WinHTTP AutoProxy Issues

Consider the following important issues when using the WinHTTP autoproxy feature.

Only One Proxy Server is Currently Supported

WinHTTP does not currently support proxy configurations that specify more than one proxy server. If WinHttpGetProxyForUrl returns a WINHTTP_PROXY_INFO structure that contains a list of proxy servers, which the application then sets on the request handle using the WINHTTP_OPTION_PROXY option, WinHTTP uses only the first proxy server in the list. If that proxy server is not accessible, WinHTTP does not fail over to any of the other proxy servers in the list. It is up to the application to handle this case by setting the WINHTTP_OPTION_PROXY option again with the next proxy server in the list, and resending the request.
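The failover the text leaves to the application, written here as an added example in portable C (not code from the page or from Microsoft's WinHTTP documentation): a splitter for the proxy list that WinHttpGetProxyForUrl returns in WINHTTP_PROXY_INFO.lpszProxy, and a loop that tries each server in turn. The send step is a constructed callback; the names parse_proxy_list, send_with_failover and demo_failover are assumptions, and on Windows the callback would set WINHTTP_OPTION_PROXY with WinHttpSetOption and resend the request.

```c
#include <string.h>
/* Bounded copy of WINHTTP_PROXY_INFO.lpszProxy, whose entries WinHTTP
 * separates with ';' or whitespace (the limits here are assumptions). */
#define MAX_PROXIES 8
#define MAX_ENTRY 128
typedef struct { char entries[MAX_PROXIES][MAX_ENTRY]; int count; } proxy_list;

/* Split "proxy1:8080;proxy2:8080 proxy3:3128" into single servers. A
 * scheme-prefixed entry such as "http=proxy:8080" is kept as-is because
 * WINHTTP_OPTION_PROXY accepts that form. Returns the entry count. */
int parse_proxy_list(const char *list, proxy_list *out) {
    char buf[1024];
    out->count = 0;
    if (list == NULL) return 0;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "; \t"); tok && out->count < MAX_PROXIES; tok = strtok(NULL, "; \t")) {
        strncpy(out->entries[out->count], tok, MAX_ENTRY - 1);
        out->entries[out->count][MAX_ENTRY - 1] = '\0';
        out->count++;
    }
    return out->count;
}

/* Application-supplied step. On Windows it would call
 * WinHttpSetOption(hRequest, WINHTTP_OPTION_PROXY, &info, sizeof info)
 * with info.lpszProxy naming this one server, then resend the request.
 * Nonzero means the request went through. */
typedef int (*send_via_proxy_fn)(const char *proxy, void *ctx);

/* The failover WinHTTP does not do itself: try each server in order and
 * return the index of the first that works, or -1 if every one fails. */
int send_with_failover(const proxy_list *list, send_via_proxy_fn send, void *ctx) {
    for (int i = 0; i < list->count; i++)
        if (send(list->entries[i], ctx)) return i;
    return -1;
}

/* Constructed stand-in for the send step: exactly one server (ctx) is down. */
static int fake_send(const char *proxy, void *ctx) {
    return strcmp(proxy, (const char *)ctx) != 0;
}

/* Parse a list, then run the failover against it with one server down. */
int demo_failover(const char *list, const char *down_server) {
    proxy_list pl;
    parse_proxy_list(list, &pl);
    return send_with_failover(&pl, fake_send, (void *)down_server);
}
```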

Security Risk Mitigation

Processing the proxy auto-configuration file requires executing downloaded script code. This raises a security concern: if the server on which the PAC file resides has been compromised, the PAC script code may be malicious. Therefore, WinHTTP uses the following precautions to protect the client:

  1. The script code is prevented from instantiating any ActiveX objects. This blocks a lot of potentially dangerous functionality, such as the ability to access files and to perform network I/O.
  2. Windows Server 2003: WinHttpGetProxyForUrl delegates the entire WPAD processing to an external out-of-process service, the WinHTTP Web Proxy Auto-Discovery service, which runs under the low-privileged Local Service built-in user account.
  3. Windows XP with SP2 and Windows Server 2003: A PAC script is not permitted to execute for longer than 60 seconds, after which script execution is terminated.
  4. Windows XP with SP2 and Windows Server 2003: WinHTTP rejects PAC files larger than 1MB. A typical PAC file is usually no more than a few kilobytes in size.

Be aware that processing the PAC script code requires the use of COM, because WinHTTP uses the Microsoft JScript component to execute the script. If WinHTTP cannot delegate WPAD protocol processing to an external, out-of-process Web Proxy Auto-Discovery service, WinHttpGetProxyForUrl loads the COM runtime within the application process for the duration of the call. If the application itself is already using COM, this should not be a concern.

Performance Considerations

The auto-detection process can be slow, possibly as long as several seconds. The WinHttpGetProxyForUrl and WinHttpDetectAutoProxyConfigUrl functions are blocking, synchronous functions. It could be that one particular auto-detection mechanism (such as DHCP) is much slower than the other (such as DNS). If both the WINHTTP_AUTO_DETECT_TYPE_DHCP and WINHTTP_AUTO_DETECT_TYPE_DNS_A auto-detection flags are specified, WinHTTP uses DHCP first, in accordance with the WPAD specification. If no PAC URL is discovered by issuing a DHCP request, then WinHTTP tries to locate the PAC file at a well-known DNS address.

WinHttpGetProxyForUrl uses the WinHTTP session handle parameter for caching the PAC file and the results of auto-detection. It is best to use the same session handle for multiple WinHttpGetProxyForUrl calls if possible, to avoid repeated PAC URL detection and file downloading. The PAC file is cached in memory only, and is discarded when the application closes the session handle.

Because of the performance impact of autoproxy, it is recommended that only desktop client applications or services use the feature; server-based applications should rely on the server administrator using the "ProxyCfg.exe" utility.


Reposted from blog.csdn.net/edger2heaven/article/details/45715821