Forum Discussion
Luca_55898
Nimbostratus
Jul 05, 2011
Using an iRule for a proxy pac file
Trying to get an iRule working to deploy a proxy pac file.
I have been reading this link http://devcentral.f5.com/wiki/default.aspx/iRules/Proxy_Pacfile_Hosting_without_need_for_Web_servers.html and have created the iRule below based on the version 10 source in the link above.
So I understand that the 'return DIRECT' will bypass the proxy for all the sites listed in the shExpMatch section. But what about going onto the internet, which section of the iRule determines that www.microsoft.com for example needs to be assigned proxy1.ourbusiness.com?
Also, the devcentral link above says to just create the VIP but do not assign any pool, is that correct?
So apart from my questions above, does the rule below look OK? If I just point a client to the IP of the VIP on whatever port the VIP listens on, such as http://192.1.1.1:8080/proxy.pac, will that work?
when RULE_INIT {
    set static::pacfile {
        function FindProxyForURL(url, host) {
            if (isPlainHostName(host))
                return "DIRECT";
            if (shExpMatch(url,"*.messages.*") ||
                shExpMatch(url,"*remote.ourbusiness.com.au*") ||
                shExpMatch(url,"*ww.ourbusiness.com.au*"))
                shExpMatch(url,"*gobusiness.*") ||
                shExpMatch(url,"*firstcust.*") ||
                shExpMatch(url,"*longday.*") ||
                shExpMatch(url,"*rosshome.*") ||
                shExpMatch(url,"*ourbusiness.com*") ||
                shExpMatch(url,"*portal.ourbusiness.com.au*") ||
                shExpMatch(url,"*ourbusiness.com.au*") ||
                shExpMatch(url,"*w2.ourbusiness.com.au*") ||
                shExpMatch(url,"*w3.ourbusiness.com.au*") ||
                shExpMatch(url,"*msgpooled.com*") ||
                shExpMatch(url,"*corporateorders.com*") ||
                shExpMatch(url,"*generic.com.au*") ||
                shExpMatch(url,"*.ecommerce.com*") ||
                shExpMatch(url,"*.paymentpage.com*") ||
                shExpMatch(url,"*.mpt.com.*") ||
                shExpMatch(url,"*.customercentral.com*") ||
                shExpMatch(url,"*.informatic.com*"))
                return "DIRECT";
            if (dnsDomainIs(host, ".extranet.com")||
                dnsDomainIs(host, ".extranet2.com"))
                return "Proxy proxy1.ourbusiness.com:8080";
            if (dnsDomainIs(host, ".intrant.com")||
                dnsDomainIs(host, ".intranet2.com"))
                return "DIRECT";
            return "PROXY proxy1.ourbusiness.com:8080";
        }
    }
}
when HTTP_REQUEST {
    switch [HTTP::uri] {
        "/proxy.pac" {
            HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
        }
    }
}
12 Replies
- The_Bhattman
Nimbostratus
Hi Luca,
The iRule looks fine from what I can tell. However, I think you can remove
    if (dnsDomainIs(host, ".extranet.com")||
        dnsDomainIs(host, ".extranet2.com"))
        return "Proxy proxy1.ourbusiness.com:8080";
Because you have a
    return "PROXY proxy1.ourbusiness.com:8080";
which is a catch all that if nothing matches the IF statements with the proxy.pac logic - ALWAYS go to proxy1ourbusiness.com:8080
Yes you can create a virtual 192.1.1.1:8080 with the iRule associated to the virtual then accessing the pacfile would be http://192.168.1.1:8080/proxy.pac
I hope this helps
Bhattman
- Luca_55898
Nimbostratus
Thanks for the reply.
The issue I'm having is that the iRule does not seem to send the proxy server for external sites. So when I assign the VIP to a client's browser they can't access the web. Internal sites work fine so that side of things looks to be working.
The iRule now looks like this (I removed the dnsDomainIs sections)
Note - the proxy that this iRule should return is another VIP on the same LTM, is that OK?
when RULE_INIT {
    set static::pacfile {
        function FindProxyForURL(url, host) {
            if (isPlainHostName(host))
                return "DIRECT";
            if (host.substring(0,3)=="10.")
                return "DIRECT";
            if (shExpMatch(url,"*.messages.*") ||
                shExpMatch(url,"*remote.ourbusiness.com.au*") ||
                shExpMatch(url,"*ww.ourbusiness.com.au*"))
                shExpMatch(url,"*gobusiness.*") ||
                shExpMatch(url,"*firstcust.*") ||
                shExpMatch(url,"*longday.*") ||
                shExpMatch(url,"*rosshome.*") ||
                shExpMatch(url,"*ourbusiness.com*") ||
                shExpMatch(url,"*portal.ourbusiness.com.au*") ||
                shExpMatch(url,"*ourbusiness.com.au*") ||
                shExpMatch(url,"*w2.ourbusiness.com.au*") ||
                shExpMatch(url,"*w3.ourbusiness.com.au*") ||
                shExpMatch(url,"*msgpooled.com*") ||
                shExpMatch(url,"*corporateorders.com*") ||
                shExpMatch(url,"*generic.com.au*") ||
                shExpMatch(url,"*.ecommerce.com*") ||
                shExpMatch(url,"*.paymentpage.com*") ||
                shExpMatch(url,"*.mpt.com.*") ||
                shExpMatch(url,"*.customercentral.com*") ||
                shExpMatch(url,"*.informatic.com*"))
                return "DIRECT";
            return "PROXY proxy1.ourbusiness.com:3128";
        }
    }
}
when HTTP_REQUEST {
    switch [HTTP::uri] {
        "/proxy.pac" {
            HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
        }
    }
}
- The_Bhattman
Nimbostratus
Hi Luca,
Using another VIP is fine since the client is going to process the pacfile. What about replacing $static::pacfile with [subst $static::pacfile]?
Bhattman
- Luca_55898
Nimbostratus
That has not helped :-(
Still no connection. I will do some tcpdumps and other debugging to see what's going on
- The_Bhattman
Nimbostratus
Hi Luca,
My suggestion is to simplify the pacfile down to the following:
For example
    function FindProxyForURL(url, host) { return "PROXY proxy1.ourbusiness.com:3128"; }
I hope this helps
Bhattman
- Ryan_Paras_7933
Nimbostratus
Luca-
If I understand your question correctly, the iRule technically looks okay, but you have a couple of errors in your PAC file. For example look at the line "shExpMatch(url,"*ww.ourbusiness.com.au*"))"
Your last PAC you defined, cleaned up, should look like this:
function FindProxyForURL(url, host) {
    if (isPlainHostName(host))
        return "DIRECT";
    if (host.substring(0,3)=="10.")
        return "DIRECT";
    if (shExpMatch(url,"*.messages.*") ||
        shExpMatch(url,"*remote.ourbusiness.com.au*") ||
        shExpMatch(url,"*ww.ourbusiness.com.au*") ||
        shExpMatch(url,"*gobusiness.*") ||
        shExpMatch(url,"*firstcust.*") ||
        shExpMatch(url,"*longday.*") ||
        shExpMatch(url,"*rosshome.*") ||
        shExpMatch(url,"*ourbusiness.com*") ||
        shExpMatch(url,"*portal.ourbusiness.com.au*") ||
        shExpMatch(url,"*ourbusiness.com.au*") ||
        shExpMatch(url,"*w2.ourbusiness.com.au*") ||
        shExpMatch(url,"*w3.ourbusiness.com.au*") ||
        shExpMatch(url,"*msgpooled.com*") ||
        shExpMatch(url,"*corporateorders.com*") ||
        shExpMatch(url,"*generic.com.au*") ||
        shExpMatch(url,"*.ecommerce.com*") ||
        shExpMatch(url,"*.paymentpage.com*") ||
        shExpMatch(url,"*.mpt.com.*") ||
        shExpMatch(url,"*.customercentral.com*") ||
        shExpMatch(url,"*.informatic.com*"))
        return "DIRECT";
    return "PROXY proxy1.ourbusiness.com:3128";
}
- The_Bhattman
Nimbostratus
Good catch Ryan
Bhattman
- mr_skater99_640
Nimbostratus
Hi Guys,
I'm using a very very similar iRule. I've defined the pac file the same way, but the HTTP_REQUEST looks like this:
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/proxy/pacfile.pac"} {
        HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
    }
}
But when I try and get the file I only get a portion (the same portion) of it every time before the connection is reset:
$ wget http://pachost/proxy/pacfile.pac
--2011-07-26 15:34:44-- http://pachost/proxy/pacfile.pac
Resolving pachost... 10.70.1.1
Connecting to pachost|10.70.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20476 (20K) [application/x-ns-proxy-autoconfig]
Saving to: `pacfile.pac'
27% [===========================================> ] 5,644 --.-K/s in 0s
2011-07-26 15:34:44 (502 MB/s) - Read error at byte 5644/20476 (Connection reset by peer). Retrying.
And it keeps failing at byte 5644.
Anyone have any suggestions?
Cheers,
Scotty
- Ryan_Paras_7933
Nimbostratus
Not that I believe it will make a difference ... but would you like to try the following:
when HTTP_REQUEST {
    switch [HTTP::uri] {
        "/proxy/pacfile.pac" {
            HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
        }
    }
}
What are the other rules you have applied?
Can you share your virtual's settings and your http profile settings?
- mr_skater99_640
Nimbostratus
I've found my problem - maybe someone can explain to me why I'm seeing this...
I had two rules applied to the vip - both very similar. This is because we have two reasonably large and reasonably different PAC files. So to keep them separate I created a rule for each PAC file.
Apart from defining the PAC file differently in each, the other difference was the http_request block. I did this so if anyone requested something other than the PAC file URL they would get a nice 404.
The first rule applied to the vip just had the above http_request block, but the second one had this:
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/proxy/pacfile2.pac"} {
        HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
    } else {
        HTTP::respond 404 content {These are not the pages you are looking for...}
    }
}
I changed this to:
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/proxy/pacfile2.pac"} {
        HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
    }
    HTTP::respond 404 content {These are not the pages you are looking for...}
}
Same result. But as soon as I comment out the 404 line like so:
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/proxy/pacfile2.pac"} {
        HTTP::respond 200 content $static::pacfile "Content-Type" "application/x-ns-proxy-autoconfig" "pragma" "no-cache"
    }
    # HTTP::respond 404 content {These are not the pages you are looking for...}
}
Both PAC files are served up in their entirety. What is the 404 line doing that is breaking the rule from sending the whole PAC file?
Cheers,
Scotty
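
Returning to the PAC logic discussed earlier in the thread (which branch sends www.microsoft.com to the proxy, and the misplaced parenthesis Ryan pointed out), the following is an added example, not code from any poster: a small Node.js harness that loads PAC text and reports the decision per URL. The helper stand-ins, the names `loadPac`, `evaluatePac` and `decisions`, and the sample URLs are assumptions; the PAC text is abridged from the thread.

```javascript
// Simplified stand-ins for the browser-provided PAC helpers used in the thread
// (assumption: close enough for offline checks, not a full implementation).
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, pattern) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Compile PAC text and return its FindProxyForURL; throws on a parse error.
function loadPac(source) {
  const factory = new Function("isPlainHostName", "dnsDomainIs", "shExpMatch",
    source + "\nreturn FindProxyForURL;");
  return factory(isPlainHostName, dnsDomainIs, shExpMatch);
}

// Return the proxy decision for one URL, or the parse error the client would hit.
function evaluatePac(source, url) {
  let find;
  try { find = loadPac(source); }
  catch (e) { return "PAC ERROR: " + e.name; }
  return find(url, new URL(url).hostname);
}

// Abridged from the thread: the condition is closed early by "))" on its second line.
const brokenPac = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(url,"*.messages.*") ||
      shExpMatch(url,"*ww.ourbusiness.com.au*"))
      shExpMatch(url,"*gobusiness.*") ||
      shExpMatch(url,"*.informatic.com*"))
    return "DIRECT";
  return "PROXY proxy1.ourbusiness.com:3128";
}`;
// Same rules with the parenthesis corrected, as in the cleaned-up version.
const fixedPac = brokenPac.replace('com.au*"))', 'com.au*") ||');

// Constructed sample URLs (only www.microsoft.com is mentioned in the thread).
const samples = ["http://www.microsoft.com/", "http://intranet/",
                 "http://www.ourbusiness.com.au/portal",
                 // globs run over the whole URL, so this external path matches too
                 "http://example.org/gobusiness.html"];
function decisions(source) { return samples.map(u => evaluatePac(source, u)); }
console.log(decisions(brokenPac));
console.log(decisions(fixedPac));
```

With the corrected text, any URL that matches none of the DIRECT conditions falls through to the final `return "PROXY ..."` line, which is the branch that handles external sites.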
