Long post - hope some of it makes sense / helps.

By coincidence, I also have just spent the last week trying to sort out a proxy.pac file that works for all of our situations - Windows road-warriors that have to use our Squids from any of our LANs, from VPN and direct from the Internet to our HQ firewall/squid's outside interface.

I too had problems with Java applications - until I realised that if proxy.pac returns an IP address that cannot be resolved by DNS reverse lookup to a hostname then Java triggers all sorts of weird delay-and-failure-inducing behaviours e.g. attempts to get the proxy IP using repeated Netbios lookups with a null hostname!!

So, return a hostname from the proxy.pac - e.g.

    function FindProxyForURL(url, host)
    {
        // Are we on our LAN? Check first three octets of IP address
        var myIPArray = myIpAddress().split(".");
        var myClassC = myIPArray[0] + "." + myIPArray[1] + "." + myIPArray[2];

        switch (myClassC) {
            case "192.0.1":   // HQ LAN and VPN
                return "PROXY 192.0.1.124:3128";
            case "192.0.10":  // Branch LAN
                return "PROXY 192.0.10.104:3128";
            case "192.0.20":  // Branch LAN
                return "PROXY 192.0.20.104:3128";
            // . . .
            case "192.0.110": // Branch LAN
                return "PROXY 192.0.1.124:3128";
            default:
                // Not on a LAN so use HQ proxy, via its external
                // interface, but fall back to no proxy if that fails
                // so that if we're connecting via a public access
                // point, we're able to get the logon page it serves
                return "PROXY proxy:12345;DIRECT";
        }
    }

If the proxy is on an unregistered IP then any old hostname will do, provided it is defined in the client's hosts file.

"For example, don't try and code the wpad.dat to use its own IP address. That really doesn't work in lots of situations."

For example, on a Windoze client (XP-SP3 at least) on VPN, the javascript function myIpAddress() will return the IP address of the *outside* of the tunnel (e.g. the address of the WiFi or 3G interface) and therefore prevent you differentiating between clients on the Internet connected to Squid via the outside interface of the corporate firewall and clients on the Internet connected to Squid via VPN. A nuisance if you have Squid configured to request authentication when the connection is from outside but not when it is from the LAN or VPN. Needs more detailed specifying / careful ordering of access rules in squid.conf to prevent.

Also - if the proxy.pac file is on the client file-system, you must set Java proxy settings to use default browser settings - do not specify the location in the Java network settings. Then in FF specify the location in this way "file:///c:/windows/proxy.pac" and in IE specify it this way "file://c:\windows\proxy.pac" in both LAN and VPN profiles.

Be warned - the above is quite new, i.e. has not yet stood the test of time!!

Cheers
Bill A.

-----Original Message-----
From: Gavin McCullagh [mailto:gavin.mccullagh@xxxxxx]
Sent: 17 August 2009 17:46
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: SQUID PAC-File and JAVA (1.6.11)

Hi,

On Mon, 17 Aug 2009, Volker Jahns wrote:

> We have a lot of IE clients here with a url..proxy.pac file as proxy
> configuration and without automatically finding a proxy server. Whenever we
> use SSL explorer and a JAVA program the final sync failed. If I change the
> configuration to the same manual proxy server and its port it works.

In my experience, what the Java VM can read in proxy.pac/wpad.dat files is somewhat more limited than IE. I'd suggest you keep a _very_ simple wpad if at all possible.

For example, don't try and code the wpad.dat to use its own IP address. That really doesn't work in lots of situations.

A tcpdump/windump on the computer watching port 80 should give you an idea whether Java is really following the proxy settings you think it should.

If you want you can post your script here.
Gavin
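
Added example, not code from either poster: a table-driven variant of the PAC logic discussed in the thread that returns proxy hostnames instead of IP addresses and takes the client address as a parameter, so the selection can be checked offline, including the VPN case where myIpAddress() reports the outer interface. The `*.example.internal` hostnames and the helper names `prefix24`, `chooseProxy` and `runSamples` are assumptions; the subnets, ports and the `proxy:12345` fallback are taken from the message above.

```javascript
// Added example: PAC selection that returns hostnames, not IP addresses.
// Hostnames are hypothetical; each must reverse-resolve or be in the hosts file.
var LAN_PROXIES = {
  "192.0.1":   "PROXY squid-hq.example.internal:3128",   // HQ LAN and VPN
  "192.0.10":  "PROXY squid-br10.example.internal:3128", // Branch LAN
  "192.0.20":  "PROXY squid-br20.example.internal:3128", // Branch LAN
  "192.0.110": "PROXY squid-hq.example.internal:3128"    // Branch LAN, uses HQ
};

// Off-LAN: HQ external interface (the one that asks for authentication),
// then DIRECT so a public access point can still serve its logon page.
var OFF_LAN = "PROXY proxy:12345; DIRECT";

// First three octets of a dotted-quad IPv4 address, or null for anything else
// (IPv6, empty string, undefined), so odd myIpAddress() results cannot throw.
function prefix24(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
  }
  return m[1] + "." + m[2] + "." + m[3];
}

// Core decision, with the client address passed in for offline testing.
function chooseProxy(clientIp) {
  var key = prefix24(clientIp);
  if (key !== null && Object.prototype.hasOwnProperty.call(LAN_PROXIES, key)) {
    return LAN_PROXIES[key];
  }
  return OFF_LAN;
}

// Entry point called by the browser or Java; myIpAddress() comes from the PAC host.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress());
}

// Constructed sample addresses: HQ LAN, branch LAN, a VPN client whose
// myIpAddress() reports its WiFi address, an IPv6 address, an empty result.
var SAMPLES = ["192.0.1.57", "192.0.10.9", "10.20.30.40", "fe80::1", ""];
function runSamples() {
  return SAMPLES.map(chooseProxy);
}
```

Only the part up to and including `FindProxyForURL` belongs in the deployed proxy.pac; `SAMPLES` and `runSamples` are the offline check.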