Closed Bug 44980 Opened 24 years ago Closed 9 years ago

Proxy: fix no proxy so host aliases can match the full domain

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: justin, Unassigned)

References

Details

(Whiteboard: (go to bug 80918 for IP address wildcards))

Attachments

(1 file)

Patch for this bug
3.70 KB, patch
darin.moz
: superreview-
Details | Diff | Splinter Review 
For many internal intranet sites, it's common to use the host alias when
entering URLs. For example, if I was in the bar.com domain, and I wanted
to access the host foo.bar.com, I would usually just type http://foo/ to get
there.

However, when sitting behind a proxy, there are problems doing this, since the
no_proxies_on list is for the domain (ie. we don't proxy on bar.com). That makes 
mozilla think http://foo/ is on the other side of the firewall.

Also, Netscape 4.x didn't mind if the no_proxies_on domain included a star in 
front (ie. *.bar.com). mozilla doesn't get rid of that, and then nothing 
matches.

Anyway, I've fixed both of these with some changes to nsProtocolProxyService.cpp
(btw, the following patch was made in mozilla/netwerk/base/src).

For the second part, I just strip the star off the front of any text added to 
the no proxy list.

For the first part, if a host doesn't hit anything in the list unchanged, and 
that host does not contain a dot (ie. foo but not foo.com), then I resolve the 
name and grab the canonical host name. I go through the no proxy list again, and 
see if anything hits it.

Also, to avoid having to resolve these aliases every time, if a FQDN version of 
an alias matches something in the no proxy list, then I add the alias to the no 
proxy list. That way, future proxy checks will hit the alias directly, avoiding 
the DNS lookup for all future accesses.

    
    

    
  
Seems reasonable to me. Setting to NEW, adding patch keyword.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: patch

    
    

    
  
two things--

for a * processing you need more than just strip it off since I could want to 
make things like ad.*.com or even better ad*.*.com So there is more stuff 
involved here than probably possible for this release. 

the remaining fix seems reasonable though I'd prefer to look over it again 
before calling it reviewed. thanks!
Keywords: nsbeta3

    
    

    
  
I agree that the wildcard processing could be better, but the 4.x browsers did 
support (at least) "*.bar.com". It's been my experience that most people try 
typing in the local domain with the star prefix and expect that to work. Since 
it's trivial to strip it off, I think that bit should go in for the sake of 
compatibility.

    
    

    
  
I would prefer to build the list of no_proxies_for as a FQDNs that way we don't 
run into doing PR_GetHostByName again and again. Anyway I think we can relnote 
this for beta3 and so giving it a nsbeta3- (as much as I would like this to be a 
plus, we have to leave this out for other beta3 nominations)
Whiteboard: [nsbeta3-]

    
  
Target Milestone: --- → Future

    
  
Blocks: 61691

    
    

    
  
mass move, v2.
qa to me.
QA Contact: tever → benc

    
    

    
  
I think the underlying problem is that we should take on hostname -> fqdn
conversion ourselves. I think we also need to support display of the systems
default domain and reconfiguration of it to a profile or selectable value (bug
88217). 

The main reason why is this: a user with a hostname is generally on an intranet,
and they generally know what that intranet is. By implication, that means that,
although the URL is deterministically mean to refer to a URI on a certain
service socket. The problem is that when you hand of a hostname to name
resolution, you can't predict where the resolution process will go. This varies
by OS, resolution methods involved (files, NIS, DNS), and system configuration. 

Mozilla is built across numerous operating systems, which potentially have
different ways of handling search domains, hostname or non-fqdn completion.
Vendors have changed search algorithms over time, and it is likely that they
will continue to do so. The hostname completion and search features were
originally designed to allow users to be lazy in typing, while searching their
subdomains. The vast majority of domains are now flat or delegate one level. 

Nobody should be so lazy as to create URL's that have just a hostname (but we
all are...), but what we need to do is make a browser that allows the user to
control this, because increasingly, they will not be able to reconfigure their
OS resolver (because of access control or user sophistication limitations)...

If we did this completion BEFORE we did the no-proxy check, then this problem
would be solved.

    
    

    
  
I'd increase the priority on this bug, as it has bad interactions with other bugs.  For example, if I want to avoid proxying http://foo/, I can try to exclude ".bar.com" (which doesn't work due to this bug), but I also could try to exclude "123.45.", which also does not seem to work.  I would be quite happy being able to wildcard an entire class B (or C) subnet, and a lot of corporate customers would too.  I appreciate that all good web apps should use FQDNs, but they really do not.  In fact, many networks rely on host aliases for easily-guessable web app names (e.g. "timecard", etc).  If we can't figure out the FQDN from the host alias prior to the proxy check, could we at least have the ability to do it with numerical addresses?

    
    

    
  
some cleanup -> sending to eng triage
Assignee: gagan → new-network-bugs
Keywords: helpwanted
Summary: URLs using host aliases do not match the full domain in no_proxies_on → Proxy: hostnames do not match the full domain in no_proxies_on
Whiteboard: [nsbeta3-]
Target Milestone: Future → ---

    
    

    
  
-> gordon
Assignee: new-network-bugs → gordon

    
    

    
  
This bug, more than any other bug, is why I cannot use Mozilla as my default
browser.  Our IT department assumes we are on the intranet, and has many
IT-provided pages that are referenced without full names.  Other browsers that
are more commonly used (IE) perform the auto-FQDN and direct requests within the
intranet or to the proxy server respectively.

The priority and severity of this bug should be increased significantly.

    
    

    
  
+clean report.

I was working on updating bug 72444, and I was searching for the bug that says
that hostname needs to be mapped to an FQDN w/ the default domain name so that
users can block unqualified requests by putting the default domain into "no
proxy for". In the past, I have had trouble finding that bug, because it seems
like there were several bugs that described the same problem and had their own
dupe lists. I think that bug 91587 is the right bug for this, so I'm morphing
this bug to the match the patch justin put in here.

Having 4xp compatability is very important, because people do migrate their
profiles, and as #4 states, they will have "*"s in their profile. I just tested
this, and found that "*" no proxies do not work, which would break connectivity
in an environment where proxies refuse to forward to systems in the no-proxy list.

Gagan's concerns in #3 are useful on a theoretical basis, but I have never heard
of anyone doing that with Communicator, and my personal contacts in Netscape and
iPlanet support suggest this never worked, and/or they would not support it anyhow.

That being said, this patch, absent bit-rot concerns, should probably be checked in.
Keywords: helpwanted4xp, 
          
            clean-report, 
          
            nsbeta1
Summary: Proxy: hostnames do not match the full domain in no_proxies_on → Proxy: ignore "*" characters in "no proxy for"

    
    

    
  
*** Bug 31284 has been marked as a duplicate of this bug. ***

    
    

    
  
how does this relate to bug 48718?

    
    

    
  
These two could be duplicates, depending on how you frame the details.

    
    

    
  
Also it would be good if in "no proxy for" field mozilla supported maskin like
192.168.0.*

    
    

    
  
we have bug 80918 for that. please search for a specific bug rather than put a
comment into this bug that causes drift.
Whiteboard: (go to bug 80918 for IP address wildcards)

    
    

    
  
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-

    
  
Assignee: gordon → darin

    
    

    
  
is this bug still being looked at?

its still present in Firefox 0.9 and mozilla 1.7rc3.. probably not the need to
stip the * out, but more the problem where if you have "10." in the no proxy for
list, and you go to http://foo/  where foo resolves to 10.x.x.x, it thinks foo
is outside the firewall and tries to use the proxy.
very frustrating here at work!

    
  

        Attachment #11158 -
        Flags: superreview?(darin)

        Attachment #11158 -
        Flags: review?(bbaetz)

    
    

    
  
Comment on attachment 11158 [details] [diff] [review]
Patch for this bug

resolving hostnames here on the main UI thread is not ideal.  if DNS is slow it
could hang the entire browser UI for lengthy periods of time.  i would prefer
to see this happen lazily on a background thread.  but that is a very complex
patch to implement.

    
    

    
  
but the dns name entered into the address bar must be resolved anyway if you 
are to attempt to connect to that site.. right? so once thats resolved, you 
can compare it against the no proxy for list.

    
    

    
  
(In reply to comment #21)
> but the dns name entered into the address bar must be resolved anyway if you 
> are to attempt to connect to that site.. right?

wrong: the proxy resolves the name, not the browser.
(except maybe in the case of a socks proxy)

    
    

    
  
ok, but i guess this isn't really the point. IE does it, so it must be 
feasible..  this bug was brought up a long time ago (almost 4 years), should i 
start a new bug on it?  the fact that it hasn't been fixed in 4 years would 
suggest its not being looked at..

    
    

    
  
what makes you think that filing a new bug will get it looked at?
you'd be lucky if someone looks at it and recognizes it's a duplicate of this one.

anyway, the resolution we normally do (when we do some) for addresses doesn't
happen on the main thread, so at least from an abstract perspective, it would
seem to me that we should be able to do this work at the same time/place as
normal resolution.

nick: if you want to do something useful, how about building up a list of
situations and browsers and how they react.

the first one that comes to mind is:
ie, socks proxy, exclude: *.localdomain, http://foo/

local name server says foo=foo.localdomain
socks proxy says foo=foo.com

what does ie do?

be sure to specify os and ie version.

    
  
Blocks: 48718

    
    

    
  
sure, i'd love to help.

in the situation you described, entering http://foo/ into the address bar did 
NOT work.  entering http://foo.localdomain.com/ into the address bar DID work
OS: winXP sp1
ie vs: 6.0.2800.1106.xpsp2.030422-1633

same results for windows 2000 sp3, ie 5.50.4134.0600cO

however, in the proxy exclude list, if i enter foo, rather than http://foo/, 
then it works if entering http://foo/ in the address bar.  in this situation, 
entering http://foo.localdomain.com/ in the address bar still works.

further, if i remove all entries from the exclude list, so it is empty, 
entering http://foo/ into the address bar still works! also, if i enter 
http://10.16.17.88 (which is the ip of foo) into the address bar it still 
works.  however, if i untick "bypass proxy server for local addresses" in the 
LAN settings window, it will not work (only for http://foo/, 
http://10.16.17.88/ still works fine).  so it would seem that IE is somehow 
figuring out what's local and what's not without us entering anything into the 
exclude list.  

i guess im stuck as to what else i can test for you.  if you can suggest 
something, i'd be happy to try it

    
    

    
  
well, the definition of local could be 10.*, 192.168.*, 172.<i can't remember).

Try building a network using something that isn't in those ranges. (don't
connect it to the real world).

    
    

    
  
Comment on attachment 11158 [details] [diff] [review]
Patch for this bug

sr-

we must not block the UI thread waiting for slow DNS servers to respond.  we
currently do so for PAC, and that is unfortunate.  we should not add more code
that does this.

it is far better to use nsIDNSService::asyncResolve (which is what the browser
uses when loading non-proxy sites), but that requires that your code is happy
to get the response back asynchronously.  i don't think this code is, so we
need to drastically change the way things work.

christian and i spoke about a solution for PAC, and that is probably something
that we'd want to use here too.  it involves creating a dummy protocol handler
and channel that "redirects" to the proper channel after proxy settings have
been determined asynchronously.

i cannot accept this patch as is.  leave out the PR_GetHostByName for starters,
ok?

        Attachment #11158 -
        Flags: superreview?(darin) → superreview-

    
    

    
  
Hi All

Is this bug going to be dealt with in the near future?  I am trying to use
firefox in a corporate setting with a specified proxy.  The internal intranet
sites are listed in the no proxy for but the browser cannot find them.  If I
disable the proxy, it is able to find the sites without any issue.

Please address this bug as it is important for corporate users.

Tim

    
    

    
  
Darin: 
the patch provided in this bug by justin is very cool. I like the idea that the
no proxy list would magically grow over time. However, I doubt we are ever going
to implement this, for several reasons:

1- there are limits to the size of a pref. This feature was not designed to be a
block list because it is saved as a pref. Other features that support domain
lists have heavy UI support (cookies, image blocking, etc.)

2- this is basically using code logic to magically failover in a situation that
could be solved w/o magic. This is an example of my growing believe that
network-magic features are bad. We can fix most problems in no proxy by fixing
our handling of the default domain at the pre-resolution stage. 

3- the "*" stripping was already implemented elsewhere, so it is irrelevant to
this bug now.

I've reverted the description back to something closer to the original. most of
the issues raised by nick are actually in other bugs, so I think we should
wont-fix this bug.

Summary: Proxy: ignore "*" characters in "no proxy for" → Proxy: fix no proxy so host aliases can match the full domain

    
  
No longer blocks: 48718

    
  
Assignee: darin → nobody
QA Contact: benc → networking

        Attachment #11158 -
        Flags: review?(bbaetz)

    
    

    
  
This may no longer be needed, as it's now possible to add <local> to the "No proxy for" list.

See https://developer.mozilla.org/en-US/docs/Proxies_in_Necko#Proxies_and_local_hosts

    
    

    
  
This isn't on anyone's work list and realistically is an abandoned idea. I will close as wontfix - if someone has a patch or is actively going to work on it please reopen. (but please, only then.)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: