Re: [squid-users] Squid + WPAD issues

From: <Markus.Rietzler@dont-contact.us>
Date: Mon, 11 Jun 2007 11:03:05 +0200

thanks for your answer. pac-files - when created via CGI - offer more flexibility than the "hard-coded" stuff in the browser's proxy dialog.
i also know that with pac-files you can choose different proxies - something we do at the moment at our subsidiaries' proxy, which then forwards the request to one of our main proxies (internet, intranet, extranet, misc).
my question was regarding some user exceptions. a combination of proxy-pac and "browser-settings" is not possible - at least not with IE. so if we want to support user exceptions then it could only be done if these settings were also provided by the cgi-generated pac-file, right?

markus

>-----Original Message-----
>From: K K [mailto:kkadow@gmail.com]
>Sent: Friday, 8 June 2007 19:58
>To: Rietzler, Markus (Firma Rietzler Software / RZF)
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid + WPAD issues
>
>On 6/8/07, Markus.Rietzler@rzf.fin-nrw.de
><Markus.Rietzler@rzf.fin-nrw.de> wrote:
>> what about proxy exceptions?
>
>Glad you asked :)
>
>> a few tests with proxy.pac - the simple form of wpad (wpad only defines
>> how to find the proxy.pac-file, right?) - showed that settings in the
>> "proxy exceptions" - sites which should be fetched direct without proxy -
>> are ignored. you have to provide those sites via proxy.pac file.
>> settings in the browser dialogs are ignored. so could some users
>> define additional exceptions?
>> i also thought about letting a script generate the proxy.pac based on
>> client ip or location in our subsidiaries. but with this "proxy
>> exceptions" are ignored and this is - at the moment - a problem.
>
>PAC supports infinitely greater flexibility for exceptions than the
>browsers' "exceptions" dialog. It can instruct the browser to go
>DIRECT, to use a different PROXY for certain sites (there are caveats
>with this last feature under MSIE), etc.
>
>Our proxy.pac, after being post-processed by the server-side CGI
>(which removes comments and extraneous whitespace, then substitutes in
>the right proxy IP based on the client's network), is 16KB, several
>hundred lines, mostly to deal with exceptions and to try to minimize
>the number of DNS lookups performed by the browser.
>
>
>Here's a paraphrased version of my PAC, I've added some comments to
>explain the logic:
>
>
>function FindProxyForURL(url, host)
>{
>var host_addr = null;
>
>// This weird comment block addresses a Java WebStart (JWS) bug.
>/* if(0) {
> return "PROXY placeholder.broken.client";
>} */
>
>
>// Intranet sites, equivalent to "exceptions" in a non-PAC browser:
>if (dnsDomainIs(host,".intranet.corp")
>|| shExpMatch(host, "172.16.*") || shExpMatch(host, "172.17.*")
>|| shExpMatch(host, "192.168.?.*") )
>{
> return "DIRECT";
>}
>
>
>// These sites don't like being cached, so use a non-caching proxy
>if (dnsDomainIs(host, "drudgereport.com")
>|| dnsDomainIs(host, "whatismyip.com")
>|| dnsDomainIs(host, "wunderground.com") )
>{
> return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
>}
>
>
>// Evil domains, user trying to go here gets what they deserve.
>if (dnsDomainIs(host, ".hotbar.com") ||
>dnsDomainIs(host, ".gator.com") ||
>dnsDomainIs(host, "poll.gotomypc.com") ||
>dnsDomainIs(host, "top10sites.com") )
>{
> return "PROXY 127.0.0.1:445 ; PROXY 10.255.255.255:7; DIRECT";
>}
>
>
>// We know these are always Internet, so any site in these domains we
>// assume we use Squid (unless it's SSL).
>if (dnsDomainIs(host, ".com")
>|| dnsDomainIs(host, ".net")
>|| dnsDomainIs(host, ".org")
>|| dnsDomainIs(host, ".edu")
>|| dnsDomainIs(host, ".gov")
>|| dnsDomainIs(host, ".biz")
>|| dnsDomainIs(host, ".mil")
>|| dnsDomainIs(host, ".pro")
>|| dnsDomainIs(host, ".int")
>|| dnsDomainIs(host, ".aero")
>|| dnsDomainIs(host, ".info")
>|| dnsDomainIs(host, ".name")
>|| dnsDomainIs(host, ".coop")
>|| dnsDomainIs(host, ".museum")
>|| dnsDomainIs(host, ".us")
>|| dnsDomainIs(host, ".tv") )
>{
> // We can't cache SSL, so use a non-caching proxy
> if (url.substring(0, 6) == "https:") {
> return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
> }
> return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
>}
>
>
>// BTW, in my production PAC, we repeat the above exception list for
>// a total of 170+ .CC TLDs as well, all to avoid falling through to
>// this next block below:
>
>
>// No matches above, so now we consult DNS.
>host_addr = dnsResolve(host);
>if (host_addr == false || host_addr == "")
>{
> host_addr = null;
>}
>
>
>// Same exceptions as previously, but these are matching the resolved IP.
>// dnsResolve() yields null when the name does not resolve, so skip the
>// IP checks in that case instead of passing null to shExpMatch().
>if (host_addr != null
>&& (shExpMatch(host_addr, "172.16.*") || shExpMatch(host_addr, "172.17.*")
>|| shExpMatch(host_addr, "192.168.*")) )
>{
> return "DIRECT";
>}
>
>
>//
>// Nothing matched, here are the fall-backs.
>//
>
>
>// We can't cache SSL, so use a non-caching proxy
>if (url.substring(0, 6) == "https:") {
> return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
>}
>
>return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
>}
>///EOF///
>
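Added example, not code from either mail in this thread: a small JavaScript harness that implements the PAC helpers used above (shExpMatch, dnsDomainIs, and a table-backed stand-in for dnsResolve) and builds a FindProxyForURL that merges a per-client exception list, the way a CGI generator could carry the "user exceptions" Markus asks about, into the fixed intranet and SSL rules, so the resulting policy can be checked offline before it is served. The hostnames, proxy addresses and DNS table are constructed for illustration.

```javascript
// Glob matcher with the semantics of the PAC shExpMatch(): '*' and '?' wildcards.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// dnsDomainIs(): suffix match, exactly like the PAC built-in.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Constructed stand-in for dnsResolve(): a fixed table instead of real DNS,
// returning null for unknown names just as a failed lookup would.
const FAKE_DNS = { "printer.local": "172.16.9.10", "wiki.example": "203.0.113.8" };
function dnsResolve(host) { return FAKE_DNS[host] || null; }

// Build the function a CGI would emit. userExceptions is the per-client list a
// browser "exceptions" dialog would otherwise have held (hypothetical input);
// cacheProxy / noCacheProxy are the Squid and non-caching proxies to hand out.
function buildPac(userExceptions, cacheProxy, noCacheProxy) {
  return function FindProxyForURL(url, host) {
    // 1. per-user exceptions go DIRECT, merged with the fixed intranet rules
    for (const pattern of userExceptions) {
      if (shExpMatch(host, pattern)) return "DIRECT";
    }
    if (dnsDomainIs(host, ".intranet.corp") || shExpMatch(host, "172.16.*")
        || shExpMatch(host, "192.168.?.*")) return "DIRECT";
    // 2. only hosts nothing above matched cost a DNS lookup
    const addr = dnsResolve(host);
    if (addr !== null && (shExpMatch(addr, "172.16.*") || shExpMatch(addr, "192.168.*")))
      return "DIRECT";
    // 3. SSL cannot be cached, so it goes to the non-caching proxy
    if (url.substring(0, 6) === "https:") return "PROXY " + noCacheProxy;
    return "PROXY " + cacheProxy;
  };
}

// Sample policy for one client: two extra exceptions on top of the fixed rules.
const samplePac = buildPac(["*.partner.example", "10.9.*"], "10.7.7.5:3128", "10.192.28.3:80");
```

Evaluating samplePac against a handful of URLs (a partner host, an intranet printer that only matches by resolved IP, an https site and a plain Internet site) shows which branch each one takes without touching a browser.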
Received on Mon Jun 11 2007 - 03:03:35 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT