search

foxyproxy / browser-extension

Version 8 and above. Browser extension source code for Firefox, Chrome, and other Chromium-based browsers
GNU General Public License v2.0
198 stars 29 forks source link

Unable to use Chrome enterprise policy to configure proxies #95

Closed chigley closed 6 months ago

chigley commented 6 months ago

Firstly, thank you so much for your efforts over so many years.

For a while now I've been using a script to generate FoxyProxy's LevelDB, allowing me to manage the configuration across multiple devices. I'm excited to see that version 8.3 brought in experimental support for enterprise policies, which should allow me to do this with JSON rather than a binary LevelDB.

I wanted to report that this isn't working as expected for me, and to ask whether I'm doing anything wrong.

I'm using v8.6, commit b7567458042d516f0587b92a6fd108bcadb60333.

My enterprise policy looks like this:

{
    "3rdparty": {
        "extensions": {
            "pageecmkhgoknhllhfojghkhddebkgcd": {
                "mode": "disable",
                "sync": false,
                "proxyDNS": true,
                "passthrough": "",
                "container": {
                    "incognito": "",
                    "container-1": "",
                    "container-2": "",
                    "container-3": "",
                    "container-4": ""
                },
                "commands": {
                    "setProxy": "",
                    "setTabProxy": "",
                    "quickAdd": ""
                },
                "data": [
                    {
                        "active": true,
                        "title": "Test",
                        "color": "#fa8072",
                        "type": "socks5",
                        "hostname": "test.example.com",
                        "port": "8080",
                        "username": "",
                        "password": "",
                        "cc": "",
                        "city": "",
                        "include": [],
                        "exclude": [],
                        "pac": "",
                        "pacString": ""
                    }
                ]
            }
        }
    }
}

I've tried the above in both a managed and a recommended policy, in Chrome.

Expected behaviour: FoxyProxy has a test.example.com proxy configured.

Actual behaviour: FoxyProxy has no proxies configured.

At chrome://policy I can see most of the policy as expected, but the data attribute is missing, I expect because Chrome thinks it doesn't match the schema.

image

My JSON was exported from the same version of FoxyProxy, so I would hope that it validates under the schema.

In other experiments of mine, I have managed to get the data attribute to show up in chrome://policy (unlike above). In these cases, however, the data property still hasn't actually taken effect. I have not yet managed to configure a proxy using this method.

I would appreciate any insight you can offer. Thanks again.

erosman commented 6 months ago

Sorry, that is probably due schema.json which was not updated after changes were made to the code. To make sure, please use the latest v8.7.

There is also an error in the Help: Chrome: /etc/opt/chrome/policies/managed/

I have managed to get the data attribute to show up in chrome://policy (unlike above)

If data doesn't come up, FoxyProxy wont process it.

chigley commented 6 months ago

Thanks for the reply!

I just tried with v8.7 (16a92140738a82dcd2b36a2d651130c5c36ee036) and am still experiencing similar issues.

To be extra safe, I started from scratch. I ran v8.7 with no config at all, added a test proxy, and exported the JSON config. This is the exact config that was exported, after I've wrapped the Chrome boilerplate around it:

{
    "3rdparty": {
        "extensions": {
            "pageecmkhgoknhllhfojghkhddebkgcd": {
                "mode": "disable",
                "sync": false,
                "autoBackup": false,
                "showPatternProxy": false,
                "passthrough": "",
                "container": {
                    "incognito": "",
                    "container-1": "",
                    "container-2": "",
                    "container-3": "",
                    "container-4": ""
                },
                "commands": {
                    "setProxy": "",
                    "setTabProxy": "",
                    "quickAdd": ""
                },
                "data": [
                    {
                        "active": true,
                        "title": "Test",
                        "type": "socks5",
                        "hostname": "test.example.com",
                        "port": "8080",
                        "username": "",
                        "password": "",
                        "cc": "",
                        "city": "",
                        "color": "#ff4500",
                        "pac": "",
                        "pacString": "",
                        "proxyDNS": true,
                        "include": [],
                        "exclude": []
                    }
                ]
            }
        }
    }
}

This time, the data attribute shows in chrome://policy, which is better than before:

image

But unfortunately the Test proxy from the JSON config is nowhere to be seen:

image

image

My expectation is that the Test proxy will be loaded in from the managed config and available for use, since it was there when I exported the config from v8.7 (and you can see it's there in the data attribute).

erosman commented 6 months ago

"pageecmkhgoknhllhfojghkhddebkgcd"

Does this ID match the FoxyProxy ID? Can you post a screenshot of the chrome://extensions/?

chigley commented 6 months ago

Yes, the extension ID is correct, at least in my environment. I see chrome-extension://pageecmkhgoknhllhfojghkhddebkgcd/content/options.html when navigating the options, for example.

I'm getting somewhere, though. I disabled all other extensions to clean up noise for your benefit, and the proxy magically appeared as expected once FoxyProxy was the only extension being loaded :smile: I'll dig into the clash myself at some point.

I now have a new problem: the "Test" proxy shows in the list, but I can't select it for use. I expect this is because of the mode: "disabled" in the managed policy as exported from FoxyProxy. I tried two workarounds for this:

  1. I tried setting my managed policy as recommended, rather than managed, which is Chrome's way of allowing users to override enterprise settings. After doing this, my FoxyProxy config shows as "recommended" in chrome://policy as expected, but FoxyProxy no longer seems to be loading it in - I'm back at the same symptoms as before. It's behaving as if it's only reading managed policy, but not recommended policy.
  2. I tried leaving the policy as managed, but removing mode from the JSON. In this case, the proxy still shows in the list as desired, but I'm still stuck on disabled and can't select another proxy.

What's the intended way of using this feature with multiple proxies, such that the selector can still be used to change the proxy mode?

In the long run I am hoping to be able to use the managed policy to set a default proxy, but with the user still able to manually choose a different one if they'd like. For now, however, just having the user be able to change away from disabled would be good start.

Perhaps I've jumped the gun on this feature, and need to go back to building the LevelDB for now. Thanks again for all your replies.

erosman commented 6 months ago

I now have a new problem: the "Test" proxy shows in the list, but I can't select it for use. I expect this is because of the mode: "disabled" in the managed policy as exported from FoxyProxy.

When an enterprise policy is in effect, users wont be able to change anything. The setting is what the policy has set. Since your policy has set"mode": "disable", it will stay as such. If you want a different mode, you have to set it in the policy.

In the long run I am hoping to be able to use the managed policy to set a default proxy, but with the user still able to manually choose a different one if they'd like.

That would conflict with https://github.com/foxyproxy/browser-extension/issues/42#issuecomment-1830407101

The managed Enterprise Policy is set to give control to the admin and thus remove the control from the user.

A set in the managed folder that is required and is mandated by an admin. Make sure that these files are not writable and, therefore, cannot be overridden by non-admin users.

chigley commented 6 months ago

I have the same problem even if my policy doesn't contain "mode": "disable" (as per case 2 in https://github.com/foxyproxy/browser-extension/issues/95#issuecomment-1859139694).

It sounds like this feature isn't helpful for my purposes and I'll have to continue using my script to achieve the same (by building a LevelDB containing my proxy set).

To my mind, it'd make sense if the FoxyProxy settings were immutable if in managed/, but user-editable if in recommended/. That's how most other stuff works, in my experience.

Thanks anyway for your help! I'll close this now.

erosman commented 6 months ago

To my mind, it'd make sense if the FoxyProxy settings were immutable if in managed/, but user-editable if in recommended/. That's how most other stuff works, in my experience.

The manged has been implemented in FoxyProxy. The recommended hasn't been implemented but it can be looked into as a feature request, subject to reasonable demand.