0

I'm running a Squid proxy and want to exclude a certain web address that is accessed over a non-standard port from going through the proxy, rather than open the port in an ACL within squid.conf (it seems to be a specific usage case).

In my case the port in question is TCP 2222 (DirectAdmin) over both http:// and https://. I wasn't sure if this was actually possible to do without opening the port itself, but I did find several articles about bypassing URLs with non-standard ports with PAC/WPAD. I've tried a ruleset like the one below, which sets a wildcard for the TLD and specific rules for the non-standard port URL.

if (shExpMatch(host, "*.somedomain.com") ||
    shExpMatch(url, "http://example.somedomain.com:2222/*") ||
    shExpMatch(url, "https://example.somedomain.com:2222/*"))
    return "DIRECT";

Using pactester, I am getting the correct response of DIRECT from a rule test:

pactester -p /path/to/wpad.dat -u http://example.somedomain.com
DIRECT
pactester -p /path/to/wpad.dat -u http://example.somedomain.com:2222
DIRECT
pactester -p /path/to/wpad.dat -u https://example.somedomain.com:2222
DIRECT

However, it appears the request is still being sent through the proxy as I get "Proxy is refusing connections" etc. in a web browser. The port itself is not blocked, I can telnet to it, but the Squid ACL doesn't have the port allowed. Though this is what I am trying to avoid doing, and surely the DIRECT response means bypass?

Is this actually possible to achieve with a PAC/WPAD with non-standard ports, or is there an alternative way to bypass and send directly for this specific case?

3 Answers

1

If you want something more generic, to allow all requests that require a non-standard port to go direct, try:

if (shExpMatch(url, "*://" + host + ":*"))
    return "DIRECT";

It's not perfect (and you might want to modify it so that requests that explicitly specify the standard port for the protocol, e.g. :80 for HTTP and :443 for HTTPS, still go via the proxy) but it should catch most requests. Refinements welcome.

Minkus
  • 380
0

Original config

if (shExpMatch(host, "*.somedomain.co.uk") ||
     shExpMatch(url, "http://example.somedomain.com:2222/*") ||
     shExpMatch(url, "https://example.somedomain.com:2222/*"))
     return "DIRECT";

Are you sure this shouldn't be

if (shExpMatch(host, "*.somedomain.co.uk") ||
     shExpMatch(url, "http://example.somedomain.co.uk:2222/*") ||
     shExpMatch(url, "https://example.somedomain.co.uk:2222/*"))
     return "DIRECT";

You might be trying to visit example.somedomain.co.uk but your condition is written for example.somedomain.com, and so it keeps hitting the proxy?

ngn
  • 333
0

Looks like it was a combination of caching and a bad isInNet rule overriding the DIRECT rule in my specific port if statement.

The rule example posted does work, when executed in the correct order!
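Added example, not code from the question or from any of the answers: a PAC file in the shape discussed in this thread (the question's specific port-2222 DIRECT rule, Minkus's generic non-standard-port rule, and an isInNet rule for the internal range), together with Node.js shims for the PAC built-ins shExpMatch, dnsResolve and isInNet so the rule order can be checked offline before the file is served via WPAD. The hostnames, the DNS table, the 10.0.0.0/8 range and the proxy address squid.somedomain.com:3128 are constructed placeholders, not the posters' real values. FindProxyForURL_misordered is an added function that reproduces the failure mode from the last answer, where a broad isInNet rule evaluated first swallows the host that should go DIRECT.

```javascript
// Added example (not from the question or answers). Node.js shims for the
// PAC built-ins, followed by a FindProxyForURL in the form a wpad.dat uses.
// All hostnames, addresses and the proxy name are constructed placeholders.

// ---- Shims for PAC built-ins (Node only; browsers supply their own) -------

// shExpMatch: shell-style glob with '*' and '?' wildcards, whole-string match.
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed DNS table standing in for the browser's resolver.
var FAKE_DNS = {
  "example.somedomain.com": "10.0.5.20",   // DirectAdmin host, internal range
  "intranet.somedomain.com": "10.0.5.30",
  "www.example.org": "203.0.113.10"        // an Internet host
};
function dnsResolve(host) {
  return FAKE_DNS.hasOwnProperty(host) ? FAKE_DNS[host] : null;
}

// Dotted quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return ((acc << 8) | parseInt(octet, 10)) >>> 0;
  }, 0);
}

// isInNet: true when the dotted-quad address lies inside pattern/mask.
function isInNet(ip, pattern, mask) {
  if (!ip) return false;                   // unresolvable host: no match
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// ---- Rules, written the way they would appear in wpad.dat ----------------

var SQUID = "PROXY squid.somedomain.com:3128";   // assumed proxy address

// The question's specific rule: DirectAdmin on TCP 2222, both schemes.
function isDirectAdmin(url) {
  return shExpMatch(url, "http://example.somedomain.com:2222/*") ||
         shExpMatch(url, "https://example.somedomain.com:2222/*");
}

// Minkus's generic rule, refined so an explicit :80 or :443 still uses the proxy.
function hasNonStandardPort(url, host) {
  return shExpMatch(url, "*://" + host + ":*") &&
         !shExpMatch(url, "http://" + host + ":80/*") &&
         !shExpMatch(url, "https://" + host + ":443/*");
}

// A broad isInNet rule: everything resolving into 10.0.0.0/8 goes via Squid.
function isInternal(host) {
  return isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0");
}

// Correct order: the PAC engine returns at the first match, so the specific
// DIRECT rules must be evaluated before the broad isInNet rule.
function FindProxyForURL(url, host) {
  if (isDirectAdmin(url)) return "DIRECT";
  if (hasNonStandardPort(url, host)) return "DIRECT";
  if (isInternal(host)) return SQUID;
  return SQUID + "; DIRECT";               // Internet: Squid, fall back to direct
}

// The failure mode from the last answer: with the isInNet rule first, the
// DirectAdmin host (10.0.5.20 is inside 10/8) matches it, the DIRECT rules
// below are never reached, and the browser still sends port 2222 to Squid.
function FindProxyForURL_misordered(url, host) {
  if (isInternal(host)) return SQUID;
  if (isDirectAdmin(url)) return "DIRECT";
  if (hasNonStandardPort(url, host)) return "DIRECT";
  return SQUID + "; DIRECT";
}

// Stand-alone run: print both orderings for a few constructed requests.
if (typeof require !== "undefined" && require.main === module) {
  var cases = [
    ["http://example.somedomain.com:2222/", "example.somedomain.com"],
    ["https://example.somedomain.com:2222/", "example.somedomain.com"],
    ["http://intranet.somedomain.com/", "intranet.somedomain.com"],
    ["http://www.example.org:8080/app", "www.example.org"],
    ["https://www.example.org/", "www.example.org"]
  ];
  cases.forEach(function (c) {
    console.log(c[0], "->", FindProxyForURL(c[0], c[1]),
                "(misordered:", FindProxyForURL_misordered(c[0], c[1]) + ")");
  });
}
```

The shims only exist so the rules can be exercised with node before deployment; the browser provides its own shExpMatch, dnsResolve and isInNet, so only the part from `var SQUID` down belongs in wpad.dat. Two things worth keeping in mind when a DIRECT result from pactester still ends in a "proxy is refusing connections" error in the browser: pactester evaluates the function body you hand it, not the copy the browser has cached, so a stale cached PAC has to be cleared after editing wpad.dat; and a browser error that names the proxy means the browser did consult Squid, which points at an earlier rule in the file winning rather than at the port-2222 rule being wrong.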