Proxy auto-config

From Wikipedia, the free encyclopedia
Configuration file for computer networking
This article is about the browser file. For other uses, see PAC.

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL.

A PAC file contains a JavaScript function FindProxyForURL(url, host). This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly.[1]

Multiple specifications provide a fallback when a proxy fails to respond. The browser fetches this PAC file before requesting other URLs. The URL of the PAC file is either configured manually or determined automatically by the Web Proxy Auto-Discovery Protocol.

Context


Modern web browsers implement several levels of automation; users can choose the level that is appropriate to their needs. The following methods are commonly implemented:

  • Automatic proxy selection: Specify a host-name and a port number to be used for all URLs. Most browsers allow you to specify a list of domains (such as localhost) that will bypass this proxy.
  • Proxy auto-configuration (PAC): Specify the URL for a PAC file with a JavaScript function that determines the appropriate proxy for each URL. This method is more suitable for laptop users who need several different proxy configurations, or complex corporate setups with many different proxies.
  • Web Proxy Auto-Discovery Protocol (WPAD): Let the browser guess the location of the PAC file through DHCP and DNS lookups.

History


The Proxy auto-config file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0[2] and is a text file that defines at least one JavaScript function.

The PAC file


By convention, the PAC file is normally named proxy.pac. The WPAD standard uses wpad.dat. The .pac file is expected to contain at least one function:

FindProxyForURL(url, host), with two arguments and a return value in a specific format:

  • url is the URL of the object
  • host is the host-name derived from that URL. Syntactically it is the same string as between :// and the first : or / after that.[3]
  • return "..." is a string of signatures in the following format (see examples below):[note 1]

    returnValue = type host,":",port,[{";",returnValue}];
    type        = "DIRECT" | "PROXY" | "SOCKS" | "HTTP" | "HTTPS" | "SOCKS4" | "SOCKS5"
    host        = UTF16String (* ECMA262-compatible UTF16 string *)
    port        = UTF16String (* Digits *)


To use it, a PAC file is published to an HTTP server, and client user agents are instructed to use it, either by entering the URL in the proxy connection settings of the browser or through the use of the WPAD protocol. The URL may also reference a local file, for example: file:///etc/proxy.pac.

Even though most clients will process the script regardless of the MIME type returned in the HTTP reply, for the sake of completeness and to maximize compatibility, the HTTP server should be configured to declare the MIME type of this file to be either application/x-ns-proxy-autoconfig or application/x-javascript-config.

There is little evidence to favor the use of one MIME type over the other. It would be, however, reasonable to assume that application/x-ns-proxy-autoconfig will be supported in more clients than application/x-javascript-config as it was defined in the original Netscape specification, the latter type coming into use more recently.

Example


A very simple example of a PAC file is:

    function FindProxyForURL(url, host) {
      return 'PROXY proxy.example.com:8080; DIRECT';
    }

This function instructs the browser to retrieve all pages through the proxy on port 8080 of the server proxy.example.com. Should this proxy fail to respond, the browser contacts the Web-site directly, without using a proxy. The latter may fail if firewalls, or other intermediary network devices, reject requests from sources other than the proxy—a common configuration in corporate networks.

A more complicated example demonstrates some available JavaScript functions to be used in the FindProxyForURL function:

    function FindProxyForURL(url, host) {
      // our local URLs from the domains below example.com don't need a proxy:
      if (shExpMatch(host, '*.example.com')) {
        return 'DIRECT';
      }

      // URLs within this network are accessed through
      // port 8080 on fastproxy.example.com:
      if (isInNet(host, '10.0.0.0', '255.255.248.0')) {
        return 'PROXY fastproxy.example.com:8080';
      }

      // All other requests go through port 8080 of proxy.example.com.
      // should that fail to respond, go directly to the WWW:
      return 'PROXY proxy.example.com:8080; DIRECT';
    }
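The following harness is an added example, not part of the original article or of any browser's code. It supplies simplified stand-ins for shExpMatch, isInNet and dnsResolve so the function above can be exercised offline and its routing decisions reviewed before deployment. The DNS table and the sample host names are constructed, and only IPv4 is handled.

```javascript
// Simplified stand-ins for the browser's PAC built-ins (assumption: IPv4 only).
// Constructed DNS table so the harness never touches the network.
const FAKE_DNS = { 'intranet.corp.test': '10.0.3.20', 'www.example.org': '203.0.113.10' };
const dnsResolve = (host) => FAKE_DNS[host] || null;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || '');
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// isInNet(host, pattern, mask): true when the host's address is inside the subnet.
// A host name is resolved first; an unresolvable name is never "in net".
function isInNet(host, pattern, mask) {
  const addr = ipToInt(host) ?? ipToInt(dnsResolve(host));
  const net = ipToInt(pattern), msk = ipToInt(mask);
  if (addr === null || net === null || msk === null) return false;
  return ((addr & msk) >>> 0) === ((net & msk) >>> 0);
}

// shExpMatch(str, glob): shell-style match where * is any run and ? is one char.
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// The article's second example, unchanged in logic.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, '*.example.com')) return 'DIRECT';
  if (isInNet(host, '10.0.0.0', '255.255.248.0')) return 'PROXY fastproxy.example.com:8080';
  return 'PROXY proxy.example.com:8080; DIRECT';
}

// Route a list of hosts and return host -> decision, for review or regression tests.
function routeAll(hosts) {
  return Object.fromEntries(hosts.map((h) => [h, FindProxyForURL('http://' + h + '/', h)]));
}

// Edge cases: the bare domain is not covered by '*.example.com', and the
// 255.255.248.0 mask covers 10.0.0.0 through 10.0.7.255 only.
console.log(routeAll(['www.example.com', 'example.com', '10.0.7.255', '10.0.8.1',
  'intranet.corp.test', 'www.example.org']));
```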

By default, the PROXY keyword means that a proxy corresponding to the protocol of the original request, be it http, https, or ftp, is used. Other supported keywords and proxy types include:

SOCKS
    Use a SOCKS proxy.
HTTP, HTTPS
    Introduced in more recent versions of Firefox. Specifies an HTTP(S) proxy.
SOCKS4, SOCKS5
    Introduced in more recent versions of Firefox. Specifies the SOCKS protocol version.

Limitations


PAC Character-Encoding


The encoding of PAC scripts is generally unspecified, and different browsers and network stacks have different rules for how PAC scripts may be encoded. In general, wholly ASCII PAC scripts will work with any browser or network stack. Mozilla Firefox 66 and later additionally supports PAC scripts encoded as UTF-8.[4]

DnsResolve


The function dnsResolve (and similar other functions) performs a DNS lookup that can block the browser for a long time if the DNS server does not respond.

myIpAddress


The myIpAddress function has often been reported to give incorrect or unusable results, e.g. 127.0.0.1, the IP address of the localhost.[5] It may help to remove from the system's hosts file (e.g. /etc/hosts on Linux) any lines referring to the machine host-name, while the line 127.0.0.1 localhost can, and should, stay.[citation needed]

Security


In 2013, researchers began warning about the security risks of proxy auto-config.[6] The threat involves using a PAC, discovered automatically by the system, to redirect the victim's browser traffic to an attacker-controlled server instead.

Another issue with PAC files is that the typical implementation involves cleartext HTTP retrieval, which does not include any security features such as code signing or web certificates. Attackers can easily perform man-in-the-middle attacks.
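One way to review a PAC deployment for the two risks above, as an added example that is not part of the original article: it parses a FindProxyForURL return string according to the return-value grammar given earlier, reports any proxy outside an approved list, and checks whether the PAC URL itself is fetched in cleartext. The approved list, the allowDirect policy flag, the sample results and the sample URL are assumptions constructed for illustration.

```javascript
// Added example; the approved-proxy list and policy flag are assumptions.
const TYPES = new Set(['DIRECT', 'PROXY', 'SOCKS', 'HTTP', 'HTTPS', 'SOCKS4', 'SOCKS5']);

// Returns the ordered fallback chain as [{type, host, port}]; throws on bad syntax.
function parsePacResult(result) {
  return result.split(';').map((s) => s.trim()).filter(Boolean).map((spec) => {
    const [type, target, ...extra] = spec.split(/\s+/);
    if (!TYPES.has(type) || extra.length) throw new Error('bad specification: ' + spec);
    if (type === 'DIRECT') {
      // DIRECT carries no host:port, as in the article's examples.
      if (target) throw new Error('DIRECT takes no host: ' + spec);
      return { type, host: null, port: null };
    }
    const m = /^(\[[0-9A-Fa-f:.]+\]|[^:\s]+):(\d{1,5})$/.exec(target || '');
    if (!m || Number(m[2]) > 65535) throw new Error('bad host:port in: ' + spec);
    return { type, host: m[1].toLowerCase(), port: Number(m[2]) };
  });
}

// Lists what a reviewer should see before a PAC file is deployed.
function auditPacResult(result, approved, allowDirect = false) {
  let chain;
  try { chain = parsePacResult(result); } catch (e) { return [e.message]; }
  const findings = chain.length ? [] : ['empty result'];
  for (const { type, host, port } of chain) {
    if (type === 'DIRECT') {
      if (!allowDirect) findings.push('DIRECT fallback bypasses the proxy');
    } else if (!approved.has(host + ':' + port)) {
      findings.push('unapproved proxy ' + host + ':' + port);
    }
  }
  return findings;
}

// Checks how the PAC file itself is delivered: cleartext http has no integrity.
function auditPacUrl(pacUrl) {
  const scheme = new URL(pacUrl).protocol.replace(':', '');
  if (scheme === 'https' || scheme === 'file') return [];
  return ['PAC fetched over ' + scheme + ', content can be altered in transit'];
}

// Constructed inputs: an approved list, a normal result, and an unexpected one.
const APPROVED = new Set(['proxy.example.com:8080', 'fastproxy.example.com:8080']);
console.log(auditPacResult('PROXY proxy.example.com:8080; DIRECT', APPROVED));
console.log(auditPacResult('PROXY 198.51.100.7:3128', APPROVED));
console.log(auditPacUrl('http://wpad.example.com/wpad.dat'));
```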

Old Microsoft problems


Caching of proxy auto-configuration results by domain name in Microsoft's Internet Explorer 5.5 or newer limits the flexibility of the PAC standard. In effect, you can choose the proxy based on the domain name, but not on the path of the URL. Alternatively, you need to disable caching of proxy auto-configuration results by editing the registry.[7]

It is recommended to always use IP addresses instead of host domain names in the isInNet function for compatibility with other Windows components which make use of the Internet Explorer PAC configuration, such as .NET 2.0 Framework. For example,

    if (isInNet(host, dnsResolve(sampledomain), '255.255.248.0')) {} // .NET 2.0 will resolve proxy properly
    if (isInNet(host, sampledomain, '255.255.248.0')) {} // .NET 2.0 will not resolve proxy properly

The current convention is to fail over to direct connection when a PAC file is unavailable.

Shortly after switching between network configurations (e.g. when entering or leaving a VPN), dnsResolve may give outdated results due to DNS caching.

For instance, Firefox usually keeps 20 domain entries cached for 60 seconds. This may be configured via the network.dnsCacheEntries and network.dnsCacheExpiration configuration variables. Flushing the system's DNS cache may also help, which can be achieved e.g. in Linux with sudo service dns-clean start or in Windows with ipconfig /flushdns.

On Internet Explorer 9, isInNet('localHostName', 'second.ip', '255.255.255.255') returns true and can be used as a workaround.

The myIpAddress function assumes that the device has a single IPv4 address. The results are undefined if the device has more than one IPv4 address or has IPv6 addresses.

Others


Further limitations are related to the JavaScript engine on the local machine.

Advanced functionality


More advanced PAC files can reduce load on proxies, perform load balancing, fail over, or even black/white listing before the request is sent through the network. One can return multiple proxies:

    return 'PROXY proxy1.example.com:80; PROXY proxy2.example.com:8080';

The above will try proxy1 first and if unavailable it will then try proxy2.

Notes

  1. ^ EBNF by W3C notation

References

  1. ^ "Proxy Auto-Configuration (PAC) file - HTTP | MDN". developer.mozilla.org. 2023-04-23. Retrieved 2023-07-02.
  2. ^ "Navigator Proxy Auto-Config File Format". Netscape Navigator Documentation. March 1996. Archived from the original on 2007-06-02. Retrieved 2013-07-05.
  3. ^ "Proxy Auto-Configuration (PAC) file - HTTP | MDN". 23 April 2023.
  4. ^ "Bug 1492938 - Proxy autoconfig scripts should be loaded as UTF-8 if they are valid UTF-8, otherwise as Latin-1 (a byte is a code point)". Retrieved 2019-04-10.
  5. ^ "Bug 347307 - Need a way to determine the best local IP address for PAC files to use". Retrieved 2022-04-18.
  6. ^ Lemos, Robert (2013-03-06). "Cybercriminals Likely To Expand Use Of Browser Proxies". Retrieved 2016-04-20.
  7. ^ "Microsoft KB 271361 - How to disable automatic proxy caching in Internet Explorer". Retrieved 2024-06-27.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Proxy_auto-config&oldid=1322261688"