mchkorg (France) asked:
squid, firefox, "no proxy for" and local networks

Hello,

My company network is named ".mycomp.local" (I wish it were mycomp.net, something "more real", but it's too late now :)
I'm setting up a squid proxy running on a Debian stable box for external web accesses.

PROBLEM:
I can't really use the "no proxy for" option in firefox - it's OK in Internet Explorer
(for everything related to internet accesses, firefox and IE are working fine with my proxy)

DETAILS:
1) At first, with the proxy configuration active in firefox, I couldn't access local hosts with short names, like "myhost". Entire names were OK: myhost.mycomp.local
With IE and its "no proxy for local blah blah" checked, everything was OK.
So I tried to add some restrictions in the "no proxy for" part in firefox:
- added my entire sub-net IPs: 192.168.0.0/16
- added my entire sub-net: .mycomp.local  (with a leading dot :)
Now the entire line is: .MYCOMP.local, localhost, 127.0.0.1, 192.168.0.0/16
Still, short names couldn't be used.

2) Then I added my domain in squid's "append_domain"
=> It's now working, BUT: I'm accessing squid to get to these "local" hosts!
This is stupid.
I'm sure of it when looking at squid's access.log file

=> How am I supposed to tell Firefox not to bother me with the proxy for my internal hosts?

Some things I've tried:
- my debian box and my windows computer have no problem resolving names, external or internal, short or FQDN
- I tried to add DNS suffixes (that kind of thing) in my windows network card configuration, it didn't change anything

Thank you,
Hugh Fraser (Canada):
I believe you need to include "mycomp.local" in the list. Here's a link that describes the possible values for the no-proxy:

http://kb.mozillazine.org/No_proxy_for

I've always just used the domain name myself.
mchkorg (asker):
Hello,
Yes I already found this page.
My understanding is that if I want to bypass the proxy for a host called "mycomp.local" (and all hosts like something.mycomp.local), I must not forget to add "mycomp.local" because ".mycomp.local" won't match. That is clear.

To be sure, I tried it
=> I'm still accessing squid for these local servers
mchkorg (asker):
Starting in 2001, the discussion goes on here:
https://bugzilla.mozilla.org/show_bug.cgi?id=72444
One solution would be to use a PAC file.
Bypassing a host named "http://something_without_a_dot/" seems difficult.
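A PAC file that does what the original question asks for (bypass the proxy for plain host names such as "myhost", for mycomp.local and everything under it, and for 192.168.0.0/16, while sending the rest to squid), as an added example that is not from this thread or from any of its posters. The squid address 192.168.0.1:3128 is an assumption, and the helper functions below the shim comment are stand-ins so the file runs under Node; a browser supplies the real ones.

```javascript
// FindProxyForURL is the one function a PAC file must define; the browser calls it per request.
// Internal destinations go DIRECT, everything else to squid (assumed at 192.168.0.1:3128),
// falling back to DIRECT if squid is unreachable.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain names like "myhost" have no dot: the case the Firefox exception list cannot express.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  // ".mycomp.local" does not match the bare domain, so both forms are listed.
  if (host === "mycomp.local" || dnsDomainIs(host, ".mycomp.local")) return "DIRECT";
  // Only run the subnet test on literal IPs: isInNet on a name costs a DNS lookup per request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  return "PROXY 192.168.0.1:3128; DIRECT";
}

// ---- Test shims only: a browser provides these PAC helpers itself. ----
// Delete everything below this line before saving the file as proxy.pac; otherwise these
// stand-ins (which resolve nothing but literal IPs) shadow the browser's real versions.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}

// Stand-in resolver: accepts dotted quads only, so names never match a subnet here.
function dnsResolve(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
}

// Dotted quad -> number; the bitwise AND in isInNet coerces both sides to int32 consistently.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + Number(octet); }, 0);
}

function isInNet(host, pattern, mask) {
  var ip = dnsResolve(host);
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}
```

Firefox loads such a file through its "Automatic proxy configuration URL" setting; squid's access.log should then stop showing the internal hosts.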
Hello

You need an intercepting/transparent proxy.
You can configure it and add a line (change the IP address if needed):
(for version 2.6 and up)
http_port 192.168.0.1:3128 transparent

(for versions before 2.6)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.0/24
http_access allow localhost
http_access allow lan

Put these things in at start-up (eth0 is the first Ethernet device, eth1 is the second Ethernet device):
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And if you want to access or change your localhost hostname to mycomp.net, just edit host.conf in /etc, changing mycomp.local to mycomp.net.

About IE or Mozilla: there's no need to specify the port number in the proxy settings, but if you want to specify the proxy port manually, just go to the Options of IE/Mozilla, Network, Advanced.

But it's good to use the transparent proxy, so there's no need to specify it manually on every client.

Cheers!
mchkorg (asker):
My proxy will be transparent soon. But a transparent proxy won't handle https connections.
About changing my domain: no, I won't change my entire Windows domain this way...
mchkorg (asker):
I mean: if I want to make it really transparent for http (meaning: no configuration in the browser) but able to handle https connections, I'll have to configure the browsers to have a proxy for every protocol but http. That assumes I don't have any https intranet (only http), or my problem will remain (in my case it will).
If you have included .mycomp.local and mycomp.local, that should have covered it. Although you mentioned in your original post that the DNS issue has been checked, it sounds very much like Firefox isn't resolving short names correctly. Although ".local" isn't a valid TLD, I can't find anything that indicates it's a problem. So a couple of tests (that you may have already tried) would help.

If you try to access "internal-server.mycomp.local", does it still route through the proxy server?
From the command line, what does "nslookup internal-server" return?
From the command line, what does "tracert internal-server.mycomp.local" return?
mchkorg (asker):
@hfraser:
> If you try to access "internal-server.mycomp.local", does it still route through the proxy server?

yes

> From the command line, what does "nslookup internal-server" return?

the right thing: the IP associated to internal.mycomp.local

> From the command line, what does "tracert internal-server.mycomp.local" return?

the right thing: the IP associated to internal.mycomp.local

> But a transparent proxy won't handle https connections
Enable SSL, install the squid package with SSL.
Then continue the configurations with my previous comments.


Good Luck!
ASKER CERTIFIED SOLUTION: mchkorg (France)
This solution is only available to members of Experts Exchange.