Location Awareness in Proxy PAC Files

Over the last few weeks, as mentioned before, my colleagues and I have been working to implement a proxy server solution. One of the more aggressive bugbears we’ve fought is the size and complexity of our network — we have dozens of different network segments, some of which have pre-existing proxies, many of which are out of my team’s control. Finding a solution that worked well, everywhere, was tricky. But we’ve made progress.

PAC files haven’t changed substantially in over twenty years. There’s no formal RFC or clear standard defining how they work. As near as I can tell, everyone is still working from this old chestnut, written by Netscape in March 1996. There’s no reliable way to get your own IP address, or to get your public IP address, for instance, which makes location awareness tricky. We needed a way to know if a user was on-site or off-site, and to potentially apply different proxy policies.

One of the side effects of our large and complex network is that we have so-called “split-horizon DNS,” where some DNS hostnames resolve to different values based on whether you’re on-site or off-site. While this won’t work for everyone, I figure most organizations large and complex enough to need a proxy, probably can also implement DNS servers. (ISC BIND, for instance, makes it relatively easy.)

We created two different DNS entries for our proxy, thus:

Internally: proxy.our.org resolves to
Externally: proxy.our.org resolves to

Then, early in our PAC file, we added a line like this:

if (dnsResolve('proxy.our.org') != '') return 'DIRECT';

If a machine is on-site, DHCP will tell it to use our internal DNS servers, the proxy’s hostname will resolve to the internal IP, and the PAC file continues executing; you can then make your code as complex as you like. If the machine is off-site, the hostname will resolve to a different IP, and the PAC file will quickly stop executing.

You want the proxy’s external IP address to resolve to something (probably not your proxy, but maybe…). If the name doesn’t resolve externally, some ISPs will hijack the DNS non-response, which will slow things down a bit for off-site users.

Location Awareness in Proxy PAC Files

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s