Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

DJLC

macrumors 6502a
Original poster
Jul 17, 2005
958
401
North Carolina
So I was just alerted to a pretty big issue at work: it seems Safari is ignoring our zScaler-provided proxy auto configuration file. It is hosted on the zScaler cloud service, and is set properly in the Network prefpane for all network interfaces. Oddly, both Firefox and Chrome honor the system network settings and route traffic through the proxy when appropriate. Safari, on the other hand, ignores the proxy in all circumstances.

If I put the PAC file in /Library/Internet Plug-Ins/, Safari honors the PAC file as appropriate. But is there any way to get it to use a PAC file hosted on a remote web server? If not, can anyone point me in the right direction as far as updating the PAC file path in the Network prefpane via the command line? If I have to start using a locally hosted PAC file, I'm going to have to update that setting on our 200 student MacBooks.

Below is the PAC file. I had some trouble initially getting the if statements to work properly under OS X; the problem could lie there as well. When on the school network traffic is routed thru zScaler with a tunnel, thus making the proxy undesirable.

Code:
function FindProxyForURL(url, host) {
			var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;

			/* Don't send non-FQDN or private IP auths to us */
			if (isPlainHostName(host) || shExpMatch(host, "192.0.2.*") || privateIP.test(host))
			return "DIRECT";

			/* FTP goes directly */
			if (url.substring(0,4) == "ftp:")
			return "DIRECT";

			/* If on local ARS network, don't do it. */
			if (dnsResolve("xserve.arsnc.private") == "192.168.2.200")
			return "DIRECT";

	/* Default Traffic Forwarding.
	 * Forwarding to Zen on port 80, but you can use port 9400 also */
	 return "PROXY 152.26.228.6:9443; PROXY 152.26.230.6:9443";
}
 
Last edited:

DJLC

macrumors 6502a
Original poster
Jul 17, 2005
958
401
North Carolina
Doesn't really solve the problem... I need the PAC file to be implemented only when the client is not connected to my network. Thus, I have no control over DHCP in the locations where the proxy is necessary.

In any case, I later found that some of the Macs do work with the filter. They're all clones of one another, and thus have the exact same versions of everything. Yet Safari ignores the proxy on some and honors it on others.

I think I'll just let it sit for two more weeks until school is out. This summer I can do a local PAC file in my image before I re-image all of them.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.