I'm running a Squid proxy and want to exclude a certain web address that is accessed over a non-standard port from going through the proxy, rather than open the port in an ACL within squid.conf (it seems to be a specific use case).
In my case the port in question is TCP 2222 (DirectAdmin) over both http:// and https://. I wasn't sure if this was actually possible to do without opening the port itself, but I did find several articles about bypassing URLs with non-standard ports with PAC/WPAD. I've tried a ruleset like the one below, which sets a wildcard for the TLD and specific rules for the non-standard port URL.
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.somedomain.com") ||
        shExpMatch(url, "http://example.somedomain.com:2222/*") ||
        shExpMatch(url, "https://example.somedomain.com:2222/*"))
        return "DIRECT";
    return "PROXY proxy.example.com:3128"; // everything else via the proxy; address is a placeholder
}
Using pactester, I am getting the correct response of DIRECT from a rule test:
pactester -p /path/to/wpad.dat -u http://example.somedomain.com
DIRECT
pactester -p /path/to/wpad.dat -u http://example.somedomain.com:2222
DIRECT
pactester -p /path/to/wpad.dat -u https://example.somedomain.com:2222
DIRECT
However, it appears the request is still being sent through the proxy, as I get "Proxy is refusing connections" etc. in a web browser. The port itself is not blocked (I can telnet to it), but the Squid ACL doesn't have the port allowed. That is what I am trying to avoid doing, and surely the DIRECT response means bypass?
Is this actually possible to achieve with a PAC/WPAD with non-standard ports, or is there an alternative way to bypass the proxy and send directly for this specific case?
If you want something more generic, to allow all requests that require a non-standard port to go direct, try:
It's not perfect (and you might want to modify it so that requests that explicitly specify the standard port for the protocol, e.g. :80 for HTTP and :443 for HTTPS, still go via the proxy), but it should catch most requests. Refinements welcome.
Original config
Are you sure this shouldn't be
You might be trying to visit example.somedomain.co.uk but your condition is written for example.somedomain.com and so it keeps hitting the proxy?
Looks like it was a combination of caching and a bad isInNet rule overriding the DIRECT rule in my specific port if statement.
The rule example posted does work, when executed in the correct order!
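The generic rule described in the answer above (send anything on a non-standard port DIRECT, but keep requests that explicitly name the scheme's default port on the proxy), with the port check placed ahead of the broader rules because, as the resolution notes, PAC rules are evaluated top to bottom and an earlier match wins. This is an added example, not code from the question or any answer; it deliberately avoids the PAC built-ins (shExpMatch, isInNet, dnsResolve) so it runs unchanged under pactester, a browser, or Node. The proxy address, the somedomain.com domain rule and the test URLs are placeholders or constructed values.

```javascript
// Added example: a complete PAC file that routes non-standard ports DIRECT.
// The proxy address below is a placeholder; replace it with your Squid host.
var PROXY_SERVER = "PROXY squid.example.com:3128";

// Default TCP port for a URL scheme, or -1 if the scheme is unknown.
function defaultPortFor(scheme) {
  if (scheme === "http") return 80;
  if (scheme === "https") return 443;
  if (scheme === "ftp") return 21;
  return -1;
}

// Parse a URL into { scheme, port }. Port is the explicit port when present,
// otherwise the scheme default. Returns null when the URL cannot be parsed.
// Handles userinfo (user:pw@host) and bracketed IPv6 literals ([::1]:8443).
function parseSchemeAndPort(url) {
  var m = /^([a-z][a-z0-9+.\-]*):\/\/([^\/?#]+)/i.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  var authority = m[2];
  var at = authority.lastIndexOf("@");
  if (at !== -1) authority = authority.slice(at + 1); // strip userinfo
  var portMatch = authority.charAt(0) === "["
    ? /^\[[^\]]*\](?::(\d+))?$/.exec(authority)   // IPv6 literal
    : /^[^:]*(?::(\d+))?$/.exec(authority);       // hostname or IPv4
  if (!portMatch) return null;
  var port = portMatch[1] ? parseInt(portMatch[1], 10) : defaultPortFor(scheme);
  return { scheme: scheme, port: port };
}

// True when the request is bound for a port Squid's Safe_ports ACL would not
// normally allow, i.e. anything other than the scheme's default port.
// An explicit :80 on http or :443 on https still counts as standard.
function isNonStandardPort(url) {
  var parsed = parseSchemeAndPort(url);
  if (parsed === null || parsed.port === -1) return false;
  return parsed.port !== defaultPortFor(parsed.scheme);
}

// Rule order matters: the first matching return wins, so the port rule sits
// above the domain rule and any network (isInNet-style) rule you add later.
function FindProxyForURL(url, host) {
  // 1. Non-standard ports bypass the proxy entirely.
  if (isNonStandardPort(url)) return "DIRECT";
  // 2. Hosts under the internal domain go direct (placeholder domain).
  if (/(^|\.)somedomain\.com$/i.test(host)) return "DIRECT";
  // 3. Everything else is proxied.
  return PROXY_SERVER;
}

// Stand-alone check mirroring what pactester prints for a few constructed URLs.
if (typeof module !== "undefined" && require.main === module) {
  [
    ["http://example.somedomain.com:2222/", "example.somedomain.com"],
    ["https://www.example.net:8443/admin", "www.example.net"],
    ["http://www.example.net:80/", "www.example.net"],
    ["https://www.example.net/", "www.example.net"]
  ].forEach(function (pair) {
    console.log(pair[0] + " -> " + FindProxyForURL(pair[0], pair[1]));
  });
}
```

When you load this through WPAD, clear the browser's cached PAC (or bump the file name) before re-testing; the original poster's symptom came from a stale copy plus a later rule overriding the DIRECT return, and pactester alone will not show either problem.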