Re: [gentoo-user] wget with http proxy

2014-02-13 Thread Stroller

On Wed, 12 February 2014, at 9:00 am, Raffaele BELARDI 
raffaele.bela...@st.com wrote:

 I'm setting up a dedicated firewall / http proxy-cache (Squid) for my
 home network, with user authentication in 'digest' mode. Works fine with
 browsers but sometimes emerge fails.

If I'm understanding correctly, users will have to enter a password to access 
the internet.

My experience was that some whitelisting was necessary quite aside from Gentoo 
emerges, so I'd just add some Gentoo mirrors in there as allow all sites.

Stroller.




Re: [gentoo-user] wget with http proxy

2014-02-13 Thread Raffaele BELARDI
Stroller wrote:
 
 On Wed, 12 February 2014, at 9:00 am, Raffaele BELARDI 
 raffaele.bela...@st.com wrote:
 
 I'm setting up a dedicated firewall / http proxy-cache (Squid) for my
 home network, with user authentication in 'digest' mode. Works fine with
 browsers but sometimes emerge fails.
 
 If I'm understanding correctly, users will have to enter a password to access 
 the internet.
 
 My experience was that some whitelisting was necessary quite aside from 
 Gentoo emerges, so I'd just add some Gentoo mirrors in there as allow all 
 sites.
 

By whitelisting you mean allowing access to some sites without
authenticating the user on the proxy? In what cases did you find this
necessary?

I plan to deploy on the same server also a content filter (DansGuardian)
and all of this is new for me. I understood whitelisting can be done on
DansGuardian to bypass URL filtering but here you are suggesting a
different approach (bypass proxy authentication), right?

raffaele


Re: [gentoo-user] wget with http proxy

2014-02-13 Thread Stroller

On Thu, 13 February 2014, at 4:28 pm, Raffaele BELARDI 
raffaele.bela...@st.com wrote:
 ...
 If I'm understanding correctly, users will have to enter a password to 
 access the internet.
 
 My experience was that some whitelisting was necessary quite aside from 
 Gentoo emerges, so I'd just add some Gentoo mirrors in there as allow all 
 sites.
 
 By whitelisting you mean allowing access to some sites without
 authenticating the user on the proxy? In what cases did you find this
 necessary?

It's been several years since I did this, so my memory may be hazy on the 
details.

Desktop PCs were running Windows XP, and there was an SBS 2003 server that 
provided roaming profiles, so the demanding part was getting Squid to do auth 
via a Samba winbind PAM module. 

As I recall the office admin staff, or certain of them, had been spending too 
much time pissing about on Facebook and were too busy to answer the phone.

I think the original claim was that these pen-pushers didn't need internet 
access to do their jobs so all sites would be blocked, and the boss wanted 
unlimited web access, unlocked by his password (actually winbind saved him 
doing that, because he was already logged into the domain). 

It turned out that the clerical staff had all been regularly and legitimately 
using Google Maps, gov.uk sites and a bunch of others in the course of their 
duties, so these had to be whitelisted. 

 I plan to deploy on the same server also a content filter (DansGuardian)
 and all of this is new for me. I understood whitelisting can be done on
 DansGuardian to bypass URL filtering but here you are suggesting a
 different approach (bypass proxy authentication), right?

I don't really care where you do it, TBH.

In the case I've described above, I'm not sure that the boss handled it so well 
- he went for this draconian "filter everything" approach because he let 
himself get too annoyed at his staff instead of saying "listen guys, you can't 
be on Facebook when the work's not getting done".

So I think in this case, we simply had a couple of directives in 
/etc/squid/squid.conf which said users in the web group = allow all, otherwise 
deny. Then when we added the whitelist, we inserted a statement (before or 
between those previous two) that allowed any URLs or domains in a 
/etc/squid/whitelist.txt file we created. 

Maybe this example, of the boss going overboard, isn't the best one, but IMO it 
doesn't pay to treat your employees like children. If someone's surfing 
hardcore porn at work then everyone knows about it and the answer isn't to stop 
a bad employee doing this one particular thing you disapprove of (because he's 
sure to be doing other things you don't know about; you stop that one bad 
behaviour, and he goes and does something else), it's to get rid of or 
rehabilitate bad employees. 

There's always more than one way of doing things, and there are always going to 
be exceptions to any rule you create. You can find some way to make Portage / 
wget / curl authenticate against the proxy, or you can just whitelist the 
Gentoo box's URL (if it's a single server inside the LAN). You can do a network 
shared DISTDIR / PKGDIR / PORTDIR, or you can just whitelist anything you put 
in GENTOO_MIRRORS. I found whitelisting very easy and straightforward, though. 

Stroller.
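
An added example, not part of the thread: a constructed squid.conf fragment in the "whitelist before the auth rule" layout described above, with a small awk check that lists every http_access rule letting traffic through without proxy authentication. The helper path, realm and ACL names are assumptions; the `tools` ACL is there to show that a User-Agent (`browser`) match is a weaker bypass than a destination whitelist.

```shell
# Constructed squid.conf fragment (digest auth for browsers, whitelist for
# clients that cannot authenticate). Helper path, realm and ACL names are
# assumptions, not taken from anyone's real configuration.
sample_conf() {
cat <<'EOF'
auth_param digest program /usr/libexec/squid/digest_file_auth /etc/squid/digest.passwd
auth_param digest realm home-proxy
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl tools browser -i ^Wget
acl users proxy_auth REQUIRED
http_access allow whitelist
http_access allow tools
http_access allow users
http_access deny all
EOF
}

# Squid applies the first matching http_access rule. Read a config on stdin and
# print one finding per allow rule that does not involve a proxy_auth ACL.
audit_http_access() {
  awk '
    $1 == "acl" && !($2 in type) { type[$2] = $3 }
    $1 == "http_access" {
      last = $2 " " $3; auth = 0; weak = 0
      for (i = 3; i <= NF; i++) {
        name = $i; sub(/^!/, "", name)
        if (type[name] == "proxy_auth") auth = 1
        if (type[name] == "browser") weak = 1   # User-Agent is chosen by the client
      }
      if ($2 != "allow") next
      if (auth) { seen_auth = 1; next }
      if (seen_auth)  print "AFTER_AUTH " $3    # unauthenticated clients are challenged first
      else if (weak)  print "SPOOFABLE " $3
      else            print "NO_AUTH " $3
    }
    END { if (last != "deny all") print "NO_FINAL_DENY" }
  '
}

sample_conf | audit_http_access
```

Every `NO_AUTH` line is reachable by any client on the network, so the file behind it should list only the mirrors that are actually needed.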




Re: [gentoo-user] wget with http proxy

2014-02-12 Thread Canek Peláez Valdés
On Wed, Feb 12, 2014 at 3:00 AM, Raffaele BELARDI
raffaele.bela...@st.com wrote:
 I'm setting up a dedicated firewall / http proxy-cache (Squid) for my
 home network, with user authentication in 'digest' mode. Works fine with
 browsers but sometimes emerge fails. Turns out that some downloads are
 done with wget and wget supports only 'basic' authentication with proxy
 servers. So now I see the following options:

 1. use 'basic' authentication on the proxy, or
 2. bypass the authentication for non-browser requests (e.g. using a
 'browser' ACL element?), or
 3. convince emerge to use a different http downloader that supports
 'digest' authentication.

 I'll probably go with 1 or 2 but nevertheless is there any possibility
 to pursue 3?

man 5 make.conf, search for FETCHCOMMAND.

You could set it to use curl, which supports proxy digest.

Regards.
-- 
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México



Re: [gentoo-user] wget with http proxy

2014-02-12 Thread Neil Bothwick
On Wed, 12 Feb 2014 10:00:00 +0100, Raffaele BELARDI wrote:

 3. convince emerge to use a different http downloader that supports
 'digest' authentication.
 
 I'll probably go with 1 or 2 but nevertheless is there any possibility
 to pursue 3?

man make.conf and see the entry for FETCHCOMMAND.

You can use this to tweak wget's options or to use a different downloader.


-- 
Neil Bothwick

An unemployed Court Jester is nobody's fool.




Re: [gentoo-user] wget with http proxy

2014-02-12 Thread Raffaele BELARDI
Canek Peláez Valdés wrote:
 On Wed, Feb 12, 2014 at 3:00 AM, Raffaele BELARDI
 3. convince emerge to use a different http downloader that supports
 'digest' authentication.

 man 5 make.conf, search for FETCHCOMMAND.
 
 You could set it to use curl, which supports proxy digest.
 

Great, precisely what I need. Thanks also for the tip on curl.

raffaele
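
One way to apply the FETCHCOMMAND suggestion from this thread, as an added example that is not from any of the posters: a make.conf fragment that has curl do digest authentication against the proxy while keeping the password out of make.conf. The proxy host and port, the `emerge` account name and the `/etc/portage/curl-proxy.conf` path are assumptions.

```shell
# /etc/portage/make.conf fragment. Proxy host/port and the curl config path are
# assumptions; ${DISTDIR}, ${FILE} and ${URI} are filled in by Portage at fetch
# time, so they stay escaped here.
http_proxy="http://proxy.lan.example:3128"
https_proxy="http://proxy.lan.example:3128"

# Weak variant, shown for contrast only: the password sits in make.conf, which
# is normally world-readable, and on curl's command line.
# FETCHCOMMAND="curl --proxy-digest --proxy-user emerge:SECRET -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""

# Preferred: curl reads the credentials from a separate file (--config) that is
# mode 0600 and owned by the account Portage fetches as. That file holds one
# line:   proxy-user = "emerge:CHANGE_ME"
FETCHCOMMAND="curl --fail --location --retry 3 --proxy-digest --config /etc/portage/curl-proxy.conf --output \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
RESUMECOMMAND="curl --fail --location --retry 3 --continue-at - --proxy-digest --config /etc/portage/curl-proxy.conf --output \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
```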