The increasing deployment of NAT, even into provider networks (e.g., ISPs), means that it is increasingly common not to be able to reach out of, or into, a given portion of a network directly; the "end to end principle" of the Internet has been all but abandoned. Various forms of assistance are required to cross network boundaries and get out of, or into, a given network. For web browsing, the usual form of assistance is a web proxy server such as Squid (although things like ssh port forwarding can also be used in some cases).
Web browsers have long supported configuration of a web proxy to gain access to a particular network (or to "the Internet", if the proxy is being used as a cache/filter at the exit to the Internet). This can be configured with the appropriate proxy settings for the network being accessed, which does work. However, for "mobile" users (e.g., with a laptop) one can spend quite a bit of time manually configuring and unconfiguring the web proxy settings while moving around (and as one needs to use different proxies to gain access to various isolated network segments).
The Web Proxy Auto-Config (PAC) file format defines a method, supported by most common browsers, to select the appropriate web proxy for a given destination (thus allowing the use of multiple distinct proxies with different reach), and more importantly for a given source network (thus helping mobile users with automatic configuration). It consists of a file with a single JavaScript function, FindProxyForURL(url, host), that is evaluated to determine which web proxy to use; the file can be retrieved from a URL (e.g., via HTTP) or loaded from the file system.
The trick to make it useful to mobile users is to classify the source location using myIpAddress() to retrieve your current IP address, and isInNet(ip, netblock, netmask) to check for membership. Assuming each mobile location has a distinctive IP address range, this allows uniquely identifying the location. (If not, there may be other JavaScript functions that can be used to retrieve information that may help determine the current location, such as the local domain name.) Having done that, isInNet(host, netblock, netmask) can be used on the destination host passed in to the function, in order to identify which web proxy to use. Two caveats are worth knowing: myIpAddress() returns a single address, and on a multi-homed machine (e.g., wired and wireless interfaces both up, or a VPN active) it may not be the one you expect; and when host is a name rather than a literal IP address, isInNet() has to resolve it via DNS first, which adds a lookup to every request and sends your internal host names to whatever resolver the current network provides.
Putting this together, create a file called proxy.pac containing something like:

    // Proxy Auto Configuration (PAC) file for mobile user
    //
    function FindProxyForURL(url, host) {
        // Special case: we are currently on the internal NAT network
        if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) {
            // Special case: remote internal NAT networks reached via a proxy
            if (isInNet(host, "192.168.113.0", "255.255.255.0")) {
                return "PROXY A.B.C.D:3128";
            }
            if (isInNet(host, "192.168.239.0", "255.255.255.0")) {
                return "PROXY E.F.G.H:3128";
            }
        }
        // Default is to go directly
        return "DIRECT";
    }
where A.B.C.D and E.F.G.H are the IP addresses of the web proxies that can be used as a bridge into those remote networks.
In the above example, if the machine is currently on the 192.168.1.0/24 network, then it will use the appropriate proxies when trying to access 192.168.113.0/24 or 192.168.239.0/24. When the machine is somewhere else, or when trying to access any other location, it will simply send the request directly. More special cases can be added for other networks, and, where appropriate, default proxies can be added for specific networks.
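Because the PAC file silently decides where every request goes, it is worth testing it offline before relying on it. The following is an added example, not code from the original page: a small JavaScript harness that shims the PAC helper functions a browser would provide (myIpAddress, dnsResolve, isInNet, dnsDomainIs) and runs the page's FindProxyForURL logic against a table of constructed cases, including the "away from home" and "unresolvable host" situations. The current address, the DNS table and the proxy addresses (198.51.100.x, taken from the documentation range) are assumptions made for the demo.

```javascript
// Added example: offline test harness for a PAC file. Not from the original page.

// Constructed environment (assumed for this demo): the "current" IP address and a
// tiny DNS table standing in for the resolver a real browser would use.
const env = {
  myIp: "192.168.1.42",
  dns: {
    "wiki.corp.example": "192.168.113.20",
    "build.corp.example": "192.168.239.7",
    "www.example.org": "203.0.113.10",
  },
};

// Dotted-quad IPv4 string -> unsigned 32-bit integer (throws on malformed input).
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error("bad IPv4 address: " + ip);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// Shims for the helpers browsers supply to PAC scripts.
function myIpAddress() { return env.myIp; }

function dnsResolve(host) {
  // A real browser performs a DNS lookup here; the shim consults the table.
  return Object.prototype.hasOwnProperty.call(env.dns, host) ? env.dns[host] : null;
}

function isInNet(host, pattern, mask) {
  // As in browsers: a hostname is resolved first, and an unresolvable name is
  // simply "not in the net" (so the PAC logic falls through to its default).
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// The PAC logic under test: the page's function with the placeholder proxy
// addresses replaced by assumed documentation addresses.
function FindProxyForURL(url, host) {
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) {
    if (isInNet(host, "192.168.113.0", "255.255.255.0")) {
      return "PROXY 198.51.100.1:3128";
    }
    if (isInNet(host, "192.168.239.0", "255.255.255.0")) {
      return "PROXY 198.51.100.2:3128";
    }
  }
  return "DIRECT";
}

// Evaluate FindProxyForURL for each case (setting the "current" address first)
// and return the cases whose result differed from what was expected.
function runPacCases(cases) {
  const failures = [];
  for (const c of cases) {
    env.myIp = c.myIp;
    const got = FindProxyForURL(c.url, c.host);
    if (got !== c.want) failures.push({ ...c, got });
  }
  return failures;
}

// Constructed test cases.
const cases = [
  { myIp: "192.168.1.42", url: "http://wiki.corp.example/", host: "wiki.corp.example", want: "PROXY 198.51.100.1:3128" },
  { myIp: "192.168.1.42", url: "http://192.168.239.7/", host: "192.168.239.7", want: "PROXY 198.51.100.2:3128" },
  { myIp: "192.168.1.42", url: "http://www.example.org/", host: "www.example.org", want: "DIRECT" },
  // Away from the home network: everything goes direct, even internal names.
  { myIp: "10.20.30.40", url: "http://wiki.corp.example/", host: "wiki.corp.example", want: "DIRECT" },
  // Unresolvable host: isInNet() is false, so the request silently goes direct.
  { myIp: "192.168.1.42", url: "http://nosuch.corp.example/", host: "nosuch.corp.example", want: "DIRECT" },
];

console.log("failures:", runPacCases(cases));
```

The last case is the one people forget: if the proxy-side name does not resolve from the client's current network, isInNet() returns false and the request is sent directly rather than via the proxy, which may be exactly the wrong thing for an internal-only name. Matching on dnsDomainIs(host, ".corp.example") avoids depending on client-side resolution for such names.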
For laptop use, save this file onto the file system in some suitable location. Then go to Firefox -> Preferences -> Advanced -> Network -> Settings, and enter an appropriate URL for the file location, for instance file:///full/path/to/file/location/proxy.pac (note the three slashes: the host part of a file: URL is empty). For desktop use, the file could be put on a webserver (e.g., an intranet server) and the http://machine/location/proxy.pac URL specified instead. Bear in mind that the PAC file decides where all of the browser's traffic goes, so anyone who can tamper with that HTTP fetch can redirect it; serve the file over HTTPS or from local disk where you can. The file will be loaded when the web browser starts up, and whenever the "Reload" button next to the URL in the settings is pressed; the function will be evaluated for each URL. (In Safari, this is in the system Network settings (Apple -> System Preferences -> Network -> Advanced -> Proxies), also accessible via Safari -> Preferences -> Advanced -> Proxies; tick "Proxy Auto Configuration" and enter the URL. I expect other browsers have similar support.)
Also in these configuration screens is the option "Auto-detect proxy settings for this network", which should not be used outside fixed machines in a well-run, locked-down corporate network. It enables WPAD, the Web Proxy Autodiscovery Protocol, which essentially tries to guess the URL of the PAC file: first by asking DHCP for one (option 252), then by prepending "wpad" to shorter and shorter portions of the local domain name and looking each up in DNS. Unfortunately web browsers do very poorly at identifying security boundaries and thus are quite willing to ask for a WPAD server outside the local network, such as a country-wide WPAD server (wpad.co.uk for a machine in example.co.uk), leading to silent interception of all traffic. The problem is rather similar to the DNS Resolution Issues caused by arbitrarily walking up the local domain name hierarchy without proper boundary checking.
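To make the boundary problem concrete, here is an added example (not code from the original page) of the DNS half of the WPAD walk in JavaScript: the naive walk that the text describes, which strips labels until only two remain, beside a bounded walk that stops as soon as the parent domain is a public suffix. The host names and the deliberately tiny suffix list are constructed for the demo; a real implementation would use the full Public Suffix List, and the exact stop rule of real browsers has varied over time.

```javascript
// Added example: the WPAD DNS walk, naive and boundary-checked. Not from the
// original page; host names and the suffix list below are constructed.

// Naive walk: prepend "wpad" to each parent of the host's domain, stopping only
// when two labels would be left (i.e. just before the bare TLD).
function wpadCandidatesNaive(fqdn) {
  const labels = fqdn.toLowerCase().split(".").filter(Boolean);
  const out = [];
  for (let i = 1; i <= labels.length - 2; i++) {
    out.push("wpad." + labels.slice(i).join("."));
  }
  return out;
}

// Constructed subset of public-suffix rules. A name at or above one of these is
// shared by unrelated organisations, so a "wpad" host there is not ours.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "org.uk", "com", "net", "org"]);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain);
}

// Bounded walk: identical, but stop before the parent is a public suffix.
function wpadCandidatesBounded(fqdn) {
  const labels = fqdn.toLowerCase().split(".").filter(Boolean);
  const out = [];
  for (let i = 1; i < labels.length; i++) {
    const parent = labels.slice(i).join(".");
    if (isPublicSuffix(parent)) break;
    out.push("wpad." + parent);
  }
  return out;
}

// The names the naive walk would query that lie outside the organisation: each
// one is a place an attacker could register to hand out a malicious PAC file.
function leakedCandidates(fqdn) {
  const safe = new Set(wpadCandidatesBounded(fqdn));
  return wpadCandidatesNaive(fqdn).filter((c) => !safe.has(c));
}

// Constructed host name for the demo.
const demoHost = "laptop.corp.example.co.uk";
console.log("naive:  ", wpadCandidatesNaive(demoHost));
console.log("bounded:", wpadCandidatesBounded(demoHost));
console.log("leaked: ", leakedCandidates(demoHost));
```

For laptop.corp.example.co.uk the naive walk tries wpad.corp.example.co.uk, wpad.example.co.uk and then wpad.co.uk; only the first two belong to the organisation. The bounded version never asks for wpad.co.uk. Note that the DHCP path of WPAD is not helped by this check at all: on an untrusted network, whoever answers DHCP can simply hand the browser a PAC URL of their choosing, which is the stronger reason to leave auto-detection off on mobile machines.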