Proxy failover issue with PAC file

Article ID: 253747

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The customer has implemented a PAC file with multiple proxy addresses in the return statement, but the expected proxy redundancy from the PAC file is not working.

For example, a WSS-hosted PAC file has the following content:

function FindProxyForURL(url, host)
{
    // Unqualified host names (no dots) bypass the proxy.
    if (isPlainHostName(host)) return "DIRECT";

    // FTP URLs bypass the proxy.
    if (url.substring(0, 4) == "ftp:")
        return "DIRECT";

    // Private, link-local and loopback destinations bypass the proxy.
    if (isInNet(host, "10.0.0.0", "255.0.0.0")
    || isInNet(host, "172.16.0.0",  "255.240.0.0")
    || isInNet(host, "192.168.0.0", "255.255.0.0")
    || isInNet(host, "169.254.0.0", "255.255.0.0")
    || isInNet(host, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // Everything else goes to the proxy list.
    return "PROXY 10.0.0.100:8080; 10.0.0.200:8080; 10.0.0.300:8080; DIRECT";
}

The return statement of the FindProxyForURL function defines the following three proxies in failover sequence, followed by DIRECT.

Proxy-1: 10.0.0.100:8080
Proxy-2: 10.0.0.200:8080
Proxy-3: 10.0.0.300:8080

The issue observed with the PAC file above is as follows. If Proxy-1 is unreachable, the browser should fail over to Proxy-2, then to Proxy-3, and finally to DIRECT in case Proxy-2 and Proxy-3 are down as well. This is not what happens. It has been observed that the browser keeps sending SYN requests to Proxy-1 and does not fail over to Proxy-2.

If you test the PAC file above against any valid URL (e.g. https://example.com), it does not report a syntax error; it returns the following matching rule:

PROXY 10.0.0.100:8080; 10.0.0.200:8080; 10.0.0.300:8080; DIRECT

Resolution

PAC files are implemented as a JavaScript function, and syntactically there is no error in the PAC file above. The return value is an ordinary string, so a test that only checks JavaScript syntax accepts it. The only issue is that the PROXY keyword is missing before Proxy-2 and Proxy-3, so when Proxy-1 is unavailable the browser does not fail over to Proxy-2.

The PAC file return statement should be as follows:

function FindProxyForURL(url, host)
{
    // Unqualified host names (no dots) bypass the proxy.
    if (isPlainHostName(host)) return "DIRECT";

    // FTP URLs bypass the proxy.
    if (url.substring(0, 4) == "ftp:")
        return "DIRECT";

    // Private, link-local and loopback destinations bypass the proxy.
    if (isInNet(host, "10.0.0.0", "255.0.0.0")
    || isInNet(host, "172.16.0.0",  "255.240.0.0")
    || isInNet(host, "192.168.0.0", "255.255.0.0")
    || isInNet(host, "169.254.0.0", "255.255.0.0")
    || isInNet(host, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // Every proxy entry carries its own PROXY keyword.
    return "PROXY 10.0.0.100:8080; PROXY 10.0.0.200:8080; PROXY 10.0.0.300:8080; DIRECT";
}


After the PAC file is modified as above, the browser automatically fails over to Proxy-2 when Proxy-1 is unavailable.
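
Because a syntax test does not catch this mistake, the return string itself can be checked before a PAC file is published. The following is an added example, not part of the original article or of any Broadcom tooling; the function name lintPacResult, the keyword list and the rule that every proxy entry must have an explicit port are assumptions of this sketch.

```javascript
// Added example: lint the string returned by FindProxyForURL().
// Keywords follow the commonly documented PAC return format; browser support
// for anything other than PROXY, SOCKS and DIRECT varies. Matching is strict
// on upper case, as the keywords are written in documentation.
const PROXY_KEYWORDS = new Set(["PROXY", "SOCKS", "SOCKS4", "SOCKS5", "HTTP", "HTTPS"]);
// host:port, where host is a name, an IPv4 address or a bracketed IPv6 address.
const HOST_PORT = /^(\[[0-9A-Fa-f:.]+\]|[^\s:]+):\d{1,5}$/;

// Returns an array of { index, entry, problem }, one per malformed entry.
function lintPacResult(result) {
  const problems = [];
  const entries = result.split(";").map((e) => e.trim());
  entries.forEach((entry, i) => {
    const index = i + 1; // 1-based position in the failover sequence
    if (entry === "") {
      // A trailing semicolon is harmless; an empty entry elsewhere is a mistake.
      if (i !== entries.length - 1) problems.push({ index, entry, problem: "empty entry" });
      return;
    }
    const parts = entry.split(/\s+/);
    if (parts[0] === "DIRECT") {
      if (parts.length > 1) problems.push({ index, entry, problem: "DIRECT takes no address" });
      return;
    }
    if (!PROXY_KEYWORDS.has(parts[0])) {
      problems.push({ index, entry, problem: "no recognized type keyword (e.g. PROXY)" });
      return;
    }
    // Assumed lint policy: an explicit port is required after the keyword.
    if (parts.length !== 2 || !HOST_PORT.test(parts[1])) {
      problems.push({ index, entry, problem: "expected host:port after " + parts[0] });
    }
  });
  return problems;
}

// The two return strings from this article.
const before = "PROXY 10.0.0.100:8080; 10.0.0.200:8080; 10.0.0.300:8080; DIRECT";
const after = "PROXY 10.0.0.100:8080; PROXY 10.0.0.200:8080; PROXY 10.0.0.300:8080; DIRECT";

for (const [label, value] of [["before", before], ["after", after]]) {
  const found = lintPacResult(value);
  console.log(label + ": " + (found.length ? JSON.stringify(found) : "ok"));
}
```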