Oct.05

Proxy Auto Config File (.PAC) and Chromebooks

We made the decision early on to filter all traffic through our CIPA-compliant internet filter.  USD290 currently has a Lightspeed Rocket that is the barrier between all network traffic and the internet.  We also have a separate Cisco ASA that is a more hardened firewall that does the heavy lifting behind the scenes.

So what does that all mean exactly?  Well, every device is filtered through our Rocket, no matter where they are, as long as they have internet.  Our policies apply at all times.  That’s not to say we don’t loosen the reins at times.  We employ a simple .pac file that allows us to redirect some traffic and take certain loads off of our system.  We could, theoretically, allow Netflix, Pandora, and Spotify at home, and not see a bandwidth spike as long as our .pac file is properly configured.  Below, I will tear into our config line by line, and show you how it works!

First, all .pac files are JavaScript.  As such, it’s pretty easy to find resources for configuring your own script on the internet.  The first few lines of our script simply initialize the function, and set an IP address variable to use for the duration of the processing.  Setting this variable allows you to reuse it throughout the script, instead of requesting it multiple times, thereby increasing the time required to process the code.  We also allow any local resource to bypass the script, since it will already be filtered onsite anyway.

Next we have a code block that allows us to prevent students from logging off of their Chromebook, and logging in under a personal Gmail account.  This also prevents them from adding a consumer account to Google Chrome.

At one point, we would bypass the filter if the students had a local IP address.  This was an effort to remove some of the load from our Rocket, but was later deemed unnecessary.  We have not seen a substantial increase in traffic from our always proxying devices.  Nevertheless, here is the part of the script that would allow local IP bypass

Next step is the Google portion.  We previously had each of these declarations as a separate line.  What this does is force every single URL to iterate through each line and check for a match.  We wrapped all the Google URL’s into a single check, thus eliminating significant processing time.

And the final section checks for a few more URLs that we want to bypass our Rocket and go straight to the internet.  If no other rules apply, the last declaration of the script tells the Chromebook to pass the traffic directly to our Rocket.  If the Rocket is not reachable, it then proceeds to DIRECT.  You could, if you wanted, list several different URLs in this declaration, separated by semicolons.  This will allow you fail-over access to multiple proxy servers!

 

 

That’s all there is to it!  Here is the complete PAC script for USD290:

 

Here is a bonus piece of code that will allow you to load balance between multiple proxy servers.  Replace the last three lines of the above script with the following:

And don’t forget the closing  } !

 

Uncategorized
Share this Story:
  • facebook
  • twitter
  • gplus

Comments(1)

  1. Adam Smith
    1519 days ago

    Nice write up. I don’t know if I’ll ever need it, but I’ve bookmarked it just in case.

Leave a comment

Comment