mchkorg
asked on
squid, firefox, "no proxy for" and local networks
Hello,
My company network is named ".mycomp.local" (I wish it were mycomp.net, something "more real", but it's too late now :)
I'm setting up a squid proxy running on a Debian stable box for external web accesses.
PROBLEM:
I can't really use the "no proxy for" option in firefox - it's OK in Internet Explorer
(for everything related to internet accesses, firefox and IE are working fine with my proxy)
DETAILS:
1) At first, with the proxy configuration active in firefox, I couldn't access local hosts with short names, like "myhost". Entire names were OK: myhost.mycomp.local
With IE and its "no proxy for local blah blah" checked, everything was OK.
So I tried to add some restrictions in the "no proxy for" part in firefox:
- added my entire sub-net IPs: 192.168.0.0/16
- added my entire sub-net: .mycomp.local (with a leading dot :)
Now the entire line is: .MYCOMP.local, localhost, 127.0.0.1, 192.168.0.0/16
Still, short names couldn't be used.
2) Then I added my domain in squid's "append_domain"
=> It's now working, BUT: I'm accessing squid to get to these "local" hosts!
This is stupid.
I'm sure of it when looking at squid's access.log file
=> How am I supposed to tell Firefox not to bother me with the proxy for my internal hosts?
Some things I've tried:
- my Debian box and my Windows computer have no problem resolving names, external or internal, short or FQDN
- I tried to add DNS suffixes (that kind of thing) in my Windows network card configuration, it didn't change anything
Thank you,
ASKER
Hello,
Yes I already found this page.
My understanding is that if I want to bypass the proxy for a host called "mycomp.local" (and all hosts like something.mycomp.local), I must not forget to add "mycomp.local" because ".mycomp.local" won't match. That is clear.
In doubt, I tried
=> I'm still accessing squid for these local servers
ASKER
Starting in 2001, the discussion goes on here:
https://bugzilla.mozilla.org/show_bug.cgi?id=72444
One solution would be to use a PAC file.
Bypassing a host named "http://something_without_a_dot/" seems difficult
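The PAC approach mentioned above, as an added example that is not part of the thread: it covers the three cases discussed (short names without a dot, the mycomp.local domain and its subdomains, and the 192.168.0.0/16 range) and sends only the rest to Squid. The proxy address 192.168.0.1:3128 is assumed from the other answer; the stand-in helpers at the bottom exist only so the file runs under node and must be deleted before serving it, since Firefox provides the real built-ins (its isInNet resolves names through DNS).

```javascript
// Added example (not from the thread): a PAC file that sends only
// non-intranet traffic to the Squid box. Proxy address and intranet
// names are assumptions taken from the thread (192.168.0.0/16,
// .mycomp.local, Squid listening on 192.168.0.1:3128).
//
// Firefox's "no proxy for" list matches by suffix, so "mycomp.local"
// must be listed separately from ".mycomp.local", and a bare short
// name like "myhost" never matches either. A PAC function can state
// all three cases directly.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Short names such as "myhost" contain no dot: keep them local.
  if (isPlainHostName(host)) return "DIRECT";
  // 2. The domain itself and everything under it.
  if (host === "mycomp.local" || dnsDomainIs(host, ".mycomp.local")) return "DIRECT";
  // 3. Loopback and the RFC 1918 range used on this LAN.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through Squid, falling back to direct if it is down.
  return "PROXY 192.168.0.1:3128; DIRECT";
}

// Minimal stand-ins for the PAC built-ins (assumption: the browser
// supplies the real ones; these exist only so the file runs under node
// and must be removed before deploying the file).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  // Only literal IPv4 hosts are handled here; the real built-in resolves names first.
  const ip = host.split(".").map(Number);
  if (ip.length !== 4 || ip.some(Number.isNaN)) return false;
  const net = pattern.split(".").map(Number);
  const m = mask.split(".").map(Number);
  return ip.every((octet, i) => (octet & m[i]) === (net[i] & m[i]));
}
```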
Hello
You need an Intercepting/transparent proxy.
You can configure it and add a line: (change ip address if need to)
(for version 2.6up)
http_port 192.168.0.1:3128 transparent
(for version 2.6down)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.0/24
http_access allow localhost
http_access allow lan
Put these things up on start-up: (eth0 is the first Ethernet device, eth1 is the second Ethernet device)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
And if you want to access or change your localhost hostname to mycomp.net, just edit host.conf on /etc from mycomp.local to mycomp.net
About IE or Mozilla; there's no need to specify the port number on proxy settings, but if you want to specify the proxy port manually, just go to the Options of IE/Mozilla Network advance.
But it's good to use the transparent proxy, so there's no need to specify it manually on every client.
Cheers!
ASKER
My proxy will be transparent soon. But a transparent proxy won't handle https connections
About changing my domain: no, I won't change my entire windows domain this way...
ASKER
I mean: if I want to make it really transparent for http (meaning: no configuration in the browser) but able to handle https connections, I'll have to configure the browsers to have a proxy for every protocol but http, assuming I don't have any https intranet (only http), or my problem will remain (in my case it will).
If you have included .mycomp.local and mycomp.local, that should have covered it. Although you mentioned in your original post that the DNS issue has been checked, it sounds very much like Firefox isn't resolving short names correctly. Although ".local" isn't a valid TLD, I can't find anything that indicates it's a problem. So a couple of tests (that you may have already tried) would help.
If you try to access "internal-server.mycomp.local", does it still route through the proxy server?
From the command line, what does "nslookup internal-server" return?
From the command line, what does "tracert internal-server.mycomp.local" return?
ASKER
@hfraser:
> If you try to access "internal-server.mycomp.local", does it still route through the proxy server?
yes
> From the command line, what does "nslookup internal-server" return?
the right thing: the IP associated to internal.mycomp.local
> From the command line, what does "tracert internal-server.mycomp.local" return?
the right thing: the IP associated to internal.mycomp.local
>But a transparent proxy won't handle https connections
Enable SSL, install the squid package with SSL.
Then continue the configurations with my previous comments.
Good Luck!
ASKER CERTIFIED SOLUTION
http://kb.mozillazine.org/No_proxy_for
I've always just used the domain name myself.