Re: [squid-users] Squid + WPAD issues
Mon 2007-06-11 at 11:03 +0200, [EMAIL PROTECTED] wrote:
> my question was regarding some user exceptions. a combination of
> proxy-pac and "browser-settings" is not possible - at least not with
> IE. so if we want to support user exceptions then it could only be
> done if these settings also were provided by the cgi-generated
> pac-file, right?

Yes. Or if you could convince the makers of IE that combining the two is the right thing.

Regards
Henrik
Re: [squid-users] Squid + WPAD issues
On 6/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> my question was regarding some user exceptions. a combination of
> proxy-pac and "browser-settings" is not possible - at least not with
> IE.

Correct. That is not possible. When a browser is configured to use a Proxy script (via WPAD or specified as a PAC url), the browser ignores locally configured proxy and proxy exceptions.

> so if we want to support user exceptions then it could only be done
> if these settings also were provided by the cgi-generated pac-file,
> right?

Yes, exactly. I am not aware of any web browser which will mix local settings and PAC.

Getting back to Squid, one earlier question was whether squid could tell the client "don't use me as a proxy to access this, you need to go direct". While that isn't directly technically possible (as HTTP doesn't offer such a feature), what you can do is make sure that all clients know (via PAC or via exception lists) that any *.intranet URL must always be accessed directly, and configure Squid and an external helper so when a client tries to use Squid to access internal resource "foo", the client receives a redirect telling it to go to the appropriate foo.intranet URL.

You'd also need to put in an explicit DENY policy for "*.intranet" URLs to avoid forwarding loops.

Kevin
Re: [squid-users] Squid + WPAD issues
Thanks for your answer.

pac-files - when created via CGI - offer more flexibility than the "hard-coded" stuff in the browser's proxy dialog. I also know that with pac-files you can choose different proxies - something we do at the moment at our subsidiaries' proxy, which then forwards the request to one of our main proxies (internet, intranet, extranet, misc).

My question was regarding some user exceptions. A combination of proxy-pac and "browser-settings" is not possible - at least not with IE. So if we want to support user exceptions then it could only be done if these settings also were provided by the cgi-generated pac-file, right?

markus

>-----Original Message-----
>From: K K [mailto:[EMAIL PROTECTED]
>Sent: Friday, 8 June 2007 19:58
>To: Rietzler, Markus (Firma Rietzler Software / RZF)
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid + WPAD issues
>
>On 6/8/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> what about proxy exceptions?
>
>Glad you asked :)
>
>> a few tests with proxy.pac - the simple form of wpad (wpad only defines
>> how to find the proxy.pac-file, right?) - showed, that settings in the
>> "proxy exceptions" - sites which should be fetched direct without proxy -
>> are ignored. you have to provide those sites via proxy.pac file.
>> settings in the browser dialogs are ignored. so could some users
>> define additional exceptions?
>> i also thought about letting a script generate the proxy.pac based on
>> client ip or location in our subsidiaries. but with this "proxy
>> exceptions" are ignored and this is - at the moment - a problem.
>
>PAC supports infinitely greater flexibility for exceptions than the
>browsers' "exceptions" dialog. It can instruct the browser to go
>DIRECT, to use a different PROXY for certain sites (there are caveats
>with this last feature under MSIE), etc.
Re: [squid-users] Squid + WPAD issues
On 6/8/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> what about proxy exceptions?

Glad you asked :)

> a few tests with proxy.pac - the simple form of wpad (wpad only defines
> how to find the proxy.pac-file, right?) - showed, that settings in the
> "proxy exceptions" - sites which should be fetched direct without proxy -
> are ignored. you have to provide those sites via proxy.pac file.
> settings in the browser dialogs are ignored. so could some users
> define additional exceptions?
> i also thought about letting a script generate the proxy.pac based on
> client ip or location in our subsidiaries. but with this "proxy
> exceptions" are ignored and this is - at the moment - a problem.

PAC supports infinitely greater flexibility for exceptions than the browsers' "exceptions" dialog. It can instruct the browser to go DIRECT, to use a different PROXY for certain sites (there are caveats with this last feature under MSIE), etc.

Our proxy.pac, after being post-processed by the server-side CGI (which removes comments and extraneous whitespace, then substitutes in the right proxy IP based on the client's network), is 16KB, several hundred lines, mostly to deal with exceptions and to try to minimize the number of DNS lookups performed by the browser.

Here's a paraphrased version of my PAC, I've added some comments to explain the logic:

function FindProxyForURL(url, host)
{
    var host_addr = null;

    // This weird comment block addresses a Java WebStart (JWS) bug.
    /* if(0) {
        return "PROXY placeholder.broken.client";
    } */

    // Intranet sites, equivalent to "exceptions" in a non-PAC browser:
    if (dnsDomainIs(host, ".intranet.corp")
        || shExpMatch(host, "172.16.*") || shExpMatch(host, "172.17.*")
        || shExpMatch(host, "192.168.?.*") )
    {
        return "DIRECT";
    }

    // These sites don't like being cached, so use a non-caching proxy.
    // (The PROXY keyword belongs inside the returned string; a bare
    // PROXY "..." is a JavaScript syntax error.)
    if (dnsDomainIs(host, "drudgereport.com")
        || dnsDomainIs(host, "whatismyip.com")
        || dnsDomainIs(host, "wunderground.com") )
    {
        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
    }

    // Evil domains, user trying to go here gets what they deserve.
    if (dnsDomainIs(host, ".hotbar.com") ||
        dnsDomainIs(host, ".gator.com") ||
        dnsDomainIs(host, "poll.gotomypc.com") ||
        dnsDomainIs(host, "top10sites.com") )
    {
        return "PROXY 127.0.0.1:445 ; PROXY 10.255.255.255:7; DIRECT";
    }

    // We know these are always Internet, so any site in these domains we
    // assume we use Squid (unless it's SSL).
    if (dnsDomainIs(host, ".com")
        || dnsDomainIs(host, ".net")
        || dnsDomainIs(host, ".org")
        || dnsDomainIs(host, ".edu")
        || dnsDomainIs(host, ".gov")
        || dnsDomainIs(host, ".biz")
        || dnsDomainIs(host, ".mil")
        || dnsDomainIs(host, ".pro")
        || dnsDomainIs(host, ".int")
        || dnsDomainIs(host, ".aero")
        || dnsDomainIs(host, ".info")
        || dnsDomainIs(host, ".name")
        || dnsDomainIs(host, ".coop")
        || dnsDomainIs(host, ".museum")
        || dnsDomainIs(host, ".us")
        || dnsDomainIs(host, ".tv") )
    {
        // We can't cache SSL, so use a non-caching proxy
        if (url.substring(0, 6) == "https:") {
            return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
        }
        return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
    }

    // BTW, in my production PAC, we repeat the above exception list for
    // a total of 170+ .CC TLDs as well, all to avoid falling through to
    // this next block below:

    // No matches above, so now we consult DNS.
    host_addr = dnsResolve(host);
    if (host_addr == false || host_addr == "")
    {
        host_addr = null;
    }

    // Same exceptions as previously, but these are matching the resolved IP.
    // (Skipped when resolution failed, so shExpMatch never sees null.)
    if (host_addr != null
        && (shExpMatch(host_addr, "172.16.*") || shExpMatch(host_addr, "172.17.*")
            || shExpMatch(host_addr, "192.168.*")) )
    {
        return "DIRECT";
    }

    //
    // Nothing matched, here are the fall-backs.
    //

    // We can't cache SSL, so use a non-caching proxy
    if (url.substring(0, 6) == "https:") {
        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
    }

    return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
}
///EOF///
Re: [squid-users] Squid + WPAD issues
Tue 2007-06-05 at 11:39 -0400, Terry Dobbs wrote:
> Hi All,
>
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need to
> configure the WPAD.dat file in a way where if you are on subnet A use
> Proxy Server A and if you are on subnet B use proxy server B.

Trivial, and a fairly standard application of PAC files..

http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#myIpAddress
http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#isInNet

Regards
Henrik
RE: [squid-users] Squid + WPAD issues
Yes, you're right. I need the myIpAddress(), however like you said it doesn't always work as desired. I also read somewhere that not all browsers support that particular function.

Right now that's what I'm using (in theory I really don't care what proxy they use as they can authenticate to either, but it makes logical and geographical sense to distinguish between the two), but your idea seems pretty cool. What exactly do you do though? What kind of script do you point them to, is it the .pac java script? (any way we can see a sample?). I'm assuming you do it in the "Automatic Configuration Script" field in Internet Explorer, or do you still use the WPAD.dat file?

Thanks for any input.

-----Original Message-----
From: K K [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 4:30 AM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid + WPAD issues

On 6/5/07, Terry Dobbs <[EMAIL PROTECTED]> wrote:
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need
> to configure the WPAD.dat file in a way where if you are on subnet A
> use Proxy Server A and if you are on subnet B use proxy server B.

In my environment, I've solved this by having a single proxy script and setting all browsers to use the same URL, but the server where the file is hosted actually generates the contents on the fly. This way the script can be customized by the server in ways not supported in the client, including providing a different default proxy server/port to different clients.

The other reason I do this is to eliminate 99.9% of the DNS lookups by the client -- in theory, we could disable Internet resolution by internal workstations (we've done this once or twice, mostly by accident) and so long as the proxy server was able to resolve, browsers would never notice.

> For the life of me, I cannot get this to work. For example, I am using
> what is seen below, and it seems the only line that works is the "else"
> statement so everyone is using the same server?

Where you say:

    if (isInNet(host,"192.168.0.0","255.255.0.0"))

I think you meant:

    if (isInNet(myIpAddress(),"192.168.0.0","255.255.0.0"))

While myIpAddress() is documented in the original Netscape specification, it doesn't have provisions for hosts with multiple interfaces. In the past I've seen false negatives, where the above test returns false when it really should have been true. That's one reason we instead have the web server hosting the script look at REMOTE_ADDR instead.

Kevin
--
http://wiki.squid-cache.org/Technology/WPAD
^Watch this space^
Re: [squid-users] Squid + WPAD issues
On 6/5/07, Terry Dobbs <[EMAIL PROTECTED]> wrote:
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need
> to configure the WPAD.dat file in a way where if you are on subnet A
> use Proxy Server A and if you are on subnet B use proxy server B.

In my environment, I've solved this by having a single proxy script and setting all browsers to use the same URL, but the server where the file is hosted actually generates the contents on the fly. This way the script can be customized by the server in ways not supported in the client, including providing a different default proxy server/port to different clients.

The other reason I do this is to eliminate 99.9% of the DNS lookups by the client -- in theory, we could disable Internet resolution by internal workstations (we've done this once or twice, mostly by accident) and so long as the proxy server was able to resolve, browsers would never notice.

> For the life of me, I cannot get this to work. For example, I am using
> what is seen below, and it seems the only line that works is the "else"
> statement so everyone is using the same server?

Where you say:

    if (isInNet(host,"192.168.0.0","255.255.0.0"))

I think you meant:

    if (isInNet(myIpAddress(),"192.168.0.0","255.255.0.0"))

While myIpAddress() is documented in the original Netscape specification, it doesn't have provisions for hosts with multiple interfaces. In the past I've seen false negatives, where the above test returns false when it really should have been true. That's one reason we instead have the web server hosting the script look at REMOTE_ADDR instead.

Kevin
--
http://wiki.squid-cache.org/Technology/WPAD
^Watch this space^
RE: [squid-users] Squid + WPAD issues
Hi Terry

isInNet refers to the network that the host is on, so where you have

    if (isInNet(host,"192.168.0.0","255.255.0.0"))
        return "PROXY 192.168.10.14:3128";

if they are GOING to a www host that is at 192.168.1.1 then it will use the proxy 192.168.10.14:3128. This option does not refer to the client's options.

You could try using a DHCP option for each subnet which allows you to specify the proxy.pac -> symlink to wpad.dat file to use:

Add option 252 to Predefined options

Detect proxy server using DHCPINFORM (Option 2)
The DHCP server can send a DHCPINFORM message and then the client can get the javascript URL. The DHCP server should support DHCPINFORM. Windows 2000 Server/Windows .NET Server support it.

1. Open the DHCP window, right click the host name and select "Set Predefined Options...".
2. Click the "Add" button at the "Predefined Option and Values" window, and then type as below. You can give any name, but the data type and Code should be "String" and "252".
3. Add "AUTO-PROXY-CONFIG" to each scope's options; the value should point to your proxy.pac file (make a link to wpad.dat or copy the same file to proxy.pac).

http://www.grape-info.com/doc/win2000srv/internet-gw/wpad/

Hope this helps

Thanks
Andrew Loughnan
Computer Services Manager
St Joseph's College Geelong
135 Aphrasia Street Newtown Vic 3220
T +61 3 5226 8165, F +61 3 5221 6983, E [EMAIL PROTECTED]
www.sjc.vic.edu.au

-----Original Message-----
From: Terry Dobbs [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 6 June 2007 1:40 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid + WPAD issues

Hi All,

We have been using a proxy server with a WPAD.dat file for a year or two. Now, we have setup another squid server in a remote site. I need to configure the WPAD.dat file in a way where if you are on subnet A use Proxy Server A and if you are on subnet B use proxy server B.

For the life of me, I cannot get this to work. For example, I am using what is seen below, and it seems the only line that works is the "else" statement so everyone is using the same server?

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host))
        return "DIRECT";
    else if (isInNet(host,"192.168.0.0","255.255.0.0"))
        return "PROXY 192.168.10.14:3128";
    else if (isInNet(host,"192.150.170.0","255.255.255.0"))
        return "PROXY 192.150.170.120:3128";
    else
        return "PROXY 192.150.170.120:3128";
}

Any help would be GREATLY appreciated!! All machines run IE 6 or 7 and are on Win2K/WinXP.

Thanks