[SOLVED] MultiLAN squid + proxy.pac for browsers + Chromium (doesn't work)

  • I started using squid3 with pfSense.

    I have 4 LANs with squid3 activated.

    Browsers read a proxy.pac file that says where the proxy is for each LAN and some destinations not to use the proxy.

    function FindProxyForURL(url, host) {
       if (shExpMatch(url,"*//aaaaaaa.*")) {return "DIRECT";}
       if (shExpMatch(url,"*.bbbbbbb.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.ccccccc.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.ddddddd.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.eeeeeee.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.fffffff.tld/*")) {return "DIRECT";}
       if (isInNet(myIpAddress(), "", "")) {return "PROXY";}
       if (isInNet(myIpAddress(), "", "")) {return "PROXY";}
       if (isInNet(myIpAddress(), "", "")) {return "PROXY";}
       if (isInNet(myIpAddress(), "", "")) {return "PROXY";}
       return "DIRECT";
    }

    Today I see that there is an important bug in the Chrome browser.

    It doesn't understand myIpAddress()


    Any idea to solve this?

  • Use "host = host.toLowerCase();" in combination with "dnsResolve(host)" as a replacement for "myIpAddress()".
    Unfortunately I only have 1 LAN to worry about.

    Here is my proxy.pac as an example:

    function FindProxyForURL(url, host) {
        url = url.toLowerCase();
        host = host.toLowerCase();
        var isHttp = (url.substring(0,5) == "http:");
        var isHttps = (url.substring(0,6) == "https:");
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.home") ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "", "") ||
            isInNet(dnsResolve(host), "", "") ||
            isInNet(dnsResolve(host), "", "") ||
            isInNet(dnsResolve(host), "", ""))
        { return "DIRECT"; }
        // Forward non-http(s) and some hosts to forward proxy (or DIRECT)
        if ((!isHttp && !isHttps) // Skip all non http(s)
            || dnsDomainIs(host, "microsoft.com")
            || dnsDomainIs(host, "windowsupdate.com")
            || dnsDomainIs(host, "eset.com")
            || dnsDomainIs(host, "mcafee.com") // McAfee
            || dnsDomainIs(host, "siteadvisor.com") // McAfee
            || dnsDomainIs(host, "hackerwatch.com") // McAfee
            || dnsDomainIs(host, "hackerwatch.org") // McAfee
            || dnsDomainIs(host, "avg.com")
            || dnsDomainIs(host, "grisoft.cz")
            || dnsDomainIs(host, "avgfree.com")
            || dnsDomainIs(host, "avg.cz")
            || dnsDomainIs(host, "symantecliveupdate.com")
            || dnsDomainIs(host, "thawte.com"))
        { return "DIRECT"; }
        // Skip HTTPS
        if (isHttps)
        { return "DIRECT"; }
        // Otherwise, go through our proxy or if it fails, through bypass
        return "PROXY; DIRECT";
    }
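
Both PAC files above can only be exercised inside a browser, and the thread shows why that is painful (Chrome's myIpAddress() result). The following is an added example, not code from either poster: an offline harness with re-implementations of the PAC helpers used in the thread (shExpMatch, isInNet, dnsDomainIs, isPlainHostName) and a per-LAN FindProxyForURL in the style of the first post, where the client address is passed in explicitly so each LAN's rule can be unit-tested before the file is deployed. The LAN table, the proxy names and the bypass domains are constructed placeholders.

```javascript
// Added example (not from the thread): offline harness for per-LAN PAC logic.
// Minimal re-implementations of the PAC helper functions used in the posts above.
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ip2int(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, pattern, mask) {
  return (ip2int(ip) & ip2int(mask)) === (ip2int(pattern) & ip2int(mask));
}
function dnsDomainIs(host, domain) {
  // True when host is domain itself or ends with it (same check as in the PAC spec).
  return host.length >= domain.length && host.endsWith(domain);
}
function isPlainHostName(host) { return !host.includes("."); }

// Constructed LAN table standing in for the blank values in the original posts.
const LANS = [
  { net: "192.168.0.0", mask: "255.255.255.0", proxy: "PROXY 192.168.0.1:3128" },
  { net: "192.168.1.0", mask: "255.255.255.0", proxy: "PROXY 192.168.1.1:3128" },
];

// Same ordering as the first post: bypass rules first, then one PROXY rule per LAN.
// myIp is passed in instead of calling myIpAddress(), so the logic is testable offline.
function findProxyForURL(url, host, myIp) {
  url = url.toLowerCase();
  host = host.toLowerCase();
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) return "DIRECT";
  if (shExpMatch(url, "*//aaaaaaa.*")) return "DIRECT";     // pattern from the first post
  if (dnsDomainIs(host, "bbbbbbb.tld")) return "DIRECT";    // constructed bypass domain
  for (const lan of LANS) {
    // Fall back to DIRECT if this LAN's squid is unreachable, as the second post does.
    if (isInNet(myIp, lan.net, lan.mask)) return lan.proxy + "; DIRECT";
  }
  return "DIRECT"; // client not in any known LAN
}
```

Running the same table of (url, host, client address) triples through this harness after every edit catches ordering mistakes, such as a LAN rule placed before a bypass rule, without a browser in the loop.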

  • I'm sorry! I can use dnsResolve() on my networks. Many of the machines don't have local DNS records.

    There are a lot of http://en.wikipedia.org/wiki/Bring_your_own_device in my LANs.


    The myIpAddress function has often been reported to give incorrect or unusable results, e.g., the IP address of the localhost.

  • I think this is [SOLVED]. I will do more testing tomorrow!

    Fully tested! Working!

    At the root directory of my apache2 webserver:

    cat .htaccess
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan0.pac [R=301,L]
    RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan1.pac [R=301,L]
    RewriteCond %{REMOTE_ADDR} ^192\.168\.2\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan2.pac [R=301,L]
    RewriteCond %{REMOTE_ADDR} ^192\.168\.3\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan3.pac [R=301,L]

    wpad.dat (symlink to proxy.pac)
    wpad.da (symlink to proxy.pac)

    When the browser asks for http://www.mydomain.tld/proxy.pac, http://www.mydomain.tld/wpad.dat or http://www.mydomain.tld/wpad.da, the URL is rewritten according to the LAN.

    Or http://wpad.mydomain.tld/proxy.pac, http://wpad.mydomain.tld/wpad.dat or http://wpad.mydomain.tld/wpad.da

  • Tip:

    isInNet(host, pattern, mask)

    isInNet(host, "", "")
        is true if the IP address of host matches exactly
    isInNet(host, "", "")
        is true if the IP address of the host matches 192.168.*.*.

    Well it might work, but like you said you have hosts without local records…
