Here is the default PAC file template from Zscaler cloud security solution:
Strictly speaking, this is not only Zscaler's default PAC template
error, but somehow this code snippet was spread widely across the
Internet.
For example, the same error migrated here:
http://itzecurity.blogspot.ru/2016/05/pac-file-recommendation-warnings-and.html
and here:
http://findproxyforurl.com/pac-code-snippets-examples/
and even here:
https://support.google.com/chrome/a/answer/3504945?hl=en
function FindProxyForURL(url, host) {I don't know how, but quiet obvious error crept here, highlighted with bold:
var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
var resolved_ip = dnsResolve(host);
/* Don't send non-FQDN or private IP auths to us */
if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
return "DIRECT";
}
/* FTP goes directly */
if (url.substring(0,4) == "ftp:") {
return "DIRECT";
}
/* Updates are directly accessible */
if (((localHostOrDomainIs(host, "trust.zscaler.com")) ||
(localHostOrDomainIs(host, "trust.zscaler.net")) ||
(localHostOrDomainIs(host, "trust.zscalerone.net")) ||
(localHostOrDomainIs(host, "trust.zscalertwo.net")) ||
(localHostOrDomainIs(host, "trust.zscloud.net")) ) &&
(url.substring(0,5) == "http:" || url.substring(0,6) == "https:")){
return "DIRECT";
}
/* Default Traffic Forwarding. Forwarding to Zen on port 80, but you can use port 9400 also */
return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
var resolved_ip = dnsResolve(host);And here is the screenshot for sake of proof:
/* Don't send non-FQDN or private IP auths to us */
if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
The point being here is that privateIP.test should check resolved_ip variable against regexp instead of host. That's it. So the correct variant is here:
var resolved_ip = dnsResolve(host);
/* Don't send non-FQDN or private IP auths to us */
if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(resolved_ip)) {
For example, the same error migrated here:
http://itzecurity.blogspot.ru/2016/05/pac-file-recommendation-warnings-and.html
and here:
http://findproxyforurl.com/pac-code-snippets-examples/
and even here:
https://support.google.com/chrome/a/answer/3504945?hl=en
Certainly, at the time you will check it, error may be fixed. But this is good sign that means my blog post was notified.
Hope this helps somebody.
