From:  Patrick McManus <mcmanus@ducksong.com>
Date:  11 Jul 2014 19:50:30 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.tech.network
Subject:  Re: Using a Pac File to redirect https requests.

NNTP-Posting-Host:  63.245.216.66

The port number is the number of the port that the proxy is listening on in
your config - in mine that was 2443. For you it looks like 443.

You are probably having a problem authenticating that host, given that you
are using an IP address for it. TLS requires a certificate with a matching
hostname chained to a CA in the trust store. So I recommend

return "HTTPS origin-www.abc.com:443;"

and then the proxy will need a signed cert for that name.


On Fri, Jul 11, 2014 at 7:39 AM, Sindhu  wrote:

> Hi Patrick,
>
> Yes, you are right. I am trying to proxy over TLS.
> I want to clarify one thing though. Is the port number in the return
> statement 2443 or 443?
> I tried using both (with the aurora build) and I faced issues with both.
> With 2443 the page remains in a connecting state (I assume there is no
> process listening on 2443) and with 443 I get the ns_error_unknown_host
> error (though I'm able to connect to the domain without using a pac file).
> The pac file I am using looks like this:
>
> function FindProxyForURL(url,host) {
> if(shExpMatch(host, "^www\.abc\.com$")){
> var new_ip=dnsResolve("origin-www.abc.com");
>   var proxyval = "HTTPS "+new_ip+":443;";
> return proxyval;
> }
> }
>
>   I can also send the http logs if that would help.
>
> Sindhu Simhadri
>
>
> On 8 July 2014 18:02, Patrick McManus  wrote:
>
>> Hi Sindhu - I believe we have a confusion in terminology.
>>
>> I believe that you are trying to proxy over TLS (or some people call it
>> proxy over https) - not that you are having trouble proxying https://
>> urls. Is that correct?
>>
>> Proxying https urls should work just fine with your original
>> configuration - the https request will be tunneled through the proxy using
>> the CONNECT method and thus be opaque to the proxy, but it will be routed
>> through it.
>>
>> If you would like to proxy http:// and/or https:// using an https/TLS
>> connection to the proxy then you need a new feature that is on firefox
>> 32 and newer. That's currently the aurora channel.
>>
>> To use that the pac file would look like
>>
>> function FindProxyForURL(url, host) {
>> return "HTTPS localhost:2443;"
>> }
>>
>> Note that https:// urls will still be routed through the connect method
>> at the proxy. If you are trying to see the contents of the https
>> transaction at the proxy that is not possible - https:// urls are
>> encrypted end to end.
>>
>> hope that helps.
>>
>> -Patrick
>>
>>
>> On Tue, Jul 8, 2014 at 1:55 AM, Sindhu  wrote:
>>
>>> Hi,
>>>
>>> I am trying to use a PAC file to redirect http / https requests.
>>>
>>> The following function works for a http request but it throws an
>>> NS_ERROR_UNKNOWN_PROXY_HOST error for *https* requests.
>>>
>>>
>>> function FindProxyForURL(url, host) {
>>> return "PROXY x.x.x.x;"
>>> }
>>>
>>> And if I change the function to:
>>>
>>> function FindProxyForURL(url, host) {
>>> return "PROXY x.x.x.x:443;"
>>> }
>>>
>>> it throws NS_ERROR_NET_RESET error.
>>>
>>> Is it possible to redirect https requests through a PAC file? Or is there
>>> any other way to achieve this?
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Patrick McManus 
>>> Date: 2 July 2014 20:15
>>> Subject: Re: Using a Pac File to redirect https requests.
>>> To: Sindhu 
>>> Cc: firefox-dev@mozilla.org
>>>
>>>
>>> you can use a PAC file to route all http and https generated by gecko.
>>> https will of course be tunneled through the proxy using CONNECT because
>>> it needs to be end to end for appropriate security.
>>>
>>> e.g.
>>>
>>> function FindProxyForURL(url, host) {
>>> return "PROXY localhost:2443;"
>>> }
>>>
>>> dev-tech-network is probably the right place to followup to get the right
>>> visibility - you should supply the pac file there.
>>>
>>>
>>>
>>> On Wed, Jul 2, 2014 at 1:12 AM, Sindhu  wrote:
>>>
>>> > Hi,
>>> >
>>> > I have an extension which uses a PAC file to redirect particular requests
>>> > to a proxy server. But this doesn't work for any *https* request.
>>> > Firefox always uses a DIRECT connection for https requests. Is there any
>>> > way to redirect https requests using a PAC file? Or is there any other way
>>> > to achieve this?
>>> >
>>> > Sindhu Simhadri
>
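
The recommendation in the most recent reply (name the TLS proxy by hostname rather than by a resolved IP address), as an added example that is not part of the original thread. The `DIRECT` fallback, the `shExpMatch` shim for running outside a browser, the hypothetical helper `lintPacResult`, and the documentation addresses used to exercise it are assumptions.

```javascript
// Added example, not code from the thread. Runs under Node.js for checking;
// in the browser the PAC runtime supplies shExpMatch itself.

// Minimal stand-in for the PAC built-in shExpMatch (shell globs: * and ?).
// Assumption: simplified shim for offline testing only.
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// PAC entry point: name the TLS proxy by hostname so its certificate can match.
function FindProxyForURL(url, host) {
  // shExpMatch takes a shell glob, not a regular expression.
  if (shExpMatch(host, "www.abc.com")) {
    return "HTTPS origin-www.abc.com:443";
  }
  return "DIRECT"; // assumption: everything else bypasses the proxy
}

// Hypothetical helper: split a PAC result into entries and flag HTTPS proxies
// given as IP literals, which cannot be matched against a certificate hostname.
function lintPacResult(result) {
  const findings = [];
  for (const entry of result.split(";").map(s => s.trim()).filter(Boolean)) {
    const [type, hostport = ""] = entry.split(/\s+/);
    if (type.toUpperCase() !== "HTTPS") continue;
    const isV6 = hostport.startsWith("[");
    const host = isV6 ? hostport.slice(1, hostport.indexOf("]"))
                      : hostport.replace(/:\d+$/, "");
    const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
    if (isV4 || isV6) findings.push({ entry, host, issue: "ip-literal" });
  }
  return findings;
}
```

Running `lintPacResult` over the strings a PAC file can return catches the IP-literal form before it is deployed to clients.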