PAC File and Web Proxy Auto-Configuration (WPAD) HowTo

Hello! I posted an article a while back on how to use a web proxy to block unwanted content. While this is good and fun, we need an easy way to configure clients to use the proxy. In this article I will go over both PAC file deployments and WPAD deployments. We will use the example proxy server of 172.16.0.5:3128. Let’s go!

First a few common ways clients are configured to use a Web Proxy:

  • Manual configuration — The client manually enters the configuration data into each of their browsers to use the web proxy for each protocol (HTTP, HTTPS, FTP, etc.).
  • PAC File — A PAC (Proxy Auto-Configuration) file is a method where the client’s browser is configured with the location of the PAC file (via http:// or https://), which is then downloaded automatically.
  • WPAD — WPAD (Web Proxy Automatic Detection) is the automatic and transparent configuration of clients to send their web traffic to a proxy server. It is a deployment of PAC files using already existing network protocols, namely DNS or DHCP options.
  • GPO — GPO (Group Policy Object) deployments are primarily used in Windows domain environments. Users obtain the proxy configuration automatically through Group Policy Objects upon log-in. (Not covered in this article.)

The PAC File

A PAC file is nothing more than a text file containing JavaScript that tells a client’s browser where it should or should not send web traffic through the proxy. This lets you be selective about which destinations or sources a client sends to the proxy server. For example, if you have internal web sites or resources that should not be proxied, you can define those conditions in the PAC file.

function FindProxyForURL(url, host) {
        // Internal names under example.local are never sent to the proxy.
        if (shExpMatch(host, "*.example.local")) {
                return "DIRECT";
        }

        // Resolve once instead of once per isInNet() call. dnsResolve()
        // returns null when the name does not resolve; isInNet(null, ...)
        // is then false and the request falls through to the proxy below.
        var ip = dnsResolve(host);

        // RFC 1918 private ranges (10/8, 172.16/12, 192.168/16) and loopback go direct.
        if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(ip, "127.0.0.0", "255.255.255.0")) {
                return "DIRECT";
        }

        // Same private ranges when the browser was given an IP literal as the host.
        // 172.16.0.0/12 needs the mask 255.240.0.0; 255.255.240.0 would only cover 172.16.0.0/20.
        if (isInNet(host, "192.168.0.0", "255.255.0.0") ||
            isInNet(host, "172.16.0.0", "255.240.0.0") ||
            isInNet(host, "10.0.0.0", "255.0.0.0")) {
                return "DIRECT";
        }

        // Everything else goes through the proxy.
        return "PROXY 172.16.0.5:3128";
}

  • return {value} = the key statement that sends the web request either DIRECT (a direct connection) or to PROXY (a proxy server, given as host:port).
  • shExpMatch({host | url}, {expression to match}) = an expression function that matches the host (or URL) against a shell-style expression. Returns TRUE if a match is found, else returns FALSE.
  • host = the FQDN typed into the user’s browser. Ex. youtube.com
  • url = the complete URL typed into the user’s browser. Ex. http://youtube.com/video
  • isInNet({IP address}, {Network}, {Netmask}) = returns TRUE if the supplied host (see above) resolves to an IP address within the subnet, else returns FALSE.
  • dnsResolve({hostname}) = used to resolve hostnames to IP addresses.

For a List of PAC Functions, please visit http://findproxyforurl.com/pac-functions/
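Before publishing a PAC file it is worth checking its decisions offline. The following is an added example, not code from the original post: it stubs the helper functions a browser supplies (dnsResolve, isInNet, shExpMatch) over a constructed DNS table, runs the article's FindProxyForURL logic against it, and returns the decision per host. The host names and addresses in FAKE_DNS are assumptions made up for the test.

```javascript
// Constructed DNS table standing in for real resolution (assumption for the test).
const FAKE_DNS = {
  "intranet.example.local": "10.1.2.3",
  "printer": "172.20.0.9",          // inside 172.16.0.0/12 but outside 172.16.0.0/20
  "www.example.com": "93.184.216.34",
  "localhost": "127.0.0.1",
};

// Dotted quad -> unsigned 32-bit int, or null if the string is not an IPv4 address.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// dnsResolve(): IP literals resolve to themselves; unknown names give null, as in real PAC engines.
function dnsResolve(host) {
  if (ipToInt(host) !== null) return host;
  return FAKE_DNS[host] || null;
}

// isInNet(): takes an IP or a hostname (resolved first); false when nothing resolves.
function isInNet(hostOrIp, pattern, mask) {
  const ip = hostOrIp === null ? null : dnsResolve(hostOrIp);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// shExpMatch(): shell-style glob where only * and ? are wildcards.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// The article's PAC logic, with 172.16.0.0/12 masked as 255.240.0.0.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example.local")) return "DIRECT";
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") || isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") || isInNet(ip, "127.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return "PROXY 172.16.0.5:3128";
}

// Evaluate the PAC decision for each host; run this against a changed PAC file before deploying it.
function decisions(hosts) {
  return Object.fromEntries(hosts.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]));
}
```

The "printer" entry shows why the netmask matters: with 255.255.240.0 instead of 255.240.0.0, 172.20.0.9 would be sent to the proxy even though it is a private address.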

PAC File Deployments

A PAC file deployment requires a working PAC file, a server to host the file, and the user’s browser proxy settings configured to find the file. Using Firefox as the example and assuming the file proxy.pac is hosted at http://host.example.local/proxy.pac, the setting would be:

Firefox:

Internet Explorer:

WPAD Deployments (DNS and DHCP)

Much of how a Web Proxy Automatic Detection (WPAD) deployment behaves depends on the client browser’s implementation, meaning it really depends on how the WPAD code was written into the browser application. For example, the WPAD process in Firefox may differ from the one in Safari or Internet Explorer. For most browsers the process is as follows, for both the DNS and the DHCP type:

DNS Option
  1. The user’s browser checks whether Auto-Detect is enabled.
    Firefox:

    Internet Explorer:
  2. The user’s browser tries to resolve an A record for wpad using the default domain suffix the host belongs to (example.local), walking up the suffix one label at a time:
    1. Tries wpad.subdomain.example.local
    2. Tries wpad.example.local
    3. Tries wpad.local
    4. Tries wpad.
  3. On the first name that resolves, the user’s browser makes an HTTP request to that host for a file named wpad.dat, e.g.:
    http://wpad.subdomain.example.local/wpad.dat
  4. The file is retrieved and loaded into the user’s browser session!
DHCP Option 252

The DHCP method requires configuring the DHCP scope your users will be assigned from. A specific DHCP option, option 252 (a text string), is used for this. On your DHCP server, find the scope your users obtain an IP address from and add DHCP option 252 as a string type; the string value should be the URL at which the PAC file can be reached. For example,

Microsoft DHCP:
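To see which names step 2 of the DNS option actually queries and which URL step 3 ends up fetching, here is an added example that is not code from the original post: it walks the wpad candidates for a client FQDN exactly as listed above and, when the DHCP lease carries option 252, uses that URL instead. It assumes the client consults option 252 before the DNS walk, as Windows and Internet Explorer do (Firefox only performs the DNS walk), and uses a constructed DNS table (WPAD_DNS) as an assumption.

```javascript
// Constructed records standing in for the real network (assumptions for the test).
const WPAD_DNS = { "wpad.example.local": "172.16.0.7" };

// Step 2: the names tried, in order, dropping the leftmost label of the client's FQDN each time.
function wpadCandidates(clientFqdn) {
  const labels = clientFqdn.split(".").slice(1);   // drop the host's own label
  const names = [];
  while (labels.length > 0) {
    names.push("wpad." + labels.join("."));
    labels.shift();
  }
  names.push("wpad.");                            // last candidate in the list above
  return names;
}

// Steps 1-3: the wpad.dat URL the client would request, or null if discovery fails.
// dhcpOption252 is the string from the DHCP lease (null when the scope does not set it).
function discoverWpadUrl(clientFqdn, dhcpOption252, dnsTable, autoDetect = true) {
  if (!autoDetect) return null;                   // step 1: auto-detect disabled, nothing happens
  if (dhcpOption252) return dhcpOption252;        // DHCP answer is used as-is, no DNS walk
  for (const name of wpadCandidates(clientFqdn)) {
    if (dnsTable[name]) return "http://" + name + "/wpad.dat";   // step 3: first name that resolves
  }
  return null;                                    // nothing resolved: the browser stays unconfigured
}
```

Note how the walk continues past example.local to wpad.local and wpad.: every suffix in the list is a name the client will query if the earlier ones do not resolve, so the wpad record should exist in the suffix clients actually use.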

Other helpful links: