Hello wise people!
We have recently started finding more and more issues with WebSocket connections. In our infrastructure we have a little bit of a hybrid solution and quite a few internet breakouts globally. To control these flows we are using a proxy config file, or PAC, and it works like a charm. Until recently...
Example flow:
A web page loaded from "www.thisurl.com/coolapp" will want to load data from a third party, say via a VPN connection, from say "www.thaturl.com".
For this traffic to be able to reach the VPN it will need to go via a different explicit proxy than the normal surf traffic that gives access to "www.thisurl.com/coolapp".
Easily controlled in a PAC, right, using something like this?
    function FindProxyForURL(url, host) {
        // If the hostname matches, send to Proxy A
        if (dnsDomainIs(host, "thaturl.com") ||
            dnsDomainIs(host, "www.thaturl.com"))
            return "PROXY 2.2.2.2:8080";
        // All other traffic, use Proxy B
        return "PROXY 1.1.1.1:8080";
    }
However... this seems not to be the case when there are WebSockets involved recently. I know a WebSocket connection should start its life as a normal HTTP connection and then upgrade, and this we see in the SG logs... but before this happens, it ignores what the proxy PAC tells it and just goes for the default proxy, regardless of what variables we use in the PAC file.
Did something change with Websockets? Did our lovely browser magnates decide to change something?
Has anyone else experienced the same and if so, any tips? :)
Thank you for your time!
Regards,
Daniel
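A way to check the PAC side of the flow described above, as an added example that is not part of the original post: it asks a PAC function about the same host under http, https, ws and wss URLs and flags malformed return entries. It assumes the browser passes ws:// and wss:// URLs to FindProxyForURL for WebSocket connections; `parsePacResult`, `routeByScheme` and `differingSchemes` are hypothetical helper names, and `dnsDomainIs` is a stand-in for the browser's built-in.

```javascript
// Added example, not from the original post. Run with Node.js.
// Stand-in for the browser-provided PAC helper: a plain suffix match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Constructed copy of the post's PAC logic, using the post's example values.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "thaturl.com")) return "PROXY 2.2.2.2:8080";
  return "PROXY 1.1.1.1:8080";
}

// One PAC entry: DIRECT, or a keyword followed by host:port.
const ENTRY = /^(DIRECT|(PROXY|HTTP|HTTPS|SOCKS|SOCKS4|SOCKS5)\s+[^\s;:]+:\d{1,5})$/i;

// Split a PAC return string into entries and flag malformed ones.
function parsePacResult(result) {
  return String(result).split(";").map((s) => s.trim()).filter(Boolean)
    .map((entry) => ({ entry, valid: ENTRY.test(entry) }));
}

// Ask the PAC function about the same host under each scheme.
function routeByScheme(pac, host, path = "/") {
  const report = {};
  for (const scheme of ["http", "https", "ws", "wss"]) {
    const result = pac(`${scheme}://${host}${path}`, host);
    report[scheme] = { result, entries: parsePacResult(result) };
  }
  return report;
}

// Schemes whose answer differs from the plain http answer.
function differingSchemes(report) {
  return Object.keys(report).filter((s) => report[s].result !== report.http.result);
}

for (const [host, path] of [["www.thaturl.com", "/"], ["www.thisurl.com", "/coolapp"]]) {
  const report = routeByScheme(FindProxyForURL, host, path);
  for (const [scheme, r] of Object.entries(report)) {
    const bad = r.entries.filter((e) => !e.valid).map((e) => e.entry);
    console.log(`${scheme}://${host} -> ${r.result}` + (bad.length ? `  INVALID: ${bad}` : ""));
  }
  console.log(`differs from http: ${differingSchemes(report).join(", ") || "none"}`);
}
```

If all four schemes return the same valid entry here, the PAC logic itself is not scheme-dependent and the proxy selection seen in the logs has to be explained elsewhere.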