Kiosk 4.8.0 not properly applying proxy autoconfiguration script settings


Post#1 by rburtcher » 17 May 2019, 00:57

We're trying to get Porteus Kiosk 4.8.0 set up behind a proxy with remote management enabled, but after enabling the proxy server settings, we're having some trouble getting the kiosk to download the kiosk-config.txt file both during the setup process and after the next boot. Our proxy.pac file is configured so that all HTTP traffic goes to port 8080 on the proxy server, and all HTTPS traffic goes to port 8443 - except for traffic to the server hosting the config files, which is sent direct. During the setup process, the kiosk is able to download the proxy.pac and Chrome just fine, but then past that it just can't seem to get the kiosk-config.txt. The kiosk just displays an error message that says "Server is not accessible or remote file is not present on it". Interestingly enough, however, Chrome is able to successfully access the kiosk-config. I think the proxy configuration is not being properly applied at the OS level. In order to complete the setup wizard, I copied the kiosk-config.txt file from our webserver and put it on a thumbdrive, then loaded it onto the kiosk that way.

To test whether or not the proxy server settings were being correctly applied, I first enabled SSH and used the Ctrl+Alt+F1 shortcut to get a command shell. I ran the command

wget http://<user>:<pass>@<config_server_ip>/kiosk-config.txt
and it failed to download the file with error 502 Proxy Error. TMG denied the specified URL (12202); further examination showed that wget connected to the proxy server instead of directly to <config_server_ip>! That's not correct based on our proxy.pac configuration, so I verified that the kiosk had gotten a complete and proper copy of the proxy.pac with the command

cat /opt/scripts/proxy.pac
The readout of this file matched the proxy.pac on the server exactly.

pactester -p /opt/scripts/proxy.pac -u http://<config_server_ip>/proxy/proxy.pac
gave me an output of DIRECT, as expected. However, when I run the command

echo $http_proxy; echo $https_proxy
it returned both values as http://<proxy_server_ip>:8080; shouldn't the $https_proxy variable contain https://<proxy_server_ip>:8443 instead, like in our proxy.pac? Further, if I run the command

echo $no_proxy
the output only contains localhost,127.0.0.1, and does not include <config_server_ip>. If I use the

export
command to set $https_proxy to https://<proxy_server_ip>:8443, as well as add <config_server_ip> to $no_proxy, then run the wget command (from above) again, it will successfully download the proxy-config.txt file without error. Porteus Kiosk does not appear to be correctly parsing and applying the settings in the proxy.pac to the OS's proxy settings.

As a workaround, I tried adding

run_command=export http_proxy="172.16.216.2:8080"; export https_proxy="172.16.216.2:8443"; export no_proxy="localhost,127.0.0.1,172.16.1.104"
to our kiosk-config.txt, but that made no difference and Porteus Kiosk still failed to download the config files.

Is there anything else we can try to get this working? We're hoping to deploy these kiosks in production as soon as we can once this issue is resolved. Thank you in advance for your assistance!

Here's a redacted copy of our proxy.pac:

function FindProxyForURL(url, host) {
	if (shExpMatch(host, "<config_server_ip>")) {
		return "DIRECT";
	}
	if (shExpMatch(url, "https://*")) {
		return "PROXY <proxy_server_ip>:8443; PROXY <proxy_server_fqdn>:8443";
	} else {
		return "PROXY <proxy_server_ip>:8080; PROXY <proxy_server_fqdn>:8080";
	}
}
And here's a redacted copy of our kiosk-config.txt:

connection=wired
dhcp=yes
browser=chrome
homepage_check=Kiosk is not available - please ask for assistance
session_idle=10
scheduled_action=Monday-18:00 Tuesday-18:00 Wednesday-18:00 Thursday-18:00 Friday-18:00 action:halt
allow_popup_windows=yes
rtc_wake=Monday-06:00 Tuesday-06:00 Wednesday-06:00 Thursday-06:00 Friday-06:00
timezone=America/Chicago
screensaver_idle=1
slide_duration=12
root_password=Password1
additional_components=uefi.zip 06-fonts.xzm 08-ssh.xzm
removable_devices=yes
enable_file_protocol=yes
shutdown_menu=reboot restart-session
homepage=http://<corporate_kiosk_portal_url>
kiosk_config=http://<user>:<pass>@<config_server_ip>/kiosk-config.txt
wallpaper=http://<user>:<pass>@<config_server_ip>/wallpaper.jpg
# screensaver_video=http://<config_server_ip>/proxy/KioskAttract.mp4
screensaver_archive=http://<user>:<pass>@<config_server_ip>/Slideshow.zip
proxy_config=http://<config_server_ip>/proxy/proxy.pac
debug=yes

Post#2 by fanthom » 17 May 2019, 07:17

Hello rburtcher,

I have quickly tested your sample proxy.pac and I'm not able to recreate the issue. Please send your original proxy.pac and kiosk config to support@porteus-kiosk.org and I'll check it again.
It would be great if you could associate your kiosk with my PK Server so I could test them directly in your environment.

Thanks

Added in 21 hours 28 minutes 44 seconds:
For further reference:

Seems to be a limitation of the 'pactester' utility as basic authentication is not recognized properly.
We get different results depending on whether basic auth is enabled or not:

pactester -p proxy.pac -u http://kioskuser:pass@192.16.1.104/kiosk-config.txt
PROXY 192.16.216.2:8080

pactester -p proxy.pac -u http://192.16.1.104/kiosk-config.txt
DIRECT
Potential solutions:
a) disable basic auth on remote config (not recommended)
b) use static proxy settings (add proxy exceptions for specific IPs)
c) switch to PK Server "Premium", which allows hosting config files securely without basic auth (files are copied over SSH)

Thanks
Please add [Solved] to your thread title if the solution was found.
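
An added illustration of the result reported in the post above (not part of the original thread, and not pactester's or Porteus Kiosk's code): the thread's proxy.pac logic evaluated for a URL with and without embedded credentials. The addresses are constructed stand-ins for the redacted placeholders, `naiveHost` is a hypothetical host extractor showing one way userinfo can end up in the `host` argument, and `shExpMatch` is reimplemented because Node lacks the PAC builtin.

```javascript
// Constructed documentation-range addresses, not the poster's real ones.
const CONFIG_HOST = "192.0.2.10";   // stands in for <config_server_ip>
const PROXY_HOST = "198.51.100.2";  // stands in for <proxy_server_ip>
const SAMPLE_WITH_AUTH = `http://kioskuser:pass@${CONFIG_HOST}/kiosk-config.txt`;
const SAMPLE_NO_AUTH = `http://${CONFIG_HOST}/kiosk-config.txt`;

// Minimal stand-in for the PAC builtin: shell glob ("*", "?") to anchored regex.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Same decision logic as the proxy.pac posted in the thread.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, CONFIG_HOST)) return "DIRECT";
  if (shExpMatch(url, "https://*")) return `PROXY ${PROXY_HOST}:8443`;
  return `PROXY ${PROXY_HOST}:8080`;
}

// Hypothetical extractor (assumption): takes the authority up to the first
// ":" or "/", so "user:pass@host" yields "user" instead of the host.
function naiveHost(url) {
  return url.split("://")[1].split("/")[0].split(":")[0];
}

// URL-standard parsing: userinfo is separated from the hostname.
function parsedHost(url) {
  return new URL(url).hostname;
}

// Drop credentials before the URL is handed to PAC evaluation or logged.
function stripUserinfo(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  return u.href;
}

function decide(url, hostFn) {
  return FindProxyForURL(url, hostFn(url));
}

console.log("naive,  with auth:", decide(SAMPLE_WITH_AUTH, naiveHost));
console.log("parsed, with auth:", decide(SAMPLE_WITH_AUTH, parsedHost));
console.log("naive,  no auth:  ", decide(SAMPLE_NO_AUTH, naiveHost));
```

The DIRECT rule only fires when `host` really is the bare hostname, so evaluating the PAC on `stripUserinfo(url)` gives the same answer whichever extractor is used.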