foxyproxy / browser-extension

Version 8 and above. Browser extension source code for Firefox, Chrome, and other Chromium-based browsers
GNU General Public License v2.0

Support for setting proxy setting via policy #42

Closed z0id closed 9 months ago

z0id commented 10 months ago

Hi,

This is a continuation of Support for chrome.storage.managed for the pre-8.0 FoxyProxy.

Would be nice to be able to set proxy settings via policy and have the user not able to modify/remove settings (access to Add-on Manager can be disabled in Firefox Enterprise, via policy; possibly also in Chrome).

Is this still on the roadmap?

Thanks!

erosman commented 10 months ago

> have the user not able to modify/remove settings

That goes against the openness of browser extensions

> Would be nice to be able to set proxy settings via policy

That is possible but requires a custom built extension which would not have the options page and the associated processes.

In fact, in an enterprise environment where users use enterprise computers, the admin can prevent users from making changes to the browser. Admin can set up proxies which would be controlled by the enterprise. There should not be any need for a proxy-changing extension.

Overall, feature requests require:

z0id commented 10 months ago

Thanks for the prompt reply.

> In fact, in an enterprise environment where users use enterprise computers, the admin can prevent users from making changes to the browser. Admin can set up proxies which would be controlled by the enterprise. There should not be any need for a proxy-changing extension.

Indeed, and Firefox does support setting proxy settings via policy, which can be transparent to the user in a managed browser. Unfortunately, Firefox does not support SOCKS5 authentication (open bug) hence the need for FoxyProxy which brings this capability. With FoxyProxy we gain SOCKS5 auth support, but lose the setup via policy capability, since FoxyProxy does not support that.

So I guess the use case would be any enterprise environment with SOCKS5 proxy with user/pass authentication requirement. Also the added rules-based toggling capability of FoxyProxy is a nice addition over vanilla Firefox.

erosman commented 10 months ago

Isn't enterprise environment a closed environment where the internet can be controlled by the admin?

Typically, in such environment, users connect to the internet via the enterprise intranet. Often, connecting to the intranet requires login and therefore additional authentication should not be required.

For example, in a college environment:

There should be no need to set up proxies on each computer terminal.

z0id commented 10 months ago

I'm sure there are networks in which what you are describing is true.

In my experience, in enterprise env it's not the classical proxy end-goal of spoofing location or pass all traffic through proxy, but to provide connectivity to network resources which are otherwise not accessible (no route to resource). Proxy is used only for accessing these certain resources, not for general intranet/internet access.

erosman commented 10 months ago

How would the enterprise prevent users from installing the full version FoxyProxy (or any other similar extension)?

z0id commented 10 months ago

> How would the enterprise prevent users from installing the full version FoxyProxy (or any other similar extension)?

A combination of the ExtensionSettings and BlockAboutAddons policies, possibly other policies as well, depending on how much the browser should be locked down.

In addition, the Firefox Enterprise installer can be easily repackaged to include add-ons so they are available immediately after install or add-ons can be deployed in a live env.

erosman commented 10 months ago

I have thought of a way to implement the managed storage without having to resort to a custom built extension, however that depends on the purpose.

Is the purpose of the managed storage convenience or security?

z0id commented 10 months ago

Thank you for looking into it.

I have given it some thought, and I would say security would be first; in enterprise env a security audit can reject a solution regardless of the niceness of the features.

It also depends on how advanced the user needs to be to bypass it. For example, with current extension, even if I block access to about:addons (the addon manager) the user can still open FoxyProxy options via the toolbar popup in Extensions Button (which cannot be removed), and modify proxy settings & rules. That's pretty easy.

erosman commented 10 months ago

So far, I have prepared the code for Firefox. I am still looking into Chrome implementation as the instructions are limited.

Advanced user can bypass by opening the Developer Tools in a privileged page (i.e. options, popup, debugging -> inspect) and set the storage values via browser API or manually editing the extension storage in Developer Tools.

Preventing the above would involve making considerable changes to the FoxyProxy code which would be best for a custom built extension.

z0id commented 10 months ago

> FoxyProxy checks for managed storage at start-up and MV3 background re-load

That's often enough.

> Managed storage data will be used if found

So managed storage data takes priority. That's good.

> Managed storage data can set all, or some of the options and the rest will be set to default values

Does it also include filters/patterns?

> Toolbar popup works normally and user can switch between the option values made available in managed storage

So user will be able to switch between multiple proxies, defined via policy, or no proxy. I think that's also ok.

> Options page works normally but any changes will NOT be SAVED

Does this mean they will not apply at all, nor not get carried over between sessions?

> Advanced user can bypass by opening the Developer Tools in a privileged page (i.e. options, popup, debugging -> inspect) and set the storage values via browser API or manually editing the extension storage in Developer Tools.

I don't think that's a big issue, there's a policy available to DisableDeveloperTools

Thanks again!

erosman commented 10 months ago

> Does it also include filters/patterns?

Sure... anything that can normally be set.

> So user will be able to switch between multiple proxies, defined via policy, or no proxy

Yes. If the policy provides 2 proxies, users can set disable, proxy 1, proxy 2. If they have patterns, user can also select Proxy by Patterns.

> Does this mean they will not apply at all, nor not get carried over between sessions?

Yes. If managed storage is set, any edit in the Options page is irrelevant. It won't save, so it won't do anything.

> I don't think that's a big issue, there's a policy available to DisableDeveloperTools

Then, it should work out.
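The behaviour agreed in the exchange above (policy read at start-up, policy wins when present, omitted options get defaults, Options-page edits are not saved, the popup offers only what the loaded settings provide), sketched as an added example. This is not FoxyProxy's code: the option names `mode`, `data`, `id` and `patterns` are hypothetical, and `fakeStorage` is a constructed stand-in for `browser.storage`.

```javascript
// Added illustration; not FoxyProxy source. Option names (mode, data, id,
// patterns) are hypothetical stand-ins for the extension's real schema.
const DEFAULTS = { mode: 'disable', data: [] };

// Pure precedence rule: a non-empty policy wins; options it omits get defaults.
function resolvePrefs(managed, local) {
  const hasPolicy = managed && Object.keys(managed).length > 0;
  return {
    managed: Boolean(hasPolicy),
    prefs: { ...DEFAULTS, ...(hasPolicy ? managed : local) },
  };
}

// Run at start-up and on every MV3 background reload.
// `storage` is shaped like browser.storage (managed and local areas).
async function loadPrefs(storage) {
  let managed = {};
  try {
    managed = await storage.managed.get();
  } catch {
    // No policy installed: the managed read can reject; fall through to local.
  }
  return resolvePrefs(managed, await storage.local.get());
}

// Options page: edits are dropped while a policy is in force.
async function savePrefs(storage, state, changes) {
  if (state.managed) return false;
  await storage.local.set(changes);
  return true;
}

// Popup: the user can only choose among what the loaded prefs provide.
function allowedModes(prefs) {
  const modes = ['disable', ...prefs.data.map((p) => p.id)];
  if (prefs.data.some((p) => (p.patterns || []).length > 0)) modes.push('pattern');
  return modes;
}

// Constructed stand-in for browser.storage so the sketch runs under Node.
function fakeStorage(managed, local = {}) {
  return {
    managed: { get: async () => { if (!managed) throw new Error('no policy'); return managed; } },
    local: { get: async () => local, set: async (c) => { Object.assign(local, c); } },
  };
}
```

Nothing in this sketch stops a user with Developer Tools from changing state in a privileged extension page, which is why the thread pairs the feature with the DisableDeveloperTools policy.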

erosman commented 10 months ago

Repo updated for beta testing the managed storage feature. Check Help: Enterprise Policy for more information.

z0id commented 10 months ago

Thanks! I'll be able to give it a go next week.

> Yes. If the policy provides 2 proxies, users can set disable, proxy 1, proxy 2. If they have patterns, user can also select Proxy by Patterns.

I just realized, the patterns are optional. The user can use proxy by patterns, not use proxy, or use proxy without patterns.

If I set a pattern to enable proxy only for addresses (actually IPs) in 10.1.2.*, the user can bypass that by selecting proxy1 instead.

Is there a way to enforce "Use proxy by pattern" and prevent the other options, proxy1, proxy2, etc and Proxy disabled? Or just between "Use proxy by pattern" and Disabled?

erosman commented 10 months ago

> If I set a pattern to enable proxy only for addresses (actually IPs) in 10.1.2.*, the user can bypass that by selecting proxy1 instead.

Pattern would set proxy only for those IPs. Proxy sets the proxy for all, including those IPs.

Therefore in both cases, 10.1.2.* will go through proxy. The difference is that other requests would also go through proxy if individual proxy is selected.

What is your end goal?

> Is there a way to enforce "Use proxy by pattern" and prevent the other options, proxy1, proxy2, etc and Proxy disabled? Or just between "Use proxy by pattern" and Disabled?

Not at the moment. I can implement it but that might only be useful for your use-case. It might not be a general use-case.

z0id commented 10 months ago

I will try arguing that it can be a general use-case:

Since this is a managed browser and user cannot change settings (related to proxy + patterns), it can be used as some kind of ACL.

If the user has a pattern that turns on the proxy only for addresses in the form of 10.1.2.*, he will only have access to that subnet, eventually only for HTTP or only for HTTPS, instead of every network/resource that exists behind the proxy.

I know this is kind of a hack and the best place to set restrictions is in the proxy server itself, but unfortunately not many proxy servers have this capability. In such cases, FoxyProxy is the next best place to set these, via patterns. It's only a matter of enforcing them.

erosman commented 10 months ago

Purpose

If the intention is to prevent users from making any changes at all, then the entire UI would become irrelevant. In that case, FoxyProxy Enterprise policy would be controlling every aspect of the network connection.

Is that the purpose?

Config

Please provide an example config that you wish to set.

Use Case

We need to get more feedback on various use cases.

z0id commented 10 months ago

> Purpose
>
> If the intention is to prevent users from making any changes at all, then the entire UI would become irrelevant. In that case, FoxyProxy Enterprise policy would be controlling every aspect of the network connection.
>
> Is that the purpose?

Yes,

But the GUI remaining but not saving was a good compromise. The only remaining available action for the user, which he should not have, is enabling/disabling the patterns. But no GUI at all is better.

> Config
>
> Please provide an example config that you wish to set.

Any preference on format?

Thanks!

erosman commented 10 months ago

> Any preference on format?

This is the format.

Check Help: Enterprise Policy for more information.

Update

erosman commented 9 months ago

v8.3 Added enterprise policy & managed storage feature (#42) (experimental)