ProxySG & Advanced Secure Gateway

Hello wise people!

We have recently started finding more and more issues with websocket connections. In our infrastructure we have a little bit of a hybrid solution and quite a few internet breakouts globally. To control these flows we are using a proxy config file or PAC and works like a charm. Until recently...

Example flow:

A web page loaded from "www.thisurl.com/coolapp" will want to load data from a third party, say via a VPN connection. From say "www.thaturl.com".
For this traffic to be able to reach the VPN it will need to go via a diffrent explicit proxy than the normal surf traffic that gives access to "www.thisurl.com/coolapp".

Easily controlled in a pac right using something like this?

function FindProxyForURL(url, host) {

// If the hostname matches, send to Proxy A
if (dnsDomainIs(host, "thaturl.com") ||
    dnsDomainIs(host, "www.thaturl.com"))
        return "2.2.2.2:8080";

// All other traffic, use Proxy A
    return "PROXY 1.1.1.1:8080";
}

However.. this seems not to be the case when there are websockets involved recently. I know a websocket connection should start its life as a normal http connection and then upgrade, and this we see in the SG logs.. but before this happens, it ignores what the proxy pac tells it and just goes for the default proxy. Regardless of what variables we use in the pac file. 

Did something change with Websockets? Did our lovely browser magnates decide to change something?
Has anyone else experienced the same and if so, any tips? :)

Thank you for your time!

Regards,
Daniel

Hi Daniel,

 

          Not seen such an issue so far. On a quick search, I could find an article to let the WS and WSS connections to be pointed to specific proxies. Ref: https://groups.google.com/forum/m/#!topic/browsermob-proxy/JzTHxje0qP4 . Will that help in your case.

Thanks Aravind! Sadly such actions in the pac would force all ws or wss connections through one proxy. And.. as far as im aware this should no longer be needed for websockets since they should start their life as normal web request and then be upgraded. I assume this would upgrade the existing web session, not create a new one? Regards Daniel

Hi Daniel,

 

           My understanding also on the same direction where WS or WSS will follow the same session opened before. Some pac files do have "http" or "https" based split up but if you are able to replicate with a simple PAC as in your thread starter, I don't know :(

At least for a normal webbrowser

return "2.2.2.2:8080";

returns an invalid value. Possible return values are:

• DIRECT
• PROXY host:port
• SOCKS host:port

Hi Fi-Da...

That was just a typo in my example pac script sadly.  I wish it would have been that simple though! :)

 

Best Regards
Daniel

Hiya Daniel,

Try this Blog of a guy who wrote down the experience he had with pac files and, of course, reading the RFC.

We should all read more RFC's.

Hope it helps!
Original Message:
Sent: 10-08-2019 03:04 AM
From: Daniel Engberg
Subject: Proxy configuration file (PAC) and WebSockets?

Hi Fi-Da...

That was just a typo in my example pac script sadly.  I wish it would have been that simple though! :)

 

Best Regards
Daniel

Thanks Andy! That did the trick! Noticed that blog has a ton of useful stuff in regards to Proxies as well! Subscribing :)
Original Message:
Sent: 12-07-2021 10:12 AM
From: Andy Quaeyhaegens
Subject: Proxy configuration file (PAC) and WebSockets?

Hiya Daniel,

Try this Blog of a guy who wrote down the experience he had with pac files and, of course, reading the RFC.

We should all read more RFC's.

Hope it helps!
Original Message:
Sent: 10-08-2019 03:04 AM
From: Daniel Engberg
Subject: Proxy configuration file (PAC) and WebSockets?

Hi Fi-Da...

That was just a typo in my example pac script sadly.  I wish it would have been that simple though! :)

 

Best Regards
Daniel

Duplicate ... Who knew it would take over 8 hours for a forum post to get published.

Original Message:
Sent: 10-01-2019 04:03 AM
From: Daniel Engberg
Subject: Proxy configuration file (PAC) and WebSockets?

Hello wise people!

We have recently started finding more and more issues with websocket connections. In our infrastructure we have a little bit of a hybrid solution and quite a few internet breakouts globally. To control these flows we are using a proxy config file or PAC and works like a charm. Until recently...

Example flow:

A web page loaded from "www.thisurl.com/coolapp" will want to load data from a third party, say via a VPN connection. From say "www.thaturl.com".
For this traffic to be able to reach the VPN it will need to go via a diffrent explicit proxy than the normal surf traffic that gives access to "www.thisurl.com/coolapp".

Easily controlled in a pac right using something like this?

function FindProxyForURL(url, host) {

// If the hostname matches, send to Proxy A
if (dnsDomainIs(host, "thaturl.com") ||
    dnsDomainIs(host, "www.thaturl.com"))
        return "2.2.2.2:8080";

// All other traffic, use Proxy A
    return "PROXY 1.1.1.1:8080";
}

However.. this seems not to be the case when there are websockets involved recently. I know a websocket connection should start its life as a normal http connection and then upgrade, and this we see in the SG logs.. but before this happens, it ignores what the proxy pac tells it and just goes for the default proxy. Regardless of what variables we use in the pac file. 

Did something change with Websockets? Did our lovely browser magnates decide to change something?
Has anyone else experienced the same and if so, any tips? :)

Thank you for your time!

Regards,
Daniel