NWConnections in Network Extension Redirected to Proxy

We have a setup where the system uses proxy settings configured via a PAC file. We are investigating how NWConnection behaves inside a Network Extension (NETransparentProxyProvider) with a transparent proxy configuration based on this PAC file.

Scenario:

  • The browser makes a connection which the PAC file resolves as "DIRECT" (bypassing the proxy)
  • Our Network Extension intercepts this traffic for analysis
  • The extension creates a new connection using NWConnection to the original remote address.

The issue: despite the PAC file’s "DIRECT" decision, NWConnection still respects the system proxy settings and routes the connection through the proxy.

Our questions:

  1. Is it correct that NWConnection always uses the system proxy if configured?
  2. Does setting preferNoProxies = true guarantee bypassing the system proxy?

Additionally:

Whitelisting IPs in the Network Extension to avoid interception is not a viable solution because IPs may correspond to multiple services, and the extension only sees IP addresses, not domains (e.g., we want to skip scanning meet.google.com traffic but still scan other Google services on the same IP range). Are there any recommended approaches or best practices to ensure that connections initiated from a Network Extension can truly bypass the proxy (for example, for specific IP ranges or domains)?

Answered by DTS Engineer in 840517022
Written by AlexPuskas in 785252021
Is it correct that NWConnection always uses the system proxy if configured?

I wouldn’t consider that to be correct, but to a large extent my opinion doesn’t matter (-: If this is causing you grief, I encourage you to file a bug about it, explaining exactly what grief it’s causing you.

Please post your bug number, just for the record.

Written by AlexPuskas in 785252021
Does setting preferNoProxies = true guarantee bypassing the system proxy?

That’s what I’d expect, but it seems like you’re in an ideal position to try it out and let us know if you see anything different.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
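
One way to run the test suggested in the answer above, added here as an example that is not part of the original thread and is not Apple's code: open the outbound NWConnection with preferNoProxies set, then read the connection's establishment report to see whether a proxy was used anyway. The helper name `openDirectConnection`, the `ProxyCheck` struct and the sample host are hypothetical.

```swift
import Foundation
import Network

/// What the establishment report says about proxy use (hypothetical type).
struct ProxyCheck {
    let proxyConfigured: Bool      // a proxy configuration applied to this connection
    let usedProxy: Bool            // the connection actually went through a proxy
    let proxyEndpoint: NWEndpoint? // which proxy, if one was used
}

/// Hypothetical helper: connect with preferNoProxies = true and report
/// whether Network framework honoured it for this connection.
func openDirectConnection(host: String, port: UInt16,
                          queue: DispatchQueue = .global(),
                          completion: @escaping (Result<ProxyCheck, Error>) -> Void) -> NWConnection? {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else { return nil }

    let parameters = NWParameters.tcp
    parameters.preferNoProxies = true   // the setting asked about in the thread

    let connection = NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: parameters)
    connection.stateUpdateHandler = { [weak connection] state in
        switch state {
        case .ready:
            // The report is only available once the connection is established.
            connection?.requestEstablishmentReport(queue: queue) { report in
                guard let report = report else { return }
                completion(.success(ProxyCheck(proxyConfigured: report.proxyConfigured,
                                               usedProxy: report.usedProxy,
                                               proxyEndpoint: report.proxyEndpoint)))
            }
        case .failed(let error):
            completion(.failure(error))
        default:
            break
        }
    }
    connection.start(queue: queue)
    return connection   // caller keeps a reference and cancels it when done
}

// Constructed sample call; in the extension the host and port would come from the intercepted flow.
let probe = openDirectConnection(host: "example.com", port: 443) { result in
    if case .success(let check) = result, check.usedProxy {
        print("preferNoProxies was set, but the connection used proxy:",
              String(describing: check.proxyEndpoint))
    }
}
```

A `usedProxy` value of `true` here, together with the reported endpoint, is concrete evidence to attach to the bug report the answer asks for.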
