Whether you connect your Barracuda Web Security Gateway Inline or in Forward Proxy configuration, you might want to use a Proxy Auto-Configuration (PAC) file to distribute a set of rules that determine where client browsers route/proxy web traffic: to the Barracuda Web Security Gateway, to intranets, or to the internet. See also https://findproxyforurl.com for information about creating WPAD and PAC files.
You can create a custom PAC file and use a Windows Group Policy Object (GPO) to push out proxy settings to client browsers. This method of proxying web traffic to the Barracuda Web Security Gateway has the following advantages:
- You can automatically configure all client browsers with proxy instructions rather than manually configuring them.
- A PAC file affords a lot of flexibility since you can optionally proxy specific traffic - domains, URLs, internal versus external traffic - to one or more specific Barracuda Web Security Gateways, or directly to the internal or external internet.
- You can set up load balancing of web traffic and failover (with multiple Barracuda Web Security Gateways) in case one system is not available.
How a PAC File Works
A PAC file is a specialized JavaScript function definition that a browser calls to determine how web requests are handled. The web browser fetches this PAC file before retrieving other pages. The JavaScript function "FindProxyForURL(url, host)" in the PAC file returns a string with one or more access method specifications. These specifications cause the user agent to either use a particular proxy server or to connect directly to the internet. The examples below give various scenarios in which you might want to proxy certain web traffic, while routing other web traffic directly to the internet or intranet.
Examples of PAC File Commands
In Example 1 below, you want client browsers to manually proxy certain SSL traffic (https://mail.google.com, for example) to port 3128 of your Barracuda Web Security Gateway, and you'll use a PAC file like this example to define this for the browsers.
Example 1
When the client makes a request to a website, the web browser refers first to the PAC file. If the client is using a local network address, the specified proxy server (Barracuda Web Security Gateway) is used on the specified port. If the client is not using a local network address (example: a user is connecting from a hotel), the PAC file instructs the web browser to connect directly to the Internet.
proxy.pac
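function FindProxyForURL(url, host)
{
    // Clients on the local 10.175.175.0/24 network use the Barracuda Web Security Gateway on port 3128.
    if (isInNet(myIpAddress(), "10.175.175.0", "255.255.255.0")) {
        return "PROXY 10.170.2.252:3128";
    } else {
        // Clients on any other network (for example, a hotel) connect directly.
        return "DIRECT";
    }
}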
Example 2
In a PAC file, you can provide for failover by specifying multiple Barracuda Web Security Gateways to proxy traffic to, in order of precedence. You can also load balance traffic by indicating in the PAC file that clients whose IP address ends in an odd number proxy to BarracudaWebFilter1 and clients whose IP address ends in an even number proxy to BarracudaWebFilter2. This example PAC file includes these and other scenarios of proxying specific traffic to a particular Barracuda Web Security Gateway or directly to the internal or external internet.
function FindProxyForURL(url, host) {
    // Array of domains not to send to a proxy: these domains, for example, would be domains you trust and don't need to filter.
    var no_proxy = new Array("barracuda.com", "barracudanetworks.com", "mydomain.com", "yourdomain.org");

    // If URL has no dots in host name, send traffic direct.
    if (isPlainHostName(host)) {
        return "DIRECT";
    }

    // If the host is in a domain that needs to bypass the proxy, send traffic direct.
    // shExpMatch compares the whole string, so match the host (not the full URL)
    // against the domain itself and against any of its subdomains.
    for (var i = 0; i < no_proxy.length; i++) {
        if (host == no_proxy[i] || shExpMatch(host, "*." + no_proxy[i])) {
            return "DIRECT";
        }
    }

    // If you don't want to filter internal web traffic:
    // If IP address is internal or hostname resolves to internal IP, send direct.
    // The loopback range is 127.0.0.0/8, so its mask is 255.0.0.0.
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }

    // If you want to load balance traffic, you can, for example, send odd IPs to one Barracuda Web Security Gateway
    // and even IPs to 2nd Barracuda Web Security Gateway.
    // Each PROXY command specifies two Barracuda Web Security Gateways; if one is not available, traffic goes to the other one (fail-over).
    // The trailing DIRECT means that if neither gateway is available, the browser connects directly and the traffic is not filtered.
    var proxy;
    var myip = myIpAddress();
    var ipbits = myip.split(".");
    var myseg = parseInt(ipbits[3], 10);

    // Based on the 4th octet being even or odd we'll change proxy priority.
    if (myseg % 2 == 0) {
        // Even
        proxy = "PROXY gbobarwebv02.yourdomain.org:3128; PROXY gbobarwebv01.yourdomain.org:3128; DIRECT";
    } else {
        // Odd
        proxy = "PROXY gbobarwebv01.yourdomain.org:3128; PROXY gbobarwebv02.yourdomain.org:3128; DIRECT";
    }
    return proxy;
}
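Before a PAC file is pushed out by GPO, its routing decisions can be checked offline. The following harness is an added example, not Barracuda code: it runs PAC source in Node.js with simplified stand-ins for the browser's PAC helper functions. The sample PAC, the DNS table and the names makePacHelpers and evaluatePac are constructed for illustration.

```javascript
// Offline stand-ins for the PAC helpers used in the examples above. Browsers supply
// the real ones; here dnsResolve and myIpAddress answer from values the caller passes in.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}
function makePacHelpers(clientIp, dnsTable) {
  return {
    myIpAddress: () => clientIp,
    dnsResolve: (host) => (/^\d+(\.\d+){3}$/.test(host) ? host : dnsTable[host] || null),
    isPlainHostName: (host) => host.indexOf(".") === -1,
    isInNet: (ip, net, mask) =>
      ip !== null && (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask)),
    // shExpMatch is a whole-string glob match: only * and ? act as wildcards.
    shExpMatch: (str, pat) => {
      const re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
      return new RegExp("^" + re + "$").test(str);
    },
  };
}

// Evaluate PAC source text for one URL, as seen by a client with the given IP address.
function evaluatePac(pacSource, url, clientIp, dnsTable) {
  const h = makePacHelpers(clientIp, dnsTable);
  const names = Object.keys(h);
  const find = new Function(...names, pacSource + "\nreturn FindProxyForURL;")(...names.map((n) => h[n]));
  return find(url, new URL(url).hostname);
}

// Constructed sample PAC modelled on Example 2 (one bypass domain, one internal range).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (host === "mydomain.com" || shExpMatch(host, "*.mydomain.com")) return "DIRECT";
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) return "DIRECT";
  var odd = parseInt(myIpAddress().split(".")[3], 10) % 2 === 1;
  return odd ? "PROXY gbobarwebv01.yourdomain.org:3128; PROXY gbobarwebv02.yourdomain.org:3128; DIRECT"
             : "PROXY gbobarwebv02.yourdomain.org:3128; PROXY gbobarwebv01.yourdomain.org:3128; DIRECT";
}`;

// Constructed DNS answers and test URLs.
const DNS = { "www.example.net": "203.0.113.10", "wiki.corp.example.net": "10.1.2.3" };
for (const url of ["http://intranet/", "https://www.mydomain.com/", "http://wiki.corp.example.net/", "https://www.example.net/"]) {
  console.log(url, "->", evaluatePac(SAMPLE_PAC, url, "10.175.175.21", DNS));
}
```

Running the same URLs with a second client address whose last octet is even shows the gateway order reversing, which confirms the load-balancing branch before deployment.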