On 6/11/07, Markus.Rietzler@xxxxxxxxxxxxxx <Markus.Rietzler@xxxxxxxxxxxxxx> wrote:
my question was regarding some user-exceptions. a combination of proxy-pac and "browser-settings" is not possible - at least not with IE.
Correct. That is not possible. When a browser is configured to use a Proxy script (via WPAD or specified as a PAC url), the browser ignores locally configured proxy and proxy exceptions.
so if we want to support user exceptions then it only could be done if these settings also were provided by the cgi-generated pac-file, right?
Yes, exactly. I am not aware of any web browser which will mix local settings and PAC.

Getting back to Squid, one earlier question was whether squid could tell the client "don't use me as a proxy to access this, you need to go direct". While that isn't directly technically possible (as HTTP doesn't offer such a feature), what you can do is make sure that all clients know (via PAC or via exception lists) that any *.intranet URL must always be accessed directly, and configure Squid and an external helper so when a client tries to use Squid to access internal resource "foo", the client receives a redirect telling it to go to the appropriate foo.intranet URL. You'd also need to put in an explicit DENY policy for "*.intranet" URLs to avoid forwarding loops.

Kevin
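A sketch of the CGI-generated PAC approach discussed in this thread, added here as an example and not code from either poster: the generator merges the site-wide `*.intranet` rule with per-user exceptions and validates each exception before it is written into the script. The proxy address, function names and sample patterns are assumptions, and `shExpMatch` is re-implemented only so the output can be evaluated outside a browser.

```javascript
// Added example. PROXY, buildPac and the sample patterns are assumptions.
const PROXY = "PROXY squid.example.intranet:3128"; // hypothetical proxy

// Accept only host names or "*.domain" patterns. A bare "*" (proxy bypass
// for everything) or a value carrying script text is dropped.
const SAFE_PATTERN = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/i;

// What the CGI would emit for one user: the site-wide *.intranet rule
// plus that user's validated exceptions, all answered with DIRECT.
function buildPac(userExceptions) {
  const direct = ["*.intranet", ...userExceptions.filter((p) => SAFE_PATTERN.test(p))];
  return [
    "function FindProxyForURL(url, host) {",
    "  var direct = " + JSON.stringify(direct) + ";",
    "  for (var i = 0; i < direct.length; i++) {",
    "    if (shExpMatch(host, direct[i])) return \"DIRECT\";",
    "  }",
    "  return " + JSON.stringify(PROXY) + ";",
    "}",
  ].join("\n");
}

// Minimal stand-in for the browser's shExpMatch() so the PAC can be
// evaluated outside a browser.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Evaluate a generated PAC for one host, the way a browser would.
function resolve(pacText, host) {
  const find = new Function("shExpMatch", pacText + "\nreturn FindProxyForURL;")(shExpMatch);
  return find("http://" + host + "/", host);
}

// Constructed sample: one valid exception and two that must be rejected.
const pac = buildPac(["*.partner.example", "*", 'x"];return "DIRECT";//']);
console.log(pac);
console.log(resolve(pac, "foo.intranet"), "|", resolve(pac, "www.example.org"));
```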