PAC, or proxy auto-configuration, files automatically configure browser proxy settings when the browser's proxy 'configuration from a file' setting is enabled and pointed at the specific proxy file. A proxy PAC file contains javascript code. Configuring Internet Explorer to Use a PAC File To redirect your web traffic to the Zscaler cloud, you can configure your browser to use a Proxy Auto-Configuration (PAC) file. A PAC file is a text file that directs a browser to forward traffic to a proxy server before going to the destination server. To use PAC, you publish a PAC file on a web server and instruct a user agent to use it, either by entering the URL in the proxy connection settings of your web browser or through the use of the Web Proxy Autodiscovery Protocol (WPAD).
A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function:
Syntax
Parameters
- url
- The URL being accessed. The path and query components of
https://
URLs are stripped. In Chrome, you can disable this by settingPacHttpsUrlStrippingEnabled
tofalse
, in Firefox the preference isnetwork.proxy.autoconfig_url.include_path
. - host
- The hostname extracted from the URL. This is only for convenience; it is the same string as between :// and the first : or / after that. The port number is not included in this parameter. It can be extracted from the URL when necessary.
Description
Returns a string describing the configuration. The format of this string is defined in return value format below.
Return value format
- The JavaScript function returns a single string
- If the string is null, no proxies should be used
- The string can contain any number of the following building blocks, separated by a semicolon:
- DIRECT
- Connections should be made directly, without any proxies
- PROXY host:port
- The specified proxy should be used
- SOCKS host:port
- The specified SOCKS server should be used
Recent versions of Firefox support as well:
- HTTP host:port
- The specified proxy should be used
- HTTPS host:port
- The specified HTTPS proxy should be used
- SOCKS4 host:port
- SOCKS5 host:port
- The specified SOCKS server (with the specified SOCK version) should be used
If there are multiple semicolon-separated settings, the left-most setting will be used, until Firefox fails to establish the connection to the proxy. In that case, the next value will be used, etc.
The browser will automatically retry a previously unresponsive proxy after 30 minutes. Additional attempts will continue beginning at one hour, always adding 30 minutes to the elapsed time between attempts.
If all proxies are down, and there was no DIRECT option specified, the browser will ask if proxies should be temporarily ignored, and direct connections attempted. After 20 minutes, the browser will ask if proxies should be retried, asking again after an additional 40 minutes. Queries will continue, always adding 20 minutes to the elapsed time between queries.
Examples
- PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081
- Primary proxy is w3proxy:8080; if that goes down start using mozilla:8081 until the primary proxy comes up again.
- PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081; DIRECT
- Same as above, but if both proxies go down, automatically start making direct connections. (In the first example above, Netscape will ask user confirmation about making direct connections; in this case, there is no user intervention.)
- PROXY w3proxy.netscape.com:8080; SOCKS socks:1080
- Use SOCKS if the primary proxy goes down.
The auto-config file should be saved to a file with a .pac filename extension:
And the MIME type set to:
Next, you should configure your server to map the .pac filename extension to the MIME type.
Notes:
- The JavaScript function should always be saved to a file by itself and not be embedded in HTML.
- The examples at the end of this document are complete. There is no additional syntax needed to save it into a file and use it. (Of course, the JavaScripts must be edited to reflect your site's domain name and/or subnets.)
Predefined functions and environment
These functions can be used in building the PAC file:
- Hostname based conditions
- Related utility functions
- URL/hostname based conditions
- Time based conditions
- There is one associative array already defined (because a JavaScript currently cannot define them on its own):
- ProxyConfig.bindings
Note: pactester (part of the pacparser package) was used to test the following syntax examples.
- The PAC file is named proxy.pac
- Command line:
pactester -p ~/pacparser-master/tests/proxy.pac -u http://www.mozilla.org
This command passes the host parameter www.mozilla.org and the url parameter http://www.mozilla.org.
isPlainHostName()
Syntax
Parameters
- host
- The hostname from the URL (excluding port number).
Description
True if and only if there is no domain name in the hostname (no dots).
Examples
dnsDomainIs()
Syntax
Parameters
- host
- Is the hostname from the URL.
- domain
- Is the domain name to test the hostname against.
Description
Returns true if and only if the domain of hostname matches.
Examples
localHostOrDomainIs()
Syntax
Parameters
- host
- The hostname from the URL.
- hostdom
- Fully qualified hostname to match against.
Description
Is true if the hostname matches exactly the specified hostname, or if there is no domain name part in the hostname, but the unqualified hostname matches.
Examples
isResolvable()
Syntax
Parameters
host- is the hostname from the URL.
Tries to resolve the hostname. Returns true if succeeds.
Examples:
isInNet()
Syntax
Parameters
host- a DNS hostname, or IP address. If a hostname is passed, it will be resolved into an IP address by this function.
- pattern
- an IP address pattern in the dot-separated format.
- mask
- mask for the IP address pattern informing which parts of the IP address should be matched against. 0 means ignore, 255 means match.
True if and only if the IP address of the host matches the specified IP address pattern.
Pattern and mask specification is done the same way as for SOCKS configuration.
Examples:
dnsResolve()
Parameters
host- hostname to resolve.
Resolves the given DNS hostname into an IP address, and returns it in the dot-separated format as a string.
Example
convert_addr()
Syntax
Parameters
ipaddr- Any dotted address such as an IP address or mask.
Concatenates the four dot-separated bytes into one 4-byte word and converts it to decimal.
Example
myIpAddress()
Syntax
Parameters
(none)
Returns the server IP address of the machine Firefox is running on, as a string in the dot-separated integer format.
myIpAddress() returns the same IP address as the server address returned by
nslookup localhost
on a Linux machine. It does not return the public IP address.Example
dnsDomainLevels()
Syntax
Parameters
host- is the hostname from the URL.
Returns the number (integer) of DNS domain levels (number of dots) in the hostname.
Examples:
shExpMatch()
Syntax
Parameters
str- is any string to compare (e.g. the URL, or the hostname).
- shexp
- is a shell expression to compare against.
Returns true if the string matches the specified shell expression.
Currently, the patterns are shell expressions, not regular expressions.
Examples
weekdayRange()
File Explorer
Syntax
Note: (Before Firefox 49) wd1 must be less than wd2 if you want the function to evaluate these parameters as a range. See the warning below.
Parameters
- wd1 and wd2
- One of the ordered weekday strings:
- gmt
- Is either the string 'GMT' or is left out.
Only the first parameter is mandatory. Either the second, the third, or both may be left out.
If only one parameter is present, the function returns a value of true on the weekday that the parameter represents. If the string 'GMT' is specified as a second parameter, times are taken to be in GMT. Otherwise, they are assumed to be in the local timezone.
If both wd1 and wd1 are defined, the condition is true if the current weekday is in between those two ordered weekdays. Bounds are inclusive, but the bounds are ordered. If the 'GMT' parameter is specified, times are taken to be in GMT. Otherwise, the local timezone is used.
The order of the days matter; Before Firefox 49,
weekdayRange('SUN', 'SAT')
will always evaluate to true. Now weekdayRange('WED', 'SUN')
will only evaluate true if the current day is Wednesday or Sunday.Examples
dateRange()
Syntax
Note: (Before Firefox 49) day1 must be less than day2, month1 must be less than month2, and year1 must be less than year2 if you want the function to evaluate these parameters as a range. See the warning below.
Parameters
- day
- Is the ordered day of the month between 1 and 31 (as an integer).
- month
- Is one of the ordered month strings below.
- year
- Is the ordered full year integer number. For example, 2016 (not 16).
- gmt
- Is either the string 'GMT', which makes time comparison occur in GMT timezone, or is left out. If left unspecified, times are taken to be in the local timezone.
If only a single value is specified (from each category: day, month, year), the function returns a true value only on days that match that specification. If both values are specified, the result is true between those times, including bounds, but the bounds are ordered.
The order of the days, months, and years matter; Before Firefox 49,
dateRange('JAN', 'DEC')
will always evaluate to true
. Now dateRange('DEC', 'JAN')
will only evaluate true if the current month is December or January.Examples
timeRange()
Syntax
Note: (Before Firefox 49) the category hour1, min1, sec1 must be less than the category hour2, min2, sec2 if you want the function to evaluate these parameters as a range. See the warning below.
Parameters
- hour
- Is the hour from 0 to 23. (0 is midnight, 23 is 11 pm.)
- min
- Minutes from 0 to 59.
- sec
- Seconds from 0 to 59.
- gmt
- Either the string 'GMT' for GMT timezone, or not specified, for local timezone.
If only a single value is specified (from each category: hour, minute, second), the function returns a true value only at times that match that specification. If both values are specified, the result is true between those times, including bounds, but the bounds are ordered.
The order of the hour, minute, second matter; Before Firefox 49,
timeRange(0, 23)
will always evaluate to true. Now timeRange(23, 0)
will only evaluate true if the current hour is 23:00 or midnight.Examples
Example 1
Use proxy for everything except local hosts
Note: Since all of the examples that follow are very specific, they have not been tested.
All hosts which aren't fully qualified, or the ones that are in local domain, will be connected to directly. Everything else will go through w3proxy:8080. If the proxy goes down, connections become direct automatically:
Note: This is the simplest and most efficient autoconfig file for cases where there's only one proxy.
Example 2
As above, but use proxy for local servers which are outside the firewall
If there are hosts (such as the main Web server) that belong to the local domain but are outside the firewall and are only reachable through the proxy server, those exceptions can be handled using the
localHostOrDomainIs()
function:The above example will use the proxy for everything except local hosts in the mozilla.org domain, with the further exception that hosts www.mozilla.org and merchant.mozilla.org will go through the proxy.
Note the order of the above exceptions for efficiency: localHostOrDomainIs() functions only get executed for URLs that are in local domain, not for every URL. Be careful to note the parentheses around the or expression before the and expression to achieve the above-mentioned efficient behaviour.
Example 3
Use proxy only if cannot resolve host
This example will work in an environment where the internal DNS server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable:
The above requires consulting the DNS every time; it can be grouped intelligently with other rules so that DNS is consulted only if other rules do not yield a result:
Example 4
Subnet based decisions
In this example all of the hosts in a given subnet are connected-to directly, others are connected through the proxy:
Again, use of the DNS server in the above can be minimized by adding redundant rules in the beginning:
Example 5
Load balancing/routing based on URL patterns
This example is more sophisticated. There are four (4) proxy servers; one of them is a hot stand-by for all of the other ones, so if any of the remaining three goes down the fourth one will take over. Furthermore, the three remaining proxy servers share the load based on URL patterns, which makes their caching more effective (there is only one copy of any document on the three servers -- as opposed to one copy on each of them). The load is distributed like this:
Proxy | Purpose |
---|---|
#1 | .com domain |
#2 | .edu domain |
#3 | all other domains |
#4 | hot stand-by |
All local accesses are desired to be direct. All proxy servers run on the port 8080 (they don't need to). Note how strings can be concatenated with the + operator in JavaScript.
Example 6
Setting a proxy for a specific protocol
Most of the standard JavaScript functionality is available for use in the FindProxyForURL() function. As an example, to set different proxies based on the protocol the substring() function can be used:
Note: The same can be accomplished using the shExpMatch() function described earlier.
For example:
The autoconfig file can be output by a CGI script. This is useful, for example, when making the autoconfig file act differently based on the client IP address (the REMOTE_ADDR environment variable in CGI).
Use of
isInNet()
, isResolvable()
and dnsResolve()
functions should be carefully considered, as they require the DNS server to be consulted. All the other autoconfig-related functions are mere string-matching functions that don't require the use of a DNS server. Mcmyadmin professional licence key. If a proxy is used, the proxy will perform its DNS lookup which would double the impact on the DNS server. Most of the time these functions are not necessary to achieve the desired result. (Redirected from Proxy.pac)
A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL.
A PAC file contains a JavaScriptfunction “
FindProxyForURL(url, host)
”. This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly.Multiple specifications provide a fall-back when a proxy fails to respond. The browser fetches this PAC file before requesting other URLs. The URL of the PAC file is either configured manually or determined automatically by the Web Proxy Autodiscovery Protocol.
- 2The PAC File
- 2.1Limitations
Context[edit]
Modern web browsers implement several levels of automation; users can choose the level that is appropriate to their needs. The following methods are commonly implemented:
- Automatic proxy selection: Specify a host-name and a port number to be used for all URLs. Most browsers allow you to specify a list of domains (such as
localhost
) that will bypass this proxy. - Proxy auto-configuration (PAC): Specify the URL for a PAC file with a JavaScript function that determines the appropriate proxy for each URL. This method is more suitable for laptop users who need several different proxy configurations, or complex corporate setups with many different proxies.
- Web Proxy Autodiscovery Protocol (WPAD): Let the browser guess the location of the PAC file through DHCP and DNS lookups.
The PAC File[edit]
The Proxy auto-config file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0[1] and is a text file that defines at least one JavaScript function,
FindProxyForURL(url, host)
, with two arguments: url
is the URL of the object and host
Cara video di youtube ke flash disk kingston. is the host-name derived from that URL. Syntactically it is the same string as between ://
and the first :
or /
after that.[2]By convention, the PAC file is normally named
proxy.pac
. The WPAD standard uses wpad.dat
.To use it, a PAC file is published to a HTTP server, and client user agents are instructed to use it, either by entering the URL in the proxy connection settings of the browser or through the use of the WPAD protocol. The URL may also reference a local file as for example:
file:///etc/proxy.pac
.Even though most clients will process the script regardless of the MIME type returned in the HTTP reply, for the sake of completeness and to maximize compatibility, the HTTP server should be configured to declare the MIME type of this file to be either
application/x-ns-proxy-autoconfig
or application/x-javascript-config
.There is little evidence to favor the use of one MIME type over the other. It would be, however, reasonable to assume that
application/x-ns-proxy-autoconfig
will be supported in more clients than application/x-javascript-config
as it was defined in the original Netscape specification, the latter type coming into use more recently.A very simple example of a PAC file is:
This function instructs the browser to retrieve all pages through the proxy on port 8080 of the server
proxy.example.com
. Should this proxy fail to respond, the browser contacts the Web-site directly, without using a proxy. The latter may fail if firewalls, or other intermediary network devices, reject requests from sources other than the proxy—a common configuration in corporate networks.A more complicated example demonstrates some available JavaScript functions to be used in the FindProxyForURL function:
Limitations[edit]
PAC Character-Encoding[edit]
Pac File Browser Configuration Windows 10
The encoding of PAC scripts is generally unspecified, and different browsers and network stacks have different rules for how PAC scripts may be encoded. In general, wholly ASCII PAC scripts will work with any browser or network stack. Mozilla Firefox 66 and later additionally supports PAC scripts encoded as UTF-8.[3]
DnsResolve
[edit]
The function
dnsResolve
(and similar other functions) performs a DNS lookup that can block the browser for a long time if the DNS server does not respond.myIpAddress
[edit]
The
myIpAddress
function has often been reported to give incorrect or unusable results, e.g. 127.0.0.1
, the IP address of the localhost.It may help to remove on the system's host file (e.g. /etc/hosts
on Linux) any lines referring to the machine host-name, while the line 127.0.0.1 localhost
can, and should, stay.Security[edit]
In 2013, researchers began warning about the security risks of proxy auto-config.[4] The threat involves using a PAC to redirect the victim's browser traffic to an attacker-controlled server instead.
Old Microsoft problems[edit]
Caching of proxy auto-configuration results by domain name in Microsoft's Internet Explorer 5.5 or newer limits the flexibility of the PAC standard. In effect, you can choose the proxy based on the domain name, but not on the path of the URL. Alternatively, you need to disable caching of proxy auto-configuration results by editing the registry, a process described by de Boyne Pollard (listed in further reading).
It is recommended to always use IP addresses instead of host domain names in the
isInNet
function for compatibility with other Windows components which make use of the Internet Explorer PAC configuration, such as .NET 2.0 Framework. For example,The current convention is to fail over to direct connection when a PAC file is unavailable.
Shortly after switching between network configurations (e.g. when entering or leaving a VPN),
dnsResolve
may give outdated results due to DNS caching.For instance, Firefox usually keeps 20 domain entries cached for 60 seconds. This may be configured via the
network.dnsCacheEntries
and network.dnsCacheExpiration
configuration variables. Flushing the system's DNS cache may also help, which can be achieved e.g. in Linux with sudo service dns-clean start or in Windows with ipconfig /flushdns.On Internet Explorer 9,
isInNet('localHostName', 'second.ip', '255.255.255.255')
returns true
and can be used as a workaround.File Browser Add Boot Option
The
myIpAddress
function assumes that the device has a single IPv4 address. The results are undefined if the device has more than one IPv4 address or has IPv6 addresses.Others[edit]
Further limitations are related to the JavaScript engine on the local machine.
Apple OS X v10.10 and above operating system in some cases can ignore .pac file to use it in native Cocoa apps such as Safari web browser.[5]
Advanced functionality[edit]
More advanced PAC files can reduce load on proxies, perform load balancing, fail over, or even black/white listing before the request is sent through the network.One can return multiple proxies:
References[edit]
- ^'Navigator Proxy Auto-Config File Format'. Netscape Navigator Documentation. March 1996. Archived from the original on 2007-06-02. Retrieved 2013-07-05.
- ^https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file
- ^'Bug 1492938 - Proxy autoconfig scripts should be loaded as UTF-8 if they are valid UTF-8, otherwise as Latin-1 (a byte is a code point)'. Retrieved 2019-04-10.
- ^Lemos, Robert (2013-03-06). 'Cybercriminals Likely To Expand Use Of Browser Proxies'. Retrieved 2016-04-20.
- ^'Safari and several other apps won't connect to proxy server'. CERN.
Further reading[edit]
de Boyne Pollard, Jonathan (2004). 'Automatic proxy HTTP server configuration in web browsers'. Frequently Given Answers. Retrieved 2013-07-05.
External links[edit]
- 'Proxy Auto-Configuration (PAC) file'. 2019-01-27.
- 'Using the Client Autoconfiguration File'. Netscape Proxy Server Administrator's Guide: Chapter 11. 1998-02-25. Archived from the original on 2004-08-10.
- 'Chapter 26 - Using Automatic Configuration, Automatic Proxy, and Automatic Detection'. Microsoft TechNet. Retrieved 2013-07-05.
- 'Proxy Auto Config for Firefox (PAC). Fully working examples including anti-ad and anti-adult filter rules'. 2012-05-12.
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Proxy_auto-config&oldid=912097162'