Building in redundancy for CSP (standalone server)

Article ID: 178311

Products

Web Security.cloud

Resolution

You can provide failover and load-sharing of the HTTP proxy between two or more CSP servers without third-party products. Browsers can be configured automatically with a configuration file, conventionally named "proxy.pac", that tells the browser which proxy (if any) to use for each request.

The following code sample shows an example proxy.pac that uses one possible method of load sharing and failover. The logic is explained after the code sample. This example must be customized for your organization (at minimum the two proxy addresses, the proxy port and the internal DNS domain).

                    
// Sample proxy.pac
function FindProxyForURL(url, host)
{
    // set p1 and p2 to the 2 proxies
    var p1 = "10.90.193.213";
    var p2 = "10.90.193.211";

    // find the 4th octet of this workstation's address - if even,
    // the order is p1/p2, else p2/p1
    var myip = myIpAddress();
    var ipbits = myip.split(".");
    var myseg = parseInt(ipbits[3], 10);
    var proxone, proxtwo;
    if (myseg == Math.floor(myseg / 2) * 2) {
        proxone = p1;
        proxtwo = p2;
    }
    else {
        proxone = p2;
        proxtwo = p1;
    }

    // if the name has no dots, or is our domain, or starts 10., or if my
    // current address does not start 10., don't use the proxy
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".mydomain.co.uk") ||
        myip.substring(0, 3) !== "10." ||
        host.substring(0, 3) == "10.")
    {
        // alert("direct")
        return "DIRECT";
    }
    else {
        // alert("proxy")
        return "PROXY " + proxone + ":8080; PROXY " + proxtwo + ":8080";
    }
}

Dissecting the Routine

For this example the company uses the class A "10" address range for all internal IP addresses, and the internal DNS domain is "mydomain.co.uk".

function FindProxyForURL(url, host)
{

This marks the start of the function. The function is always called FindProxyForURL. The browser calls it for each request, passing the full URL (e.g. http://www.google.com/index.html) and the host name (e.g. www.google.com), and uses the returned string to decide where to send the request. The final closing "}" at the end of the script denotes the end of the function.

// set p1 and p2 to the 2 proxies
var p1 = "10.90.193.213";
var p2 = "10.90.193.211";

The first line is a comment. The next two lines set the values of the two variables that hold the proxy addresses. Putting them at the start of the routine makes them easy to find when you need to change them.

To take one of the proxies out of service, change these variables so that both refer to the server that will stay up. Once every browser has reloaded the proxy.pac file (browsers cache it, so this is not instantaneous), clients only talk to that proxy, and you can take the other down without affecting users.

// find the 4th octet of this workstation's address - if even,
// the order is p1/p2, else p2/p1
var myip = myIpAddress();
var ipbits = myip.split(".");
var myseg = parseInt(ipbits[3], 10);
var proxone, proxtwo;
if (myseg == Math.floor(myseg / 2) * 2) {
    proxone = p1;
    proxtwo = p2;
}
else {
    proxone = p2;
    proxtwo = p1;
}

Here you store the IP address of your workstation in a variable (myip), split it at the dots into its four octets, and store the octets in an array (ipbits). The last octet is extracted, converted to a number and called "myseg". Divide myseg by 2, discard any remainder, and multiply the result by 2. If the result equals the original number, the octet was even; otherwise it was odd. The variables "proxone" and "proxtwo" are then populated accordingly, so that roughly half of the workstations prefer each proxy.

// if the name has no dots, or is our domain, or starts 10., or if my
// current address does not start 10., don't use the proxy
if (isPlainHostName(host) ||
    dnsDomainIs(host, ".mydomain.co.uk") ||
    myip.substring(0, 3) !== "10." ||
    host.substring(0, 3) == "10.")

Now you apply logic to decide whether to talk to your proxy or not. The line if (isPlainHostName(host) || means "if the name typed in does not contain any dots". That is, if the user has typed a single word, assume that they are referring to a web server inside the internal DNS domain and expect DNS resolution to supply the rest of the address. For example, on a workstation at a company whose DNS domain is mydomain.co.uk, entering ping www at a command prompt pings www.mydomain.co.uk. This line performs a similar function for web browsing.

Note:

The two vertical bars (||) represent OR.

The line dnsDomainIs(host, ".mydomain.co.uk") || means "if the domain of the specified host matches .mydomain.co.uk". So if you try to talk to a web server within the firewall, do not contact the proxy.

The line myip.substring(0, 3) !== "10." || means "if my current IP address does not begin 10.". That is, if the user is not within our firewall (for example a laptop on a home or hotel network), go directly to the web server. Note that this means roaming users bypass the proxy entirely, so whatever filtering the proxy enforces does not apply to them; remove this test if policy must also apply off-network. Also, myIpAddress() returns whichever address the browser considers primary: on a multi-homed machine, or in browsers that have been known to return the loopback address 127.0.0.1 when they cannot determine a better one, this test sends traffic DIRECT even though the workstation is on the internal network. If you see unexpected DIRECT results, check what myIpAddress() returns on that workstation.

The line host.substring(0, 3) == "10.") means "if the address you are trying to reach begins 10.". That is, if you have entered the IP address of the web server instead of its DNS name and it is inside the firewall, go directly. This is a plain string comparison on the host name, so it costs no DNS lookup, but it only catches addresses typed as dotted-quad; internal names outside mydomain.co.uk will still be sent to the proxy.

{
    // alert("direct")
    return "DIRECT";
}
else {
    // alert("proxy")
    return "PROXY " + proxone + ":8080; PROXY " + proxtwo + ":8080";
}

The alert lines are commented out. You can uncomment them for troubleshooting, but where the output appears (if at all) depends on the browser's PAC engine: Firefox writes it to the Browser Console, Chrome records it in its NetLog, and some engines do not implement alert() in PAC files. The other lines mean: if the preceding test results in TRUE, return the value "DIRECT" so that the browser bypasses the proxy; otherwise return a string naming the two proxies, separated by a semicolon, in the order determined earlier.

Workstations on even IP addresses try the first named proxy server (p1) and fail over to the second (p2); workstations on odd IP addresses try the second (p2) and fail over to the first (p1). Because both lists contain both servers, the loss of either proxy leaves every workstation with a working path; the cost is that all traffic then lands on the survivor, so each proxy should be sized to carry the whole load on its own. Browsers typically remember a proxy that refused a connection and skip it for a period before retrying it, so a failed proxy is not probed on every request, and clients drift back to their preferred proxy some time after it returns.
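The following harness is an added example, not part of the original article or the product: it runs the article's FindProxyForURL logic offline under Node.js so the even/odd proxy ordering and the four DIRECT bypass rules can be checked before the file is deployed. It goes slightly beyond the text by also simulating how a browser walks the returned "PROXY a; PROXY b" list when one proxy is down, and by counting how a range of client addresses splits across the two proxies. The browser normally supplies myIpAddress(), isPlainHostName() and dnsDomainIs(); the stand-ins here are assumptions that copy their standard behaviour, and every client address, host and URL is constructed for the demonstration.

```javascript
// Added example (not from the original article): an offline harness for the
// proxy.pac logic above. The PAC helpers are stand-ins for the browser's own.

var simulatedClientIp = "10.90.193.214"; // replaced per test case by evaluate()

// Assumed stand-ins for the browser's PAC built-ins (standard semantics, simplified).
function myIpAddress() {
    return simulatedClientIp;
}
function isPlainHostName(host) {
    return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
}

// The article's routine, unchanged apart from semicolons and a radix on parseInt.
function FindProxyForURL(url, host) {
    var p1 = "10.90.193.213";
    var p2 = "10.90.193.211";

    var myip = myIpAddress();
    var ipbits = myip.split(".");
    var myseg = parseInt(ipbits[3], 10);
    var proxone, proxtwo;
    if (myseg == Math.floor(myseg / 2) * 2) {
        proxone = p1; proxtwo = p2;   // even last octet: p1 first
    } else {
        proxone = p2; proxtwo = p1;   // odd last octet: p2 first
    }

    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".mydomain.co.uk") ||
        myip.substring(0, 3) !== "10." ||
        host.substring(0, 3) == "10.") {
        return "DIRECT";
    }
    return "PROXY " + proxone + ":8080; PROXY " + proxtwo + ":8080";
}

// Run the PAC for one client address and URL, deriving host the way a browser does.
function evaluate(clientIp, url) {
    simulatedClientIp = clientIp;
    return FindProxyForURL(url, new URL(url).hostname);
}

// Walk a PAC result the way a browser does: try each PROXY entry in order,
// skipping ones currently known to be down, and use DIRECT only if listed.
// Returns null when every proxy is down and the PAC offered no DIRECT fallback.
function choose(pacResult, downProxies) {
    var entries = pacResult.split(";");
    for (var i = 0; i < entries.length; i++) {
        var entry = entries[i].trim();
        if (entry === "DIRECT") return "DIRECT";
        if (entry.indexOf("PROXY ") === 0) {
            var target = entry.substring(6).trim();
            if (!downProxies.has(target)) return target;
        }
    }
    return null;
}

// Count which proxy each client in a list would try first; with a contiguous
// address range the two counts should be roughly equal.
function distribution(clientIps, url) {
    var counts = {};
    clientIps.forEach(function (ip) {
        var first = choose(evaluate(ip, url), new Set());
        counts[first] = (counts[first] || 0) + 1;
    });
    return counts;
}

// Constructed cases: even client, odd client, plain host, internal domain,
// off-network client, and a bare internal IP address.
var cases = [
    ["10.90.193.214", "http://www.google.com/index.html"],
    ["10.90.193.215", "http://www.google.com/index.html"],
    ["10.1.2.4", "http://intranet/"],
    ["10.1.2.4", "http://wiki.mydomain.co.uk/"],
    ["192.168.1.5", "http://www.google.com/"],
    ["10.1.2.4", "http://10.5.6.7/"]
];
cases.forEach(function (c) {
    console.log(c[0] + " -> " + c[1] + " : " + evaluate(c[0], c[1]));
});
console.log("even client with p1 down:",
    choose(evaluate("10.90.193.214", "http://www.google.com/"), new Set(["10.90.193.213:8080"])));
console.log("split across 10.0.0.1-8:",
    distribution(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4",
                  "10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"], "http://example.com/"));
```

Run it with node and compare the printed results against the rules in the dissection above; when you customize the proxy addresses, port or domain in your own proxy.pac, copy the edited FindProxyForURL into this harness and re-run it before publishing the file. Note that choose() returns null when both proxies are down, which mirrors what the article's script does in that case: it offers no DIRECT fallback, so clients fail closed rather than bypassing the proxy.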