Re: Global proxy autoconfig script?

From: Janos Farkas <Janos.Farkas-#AZMe3nuZ6XRqSUChsxznB7nUuPK@dont-contact.us>
Date: Wed, 10 Sep 1997 18:47:03 +0200

On 1997-09-10 at 16:22:50, Andreas Strotmann wrote:
> funny, I posted a very similar question to the German academic proxy
> cache mailing list six weeks ago. Here's the technique that I proposed
> to solve this problem.
>
> First, note that the original poster of this question had noticed that
> users complained that their proxy configs don't work any more when they
> change ISPs. Second, this assumes that we're talking about
> auto-configs, i.e. there are WWW servers involved.

[...nice idea snipped...]

There are some cases where it wouldn't work: first, if somehow the PAC
fetching does not obey redirects. No, I don't say it doesn't, but it's
possible.. :) Second, if the clients are not allowed to do direct
access, only through a proxy. The latter is not really desirable
behaviour for ISPs to have for their users, but it's quite common in
some cases.

Another, maybe more legitimate example: imagine you bring your
laptop home; at work, you could only access the web via the corporate
proxy, and you can't access it from any outside ISP. It's still a bit
academic, but it may be inconvenient to change the browser config too,
besides the network config. (In a sane environment, the network config
can still stay the same; you just start a dialer and use it as a better
route to the internet than the network card.)

So, what if I could somehow guarantee that the autoconfig URL is always
accessible to local clients without using proxies? Let's see..

On 1997-09-10 at 16:21:59, Oskar Pearson replied to someone:
> > Use a squid system with 2 IP addresses.
> >
> > One IP address being private. Maybe 10.0.0.1. The other being internet
> > connected.
> >
> > Client browsers access 10.0.0.1.
> yeah, but then your firewalled clients would have to be setup not to
> have a proxy... there goes the 'universal config'...

Ok, how about tricking the DNS even more? Use a split DNS, so that
cache.YOURDOMAIN resolves to a valid PAC-supplying web server, but only
from your networks; from outside, it can still be a pointer to a public
server returning direct access. If the DNS is configured this way at
every one of your POPs for a local PAC, it's really universal.

(I hope with "firewalled clients" you mean clients who use 10.X.X.X
addresses internally for their purposes, so I can't use it for mine.)
This is still not as generic as Andreas' idea, but works better in a
controlled environment, i.e. for all your users.

It still wouldn't work with the laptop brought home, however. Maybe if
you tell your clients to use only the unqualified "cache" address, it
might work in the cross-provider case, but it still might depend on
changing the network setup (domain names). Maybe it's possible to use
"local" names, like cache.local, and have every ISP resolve this name
to theirs? Quite ugly... :)

The more I think of it, the more I see PAC is not really a carefully
designed feature. :)

Oh, and for split DNS, see secure_zone in your bind manuals. :)

-- 
Janos - Don't worry, my address works.  I'm just bored of spam.
Received on Wed Sep 10 1997 - 09:50:17 MDT
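Split DNS only decides which PAC file a client fetches; the PAC file itself can also decline to name the proxy when the client is off the internal network, which is the laptop-at-home case discussed above. The following is an added example, not code from this thread or from any of its posters: a PAC script that returns DIRECT unless the client address falls in an assumed internal 10.0.0.0/8 range, and that never proxies the PAC server's own (assumed) name cache.local, so the autoconfig URL stays reachable without a proxy. The isInNet-style helper is reimplemented locally only so the file runs outside a browser.

```javascript
// Assumed values for the example: internal range and proxy name.
var INTERNAL_NET = "10.0.0.0";
var INTERNAL_MASK = "255.0.0.0";
var PAC_HOST = "cache.local";                 // host serving proxy.pac
var CACHE_PROXY = "PROXY " + PAC_HOST + ":3128";

// Local reimplementation of the PAC built-in isInNet() so this runs
// outside a browser; a browser supplies its own and this is harmless.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((parseInt(p[0], 10) << 24) | (parseInt(p[1], 10) << 16) |
          (parseInt(p[2], 10) << 8) | parseInt(p[3], 10)) >>> 0;
}
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Decision logic with the client address as a parameter, so the same
// rules can be checked for "at work" and "at home" addresses.
function chooseProxy(url, host, clientIp) {
  // Plain hostnames and the PAC server itself are always DIRECT: the
  // autoconfig URL must never depend on the proxy it configures.
  if (host.indexOf(".") === -1 || host === PAC_HOST) {
    return "DIRECT";
  }
  // Inside the internal range, use the cache; fall back to DIRECT if
  // it is unreachable. Note the caveat from the thread: if the home
  // network also uses 10.x.x.x, this check misfires and a dead proxy
  // is tried first, which is why the DIRECT fallback is listed.
  if (inNet(clientIp, INTERNAL_NET, INTERNAL_MASK)) {
    return CACHE_PROXY + "; DIRECT";
  }
  return "DIRECT";
}

// Entry point the browser calls. myIpAddress() is a PAC built-in; when
// run outside a browser it is absent, and 0.0.0.0 yields DIRECT.
function FindProxyForURL(url, host) {
  var me = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(url, host, me);
}
```

myIpAddress() reports only the primary interface address, so on a multi-homed laptop (dialer plus network card, as in the message) it may report the wrong side; the DIRECT fallback is the safety net for that.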
