On 6/8/07, Markus.Rietzler@xxxxxxxxxxxxxx <Markus.Rietzler@xxxxxxxxxxxxxx> wrote:
> what about proxy exceptions?
Glad you asked :)
> a few tests with proxy.pac - the simple form of wpad (wpad only defines how to find the proxy.pac file, right?) - showed that settings in the "proxy exceptions" - sites which should be fetched directly without a proxy - are ignored. You have to provide those sites via the proxy.pac file. Settings in the browser dialogs are ignored. So how could some users define additional exceptions? I also thought about letting a script generate the proxy.pac based on client IP or location in our subsidiaries. But with this, "proxy exceptions" are ignored, and this is - at the moment - a problem.
PAC supports infinitely greater flexibility for exceptions than the browsers' "exceptions" dialog. It can instruct the browser to go DIRECT, to use a different PROXY for certain sites (there are caveats with this last feature under MSIE), etc. Our proxy.pac, after being post-processed by the server-side CGI (which removes comments and extraneous whitespace, then substitutes in the right proxy IP based on the client's network), is 16KB, several hundred lines, mostly to deal with exceptions and to try to minimize the number of DNS lookups performed by the browser.

Here's a paraphrased version of my PAC; I've added some comments to explain the logic:

function FindProxyForURL(url, host)
{
    var host_addr = null;

    // This weird comment block addresses a Java WebStart (JWS) bug.
    /*
    if (0) {
        return "PROXY placeholder.broken.client";
    }
    */

    // Intranet sites, equivalent to "exceptions" in a non-PAC browser:
    if (dnsDomainIs(host, ".intranet.corp") ||
        shExpMatch(host, "172.16.*") ||
        shExpMatch(host, "172.17.*") ||
        shExpMatch(host, "192.168.?.*")) {
        return "DIRECT";
    }

    // These sites don't like being cached, so use a non-caching proxy.
    if (dnsDomainIs(host, "drudgereport.com") ||
        dnsDomainIs(host, "whatismyip.com") ||
        dnsDomainIs(host, "wunderground.com")) {
        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
    }

    // Evil domains: a user trying to go here gets what they deserve.
    if (dnsDomainIs(host, ".hotbar.com") ||
        dnsDomainIs(host, ".gator.com") ||
        dnsDomainIs(host, "poll.gotomypc.com") ||
        dnsDomainIs(host, "top10sites.com")) {
        return "PROXY 127.0.0.1:445; PROXY 10.255.255.255:7; DIRECT";
    }

    // We know these are always Internet, so any site in these domains we
    // assume uses Squid (unless it's SSL).
    if (dnsDomainIs(host, ".com") ||
        dnsDomainIs(host, ".net") ||
        dnsDomainIs(host, ".org") ||
        dnsDomainIs(host, ".edu") ||
        dnsDomainIs(host, ".gov") ||
        dnsDomainIs(host, ".biz") ||
        dnsDomainIs(host, ".mil") ||
        dnsDomainIs(host, ".pro") ||
        dnsDomainIs(host, ".int") ||
        dnsDomainIs(host, ".aero") ||
        dnsDomainIs(host, ".info") ||
        dnsDomainIs(host, ".name") ||
        dnsDomainIs(host, ".coop") ||
        dnsDomainIs(host, ".museum") ||
        dnsDomainIs(host, ".us") ||
        dnsDomainIs(host, ".tv")) {
        // We can't cache SSL, so use a non-caching proxy.
        if (url.substring(0, 6) == "https:") {
            return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
        }
        return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
    }

    // BTW, in my production PAC, we repeat the above exception list for
    // a total of 170+ .CC TLDs as well, all to avoid falling through to
    // this next block below:

    // No matches above, so now we consult DNS. dnsResolve() returns null
    // or false (browser-dependent) when the lookup fails; normalise that
    // to "" so the shExpMatch() calls below always see a string.
    host_addr = dnsResolve(host);
    if (!host_addr) {
        host_addr = "";
    }

    // Same exceptions as previously, but these match the resolved IP.
    if (shExpMatch(host_addr, "172.16.*") ||
        shExpMatch(host_addr, "172.17.*") ||
        shExpMatch(host_addr, "192.168.*")) {
        return "DIRECT";
    }

    //
    // Nothing matched, here are the fall-backs.
    //

    // We can't cache SSL, so use a non-caching proxy.
    if (url.substring(0, 6) == "https:") {
        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
    }
    return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
}
///EOF///
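The PAC above can only be exercised by pointing a browser at it, which makes it hard to check that the name-based rules really do short-circuit DNS and that the exception ordering is what you intended. The following is an added example, not code from the thread: a stand-alone harness that re-implements the three PAC built-ins a browser supplies (shExpMatch, dnsDomainIs, dnsResolve) with a constructed resolver table, runs a compact PAC built on the same rule order as the one posted (name-based exceptions, blackhole, known-TLD shortcut, DNS fallback) and counts how many lookups each decision costs. All proxy addresses, domains, the ".evil.example" blackhole domain and the DNS entries are invented for illustration; the TLD list is abbreviated.

```javascript
// Added example, not part of the original thread: an offline harness for
// unit-testing a FindProxyForURL() before it is published via WPAD.
// Everything below (proxies, domains, DNS table) is constructed.

// shExpMatch: shell-style glob ('*' and '?') anchored at both ends.
function shExpMatch(str, shexp) {
  var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                .replace(/\*/g, ".*")
                .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// dnsDomainIs is a plain suffix match: without a leading dot in the pattern,
// "drudgereport.com" also matches "notdrudgereport.com".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Constructed resolver table. Real browsers return null (or false) on a
// failed lookup, and the PAC cannot tell NXDOMAIN from a dead resolver.
var FAKE_DNS = {
  "wiki.intranet.corp": "172.16.4.10",
  "legacy-app":         "192.168.3.7",
  "www.example.com":    "93.184.216.34"
};
var dnsLookups = 0;
function dnsResolve(host) {
  dnsLookups += 1;
  return FAKE_DNS.hasOwnProperty(host) ? FAKE_DNS[host] : null;
}

// Proxy strings (constructed). The blackhole has no trailing "DIRECT":
// browsers walk the list when a proxy fails, so a DIRECT at the end would
// eventually let the request through.
var CACHING   = "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
var NOCACHE   = "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
var BLACKHOLE = "PROXY 127.0.0.1:9";
// Abbreviated; the thread's production PAC enumerates 170+ TLDs here.
var KNOWN_TLDS = [".com", ".net", ".org", ".edu", ".gov", ".mil", ".us"];

// Same rule order as the thread's PAC: name-based checks first, DNS last.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var https = url.substring(0, 6) === "https:";
  var i;
  if (dnsDomainIs(host, ".intranet.corp") ||
      shExpMatch(host, "172.16.*") || shExpMatch(host, "192.168.?.*")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, ".evil.example")) {
    return BLACKHOLE;
  }
  for (i = 0; i < KNOWN_TLDS.length; i++) {
    if (dnsDomainIs(host, KNOWN_TLDS[i])) {
      return https ? NOCACHE : CACHING;
    }
  }
  // Only hosts that matched nothing above pay for a DNS lookup.
  var addr = dnsResolve(host) || "";
  if (shExpMatch(addr, "172.16.*") || shExpMatch(addr, "192.168.*")) {
    return "DIRECT";
  }
  return https ? NOCACHE : CACHING;
}

// Run a fixed set of constructed URLs; return decisions and the DNS cost.
function runCases() {
  dnsLookups = 0;
  var cases = [
    ["http://wiki.intranet.corp/", "wiki.intranet.corp"],
    ["http://www.example.com/",    "www.example.com"],
    ["https://www.example.com/",   "www.example.com"],
    ["http://ads.evil.example/",   "ads.evil.example"],
    ["http://legacy-app/",         "legacy-app"],
    ["http://nxdomain.example/",   "nxdomain.example"]
  ];
  var decisions = {};
  for (var i = 0; i < cases.length; i++) {
    decisions[cases[i][0]] = FindProxyForURL(cases[i][0], cases[i][1]);
  }
  return { decisions: decisions, dnsLookups: dnsLookups };
}
```

Run under any JavaScript engine; only the two hosts that fall past the TLD shortcut ("legacy-app" and "nxdomain.example") trigger dnsResolve(), which is the saving the 170-TLD list in the thread is buying. The harness is deliberately ES3-style (var, indexed loops) because browser PAC engines are often older interpreters than the page's JavaScript engine.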