3 Replies Latest reply on Jan 10, 2012 4:01 PM by cnewman

    Pac File with Port restrictions

    sysec

      Hi All,

      This goes out to all the pac file wizards out there,

      I need to add to the proxy PAC file a line that tells the browser to only send port 80 and port 443 to the proxy, and the rest direct.

      E.g. if the client goes to https://"url":12345 or http://"url":12345 I want it to go direct, but if it goes to http://"url" or https://"url" it should be directed to the proxy.

      Do you know if I can set this using a PAC file function?

      10x in advance for all your help

      Sysec

        • 1. Re: Pac File with Port restrictions

          Hi Sysec,

          I often bypass based on the protocol, for example:

          // send non-HTTP protocols direct, whatever port they use
          if((url.substring(0,5)=="rtsp:") ||
             (url.substring(0,6)=="rtspt:") ||
             (url.substring(0,6)=="rtspu:") ||
             (url.substring(0,4)=="mms:") ||
             (url.substring(0,5)=="mmst:") ||
             (url.substring(0,4)=="ftp:") ||
             (url.substring(0,5)=="mmsu:")) {
              return "DIRECT";
          }

           

          It is pretty easy and safe to do, and that way you don't particularly care about the port.

          Host doesn't include the port, so your best bet is probably shExpMatch on url, something along the lines of:

          if((url.substring(0,5)=="http:") ||
             (url.substring(0,6)=="https:")) {
              // go direct when the url contains a colon
              if (shExpMatch(url,"*:*"))
                  return "DIRECT";
          }

           

          Haven't really tested this and it seems to be a bit dangerous. It also might be slow, hard to say.

          What http and https traffic specifically do you want to bypass the proxy? I'm wondering if there is a less dangerous way to accomplish what you need?

          --CN

          • 2. Re: Pac File with Port restrictions
            sysec

            Hi,

            Thanks for the reply. The problem with this config, I think, is the following:

            if((url.substring(0,5)=="http:") ||
               (url.substring(0,6)=="https:")) {
                // go direct when the url contains a colon
                if (shExpMatch(url,"*:*"))
                    return "DIRECT";
            }

             

            It will always fall on the url.substring, because if you go to http://url.domain.com:12345 it will fall on if((url.substring(0,5)=="http:").

            The requested config is that we want to allow, at the firewall, specific users access to specific URLs on high ports.

            If it lands on the proxy it will go out with the proxy IP.

            I already tried it with if ( shExpMatch(url,"http://*:80") ), and also for 443, with the rest going direct, with no luck.

            Any thoughts?

            Sysec

            • 3. Re: Pac File with Port restrictions

              The idea is that if the protocol is http or https, you check if there is a colon (:) in the url, and if there is it goes direct.

              There should be another statement after this that says return "PROXY IPaddress:9090" if the protocol is http(s) and there is no : in the url.

              Your shell expression does not work, as url includes the path:

              url = http://domain.name:port/page.htm

              host is just domain.name in this example.

              I would not do http://*:80/* as you could end up matching undesirable sites.

              If you need this just for specific URLs, why not put in specific bypasses for them:

              // Filter bypass for internal sites or problematic external sites
              var hostip = dnsResolve(host); // hostip is not a PAC built-in; resolve it first
              if ( shExpMatch(host,"*.companydomain.com") ||
                   shExpMatch(url,"http://newport.companydomain.com:123456/*") ||
                   isInNet(hostip, "192.168.0.0", "255.255.0.0") ||
                   isInNet(hostip, "10.10.0.0", "255.255.0.0") ||
                   isInNet(hostip, "192.120.121.0", "255.255.255.0") ||
                   isInNet(hostip, "192.121.121.2", "255.255.255.255") ||
                   // Match this host
                   isInNet(hostip, "100.100.170.202", "255.255.255.255")
                 )
                  return "DIRECT";

               

              Regards,

              --CN
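The thread never arrives at a PAC file that does what the original question asked (send only port 80 and 443 to the proxy, everything else direct), because `shExpMatch(url,"*:*")` matches every http(s) URL (the scheme itself contains a colon) and `http://*:80` never matches a URL whose port is implicit. The following complete PAC file is an added example, not code from the thread or from any vendor; it routes on the URL's effective port (the explicit port if present, otherwise the scheme default), keeps CN's protocol bypass and an internal-domain bypass, and uses only plain string operations so it runs in an old PAC engine and, for testing, in Node.js. The proxy address `proxy.example.internal:9090` and the domain `companydomain.com` are assumed placeholders.

```javascript
// Added example PAC file (not from the thread). Routes by the URL's effective port
// rather than by whether a colon appears anywhere in the url string.
var PROXY_SERVER = "PROXY proxy.example.internal:9090"; // assumed placeholder
var INTERNAL_DOMAIN = "companydomain.com";               // placeholder domain from the thread

// Return the explicit port in a URL, or -1 if none is given or it is not a valid port.
// Only indexOf/substring/parseInt are used: PAC engines run old-style JavaScript.
function explicitPort(url) {
  var schemeEnd = url.indexOf("://");
  if (schemeEnd < 0) return -1;
  var authority = url.substring(schemeEnd + 3);
  var slash = authority.indexOf("/");
  if (slash >= 0) authority = authority.substring(0, slash);   // drop the path
  var at = authority.lastIndexOf("@");
  if (at >= 0) authority = authority.substring(at + 1);        // drop userinfo
  var bracket = authority.lastIndexOf("]");                    // IPv6 literal, e.g. [::1]:8443
  var colon = authority.lastIndexOf(":");
  if (colon < 0 || colon < bracket) return -1;                 // the colon belongs to the IPv6 literal
  var portStr = authority.substring(colon + 1);
  if (portStr.length == 0) return -1;
  for (var i = 0; i < portStr.length; i++) {                   // digits only: "80abc" is not a port
    var c = portStr.charAt(i);
    if (c < "0" || c > "9") return -1;
  }
  var port = parseInt(portStr, 10);
  if (port < 1 || port > 65535) return -1;                      // e.g. the thread's :123456 is not valid
  return port;
}

// Port the request will actually use: explicit port, else the scheme default.
function effectivePort(url) {
  var port = explicitPort(url);
  if (port >= 0) return port;
  if (url.substring(0, 6) == "https:") return 443;
  if (url.substring(0, 5) == "http:") return 80;
  return -1;
}

// true when host is domain itself or a subdomain of it (string check, no shExpMatch needed).
function isSubdomainOf(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host == domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) == suffix;
}

// PAC entry point: the browser passes the full URL and the bare host (no port).
function FindProxyForURL(url, host) {
  var lower = url.toLowerCase();
  var isHttp = lower.substring(0, 5) == "http:" || lower.substring(0, 6) == "https:";
  if (!isHttp) return "DIRECT";                               // rtsp:, mms:, ftp: etc. never use the proxy
  if (isSubdomainOf(host, INTERNAL_DOMAIN)) return "DIRECT";  // internal sites bypass the proxy
  var port = effectivePort(lower);
  if (port == 80 || port == 443) return PROXY_SERVER;         // only the standard web ports go to the proxy
  return "DIRECT";                                            // high or unusual ports go direct
}
```

The `isInNet(dnsResolve(host), ...)` bypasses from CN's last reply can be added before the port check; note that `dnsResolve` costs a DNS lookup per request, which is the slowness CN mentions, so keep it after the cheap string checks. Current browsers strip the path and query from https URLs before calling `FindProxyForURL`, but the scheme, host and explicit port survive, which is all `effectivePort` relies on.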