Re: [squid-users] proxy.pac vs manual proxy + LiveLink

From: Donovan Baarda <abo@dont-contact.us>
Date: Sat, 10 Aug 2002 00:36:43 +1000

On Thu, Aug 08, 2002 at 09:51:11PM -0700, Deb wrote:
> Donovan, Thanks for responding,
>
> Donovan Baarda <abo@minkirri.apana.org.au> had this to say,
> >
> > I suspect the problem is the manual config is specifying a http proxy, but
> > not an ssl proxy. As this is an https request, it would go to your ssl
> > proxy. If the ssl proxy is blank, it would go direct.
>
> Are you saying that because the manual config only directs
> non-secure requests to the proxy, secure-requests are sent
> without respect to the www-proxy? Okay, I think I understand
> that.

Most clients have the ability to set http, ssl, ftp, and socks proxies. The
ssl proxy setting is what is used for https urls.

Try manually setting a client to use your proxy as its ssl proxy. I bet you
get the same result you are currently getting for using the proxy.pac.

> > I think your proxy.pac above specifies your proxy for all requests, including
> > https requests. It looks like the livelink site does not like its https
> > connections going through a proxy, or perhaps you have some firewall problem
> > preventing the proxy from using ssl properly.
>
> So, would you have any suggestions for how the proxy.pac ought
> to look like to take care of SSL requests?

Sorry, can't help you there, I know nothing about proxy.pac, just
configuring clients manually and configuring squid :-)

However, I'm not sure that you want or need to make _all_ https traffic go
direct. It sounds like only that particular https url is causing you grief,
and other https urls work fine. Perhaps you should check some other https
urls to see if they are also broken.

If they are all broken, then I would be suspecting something about the proxy
is busted for https. Perhaps the host it is running on has port 443
firewalled?

If it is just that particular https url, then I suspect that the particular
url is doing something strange, like attempting to make another connection
back to the originating host on a different port. Strangenesses like this
are a total PITA, and I would be tempted to tell the clients that the site
they are attempting to access is busted, please complain to them.

If you absolutely must allow access to that https url, then you have two
options; make all https requests go direct, or make a special case out of
them. The manual way to make a special case is to include the site in the
"No Proxy for". I have no idea what the proxy.pac way to do this is, but you
can probably figure it out.

-- 
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------
Received on Fri Aug 09 2002 - 08:36:52 MDT
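
The proxy.pac special case discussed in this thread, as an added example that is not part of the original message: one listed HTTPS host goes direct and everything else, including all other https URLs, still goes through the proxy. The host names and port are placeholders (assumptions), since the thread does not give the real ones.

```javascript
// Added example, not code from the thread.
// Assumptions: www-proxy.example.com:3128 stands in for the squid proxy,
// livelink.example.com stands in for the one site that breaks when proxied.

// No "; DIRECT" fallback here: if the proxy is down, requests fail instead of
// silently bypassing it.
var PROXY = "PROXY www-proxy.example.com:3128";

// Hosts whose https traffic may bypass the proxy. Keep this list short:
// every entry is traffic the proxy no longer sees, filters or logs.
var DIRECT_HTTPS_HOSTS = ["livelink.example.com"];

// Exact, case-insensitive host match (a trailing dot is tolerated).
// Substring or suffix matching would also catch look-alike names such as
// "livelink.example.com.other.test", so it is avoided on purpose.
function isListedHost(host, list) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < list.length; i++) {
    if (h === list[i]) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var isHttps = url.substring(0, 6).toLowerCase() === "https:";
  if (isHttps && isListedHost(host, DIRECT_HTTPS_HOSTS)) {
    return "DIRECT"; // the special case: this one site skips the proxy
  }
  return PROXY; // http and every other https URL stay on the proxy
}
```

This is the PAC equivalent of adding the site to "No Proxy for" while leaving the ssl proxy set for every other host.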
