Hello,
We have a Network extension transparent proxy (NETransparentProxyProvider) that receives browser TCP flows as NEAppProxyTCPFlow. For each flow we create an NWConnection to the flow's original destination and set NEParameters.preferNoProxies = true - expecting the outbound connection to bypass the user's HTTP/HTTPS proxy and PAC so it goes to the destination server directly.
However, in practice we see connections still being redirected to a local proxy after being evaluated against the PAC rules using the destination IP and port.
Our questions are:
- Could we expect preferNoProxies to be respected when a PAC exists on the endpoint, and to supersede the PAC rule decision?
- If yes, what would be the best way to file a bug and what information do you need?
- If not, is there any other way of making sure that the outbound NWConnection created by the transparent proxy is not redirected to a proxy and goes directly to the destination?
- One other way of avoiding our NWConnection being redirected to the proxy is to use the hostname instead of the destination IP. Would there be a reliable way of getting the hostname for the NEAppProxyTCPFlow so that PAC can correctly filter all NWConnections based on rules? We have explored remoteHostname but it's generally not available for connections from browsers other than Safari.
The expected behavior with preferNoProxies is that it should attempt to connect to the destination server directly, and fall back to the result from the PAC file if the direct attempt fails - so it doesn't guarantee that the connection won't go over a proxy, but it will try without one first.
If this doesn't match the behavior you're seeing, can you take a sysdiagnose and submit this to https://developer.apple.com/feedback-assistant, then post the number here?
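
One way to observe which route a connection actually took, as an added example that is not code from either post: it opens the outbound connection with preferNoProxies set and prints the Network framework's establishment report, which records whether a proxy was configured and whether it was used. The helper name `openOutboundConnection` and its host/port parameters are hypothetical; in a provider they would come from the flow's remote endpoint.

```swift
import Foundation
import Network

// Hypothetical helper (added example): open the outbound connection with
// preferNoProxies set, then log how the system actually established it.
func openOutboundConnection(host: String, port: UInt16,
                            queue: DispatchQueue = .main) -> NWConnection? {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else { return nil }

    let parameters = NWParameters.tcp
    parameters.preferNoProxies = true   // try direct first; proxy remains a fallback

    let connection = NWConnection(host: NWEndpoint.Host(host),
                                  port: nwPort,
                                  using: parameters)

    // Weak capture avoids a retain cycle between the connection and its handler.
    connection.stateUpdateHandler = { [weak connection] state in
        switch state {
        case .ready:
            // The establishment report is available once the connection is ready.
            connection?.requestEstablishmentReport(queue: queue) { report in
                guard let report = report else { return }
                print("proxyConfigured=\(report.proxyConfigured)")
                print("usedProxy=\(report.usedProxy)")
                if let proxy = report.proxyEndpoint {
                    print("proxyEndpoint=\(proxy)")
                }
                // Earlier failed attempts indicate the direct try did not succeed.
                print("previousAttemptCount=\(report.previousAttemptCount)")
            }
        case .waiting(let error):
            print("waiting: \(error)")
        case .failed(let error):
            print("failed: \(error)")
        default:
            break
        }
    }

    connection.start(queue: queue)
    return connection
}
```

A report showing `usedProxy=true` for a destination that is reachable directly is the kind of detail worth recording alongside the sysdiagnose.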