Thanks for your answer. PAC files - when created via CGI - offer more flexibility than the "hard-coded" stuff in the browser's proxy dialog. I also know that with PAC files you can choose different proxies - something we do at the moment at our subsidiaries' proxy, which then forwards the request to one of our main proxies (internet, intranet, extranet, misc). My question was regarding some user exceptions. A combination of proxy PAC and "browser settings" is not possible - at least not with IE. So if we want to support user exceptions, then it could only be done if these settings were also provided by the CGI-generated PAC file, right?

markus

>-----Original Message-----
>From: K K [mailto:kkadow@xxxxxxxxx]
>Sent: Friday, 8 June 2007 19:58
>To: Rietzler, Markus (Firma Rietzler Software / RZF)
>Cc: squid-users@xxxxxxxxxxxxxxx
>Subject: Re: Squid + WPAD issues
>
>On 6/8/07, Markus.Rietzler@xxxxxxxxxxxxxx
><Markus.Rietzler@xxxxxxxxxxxxxx> wrote:
>> what about proxy exceptions?
>
>Glad you asked :)
>
>> a few tests with proxy.pac - the simple form of WPAD (WPAD only defines
>> how to find the proxy.pac file, right?) - showed that settings in the
>> "proxy exceptions" - sites which should be fetched direct without proxy -
>> are ignored. you have to provide those sites via the proxy.pac file.
>> settings in the browser dialogs are ignored. so could some users
>> define additional exceptions?
>> i also thought about letting a script generate the proxy.pac based on
>> client ip or location in our subsidiaries. but with this, "proxy
>> exceptions" are ignored and this is - at the moment - a problem.
>
>PAC supports infinitely greater flexibility for exceptions than the
>browsers' "exceptions" dialog. It can instruct the browser to go
>DIRECT, to use a different PROXY for certain sites (there are caveats
>with this last feature under MSIE), etc.
>
>Our proxy.pac, after being post-processed by the server-side CGI
>(which removes comments and extraneous whitespace, then substitutes in
>the right proxy IP based on the client's network), is 16KB, several
>hundred lines, mostly to deal with exceptions and to try to minimize
>the number of DNS lookups performed by the browser.
>
>
>Here's a paraphrased version of my PAC, I've added some comments to
>explain the logic:
>
>
>function FindProxyForURL(url, host)
>{
>    var host_addr = null;
>
>    // This weird comment block addresses a Java WebStart (JWS) bug.
>    /* if(0) {
>        return "PROXY placeholder.broken.client";
>    } */
>
>
>    // Intranet sites, equivalent to "exceptions" in a non-PAC browser:
>    if (dnsDomainIs(host, ".intranet.corp")
>        || shExpMatch(host, "172.16.*") || shExpMatch(host, "172.17.*")
>        || shExpMatch(host, "192.168.?.*") )
>    {
>        return "DIRECT";
>    }
>
>
>    // These sites don't like being cached, so use a non-caching proxy
>    if (dnsDomainIs(host, "drudgereport.com")
>        || dnsDomainIs(host, "whatismyip.com")
>        || dnsDomainIs(host, "wunderground.com") )
>    {
>        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
>    }
>
>
>    // Evil domains, user trying to go here gets what they deserve.
>    if (dnsDomainIs(host, ".hotbar.com") ||
>        dnsDomainIs(host, ".gator.com") ||
>        dnsDomainIs(host, "poll.gotomypc.com") ||
>        dnsDomainIs(host, "top10sites.com") )
>    {
>        return "PROXY 127.0.0.1:445 ; PROXY 10.255.255.255:7; DIRECT";
>    }
>
>
>    // We know these are always Internet, so any site in these domains we
>    // assume we use Squid (unless it's SSL).
>    if (dnsDomainIs(host, ".com")
>        || dnsDomainIs(host, ".net")
>        || dnsDomainIs(host, ".org")
>        || dnsDomainIs(host, ".edu")
>        || dnsDomainIs(host, ".gov")
>        || dnsDomainIs(host, ".biz")
>        || dnsDomainIs(host, ".mil")
>        || dnsDomainIs(host, ".pro")
>        || dnsDomainIs(host, ".int")
>        || dnsDomainIs(host, ".aero")
>        || dnsDomainIs(host, ".info")
>        || dnsDomainIs(host, ".name")
>        || dnsDomainIs(host, ".coop")
>        || dnsDomainIs(host, ".museum")
>        || dnsDomainIs(host, ".us")
>        || dnsDomainIs(host, ".tv") )
>    {
>        // We can't cache SSL, so use a non-caching proxy
>        if (url.substring(0, 6) == "https:") {
>            return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
>        }
>        return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
>    }
>
>
>    // BTW, in my production PAC, we repeat the above exception list for
>    // a total of 170+ .CC TLDs as well, all to avoid falling through to
>    // this next block below:
>
>
>    // No matches above, so now we consult DNS.
>    host_addr = dnsResolve(host);
>    if (host_addr == false || host_addr == "")
>    {
>        host_addr = null;
>    }
>
>
>    // Same exceptions as previously, but these are matching the
>    // resolved IP.
>    if (host_addr != null
>        && (shExpMatch(host_addr, "172.16.*") || shExpMatch(host_addr, "172.17.*")
>            || shExpMatch(host_addr, "192.168.*")) )
>    {
>        return "DIRECT";
>    }
>
>
>    //
>    // Nothing matched, here are the fall-backs.
>    //
>
>
>    // We can't cache SSL, so use a non-caching proxy
>    if (url.substring(0, 6) == "https:") {
>        return "PROXY 10.192.28.3:80; PROXY 10.7.7.3:80";
>    }
>
>    return "PROXY 10.7.7.5:3128; PROXY 10.192.28.5:3128";
>}
>///EOF///
>
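The CGI-generated PAC with per-client exceptions that the question above is about, as an added example that is not part of the thread and not K K's production PAC: a Node.js harness that re-implements the PAC built-ins a browser normally supplies (dnsResolve is stubbed with a constructed table, so nothing touches the network), generates a PAC per client subnet with that subsidiary's proxy and its exception list substituted in, and then loads the generated text the way a browser would so it can be tested offline. All networks, hostnames and proxy addresses (10.1.0.0/16, hr.payroll.example, 10.1.0.8:3128 and so on) are invented for the example.

```javascript
// Added example (not from the squid-users thread): an offline harness for a
// CGI-generated PAC. The helpers below stand in for the PAC built-ins the
// browser provides; dnsResolve uses a constructed table so nothing touches
// the network. Networks, hosts and proxy addresses are invented.
const FAKE_DNS = {               // constructed lookup table, not real hosts
  "wiki.intranet.corp": "172.16.4.10",
  "build.lab.example": "172.20.3.9",
  "www.example.net": "203.0.113.7",
};

function dnsDomainIs(host, domain) {
  // Browser semantics: a plain suffix match. "www.notevil.com" ends with
  // "evil.com", so a list entry without a leading dot over-matches.
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, shexp) {
  // Shell glob: '*' matches any run, '?' exactly one character.
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(String(str));
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}
function isInNet(ip, pattern, mask) {
  // Compare dotted quads numerically; hostnames and nulls never match.
  if (typeof ip !== "string" || !/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const toInt = (s) => s.split(".").reduce((a, o) => (a << 8) + parseInt(o, 10), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// What the CGI would look up per client: the subsidiary's proxy and the
// DIRECT exceptions granted to that subsidiary (or user group).
const SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY 10.1.0.8:3128",
    exceptions: [".intranet.corp", "hr.payroll.example"] },
  { net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY 10.2.0.8:3128",
    exceptions: [".intranet.corp"] },
];

// Build the PAC text for one client. Unknown clients get no PAC at all
// (null) rather than a guessed one; exceptions go in as a JSON literal so
// nothing from the request is concatenated into the script source.
function generatePac(clientIp) {
  const site = SITES.find((s) => isInNet(clientIp, s.net, s.mask));
  if (!site) return null;
  return `
function FindProxyForURL(url, host) {
  var exceptions = ${JSON.stringify(site.exceptions)};
  for (var i = 0; i < exceptions.length; i++) {
    var e = exceptions[i];
    // ".dom" covers dom and its subdomains; a dotless entry is an exact host.
    if (e.charAt(0) === "." ? (host === e.slice(1) || dnsDomainIs(host, e))
                            : host === e) return "DIRECT";
  }
  if (isPlainHostName(host)) return "DIRECT";
  // Match private ranges on the resolved address, not the hostname string.
  var addr = dnsResolve(host);
  if (addr && (isInNet(addr, "10.0.0.0", "255.0.0.0")
            || isInNet(addr, "172.16.0.0", "255.240.0.0")
            || isInNet(addr, "192.168.0.0", "255.255.0.0"))) return "DIRECT";
  // No "; DIRECT" fallback: a dead proxy fails closed instead of bypassing it.
  return "${site.proxy}";
}`;
}

// Evaluate generated PAC text with the helpers in scope, as a browser would.
function loadPac(src) {
  return new Function("dnsDomainIs", "shExpMatch", "isPlainHostName", "dnsResolve", "isInNet",
    src + "\nreturn FindProxyForURL;")(dnsDomainIs, shExpMatch, isPlainHostName, dnsResolve, isInNet);
}
```

The CGI would serve generatePac(client address) as application/x-ns-proxy-autoconfig; the harness lets you assert on what each client's FindProxyForURL returns before deploying. Two pitfalls in the quoted PAC show up directly in the helpers: dnsDomainIs is a bare suffix match, so an entry such as "drudgereport.com" without a leading dot also matches www.notdrudgereport.com (the generator therefore treats dotless entries as exact hosts), and shExpMatch(host, "192.168.?.*") matches only a single-digit third octet, which is why the generated PAC checks the resolved address with isInNet instead of globbing the hostname string.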