RE: [squid-users] proxy.pac vs manual proxy + LiveLink

From: Gerard Eviston <geviston@dont-contact.us>
Date: Sat, 10 Aug 2002 19:19:17 +1000

Hi,

Thought I might chip in my 2c to this interesting thread.

> function FindProxyForURL(url, host)
> {
>     if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
>         dnsDomainIs(host, ".my.dom"))
>         return "DIRECT";
>     else
>         return "PROXY nnn.nnn.nnn.nn:3128;";
> }

Your proxy PAC looks fine to me, and HTTPS requests are reaching the
proxy as you note below.

BTW, contrary to one comment here, IE by default evaluates the PAC once
per host, not once per URL, and this may also be true for other browsers.
Not that it matters, since you don't need to specify a proxy for HTTPS;
it will be matched the same way as FTP or HTTP would be for this config.

>
> A user complained to me that they were unable to log in to
> a LiveLink server when they use the proxy.pac. HOWEVER, if
> they use the manual setting, point directly at the proxy server
> and port 3128, they can log in.
>

Client-side behavior _should_ be the same; this is where things get
hairy, but read on.

> I have verified this behavior with the above proxy.pac, and the
> manual setting.
>
> 1. Using proxy.pac (no worky) - there is a CONNECT message in
> access.log:
>
> 1028835421.884 338 nnn.nnn.nnn.nn TCP_MISS/200 922 CONNECT
> livelink.some.dom:443 - DIRECT/xxx.xxx.xxx.xxx -
>

It sounds like this is what you want though, clients are at least trying
to use Squid for HTTPS.

> 2. Using manual proxy config (which works!) - there is __No__
> message in access.log

If manual settings were using this instance of squid then there would
definitely be an entry in the access log. I know it sounds silly, but
check that the manual settings that work are indeed the same as those in
your PAC file.

>
> I'm thinking there is something in my config that I need to tweak,
> maybe an ACL or something?
>

I'd go out on a limb and guess that "never_direct allow CONNECT" is what
you're after, since you mention in a different reply that you have an
upstream virus scanning proxy. Like Jerry said, the scanner won't pick
up viruses in the data stream but, I'm guessing, the AV box is the only
one allowed to get directly out to the net?

> I don't want to include the whole config - but I don't know what would
> be relevant under these circumstances... If it would be helpful
> to provide the ACL settings, or whatever, let me know.
>
> Thanks,
>
> deb
>
> --
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> There are 10 types of people in the world:
> those that understand binary, and those that don't.
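The PAC logic quoted above, evaluated offline as an added example (my code, not deb's or Gerard's): the isInNet/dnsDomainIs helpers are re-implemented here only for testing, a constructed name table stands in for real DNS, and 192.0.2.10 is a placeholder for nnn.nnn.nnn.nn. It shows that HTTPS, HTTP and FTP URLs on the same host get the same answer, since this PAC only looks at the host, which is why per-host evaluation in IE is harmless here.

```javascript
// Added example, not code from the thread. Minimal offline harness for the
// quoted PAC function. PROXY_IP is a placeholder (TEST-NET-1 address).
const PROXY_IP = "192.0.2.10";

// Constructed name-to-address table used in place of real DNS resolution.
const FAKE_DNS = {
  "localhost": "127.0.0.1",
  "intranet.my.dom": "10.0.0.5",
  "livelink.some.dom": "203.0.113.7",
};

function dnsResolve(host) {
  return FAKE_DNS[host] || null;
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, oct) => (acc << 8) + parseInt(oct, 10), 0) >>> 0;
}

// isInNet(host, pattern, mask): true when host (resolved if needed) lies in pattern/mask.
function isInNet(host, pattern, mask) {
  const addr = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!addr) return false;
  const m = ipToInt(mask);
  return (ipToInt(addr) & m) === (ipToInt(pattern) & m);
}

// dnsDomainIs(host, domain): true when host ends with domain.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// The PAC function from the thread, with the placeholder proxy address.
function FindProxyForURL(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
      dnsDomainIs(host, ".my.dom"))
    return "DIRECT";
  else
    return "PROXY " + PROXY_IP + ":3128;";
}

// Evaluate a URL the way a browser would: extract the host, then call the PAC.
// Scheme (http, https, ftp) plays no part in the decision.
function proxyFor(url) {
  const host = new URL(url).hostname;
  return FindProxyForURL(url, host);
}
```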
Received on Sat Aug 10 2002 - 03:19:13 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:35 MST