[SOLVED] MultiLAN squid + proxy.pac for browsers + Chromium (doesn't work)



  • I started using squid3 with pfSense.

    I have 4 LANs with squid3 activated.

    Browsers read a proxy.pac file that says where the proxy is for each LAN and some destinations not to use the proxy.

    function FindProxyForURL(url, host) {
       if (shExpMatch(url,"*//aaaaaaa.*")) {return "DIRECT";}
       if (shExpMatch(url,"*.bbbbbbb.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.ccccccc.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.ddddddd.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.eeeeeee.tld/*")) {return "DIRECT";}
       if (shExpMatch(url,"*.fffffff.tld/*")) {return "DIRECT";}
       if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0")) {return "PROXY 192.168.0.1:3128";}
       if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) {return "PROXY 192.168.1.1:3128";}
       if (isInNet(myIpAddress(), "192.168.2.0", "255.255.255.0")) {return "PROXY 192.168.2.1:3128";}
       if (isInNet(myIpAddress(), "192.168.3.0", "255.255.255.0")) {return "PROXY 192.168.3.1:3128";}
       return "DIRECT";
    }
    

    Today I see that there is an important bug for Chrome browser.

    It doesn't understand myIpAddress()

    http://code.google.com/p/chromium/issues/detail?id=175652#c11

    Any idea to solve this?



  • Use "host = host.toLowerCase();" in combination with "dnsResolve(host)" as a replacement for "myIpAddress()".
    Unfortunately I only have 1 LAN to worry about.

    Here is my proxy.pac as an example:

    function FindProxyForURL(url, host) {
    
      // Normalise case so the scheme and host comparisons below are case-insensitive.
      url = url.toLowerCase();
      host = host.toLowerCase();
      var isHttp = (url.substring(0,5) == "http:");
      var isHttps = (url.substring(0,6) == "https:");
    
      // If the requested website is hosted within the internal network, send direct.
      if (isPlainHostName(host) ||
          shExpMatch(host, "*.home") ||
          shExpMatch(host, "*.local") ||
          isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
          isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
          isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
          isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
      { return "DIRECT"; }
    
      // Forward non-http(s) and some hosts to forward proxy (or DIRECT)
      if ((!isHttp && !isHttps) // Skip all non http(s)
          || dnsDomainIs(host, "microsoft.com")
          || dnsDomainIs(host, "windowsupdate.com")
          || dnsDomainIs(host, "eset.com")
          || dnsDomainIs(host, "mcafee.com") // McAfee
          || dnsDomainIs(host, "siteadvisor.com") // McAfee
          || dnsDomainIs(host, "hackerwatch.com") // McAfee
          || dnsDomainIs(host, "hackerwatch.org") // McAfee
          || dnsDomainIs(host, "avg.com")
          || dnsDomainIs(host, "grisoft.cz")
          || dnsDomainIs(host, "avgfree.com")
          || dnsDomainIs(host, "avg.cz")
          || dnsDomainIs(host, "symantecliveupdate.com")
          || dnsDomainIs(host, "thawte.com"))
      { return "DIRECT"; }
    
      // Skip HTTPS
      if (isHttps)
      { return "DIRECT"; }
    
      // Otherwise, go through our proxy or if it fails, through bypass
      return "PROXY 192.168.0.1:3128; DIRECT";
    }
    


  • I'm sorry! I can use dnsResolve() on my networks. Many of the machines don't have local DNS records.

    There is a lot of http://en.wikipedia.org/wiki/Bring_your_own_device in my LANs.

    http://en.wikipedia.org/wiki/Proxy_auto-config

    The myIpAddress function has often been reported to give incorrect or unusable results, e.g. 127.0.0.1, the IP address of the localhost.



  • I think this is [SOLVED]. I will do more testing tomorrow!

    Fully tested! Working!

    At the root directory of my apache2 webserver:

    cat .htaccess
    
    Options +FollowSymLinks
    RewriteEngine On
    
    RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan0.pac [R=301,L]
    
    RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan1.pac [R=301,L]
    
    RewriteCond %{REMOTE_ADDR} ^192\.168\.2\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan2.pac [R=301,L]
    
    RewriteCond %{REMOTE_ADDR} ^192\.168\.3\.
    RewriteRule (proxy\.pac|wpad\.dat|wpad\.da)$ http://www.mydomain.tld/lan3.pac [R=301,L]
    

    proxy.pac
    wpad.dat (symlink to proxy.pac)
    wpad.da (symlink to proxy.pac)
    lan0.pac
    lan1.pac
    lan2.pac
    lan3.pac

    When the browser asks for http://www.mydomain.tld/proxy.pac, http://www.mydomain.tld/wpad.dat or http://www.mydomain.tld/wpad.da, the URL is rewritten depending on the LAN.

    Or http://wpad.mydomain.tld/proxy.pac, http://wpad.mydomain.tld/wpad.dat or http://wpad.mydomain.tld/wpad.da
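
An added example, not part of any post in this thread and not the posters' code: a Node.js check showing that the original proxy.pac falls through to DIRECT when myIpAddress() reports 127.0.0.1, while a per-LAN file chosen from the address the web server sees does not depend on that call. The shExpMatch/isInNet stand-ins, the contents of the lanN.pac files, and the helper names lanPac, pacForClient and evalPac are assumptions for illustration.

```javascript
// Simplified stand-ins for the PAC helpers a browser provides (assumption).
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
const toInt = ip => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(ip, net, mask) {
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// The thread's original PAC logic, reduced to one bypass rule and two LANs.
const originalPac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*.bbbbbbb.tld/*")) { return "DIRECT"; }
  if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0")) { return "PROXY 192.168.0.1:3128"; }
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) { return "PROXY 192.168.1.1:3128"; }
  return "DIRECT";
}`;

// Assumed contents of lanN.pac: same bypass rule, proxy address fixed per LAN.
function lanPac(n) {
  return `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*.bbbbbbb.tld/*")) { return "DIRECT"; }
  return "PROXY 192.168.${n}.1:3128";
}`;
}

// Mirror of the RewriteCond rules: pick the PAC from the server-side client address.
// With no matching rule, the requested proxy.pac itself is served.
function pacForClient(remoteAddr) {
  const m = /^192\.168\.([0-3])\./.exec(remoteAddr);
  return m ? lanPac(m[1]) : originalPac;
}

// Load PAC text with a chosen myIpAddress() result and ask it for a decision.
function evalPac(pacSource, reportedIp, url, host) {
  const load = new Function("shExpMatch", "isInNet", "myIpAddress",
    pacSource + "\nreturn FindProxyForURL;");
  return load(shExpMatch, isInNet, () => reportedIp)(url, host);
}

// Constructed case: client really on 192.168.1.0/24, browser reports loopback.
console.log("original:", evalPac(originalPac, "127.0.0.1", "http://example.com/", "example.com"));
console.log("per-LAN :", evalPac(pacForClient("192.168.1.57"), "127.0.0.1", "http://example.com/", "example.com"));
```

The first line prints DIRECT, meaning the client silently bypasses squid; the second prints the LAN 1 proxy regardless of what the browser reports.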



  • Tip:
    https://calomel.org/proxy_auto_config.html

    isInNet(host, pattern, mask)

    isInNet(host, "192.168.249.79", "255.255.255.255")
        is true if the IP address of host matches exactly 192.168.249.79.
    isInNet(host, "192.168.0.0", "255.255.0.0")
        is true if the IP address of the host matches 192.168.*.*.
    

    Well it might work, but like you said you have hosts without local records…


 
