What is a PAC file?
A PAC file is a Proxy Auto Configuration file. It defines how web browsers access the internet and can automatically set parameters based on URL, service, source and destination. The language is JavaScript, and it is designed so that it can cater for any scenario.

How to implement?
Manual – Manually setting the file location in browser (see local testing below)
Enterprise wide – Set PAC file using something like group policy or similar
WPAD – Web Proxy Auto-Discovery Protocol (can also be set by Group Policy)

There are advantages and disadvantages to each of the above; which one to use depends on what suits your enterprise better.

Local Testing
Windows
You can set the PAC file locally and test it:
1. Copy the PROXY.PAC file to the C:\WINDOWS directory, or another directory of your choice.
2. In the browser proxy settings, set the Use Automatic Configuration Script URL. For Internet Explorer, use: file://c:/windows/proxy.pac

Linux
$ sudo apt-get install libpacparser1
$ cd /tmp/
$ wget http://pactester.googlecode.com/files/pactester-1.0.8.tar.gz
$ tar xvf pactester-1.0.8.tar.gz
$ mkdir $HOME/pactester
$ cd pactester-1.0.8/build/
$ ./install.sh $HOME/pactester

Usage:
pactester -p /path/to/proxy.pac.file -u url
pactester -p /path/to/proxy.pac.file -u url -c client.ip.address.here

Sample 1
Shows how to set internal network ranges for general bypass rules, how to set different proxy servers for different service types, and how to use multiple proxy servers for resilience.

function FindProxyForURL(url, host)
{
  if (isInNet(host, "192.0.0.0", "255.0.0.0")) { // defines internal LAN
    return "DIRECT"; // go direct if the host is within 192.0.0.0/255.0.0.0
  }
  else
  {
    if (shExpMatch(url, "http:*")) // use proxy for http protocol
      return "PROXY 192.168.0.1:8080; PROXY newvirtualproxy:8080; PROXY 192.168.0.1:8080";
    if (shExpMatch(url, "https:*")) // use proxy for https protocol
      return "PROXY 192.168.0.1:8080; PROXY newvirtualproxy:8080; PROXY 192.168.0.1:8080";
    if (shExpMatch(url, "ftp:*")) // use proxy for ftp protocol
      return "PROXY 192.168.0.1:8080; PROXY newvirtualproxy:8080; PROXY 192.168.0.1:8080";
    return "DIRECT"; // go direct if not http, https or ftp
  }
}

Sample 2

Shows how to set exclusions to the overall proxy rules based on specific URLs, and how to set network exclusion ranges.

function FindProxyForURL(url, host)
{
  if (isPlainHostName(host)) { return "DIRECT"; }
  if (shExpMatch(host, "127.*")) { return "DIRECT"; } // go direct for sites that start with 127.
  if (shExpMatch(host, "192.*")) { return "DIRECT"; } // go direct for sites that start with 192.
  if (shExpMatch(host, "testdomain.com")) { return "DIRECT"; } // example of url bypass
  if (shExpMatch(host, "my.sub.domain.testdomain.com")) { return "DIRECT"; } // example of url bypass
  if (shExpMatch(host, "*.secure.*")) { return "DIRECT"; } // example of url bypass
  if (shExpMatch(host, "portal.testdomain.com")) { return "DIRECT"; } // example of url bypass
  // Setting specific proxy for network ranges
  if (isInNet(myIpAddress(), "192.168.2.0", "255.255.255.0")) { return "PROXY 192.168.1.253:8080"; }
  // Setting specific proxy for network ranges
  if (isInNet(myIpAddress(), "10.0.2.0", "255.255.255.0")) { return "PROXY 10.0.2.253:8080"; }
  else
  {
    if (shExpMatch(host, "*.jp")) { return "DIRECT"; } // setting bypass for TLD .JP
    if (shExpMatch(host, "*.gmail.com")) { return "DIRECT"; } // setting bypass for everything Gmail
    return "PROXY proxy01.com:8080";
  }
}

Sample 3

Shows how to simplify the above using a different method.

function FindProxyForURL(url, host)
{
  if (isInNet(host, "192.0.0.0", "255.0.0.0")) { return "DIRECT"; } // networks to bypass & go direct
  else
  {
    if (shExpMatch(url, "http:*")) return "PROXY proxy01.com:8080"; // setting http proxy
    if (shExpMatch(url, "https:*")) return "PROXY proxy02.com:8080"; // setting https proxy
    if (shExpMatch(url, "ftp:*")) return "PROXY proxy03.com:8080"; // setting ftp proxy
    return "DIRECT";
  }
}
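
The bypass in Samples 1 and 3 uses the mask 255.0.0.0, which covers every 192.x.x.x address and not only the private 192.168.x.x range, so hosts in public 192.x space also go DIRECT. The following is an added example, not code from the original post: it reimplements isInNet and shExpMatch as simplified offline stand-ins (IP literals only, no DNS) and compares the Sample 3 rule with a tighter variant. The names pagePac, tightPac, byScheme and compare, the test hosts, and the choice of 192.168.0.0/255.255.0.0 as the internal LAN are assumptions.

```javascript
// Offline stand-ins for the browser's PAC helpers (assumption: IP literals only).
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some(n => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false; // a real browser resolves names via DNS
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

function shExpMatch(str, shexp) {
  // Translate the shell glob into an anchored regular expression.
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Per-scheme proxies, as in Sample 3.
function byScheme(url) {
  if (shExpMatch(url, "http:*")) return "PROXY proxy01.com:8080";
  if (shExpMatch(url, "https:*")) return "PROXY proxy02.com:8080";
  if (shExpMatch(url, "ftp:*")) return "PROXY proxy03.com:8080";
  return "DIRECT";
}

// Sample 3 as written: the bypass covers all of 192.0.0.0/8.
function pagePac(url, host) {
  return isInNet(host, "192.0.0.0", "255.0.0.0") ? "DIRECT" : byScheme(url);
}

// Tighter variant (assumption: the internal LAN is only 192.168.0.0/16).
function tightPac(url, host) {
  return isInNet(host, "192.168.0.0", "255.255.0.0") ? "DIRECT" : byScheme(url);
}

// Constructed hosts: a private address and a 192.x address outside 192.168.0.0/16.
function compare() {
  return ["192.168.5.5", "192.0.2.10"].map(host => ({
    host,
    page: pagePac("http://" + host + "/", host),
    tight: tightPac("http://" + host + "/", host),
  }));
}
```

The same stand-in shows that the "192.*" host pattern in Sample 2 is a string match, so shExpMatch("192.example.test", "192.*") is true and such a hostname would also bypass the proxy.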

Summary

These samples are meant to help others design and script their own PAC files. They show several different ways to do the same thing, giving you more granular flexibility for the bypass rules that are sometimes unavoidable. If you think about this now and plan a process for handling exclusions, even one based on groups in LDAP, it will save you time and effort in the future and add a level of resilience to the oh so sacred Internet Pipe!