Stefan Baur wrote:
> Hi list,
> 
> I'm not sure if this is a squid issue - probably not - but since the FAQ 
> mentions proxy autoconfiguration files in quite some detail, I'm hoping 
> that the folks that came up with the examples in the FAQ are reading 
> along and might provide some insight on my issue, or maybe even a solution.
> 
> I'm using Iceweasel (Debian Lenny's rebranded Firefox) 3.0.6-3,
> Squid 2.7.STABLE3-4.1lenny1, and the following proxy autoconfiguration 
> file:
> 
> function FindProxyForURL(url, host) {
> if (
>     isPlainHostName(host) ||
>     isInNet(host, "192.168.0.0", "255.255.0.0") ||
>     isInNet(host, "172.16.0.0", "255.240.0.0") ||
>     isInNet(host, "10.0.0.0", "255.0.0.0")
>    )
>    {
>     return "DIRECT";
>     // This excludes plain host names
>     // (WINS, non-FQDNs) as well as the IP ranges
>     // 192.168.0.0-192.168.255.255,
>     // 172.16.0.0-172.31.255.255 and
>     // 10.0.0.0-10.255.255.255
>     // from the proxy service
>     // (needed as the proxy is in the DMZ
>     // and can't fetch pages from internal
>     // addresses)
>    } else {
>     return "PROXY proxy.ip.here:8080;DIRECT";
>     // Everything else should go through the proxy
>    }
> }
> 
> What happens is that as soon as an URL with a non-existent DNS name is 
> entered, the browser locks up for almost 90 seconds before it displays 
> Squid's DNS error message (ERR_DNS_FAIL).
> 
> I tried changing
> return "PROXY proxy.ip.here:8080;DIRECT";
> to
> return "PROXY proxy.ip.here:8080";
> as I thought it might freeze until it gets some sort of time out in the 
> "DIRECT" part.
> That wasn't the case, though.
> 
> I also tried removing the isPlainHostName part, in case it would do some 
> sort of lookup that causes the delay, but that didn't help, either.
> (I closed the browser between those attempts, so it wouldn't cache the 
> old config file somewhere.)
> 
> However, when I don't use the autoconfiguration file, but rather enter 
> the data directly in Iceweasel's proxy configuration screen 
> (Edit/Preferences/Advanced/Network/Connection: Settings), the 
> ERR_DNS_FAIL page upon hitting an invalid DNS name shows up instantly.
> 
> The Wiki/FAQ at 
> <http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Partially_Automatic_Configuration> 
> 
> suggests using
> 
> if (!isResolvable(host))
> return "DIRECT";
> 
> This probably won't work in my case, as none of my clients have access 
> to the "real" DNS (the DNS server they know only resolves internal 
> names, and that is intentional), so they'd always try to avoid the proxy 
> as they can't resolve any host name.
Yes.
> 
> Also, working the opposite way, as in this example from 
> <http://docs.sun.com/app/docs/doc/820-1652/adysm?a=view>,
> 
> function FindProxyForURL(url, host)
>     {
>         if (isPlainhost name(host) ||
>             isResolvable(host))
>             return "DIRECT";
>         else
>             return "PROXY proxy.ip.here:8080";
>     }
> it still shows the freeze/lockup issue.
> 
> Any suggestions on how I can use an autoconfiguration file and still get 
> timely ERR_DNS_FAIL replies?
With your stated environment where clients cannot resolve non-local 
domains I'd go for just:
{
   if (isResolvable(host))
     return "DIRECT";
   else
     return "PROXY proxy.ip.here:8080";
}
That way the local domains (which are resolvable) get used directly. And 
everything else is up to whether the proxy can resolve it or not.
If you still hit lockup with the above, I'd then look at how long the 
local DNS resolver is taking to reject non-resolvable requests. If its 
just dropping them the client will fallback to a full DNS timeout 
(somewhere between 30 seconds and five minutes) before even attempting 
the proxy.
Amos
-- Please be using Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24 Current Beta Squid 3.1.0.17Received on Wed Mar 10 2010 - 11:00:23 MST
This archive was generated by hypermail 2.2.0 : Wed Mar 10 2010 - 12:00:03 MST