Issue downloading a PAC file hosted on the ProxySG in a NAT environment.

Products

ProxySG Software - SGOS

Issue/Introduction

ProxySG can host two different PAC files: proxy_pac_file and accelerated_pac_base.pac.

Only the second one can be edited. For more information about this topic, see the Create or edit proxy auto-configuration (PAC) files.

Resolution

In this example, the ProxySG has an interface configured with IP 10.91.22.2 and we will use CURL (with -H argument to modify the HTTP Header to IP 10.10.10.10) to perform some tests.

The two PAC files are accessible at these URLs via HTTP and HTTPS, on both management and non-management ports. For example:

http://10.91.22.2/proxy_pac_file

http://10.91.22.2/accelerated_pac_base.pac

http://10.91.22.2:8080/proxy_pac_file

http://10.91.22.2:8080/accelerated_pac_base.pac

https://10.91.22.2:8082/proxy_pac_file

https://10.91.22.2:8082/accelerated_pac_base.pac

http://10.91.22.2:8081/proxy_pac_file

http://10.91.22.2:8081/accelerated_pac_base.pac

The connection on port 80 and port 8080 will be established only if the ProxySG is configured to intercept traffic on those ports.

The connection on port 8081 and 8082 will be established only if the HTTP and HTTPS management is enabled on those ports. (Management on HTTP 8081 is disabled by default.)

If a browser requests a PAC file to a non-management port (either port 80 or 8080; it doesn’t make any difference), with a host header content different from the ProxySG IP, the ProxySG will generate an exception.

A typical example is a NATed environment, where the destination IP is changed from a public to a private one, but the host header still contains the public IP.

root@debian:~# curl http://10.91.22.2/proxy_pac_file -H Host:10.10.10.10

<TITLE>Network Error</TITLE>

</HEAD>

<BODY>

<big>Network Error (tcp_error)</big>

</TD></TR>

A communication error occurred: "Operation timed out"

</TD></TR>

The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

</TD></TR>

For assistance, contact your network support team.

</TD></TR>

</TABLE>

</blockquote>

</BODY></HTML>

root@debian:~#

From a PCAP, we can see the REQUEST with the “wrong” host header:

The same example works fine on a management port. We will use the "--insecure" CURL argument in order to bypass untrusted certificate errors.

As you can see in the following scenario, also with a different host header, the PAC file can be downloaded.

root@debian:~# curl https://10.91.22.2:8082/proxy_pac_file --insecure -H Host:10.10.10.10

function FindProxyForURL(url, host)

{

if( url.substring(0, 5) == "http:" )

{

return "PROXY 10.91.22.2:8080; DIRECT";

}

else if( url.substring(0, 6) == "https:" )

{

return "PROXY 10.91.22.2:8080; DIRECT";

}

else if( url.substring(0, 4) == "ftp:" )

{

return "PROXY 10.91.22.2:8080; DIRECT";

}

else

{

return "DIRECT";

}

Considerations and workarounds in a NATed environment:

The simplest thing to do is to always use management port to provide PAC file when possible.

You can host the PAC file on an external web server.

The NAT device, if smart enough, can be used to modify the HTTP REQUEST Host value as well. (In our example, from public IP 10.10.10.10 to the Proxy IP 10.91.22.2.)

Configure a virtual IP on the ProxySG with the public IP address (in our case 10.10.10.10) . Please note that this configuration can generate network issues in particular routing environments.

As you can see, the request now works fine:

root@debian:~# curl http://10.91.22.2:8080/accelerated_pac_base.pac -H Host:10.10.10.10

function FindProxyForURL(url, host)

{

if( url.substring(0, 5) == "http:" )

{

return "PROXY 10.91.22.2:8080; DIRECT";

}

else

{

return "DIRECT";

}

The NAT device, if smart enough, can be used to completely remove the value of the host header. As you can see, the request now works fine:

root@debian:~# curl http://10.91.22.2:8080/accelerated_pac_base.pac -H Host:;

function FindProxyForURL(url, host)

{

if( url.substring(0, 5) == "http:" )

{

return "PROXY 10.91.22.2:8080; DIRECT";

}

else

{

return "DIRECT";

}

root@debian:~#

HTTPS Note:

If the certificate is invalid, when Firefox (v 7.0.1) tries to download the PAC file, it will generate a certificate error. From this error window, it is not possible to install the certificate.

You can easily import the certificate browsing the management GUI (https://10.91.22.2:8082 in our example) and installing it when the certificate error pops up. Then after you close and reopen the browser, the PAC file should be downloaded correctly.

IE 8 will silently drop the PAC file if the certificate is invalid. You can install the certificate using the following procedure:

Browse the management GUI (https://10.91.22.2:8082).
Choose Continue to this website (not recommended).
Select Tools > Internet Options.
Select Security > Trusted sites > Sites.
Add https://10.91.22.2:8082 to the list.
Refresh the current page.
Choose Continue to this website (not recommended).
Click Certificate Error at the right of the address bar and select View certificates.
Click on Install Certificate, then in the wizard, click Next.
On the next page, select Place all certificates in the following store.
Click Browse, select Trusted Root Certification Authorities, and click OK.
In the wizard, click Next, then Finish.
If you get a Security Warning message box, click Yes.

The certificate should now be trusted, and the PAC file correctly downloaded.