Automatic proxy in NEProxySettings is bypassed when proxy server is down.

Hi,
I am trying to configure either a Manual or an Automatic proxy in a Network Extension using NEProxySettings in NEPacketTunnelNetworkSettings. Below are my observations when the proxy is configured:
  1. Manual proxy

    1. When Proxy server is reachable: resources are accessible

    2. When Proxy server is not reachable: resources are inaccessible (expected behaviour).

  2. Automatic proxy, using either JavaScript (proxyAutoConfigurationJavaScript) or a URL (proxyAutoConfigurationURL)

    1. When Proxy server is reachable: resources are accessible

    2. When Proxy server is not reachable: proxy is bypassed and resources are accessible

To check this behaviour, I tried configuring the proxy in Wi-Fi Settings, and when the proxy server is down, these are my observations:
  1. Manual proxy: resources are inaccessible

  2. Automatic proxy:

    1. When PAC URL is reachable: resources are inaccessible

    2. When PAC URL is not reachable: resources are accessible

This is different behaviour compared to the Network Extension’s proxy settings.
  • How is Automatic proxy designed to work in NEProxySettings when proxy server is down?

  • How can I get the same behaviour as Manual proxy (not bypassing the proxy) in Automatic proxy when the proxy server is down?

I am using Safari browser for accessing resources.

I am going to try and provide a general response here, but a lot of this comes down to testing on your end and debugging your environment. Establishing Proxy settings with something like a PAC URL does not mean that you will always be able to access your resources. For example, if your remote or destination address does not meet the criteria to forward or redirect your traffic to resources, you will not reach them. I would recommend that you take a look at your remote addresses or hostnames on your IP packets and then see how this aligns with your proxy settings. Next, see if you are reaching your proxy server. If you are reaching your server, and your proxy settings are set up to route your traffic appropriately, look at the next hop in the network.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thanks for your quick response. I think I have not been very clear with my question. Let me try to rephrase it with more details:

Given that:
  1. I have a resource some-resource.com which is accessible with or without proxy.

  2. I have a proxy pac file at my-file-server.com/some-proxy.pac

  3. I have a simple proxy server my-proxy.com:8080 configured/returned inside the pac file. All my traffic should go through this proxy server and if it’s not reachable, no resource should be accessible.

  • Now, when proxy server my-proxy.com:8080 is configured manually:

If proxy server is up, my resource some-resource.com is accessible via proxy.
If proxy server is down, my resource some-resource.com is no longer accessible. This is as expected.

  • When proxy is configured automatically by providing pac file URL:

If proxy server my-proxy.com:8080 is up, my resource some-resource.com is accessible via proxy.
If proxy server my-proxy.com:8080 is down, my resource some-resource.com is still accessible, bypassing the proxy. This is what is not expected.

Please note, in case of automatic configuration, pac file located at my-file-server.com/some-proxy.pac is always accessible.

As you can see, there is a difference in behaviour between automatic proxy configuration using a pac file and manually configuring the same proxy server. I have tried all the above scenarios in NetworkExtension proxy configuration as well as Wi-Fi proxy configuration and the result is the same for both. So, is it expected that automatic proxy would be bypassed when the proxy server is not reachable?
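One check that rules out the PAC file itself as the source of direct connections, added here as an example and not part of the original thread: evaluate `FindProxyForURL` over probe URLs and flag any result that is empty, lists `DIRECT`, or names a proxy other than the expected one. The PAC source, the probe URLs and the function names `loadPac`, `parseResult` and `auditPac` are assumptions made for illustration; the host names are the placeholders used in the post above. It says nothing about what the OS does when a listed proxy is unreachable.

```javascript
// Added example: audit a PAC script for results that permit a direct connection.
// SAMPLE_PAC is constructed for illustration; host names are the thread's placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".some-resource.com")) return "PROXY my-proxy.com:8080";
  return "PROXY my-proxy.com:8080; DIRECT";
}`;

// Minimal stand-ins for the two PAC helper functions the sample uses.
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
};

// Compile the PAC text (only files you control) and return FindProxyForURL.
function loadPac(source) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// Split "PROXY a:1; DIRECT" into [{type, target}, ...].
function parseResult(result) {
  return String(result).split(";").map((s) => s.trim()).filter(Boolean)
    .map((entry) => {
      const [type, target = ""] = entry.split(/\s+/);
      return { type: type.toUpperCase(), target };
    });
}

// Flag every probe URL whose result is empty, contains DIRECT, or names another proxy.
function auditPac(source, urls, allowedProxy) {
  const find = loadPac(source);
  const findings = [];
  for (const url of urls) {
    const entries = parseResult(find(url, new URL(url).hostname));
    const failOpen = entries.length === 0 ||
      entries.some((e) => e.type === "DIRECT" || e.target !== allowedProxy);
    if (failOpen) {
      findings.push({ url, result: entries.map((e) => `${e.type} ${e.target}`.trim()).join("; ") });
    }
  }
  return findings;
}

const PROBES = ["https://www.some-resource.com/", "https://example.org/", "http://intranet/"];
console.log(auditPac(SAMPLE_PAC, PROBES, "my-proxy.com:8080"));
```
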

I have a resource some-resource.com which is accessible with or without proxy.

If proxy server my-proxy.com:8080 is down, my resource some-resource.com is still accessible, bypassing the proxy. This is what is not expected.

It seems like there is a contradiction in these statements.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thanks for your reply.

My resource some-resource.com is accessible from public internet (I have taken public resource just to check the behaviour of proxy when configured in Wi-Fi Settings). I want all my traffic to go through the proxy server and if it’s not reachable, no resource should be accessible.
  • When I configure Manual proxy and the proxy server is down, some-resource.com is inaccessible (No websites are accessible when tried to reach from Safari). But, 

  • When I configure an Automatic proxy the resource some-resource.com is accessible though the proxy server is down (Websites are accessible when tried to reach from Safari).

From the above, I can see there is a difference in behaviour between automatic and manual proxy configured using the same proxy server. I have tried all the above scenarios in NetworkExtension proxy configuration and the behaviour is the same.

So,
  1. Are Manual and Automatic proxy designed to behave differently when the proxy server is down?

  2. Is it expected that Automatic proxy would be bypassed when proxy server is down?

Hi,

Any update on the above?

Hi Matt,

To reply to your above question,

I would recommend that you take a look at your remote addresses or hostnames on your IP packets and then see how this aligns with your proxy settings. Next, see if you are reaching your proxy server. If you are reaching your server, and your proxy settings are setup to route your traffic appropriately, look at the next hop in the network.

When Proxy server is down,
  • Manual proxy:

The packets' destination IP is the proxy server IP, and I can see that packets are reaching the proxy server and being dropped at the server end. This is making some-resource.com inaccessible.
  • Automatic proxy:

Here, when the packets' destination IP is the proxy server IP, I can see that packets are reaching the proxy server and being dropped at the server end. But I see that packets are somehow recreated with a destination IP which is certainly not the proxy IP. This is actually making some-resource.com accessible.


Hi, I'm seeing the same thing. Is there a way to make sure that the connection is never made directly? So if the proxy is down, the connection is actually dropped instead of being made directly?

I've decided to file a radar (FB9650785) for this one, as it seems to behave incorrectly.

Hi, I'm seeing the same thing. Is there a way to make sure that the connection is never made directly? So if the proxy is down, the connection is actually dropped instead of being made directly?

In general, if you are running a PAC file with a VPN API such as NEPacketTunnelProvider this seems like you are wanting to use the VPN APIs to receive device traffic and proxy it to a location other than a VPN server, which does not sound like a proper use case for a VPN API. I would recommend using the NEAppProxyProvider API instead.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Using NEAppProxyProvider would work only for supervised devices, which is a major limitation. What if the proxy (or proxies) reside on an IP destination(s) that are routed through the tunnel set up using the VPN APIs? So there's an active VPN tunnel and we have cache/filtering proxy on the remote network that should be always used for certain connections.
