Posts Tagged ‘internet explorer’

Better Proxy Settings… Bluecoat, wpad, proxy.pac & dhcp option 252

Recently I’ve been involved with a bluecoat install; one of the requirements I was faced with was helping the client remove fixed proxy settings from their browsers.

For how-to references, a combination of google, wikipedia and this post are good places to start; I intend to document my experience, so you may find some overlap.

The 1st thing to understand is that Firefox (FF) and Internet Explorer (IE) both support an “automatically detect proxy” setting, but they are implemented in different ways. Both FF & IE use a proxy.pac (also known as wpad.dat) for their configuration; they just “look for it” in different ways.

The proxy pac file is a JavaScript file that tells the browsers (both FF & IE) how to connect. There are some good pac file examples here; this is what I did…


function FindProxyForURL(url, host)
{
    // The first if statement tests whether the URL should bypass the proxy…
    // Proxy bypass list
    if (
        // ignore RFC 1918 internal addresses
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||

        // if the URL is like http://server, bypass
        isPlainHostName(host) ||

        // localhost!!
        localHostOrDomainIs(host, "127.0.0.1") ||

        // bypass internal URLs
        dnsDomainIs(host, ".mycompany.com") ||
        dnsDomainIs(host, ".mycompany.local")
    )
        // If true, tell the browser to go direct…
        return "DIRECT";

    // If false, the host is not on the bypass list, so proxy the request… if you fail to connect to the proxy, try direct.
    return "PROXY 10.10.10.10:8080;DIRECT";
}
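As an added example (not part of the original post), the harness below runs the same bypass logic under Node.js so you can check which URLs go direct before publishing the file, and flags routes that fall back to DIRECT. The helper stand-ins, the FAKE_DNS table, route(), failsOpen() and the sample URLs are constructed for illustration; a real browser resolves names through DNS inside isInNet.

```javascript
// Offline stand-ins for the browser's PAC helpers. Assumption: no real DNS;
// isInNet resolves names only through this constructed table.
const FAKE_DNS = { "www.example.com": "93.184.216.34" };

function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip || "")) return null;
  const p = ip.split(".").map(Number);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function isInNet(host, net, mask) {
  const addr = ipToInt(host) ?? ipToInt(FAKE_DNS[host]);
  if (addr === null) return false;
  const m = ipToInt(mask);
  return ((addr & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
const isPlainHostName = (host) => !host.includes(".");
const dnsDomainIs = (host, domain) => host.endsWith(domain);
const localHostOrDomainIs = (host, hostdom) =>
  host === hostdom || hostdom.startsWith(host + ".");

// The PAC logic from the post, unchanged in behaviour.
function FindProxyForURL(url, host) {
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isPlainHostName(host) ||
      localHostOrDomainIs(host, "127.0.0.1") ||
      dnsDomainIs(host, ".mycompany.com") ||
      dnsDomainIs(host, ".mycompany.local"))
    return "DIRECT";
  return "PROXY 10.10.10.10:8080;DIRECT";
}

// Route a URL the way a browser would hand it to the PAC function.
const route = (url) => FindProxyForURL(url, new URL(url).hostname);

// True when a proxied route ends in DIRECT, i.e. the client goes around the
// proxy (and its filtering and logging) whenever the proxy is unreachable.
function failsOpen(result) {
  const parts = result.split(";").map((s) => s.trim()).filter(Boolean);
  return parts.some((p) => p.startsWith("PROXY")) && parts[parts.length - 1] === "DIRECT";
}

// Constructed sample URLs, including two edge cases of the bypass list.
for (const u of ["http://intranet/", "http://192.168.1.20/", "http://172.32.0.1/",
                 "http://portal.mycompany.com/", "http://notmycompany.com/",
                 "http://www.example.com/"]) {
  const r = route(u);
  console.log(u.padEnd(30), r, failsOpen(r) ? "(fails open)" : "");
}
```

172.32.0.1 sits just outside 172.16.0.0/12 and notmycompany.com does not match ".mycompany.com" because of the leading dot, so both are proxied. Every proxied route here is flagged as failing open, which means clients go direct whenever 10.10.10.10 is unreachable unless something else blocks direct outbound web traffic.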

Once you’re happy with what you’ve written you need to “publish” the pac file on a webserver for your clients to download it… I’ve decided to use the bluecoat proxy SG.

Now you can’t upload the pac file via the GUI, you need to get down and dirty with the command line, below is an example ssh session…


Proxy> enable
Proxy# conf t
Proxy# inline accelerated-pac 123
....... Paste the contents of proxy.pac .......
123
Proxy#

Before going any further, log into your bluecoat and make sure that under Services -> Proxy Services, HTTP 80 & 8080 are set to Intercept. Next check that under Services -> Management Services, HTTP-Console 8081 is enabled… this service will be used to get the pac file. Leave HTTPS-Console 8082 on, as using the plain-HTTP 8081 console for administrator access would be a bad idea.

You will now hopefully be able to download your pac file from the following url http://10.10.10.10:8081/accelerated_pac_base.pac .. change the IP as necessary.

Once that works we’re going to add some proxy policy to make that url (a) nicer (b) compatible with Firefox. In the Bluecoat GUI under policy (not the visual policy manager) make sure that the local policy is read 1st… at the top of the file list. The policy in the following ssh session re-writes requests for the pac file under a variety of names; basically I’ve tried to capture every combination that a user might try…


Proxy> enable
Proxy# conf t
Proxy# inline policy local 123


<proxy>
url=http://proxy.mycompany.local/proxy.pac authenticate(no)
url=http://proxy.mycompany.local/wpad.dat authenticate(no)
url=http://wpad.mycompany.local/wpad.dat authenticate(no)
url=http://www.wpad.com/wpad.dat authenticate(no)
url=http://proxy.mycompany.local:8081/accelerated_pac_base.pac authenticate(no)
url=http://10.10.10.10:8081/accelerated_pac_base.pac authenticate(no)


<cache>
url.domain=http://proxy.mycompany.local/proxy.pac cache(no)
url.domain=http://proxy.mycompany.local/wpad.dat cache(no)
url.domain=http://wpad.mycompany.local/wpad.dat cache(no)
url.domain=http://www.wpad.com/wpad.dat cache(no)
url.domain=http://proxy.mycompany.local:8081/accelerated_pac_base.pac cache(no)
url.domain=http://10.10.10.10:8081/accelerated_pac_base.pac cache(no)


<proxy>
url=http://proxy.mycompany.local/proxy.pac action.rewrite_pac(yes)
url=http://proxy.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://wpad.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://www.wpad.com/wpad.dat action.rewrite_pac(yes)
url=/wpad.dat action.rewrite_pac(yes)


define action rewrite_pac
rewrite(url,"(.*)","http://10.10.10.10:8081/accelerated_pac_base.pac")
end


123
Proxy#

Phew, that’s the bluecoat side of things sorted, now we need to get clients to download the file! This is where the browsers have different approaches…

Internet Explorer uses DHCP Option 252 to detect the proxy; you can set the option to any of the URLs you’re re-writing on the bluecoat. I chose http://wpad.mycompany.local/wpad.dat .

Firefox uses DNS to detect the proxy, so you’re going to need to create some records… The bluecoat was called “proxy” so an A record for proxy.mycompany.local already existed; we created a CNAME record for wpad.mycompany.local pointing to proxy.mycompany.local … if your dns domain is something like uk.mycompany.local you’ll need to add CNAME records for wpad.uk.mycompany.local & wpad.mycompany.local and add the necessary lines to the bluecoat rewrite code above.

Once done you can set either browser to “automatically detect” and, fingers crossed, all will work!

UGHRRG, ie6!!!! Should I support it?

I’m in the process of writing a whole new look for linickx.com, I think I’m about there so I’ve decided it was about time to give the other browsers a spin. All of my development has been with Firefox on linux (with a little epiphany for testing non logged in users) and I’ve got the look and feel pretty much as I like.

I reboot into windows cause according to google analytics 70% of my visitors in the last month are windows people; Firefox on windows passes the test, all the same, so I’ve downloaded a copy of safari for windows, good news there too and I finish off with Internet Explorer 6, crap I forgot that ie6 cannot render transparent .png files, although the layout is alright my new header is screwed and I’ve used .png icons in my /files/ section so that’s going to look rubbish.

This leaves me with a dilemma, do I re-do all of my images as .gifs to account for the 10% of ie6 users? And is it possible to dual install ie6 & ie7 ? … I still haven’t tested that and 20% of visitors use that… I’ve never bothered upgrading to ie7 since I knew I was never going to use it, why waste the disk space & bandwidth?

I’m toying with having a browse happy banner appear for ie6 and a disclaimer saying this site will look awful use a proper browser; the banner will be easy to do within the WordPress powered section, but the /files/ section which is driven by apache may be more of an issue.

The whole thing is just irritating, I was really looking forward to getting the new look up soon, ho-hum off to make a decision!

P.S. In case you were wondering, yes 60% of visitors are firefox, 5% are safari and the other 5% is made up of random stuff (hello to the 2 users on the PSP!!!)