squid, firefox, "no proxy for" and local networks

Hello,

My company network is named ".mycomp.local" (I wish it were mycomp.net, something "more real", but it's too late now :)
I'm setting up a squid proxy running on a Debian stable box for external web accesses.

PROBLEM:
I can't really use the "no proxy for" option in firefox - it's OK in Internet Explorer
(for everything related to internet accesses, firefox and IE are working fine with my proxy)

DETAILS:
1) At first, with the proxy configuration active in firefox, I couldn't access local hosts with short names, like "myhost". Entire names were OK: myhost.mycomp.local
With IE and its "no proxy for local blah blah" checked, everything was OK.
So I tried to add some restrictions in the "no proxy for" part in firefox:
- added my entire sub-net IPs: 192.168.0.0/16
- added my entire sub-net: .mycomp.local  (with a leading dot :)
Now the entire line is: .MYCOMP.local, localhost, 127.0.0.1, 192.168.0.0/16
Still, short names couldn't be used.

2) Then I added my domain in squid's "append_domain"
=> It's now working, BUT: I'm accessing squid to get to these "local" hosts !
This is stupid.
I'm sure of it when looking at squid's access.log file

=> How am I supposed to tell Firefox not to bother me with the proxy for my internal hosts?

Some things I've tried :
- my debian box and my windows computer have no problem resolving names, external or internal, short or FQDN
- I tried to add DNS suffixes (that kind of thing) in my windows network card configuration, it didn't change anything

Thank you,
Asked by: mchkorg

Hugh Fraser (Consultant) commented:
I believe you need to include "mycomp.local" to the list. Here's a link that describes the possible values for the no-proxy:

http://kb.mozillazine.org/No_proxy_for

I've always just used the domain name myself.

mchkorg (Author) commented:
Hello,
Yes I already found this page.
My understanding is that if I want to bypass the proxy for a host called "mycomp.local" (and all hosts like something.mycomp.local), I must not forget to add "mycomp.local" because ".mycomp.local" won't match. That is clear.

In doubt, I tried
=> I'm still accessing squid for these local servers

mchkorg (Author) commented:
Starting in 2001, the discussion goes on here:
https://bugzilla.mozilla.org/show_bug.cgi?id=72444
One solution would be to use a PAC file.
Bypassing host named "http://something_without_a_dot/" seems difficult

rionroc commented:
Hello

You need an intercepting/transparent proxy.
You can configure it and add a line (change the IP address if you need to):
(for version 2.6 and up)
http_port 192.168.0.1:3128 transparent

(for versions below 2.6)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.0/24
http_access allow localhost
http_access allow lan

Put these things up on start-up (eth0 is the first Ethernet device, eth1 is the second Ethernet device):
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And if you want to access or change your localhost hostname to mycomp.net, just edit host.conf in /etc from mycomp.local to mycomp.net.

About IE or Mozilla: there's no need to specify the port number in the proxy settings, but if you want to specify the proxy port manually, just go to the Options of IE/Mozilla, Network, Advanced.

But it's good to use the transparent proxy, so there's no need to specify it manually on every client.

Cheers!

mchkorg (Author) commented:
My proxy will be transparent soon. But a transparent proxy won't handle https connections.
About changing my domain : no, I won't change my entire windows domain this way...

mchkorg (Author) commented:
I mean: if I want to make it really transparent for http (meaning: no configuration in the browser) but able to handle https connections, I'll have to configure the browsers to have a proxy for every protocol but http, assuming I don't have any https intranet (only http), or my problem will remain (in my case it will).

Hugh Fraser (Consultant) commented:
If you have included .mycomp.local and mycomp.local, that should have covered it. Although you mentioned in your original post that the DNS issue has been checked, it sounds very much like Firefox isn't resolving short names correctly. Although ".local" isn't a valid TLD, I can't find anything that indicates it's a problem. So a couple of tests (that you may have already tried) would help.

If you try to access "internal-server.mycomp.local", does it still route through the proxy server?
From the command line, what does "nslookup internal-server" return?
From the command line, what does "tracert internal-server.mycomp.local" return?

mchkorg (Author) commented:
@hfraser:
> If you try to access "internal-server.mycomp.local", does it still route through the proxy server?

yes

> From the command line, what does "nslookup internal-server" return?

the right thing: the IP associated with internal.mycomp.local

> From the command line, what does "tracert internal-server.mycomp.local" return?

the right thing: the IP associated with internal.mycomp.local

rionroc commented:
> But a transparent proxy won't handle https connections
Enable SSL: install the squid package with SSL.
Then continue the configuration with my previous comments.


Good Luck!

mchkorg (Author) commented:
I switched to WPAD + PAC file.
My point was to understand why firefox messes up local hostname resolution.
The bug mentioned seems to explain this.

Regards
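The PAC-file route the poster ends up taking, covering the same bypass rules that were tried in Firefox's "no proxy for" list earlier in the thread, written out as an added example (not code from the thread). It assumes squid listens on 192.168.0.1:3128 as in rionroc's configuration; the helper functions isPlainHostName, dnsDomainIs and isInNet are normally supplied by the browser, and the minimal stand-ins here exist only so the file runs under Node.

```javascript
// Browsers provide these three PAC helpers; the stand-ins below are an
// assumption for stand-alone testing and would be omitted in a real PAC file.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ipaddr, pattern, mask) {
  // Dotted-quad comparison only; a browser's isInNet also resolves names.
  var ip = ipaddr.split(".").map(Number);
  var p = pattern.split(".").map(Number);
  var m = mask.split(".").map(Number);
  for (var i = 0; i < 4; i++) {
    if ((ip[i] & m[i]) !== (p[i] & m[i])) return false;
  }
  return true;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short names such as "myhost": let the client resolve them itself,
  // which is what the "no proxy for" list failed to achieve in the thread.
  if (isPlainHostName(host)) return "DIRECT";
  // The bare domain plus everything beneath it; ".mycomp.local" on its own
  // does not match "mycomp.local", as the thread notes.
  if (host === "mycomp.local" || dnsDomainIs(host, ".mycomp.local")) return "DIRECT";
  if (host === "localhost") return "DIRECT";
  // Literal private/loopback addresses (the stand-in isInNet cannot resolve names).
  var isIp = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  if (isIp && (isInNet(host, "127.0.0.0", "255.0.0.0") ||
               isInNet(host, "192.168.0.0", "255.255.0.0"))) return "DIRECT";
  // Everything else goes through squid. Deliberately no "; DIRECT" fallback:
  // with one, every client would silently bypass the proxy whenever it is down.
  return "PROXY 192.168.0.1:3128";
}
```

Serve the file as /wpad.dat (MIME type application/x-ns-proxy-autoconfig) for WPAD, or point Firefox's "Automatic proxy configuration URL" at it.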