Solved

PAC (Proxy Auto Configuration) file problem

Posted on 2010-03-31
Last Modified: 2012-05-09
Hi all, I have a problem related to a recently deployed PAC file.

We are behind a Squid proxy and we want to access a domain www.webmail.unitan.net. We are using a PAC file for auto configuring the proxy settings. When we set the browser to access DIRECT the webmail server can be accessed, but when we set it like a non-transparent proxy we cannot.

The webmail server has two NICs, one with private ip 131.107.2.7 and one with public ip 200.69.219.59. The second ip address is correctly resolved but we cannot get the login page.

All clients have ip 131.107.2.x, proxy ip is 131.107.2.95 and port 3128.

TIA,

Pancho

I've attached the squid.conf file and the proxy.pac file
###squid.conf###

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

pid_filename /var/run/squid.pid

log_fqdn on

hosts_file /etc/hosts

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 2

auth_param ntlm program /usr/lib/squid/ntlm_auth -d unitanba.corp/ba-dc1
auth_param ntlm children 5
auth_param basic program /usr/lib/squid/ntlm_auth -d unitanba.corp/ba-dc1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours 

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 131.107.2.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl ntlm_users proxy_auth REQUIRED
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ntlm_users
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all

icp_access allow all
cache_effective_group proxy
visible_hostname Penelope
logfile_rotate 0
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#tcp_outgoing_tos 0x4


###proxy.pac###
function FindProxyForURL(url, host){
	if (shExpMatch(url, "*.unitan.net")){
		return "DIRECT";
		}

	if (isInNet(myIpAddress(), "131.107.2.0", "255.255.255.0")){
		return "PROXY 131.107.2.95:3128";
		}
	else{
		return "DIRECT";
		}

	}

Question by:Panchux
Accepted Solution

by:
Steve Jennings earned 2000 total points
ID: 29361226
Why not . . .

###proxy.pac###
function FindProxyForURL(url, host){
        if (isInNet(myIpAddress(), "131.107.2.0", "255.255.255.0")){
                return "PROXY 131.107.2.95:3128";
                }
        else{
                return "DIRECT";
                }
 
        }

Wish I could offer more.

Good luck,
SteveJ

Author Comment

by:Panchux
ID: 29404901
Steve, my original function looked just like that, but since www.webmail.unitan.net will resolve to 131.107.0.7 and not 200.69.219.59 as it should, the browser will use the proxy and the proxy won't let you get to the server.

Squid gives a tcp_denied 407 error. I might be able to solve it through iptables but I don't know how. Another thought would be to change the DNS server (Windows 2003 Server DC) to route that domain to 200.69.219.59.

The only thing I know is that using Squid as a transparent proxy, it won't get the error and I would be able to browse the webmail page. Maybe it's just an ACL problem.

Any idea is welcome,

Pancho
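
Added example (not part of the original thread and not code from either poster): a small Node.js harness that runs the question's PAC logic against sample URLs. It shows that the `shExpMatch(url, "*.unitan.net")` bypass never fires, because `url` is the full URL including scheme and path, while the same pattern tested against `host` does. `CLIENT_IP`, `pacAsPosted`, `pacHostMatch` and `compare` are names invented here, and the helper functions are simplified stand-ins for the browser's PAC built-ins.

```javascript
// Constructed sample client address inside the poster's 131.107.2.x range.
const CLIENT_IP = "131.107.2.50";
const myIpAddress = () => CLIENT_IP;

// Shell-glob match as PAC uses it: the pattern must cover the WHOLE string.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters first
    .replace(/\*/g, ".*")                 // then expand the glob wildcards
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Stand-in for isInNet: accepts dotted-quad addresses only, no DNS lookup.
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(ip, net, mask) {
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// Logic of the question's proxy.pac: the bypass is tested against `url`.
function pacAsPosted(url, host) {
  if (shExpMatch(url, "*.unitan.net")) return "DIRECT";
  if (isInNet(myIpAddress(), "131.107.2.0", "255.255.255.0")) return "PROXY 131.107.2.95:3128";
  return "DIRECT";
}

// Same rules with the bypass tested against `host` instead.
function pacHostMatch(url, host) {
  if (shExpMatch(host, "*.unitan.net")) return "DIRECT";
  if (isInNet(myIpAddress(), "131.107.2.0", "255.255.255.0")) return "PROXY 131.107.2.95:3128";
  return "DIRECT";
}

// Evaluate both variants the way a browser would call FindProxyForURL(url, host).
function compare(url) {
  const host = new URL(url).hostname;
  return { url, asPosted: pacAsPosted(url, host), hostMatch: pacHostMatch(url, host) };
}

// Constructed sample URLs.
const samples = [
  "http://www.webmail.unitan.net/",
  "http://www.webmail.unitan.net/login?x=1",
  "http://example.org/",
];
for (const s of samples) console.log(compare(s));
```

With the posted rule, the webmail URLs fall through to the `PROXY` branch, which is consistent with the requests still arriving at Squid as described in the author comment.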