proxy
server address is fixed for all users and cannot be overwritten.

I have added the following entries to the /etc/iceweasel/pref/iceweasel.js
configuration file, but the settings do not seem to be having any effect:

lockPref("network.proxy.http", neptune.markhobley.yi.org);
lockPref("network.proxy.http_port", 8888);
lockPref("network.proxy.no_proxies_on", localhost, 127.0.0.1, 10.0.0.0/8, markhobley.yi.org);
lockPref("network.proxy.type", 1);

Are there some additional configuration parameters that I need to add in
order to set and lock the proxy server address?

Thanks in advance to anyone who can help.

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

Balwinder S Dheeman

Sep 7, 2009, 5:55:18 PM

I think it is better you run/set up a transparent proxy with the help of
netfilter/iptables and point all your machines to use your
proxy/netfilter machine as a gateway, a DHCP server on the same machine can
do this.

OTOH, I'm unable to guess what proxy server is running at your 8888
port; squid comes to mind, it is versatile and mature, but polipo can
also be a good alternative. The latter does not have FTP support though.

--
Balwinder S "bdheeman" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Plan9, T2, Arch/Debian/FreeBSD/XP
Home: http://werc.homelinux.net/ Visit: http://counter.li.org/

Mark Hobley

Sep 7, 2009, 9:08:02 PM
In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:
> I think it is better you run/set up a transparent proxy with the help of
> netfilter/iptables and point all your machines to use your
> proxy/netfilter machine as a gateway, a DHCP server on the same machine can
> do this.

I can do this, but I would still like to be able to fix the settings
in the browser. There are some packages on the machines, which use http
but are not browsers which do not need to go through the proxy.

> OTOH, I'm unable to guess what proxy server is running at your 8888
> port

Currently, it is just a filtering proxy, but I might switch to a dynamic
on the fly page editing proxy at a later date.

Balwinder S Dheeman

Sep 8, 2009, 9:54:23 AM

I'm quite impressed with the functionality of *AdBlock Plus*
(http://adblockplus.org/en/), but I still don't like the way they do it
via a Firefox/IceWeasel/Konqueror extension. The idea is good, but the
implementation is not in the Unix/Linux way.

I think it is better you fix your filtering proxy server; you may add one
feature or more on entertaining/forwarding the requests based on
'User-Agent', Remote-Address and, or other headers.

IMHO, the system wide default IceWeasel or such settings is not good,
because competent users will/can still bypass your setup quite easily
via Edit->Preferences->Advanced->Network-Settings->(*)No Proxy option.

Mark Hobley

Sep 8, 2009, 12:08:03 PM
In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:

> I think it is better you fix your filtering proxy server; you may add one
> feature or more on entertaining/forwarding the requests based on
> 'User-Agent', Remote-Address and, or other headers.

The filter works fine, but I would like to bypass it for applications
other than Mozilla Firefox. I don't think that the filter offers
different facilities for different user-agents.

> IMHO, the system wide default IceWeasel or such settings is not good,
> because competent users will/can still bypass your setup quite easily
> via Edit->Preferences->Advanced->Network-Settings->(*)No Proxy option.

The LockPref facility is supposed to prevent this. I think maybe there
is a bug in Mozilla Firefox, which is preventing this from working.

Cheers,

Balwinder S Dheeman

Sep 8, 2009, 4:33:14 PM
On 09/08/2009 09:38 PM, Mark Hobley wrote:
> In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:
>
>> I think it is better you fix your filtering proxy server; you may add one
>> feature or more on entertaining/forwarding the requests based on
>> 'User-Agent', Remote-Address and, or other headers.
>
> The filter works fine, but I would like to bypass it for applications
> other than Mozilla Firefox. I don't think that the filter offers
> different facilities for different user-agents.

It can be extended, if it is an open source project; and that seems to
be right way to me.

>> IMHO, the system wide default IceWeasel or such settings is not good,
>> because competent users will/can still bypass your setup quite easily
>> via Edit->Preferences->Advanced->Network-Settings->(*)No Proxy option.
>
> The LockPref facility is supposed to prevent this. I think maybe there
> is a bug in Mozilla Firefox, which is preventing this from working.

Firefox/IceWeasel can be fixed or tweaked in either custom.

I hope so, but what if someone installs a personal version of Firefox,
Arora, Chromium or other one in his/her home directory which does not
read your system wide prefs?

IMHO, after reading
http://werc.homelinux.net/links/reference/unix_prog_design.pdf, you will
that today's Unix, Linux, *BSD, FF, KDE, GNOME and other programs of
software heading far away from the original concepts of Unix.

Cheers,

Mark Hobley

Sep 10, 2009, 11:08:03 AM
In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:

> I hope so, but what if someone installs a personal version of Firefox,
> Arora, Chromium or other one in his/her home directory which does not
> read your system wide prefs?

The /home directory is mounted noexec to prevent this.

Mark Hobley

Sep 14, 2009, 5:08:07 PM
In comp.infosystems.www.browsers.x Mark Hobley <markh...@hotpop.donottypethisbit.com> wrote:
> Are there some additional configuration parameters that I need to add in
> order to set and lock the proxy server address?

I have managed to solve this. To lock the proxy server, a full set of
configuration entries is required. Add the following lines to the
/etc/iceweasel/pref/iceweasel.js configuration file:

// Proxy server settings
lockPref("network.proxy.backup.ftp", "proxy.foobar.lan");
lockPref("network.proxy.backup.ftp_port", 9999);
lockPref("network.proxy.backup.gopher", "proxy.foobar.lan");
lockPref("network.proxy.backup.gopher_port", 9999);
lockPref("network.proxy.backup.socks", "proxy.foobar.lan");
lockPref("network.proxy.backup.socks_port", 9999);
lockPref("network.proxy.backup.ssl", "proxy.foobar.lan");
lockPref("network.proxy.backup.ssl_port", 9999);
lockPref("network.proxy.ftp", "proxy.foobar.lan");
lockPref("network.proxy.ftp_port", 9999);
lockPref("network.proxy.gopher", "proxy.foobar.lan");
lockPref("network.proxy.gopher_port", 9999);
lockPref("network.proxy.http", "proxy.foobar.lan");
lockPref("network.proxy.http_port", 9999);
// Destinations reached without the proxy; 192.168.0.0/16 is the RFC 1918 private block
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, foobar.lan");
lockPref("network.proxy.share_proxy_settings", true);
lockPref("network.proxy.socks", "proxy.foobar.lan");
lockPref("network.proxy.socks_port", 9999);
lockPref("network.proxy.ssl", "proxy.foobar.lan");
lockPref("network.proxy.ssl_port", 9999);
lockPref("network.proxy.type", 1);

Regards,
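
A check for the complete, locked entry set described in the post above, as an added example that is not part of the original thread. The names auditPrefs and REQUIRED are made up here, the required list is copied from that post, and the value check (a pref value must be a quoted string, an integer or a boolean) is an assumption added by this example.

```javascript
// Added example (not from the thread): audit a prefs file for locked proxy settings.
// REQUIRED mirrors the 21 entries listed in the post above.
const REQUIRED = ["network.proxy.type", "network.proxy.no_proxies_on",
                  "network.proxy.share_proxy_settings"];
for (const p of ["ftp", "gopher", "http", "socks", "ssl"]) {
  REQUIRED.push(`network.proxy.${p}`, `network.proxy.${p}_port`);
  if (p !== "http") {
    REQUIRED.push(`network.proxy.backup.${p}`, `network.proxy.backup.${p}_port`);
  }
}

// One pref call per line: function name, quoted pref name, raw value text.
const CALL = /^\s*(lockPref|pref|user_pref)\(\s*"([^"]+)"\s*,\s*(.*)\)\s*;\s*$/;
// Assumption of this example: a value is a quoted string, an integer or a boolean.
const LITERAL = /^(?:"(?:[^"\\]|\\.)*"|-?\d+|true|false)$/;

function auditPrefs(text) {
  const locked = new Set();
  const problems = [];
  text.split("\n").forEach((line, i) => {
    const m = CALL.exec(line);
    if (!m || !m[2].startsWith("network.proxy.")) return; // not a proxy pref
    const [, fn, name, value] = m;
    if (!LITERAL.test(value.trim())) {
      problems.push(`line ${i + 1}: ${name}: value is not a quoted string, integer or boolean`);
    } else if (fn !== "lockPref") {
      problems.push(`line ${i + 1}: ${name}: set with ${fn}(), so not locked`);
    } else {
      locked.add(name);
    }
  });
  const missing = REQUIRED.filter((n) => !locked.has(n));
  return { ok: problems.length === 0 && missing.length === 0, problems, missing };
}

// The four entries from the first post in this thread, copied as posted.
const FIRST_ATTEMPT = [
  'lockPref("network.proxy.http", neptune.markhobley.yi.org);',
  'lockPref("network.proxy.http_port", 8888);',
  'lockPref("network.proxy.no_proxies_on", localhost, 127.0.0.1, 10.0.0.0/8, markhobley.yi.org);',
  'lockPref("network.proxy.type", 1);',
].join("\n");

const report = auditPrefs(FIRST_ATTEMPT);
console.log(report.problems.join("\n"));
console.log(`${report.missing.length} required entries not locked`);
```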

Balwinder S Dheeman

Sep 15, 2009, 7:45:04 AM

That's good.

But, what if the users use something other than IceWeasel?

Hope it works for you, but this IMHO is not the right way. I for one
shall never ever recommend such a weak setup. The best way to control
use of the network is to control it from your gateway/router, possibly with the
help of a filtering proxy server. I have not checked, but am sure Squid can
do it by add-on scripts (adblocker comes to mind).

OTOH, if Squid seems too big and, or resource hungry to you, Polipo
is an open source, tiny caching web (only http, but supports HTTP/1.1)
proxy designed to be used as a personal cache or a cache shared among a
few users. I think it would be good to add hooks for running scripts or
adding plug-ins to it for filtering.

Joe Beanfish

Sep 15, 2009, 12:52:21 PM

From previous posts it sounds like he's setting up a kiosk or similar
system where the users won't be able to get a shell or install software
so they probably won't have much choice about what to run.

Mark Hobley

Sep 19, 2009, 9:08:02 PM
In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:

> The best way to control use of the network is to control it from your
> gateway/router, possibly with the help of a filtering proxy server.

I use tinyproxy for filtering.

Balwinder S Dheeman

Sep 20, 2009, 4:42:31 PM
On 09/20/2009 06:38 AM, Mark Hobley wrote:
> In comp.infosystems.www.browsers.x Balwinder S Dheeman <bsd.S...@cto.homelinux.net> wrote:
>
>> The best way to control use of the network is to control it from your
>> gateway/router, possibly with the help of a filtering proxy server.
>
> I use tinyproxy for filtering.

"* Easily modified: If you're looking to build a custom web proxy,
Tinyproxy is very easy to modify to your custom needs. The source is
straightforward, adhering to the KISS principle. As such, it can be used
as a foundation for anything you may need a web proxy to do."

The above is a quote from https://www.banu.com/tinyproxy/, the home page of
Tinyproxy; though I never had a chance to try it, it seems promising
and useful for your use case.

Hope you will add a requisite routine to bypass client requests based on
User-Agent header to it and be able to run it as a transparent proxy
behind a firewall.

On most of the school, college, cyber-cafe and, or Internet kiosk sites
which I manage, we either use Squid or Polipo as transparent proxy.

On other sites, where we want a relaxed control we provide an auto_proxy
configuration script for most of the browsers, down-loaders and, or
other such tools:

-------- 8< --------
function FindProxyForURL(url, host)
{
    /* If the user has specified only a hostname, go directly. */
    if (isPlainHostName(host))
        return "DIRECT";

    /* If the host is an IP address on our local networks, go directly. */
    if (isInNet(host, "192.168.1.0", "255.255.255.0")
        || isInNet(host, "192.168.2.0", "255.255.255.0")
        /* ... */
        )
        return "DIRECT";

    /* Connect directly to our domains and/or vhosts. */
    if (dnsDomainIs(host, "local")
        || dnsDomainIs(host, "example.com")
        /* ... */
        )
        return "DIRECT";

    /* We only cache http, https, ftp and/or gopher. */
    if (url.substring(0, 5) == "http:"
        || url.substring(0, 6) == "https:"
        /* ... */
        )
        /* Change the ":8123" to the port that your cache runs on, and point
         * "proxy.example.com" to the machine that runs the caching
         * server. */
        return "PROXY proxy.example.com:8123; DIRECT";

    return "DIRECT";
}
-------- 8< --------

Which the clients may or may not use. Or it is useful only for
non-technical users and, or those who don't want to set a proxy by hand.
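
An offline harness for checking what an auto-proxy script like the one above actually routes where, as an added example that is not part of the original thread. PAC_SOURCE is that script with the elided "..." branches left out; the helper implementations, the DNS table, the host names and the route function are constructed for this example.

```javascript
// Added example (not from the thread): evaluate a PAC script offline.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0") ||
      isInNet(host, "192.168.2.0", "255.255.255.0")) return "DIRECT";
  if (dnsDomainIs(host, "local") || dnsDomainIs(host, "example.com")) return "DIRECT";
  if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:")
    return "PROXY proxy.example.com:8123; DIRECT";
  return "DIRECT";
}`;

// Constructed DNS table standing in for the resolver that isInNet() would call.
const DNS = { "printer.lan.test": "192.168.2.40", "www.example.org": "203.0.113.10" };

const toInt = (ip) => ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  // Plain suffix comparison, so "notexample.com" also matches "example.com".
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => {
    const ip = /^\d+(\.\d+){3}$/.test(host) ? host : DNS[host];
    if (!ip) return false; // unresolvable names never match
    // >>> 0 keeps both masked values unsigned before comparing
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  },
};

function route(url) {
  const host = new URL(url).hostname;
  const names = Object.keys(helpers);
  // Compile the PAC text with the stub helpers in scope.
  const find = new Function(...names, `${PAC_SOURCE}; return FindProxyForURL;`)(
    ...names.map((n) => helpers[n]));
  const result = find(url, host);
  const steps = result.split(";").map((s) => s.trim());
  // Fail open: a proxy is listed first but DIRECT is allowed as a fallback.
  return { result, failOpen: steps[0] !== "DIRECT" && steps.includes("DIRECT") };
}

for (const u of ["http://intranet/", "http://printer.lan.test/",
                 "https://www.example.org/", "http://notexample.com/"]) {
  console.log(u, JSON.stringify(route(u)));
}
```

Requests that come back DIRECT, or that carry a DIRECT fallback, never depend on the filtering proxy, so this kind of script only suits the relaxed setups described above.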
