[SOLVED] MultiLAN squid + proxy.pac for browsers + Chromium (doesn't work)

bellera · Apr 1, 2014, 7:42 AM

I started to using squid3 with pfSense.

I have 4 LAN with squid3 activated.

Browsers read a proxy.pac file that say were is the proxy for each LAN and same destinations not to use the proxy.

function FindProxyForURL(url, host) {
   if (shExpMatch(url,"*//aaaaaaa.*")) {return "DIRECT";}
   if (shExpMatch(url,"*.bbbbbbb.tld/*")) {return "DIRECT";}
   if (shExpMatch(url,"*.ccccccc.tld/*")) {return "DIRECT";}
   if (shExpMatch(url,"*.ddddddd.tld/*")) {return "DIRECT";}
   if (shExpMatch(url,"*.eeeeeee.tld/*")) {return "DIRECT";}
   if (shExpMatch(url,"*.fffffff.tld/*")) {return "DIRECT";}
   if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0")) {return "PROXY 192.168.0.1:3128";}
   if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) {return "PROXY 192.168.1.1:3128";}
   if (isInNet(myIpAddress(), "192.168.2.0", "255.255.255.0")) {return "PROXY 192.168.2.1:3128";}
   if (isInNet(myIpAddress(), "192.168.3.0", "255.255.255.0")) {return "PROXY 192.168.3.1:3128";}
   return "DIRECT";
}

Today I see that there is an important bug for Chrome browser.

I doesn't understand myIpAddress()

http://code.google.com/p/chromium/issues/detail?id=175652#c11

Any idea to solve this?

Tikimotel · Mar 31, 2014, 4:31 PM

Use "host = host.toLowerCase();" in combination with "dnsResolve(host)" as a replacement for "myIpAddress()".
Unfortunately I only have 1 LAN to worry about.

Here is my proxy.pac as an example:

function FindProxyForURL(url, host) {

  url = url.toLowerCase();
  host = host.toLowerCase();
  isHttp = (url.substring(0,5) == "http:");
  isHttps = (url.substring(0,6) == "https:")

	// If the requested website is hosted within the internal network, send direct.
    	if (isPlainHostName(host) ||
           shExpMatch(host, "*.home") ||
           shExpMatch(host, "*.local") ||
           isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
           isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
           isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
           isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
	{ return "DIRECT"; }

	// Forward non-http(s) and some hosts to forward proxy (or DIRECT)
	if((!isHttp && !isHttps) // Skip all non http(s)
	   || dnsDomainIs(host, "microsoft.com")
	   || dnsDomainIs(host, "windowsupdate.com")
	   || dnsDomainIs(host, "eset.com")
	   || dnsDomainIs(host, "mcafee.com") // McAfee
	   || dnsDomainIs(host, "siteadvisor.com") // McAfee
	   || dnsDomainIs(host, "hackerwatch.com") // McAfee
	   || dnsDomainIs(host, "hackerwatch.org") // McAfee
	   || dnsDomainIs(host, "avg.com")
	   || dnsDomainIs(host, "grisoft.cz")
	   || dnsDomainIs(host, "avgfree.com")
	   || dnsDomainIs(host, "avg.cz")
	   || dnsDomainIs(host, "symantecliveupdate.com")
	   || dnsDomainIs(host, "thawte.com"))
	{ return "DIRECT"; }

	if (isHttps)
	   // Skip HTTPS
	{ return "DIRECT"; }

	// Otherwise, go through our proxy or if it fails, through bypass
	return "PROXY 192.168.0.1:3128; DIRECT";
}

bellera · Mar 31, 2014, 6:39 PM

I'm sorry! I can use dnsResolve() on my networks. Many of the machines hasn't DNS local records.

There is a lot of http://en.wikipedia.org/wiki/Bring_your_own_device in my LANs.

http://en.wikipedia.org/wiki/Proxy_auto-config

The myIpAddress function has often been reported to give incorrect or unusable results, e.g. 127.0.0.1, the IP address of the localhost.

bellera · Apr 1, 2014, 7:43 AM

~~I think this is [SOLVED]. I will do more testing tomorrow!~~

Full tested! Working!

At root directory of my apache2 webserver:

cat .htaccess

Options +FollowSymLinks
RewriteEngine On

RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.
RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan0.pac [R=301,L]

RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.
RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan1.pac [R=301,L]

RewriteCond %{REMOTE_ADDR} ^192\.168\.2\.
RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan2.pac [R=301,L]

RewriteCond %{REMOTE_ADDR} ^192\.168\.3\.
RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan3.pac [R=301,L]

proxy.pac
wpad.dat (simlynk to proxy.pac)
wpad.da (simlynk to proxy.pac)
lan0.pac
lan1.pac
lan2.pac
lan3.pac

When browser ask for http://www.mydomain.tld/proxy.pac, http://www.mydomain.tld/wpad.dat or http://www.mydomain.tld/wpad.da the URL is rewrited in function of the LAN.

Or http://wpad.mydomain.tld/proxy.pac, http://wpad.mydomain.tld/wpad.dat or http://wpad.mydomain.tld/wpad.da …

Tikimotel · Apr 1, 2014, 4:26 PM

Tip:
https://calomel.org/proxy_auto_config.html

isInNet(host, pattern, mask)

isInNet(host, "192.168.249.79", "255.255.255.255")
    is true if the IP address of host matches exactly 192.168.249.79.
isInNet(host, "192.168.0.0", "255.255.0.0")
    is true if the IP address of the host matches 192.168.*.*.

Well it might work, but like you said you have hosts without local records…