sysec
Level 7

Pac File with Port restrictions

Hi All,

This goes out to all the pac file wizards out there,

I need to add a line to the proxy PAC file that tells the browser to send only port 80 and port 443 to the proxy, and the rest direct.

E.g. if the client goes to https://"url":12345 or http://"url":12345 I want it to go direct, but if it goes to http://"url" or https://"url" I want it to be directed to the proxy.

Do you know if I can set this using a PAC file function?

10x in advance for all your help

Sysec

0 Kudos
3 Replies
cnewman
Level 10

Re: Pac File with Port restrictions

Hi Sysec,

I often bypass based on the protocol for example:

if ((url.substring(0,5)=="rtsp:") ||
    (url.substring(0,6)=="rtspt:") ||
    (url.substring(0,6)=="rtspu:") ||
    (url.substring(0,4)=="mms:") ||
    (url.substring(0,5)=="mmst:") ||
    (url.substring(0,4)=="ftp:") ||
    (url.substring(0,5)=="mmsu:")) {
    return "DIRECT";
}

This is pretty easy and safe to do, and that way you don't particularly care about the port.

Host doesn't include the port, so your best bet is probably shExpMatch on url, something along the lines of:

// http or https URL that contains a colon: send it direct
if ((url.substring(0,5)=="http:") ||
    (url.substring(0,6)=="https:")) {
    if (shExpMatch(url,"*:*")) {
        return "DIRECT";
    }
}

Haven't really tested this and it seems to be a bit dangerous. It also might be slow, hard to say.

What http and https traffic specifically do you want to bypass the proxy? I'm wondering if there is a less dangerous way to accomplish what you need?

--CN

0 Kudos
sysec
Level 7

Re: Pac File with Port restrictions

Hi,

Thanks for the reply. The problem with this config, I think:

if ((url.substring(0,5)=="http:") ||
    (url.substring(0,6)=="https:")) {
    if (shExpMatch(url,"*:*")) {
        return "DIRECT";
    }
}

It will always fall on the url.substring, because if you go to http://url.domain.com:12345 it will fall on if((url.substring(0,5)=="http:")

The requested config is that we want to allow @ the firewall specific access for users to specific URLs on high ports.

If it falls on the proxy it will go out with the proxy IP.

I tried to do it already with if ( shExpMatch(url,http://*:80) and also for 443, with the rest to go direct, with no luck.

Any thoughts?

Sysec

0 Kudos
cnewman
Level 10

Re: Pac File with Port restrictions

The idea is that if the protocol is http or https, you check if there is a colon (:) in the url and if there is it goes direct.

There should be another statement after this that says return PROXY IPaddress:9090 if the protocol is http(s) and there is no : in the url.

Your shell expression does not work as url includes the path.

url = http://domain.name:port/page.htm

host is just domain.name in this example.

I would not do http://*:80/* as you could end up matching undesirable sites.

If you want this just for specific URLs why not put in specific bypasses for them:

// Filter bypass for internal sites or problematic external sites
// (hostip is assumed to be set earlier, e.g. var hostip = dnsResolve(host);)
if (shExpMatch(host,"*.companydomain.com") ||
    shExpMatch(url,"http://newport.companydomain.com:123456/*") ||
    isInNet(hostip, "192.168.0.0", "255.255.0.0") ||
    isInNet(hostip, "10.10.0.0", "255.255.0.0") ||
    isInNet(hostip, "192.120.121.0", "255.255.255.0") ||
    isInNet(hostip, "192.121.121.2", "255.255.255.255") ||
    // Match this host
    isInNet(hostip, "100.100.170.202", "255.255.255.255")
   )
    return "DIRECT";

Regards,

--CN

0 Kudos
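
One way to do what the thread asks, as an added example that is not part of any post above: a PAC file that reads the port from the authority part of url only, so the colon in the scheme, the path or the query is never mistaken for a port. The proxy address is a placeholder and the helper name effectivePort is an assumption of this example.

```javascript
// Added example, not from the thread. Replace the placeholder with the
// real proxy address (the thread only gives "IPaddress:9090").
var PROXY = "PROXY proxy.example.invalid:9090";

// Return the TCP port an http/https URL connects to, or null for any
// other scheme. Only the authority (between "//" and the next "/", "?"
// or "#") is inspected.
function effectivePort(url) {
  var m = /^(https?):\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  var authority = m[2];
  // Drop userinfo ("user:pass@") so its colon is not read as a port.
  authority = authority.substring(authority.lastIndexOf("@") + 1);
  // Host is either a bracketed IPv6 literal or a name without colons;
  // an explicit port is the run of digits after the colon that follows.
  var p = /^(?:\[[^\]]*\]|[^:\[\]]*):(\d+)$/.exec(authority);
  if (p) return parseInt(p[1], 10);
  // No explicit port: use the scheme default.
  return scheme === "https" ? 443 : 80;
}

function FindProxyForURL(url, host) {
  var port = effectivePort(url);
  // Only web traffic on 80/443 (explicit or default) goes to the proxy.
  if (port === 80 || port === 443) return PROXY;
  // High ports and non-http schemes leave directly, with the client's IP.
  return "DIRECT";
}
```

Anything returned as DIRECT skips the proxy's filtering and logging, so the firewall rule for those high ports should stay limited to the specific destinations that need it.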