WebPAC: A Proxy auto-config file generator

What’s a .PAC file?

A PAC file allows you to create custom rules for proxy settings in an intranet. All workstations can have their proxy settings centralized in one file, and you can set different proxies depending on IP address, URL or network.

Under the hood, it is basically a JavaScript file (with a .pac extension) that browsers load. Whenever the browser requests a new URL, the JavaScript function FindProxyForURL() runs, and its return value determines which proxy is used.

What will you need?

  • Webserver
  • Browser
  • Text editor
  • 2 cups of coffee – cappuccino recommended

1. Create your PAC file

Use our PAC file generator (Chrome/Firefox is recommended, might not work on IE):


If you run into any problem with our PAC file generator (except the IE thing), please let us know in the comments below!

Or you can use the following contents for this example:

function FindProxyForURL(url, host) {
	// All traffic uses the proxies below, in fail-over order.
	return "PROXY 192.168.1.1:8080; DIRECT";
}

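This very simple example sends every website the client tries to browse through the proxy at 192.168.1.1 on port 8080. The trailing DIRECT entry is the fail-over: if the proxy does not respond, the browser connects without it.

Save the contents in a file called proxy.pac.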
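Rules keyed on host name and network, as an added example (not the generator's output and not code from this article). It keeps the article's proxy 192.168.1.1:8080; the 192.168.1.0/24 subnet and the exempted domain host.com are assumptions, and the shim block exists only so the rules can be exercised under Node.

```javascript
// --- Node-only shims: simplified stand-ins for the helpers a browser gives
// --- PAC scripts, so the rules can be tested offline. Omit when deploying.
if (typeof shExpMatch === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  globalThis.shExpMatch = (str, glob) => {
    // Escape regex metacharacters, then translate the glob wildcards.
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                   .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
  const toInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
  // The real isInNet() also resolves host names; this shim takes IPv4 literals only.
  globalThis.isInNet = (host, net, mask) =>
    /^\d+(\.\d+){3}$/.test(host) &&
    ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// --- The PAC file itself ---
var PROXY = "PROXY 192.168.1.1:8080"; // proxy address from the article

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Names without a dot (e.g. "intranet") are internal: no proxy.
  if (isPlainHostName(host)) return "DIRECT";

  // Hosts on the local network (assumed subnet 192.168.1.0/24): no proxy.
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";

  // Exempted domain (placeholder). The pattern keeps its leading dot:
  // "*host.com" would also match unrelated names such as "nothost.com".
  if (host === "host.com" || shExpMatch(host, "*.host.com")) return "DIRECT";

  // Everything else goes to the proxy. No trailing "; DIRECT" here: that entry
  // tells the browser to connect without the proxy when the proxy is unreachable.
  return PROXY;
}
```

Matching on the host argument rather than on url keeps the exemption independent of scheme and path.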

2. Upload to your web server

Now upload this file to a web server accessible by the client. In this example, the file is reachable at the URL http://intranet/proxy.pac

If you wish to use WPAD (described below), you need to configure your web server to serve .pac files with a custom content type.

Create or edit the .htaccess file in the htdocs folder (or the web server document root) and add:

AddType application/x-ns-proxy-autoconfig .dat
AddType application/x-ns-proxy-autoconfig .pac

3. Setting the browser to use the PAC file

Edit your browser proxy configuration, as below (IE, Safari and Chrome on the left, Firefox on the right):

Here “http://intranet/proxy.pac” is a valid URL where you dropped your PAC file.

Setting the PAC file to all browsers using proxy auto-discovery

There is another protocol, called WPAD (Web Proxy Auto-Discovery Protocol), which is in charge of deploying the PAC file to browsers. Here is how it works:

  1. When the browser starts and “Automatic detect settings” is enabled, the browser will try to resolve a domain named wpad.
  2. The browser then tries to fetch a file on http://wpad/wpad.dat

To make this work, you need to create the wpad hostname on your DNS server and point it to the IP of a web server you control.

You can easily test if your domain is working by trying to ping wpad from a command prompt:


Not cool! wpad hostname not working so no auto-discovery for me.

 

You don’t have access to the DNS server but have access to the DHCP server? No problemo!

You can also use DHCP to force the PAC file to be read from a specific location (instead of http://wpad/wpad.dat). You just need to add these lines to your dhcpd.conf:

option local-pac-server code 252 = text;
option local-pac-server "http://intranet/proxy.pac";

In the example above, the browser will try to fetch the file from http://intranet/proxy.pac

Note that you can use IP addresses in the URL, for example http://192.168.1.1/proxy.pac; the browser doesn’t care.

How about Hacking?

In theory, if you can point the wpad hostname to your machine, you can control the proxy settings of a whole network of machines, make them point to a proxy you control, and monitor traffic or serve fake websites to victims.

It’s possible to achieve that using a DNS spoofing tool, such as ettercap.

Until I write a post about that, read this: http://www.mmgeeks.com/discussion/1038/dns-spoofing-with-ettercap/p1. You just need to change the DNS entry from “facebook.com” to simply “wpad”, and the IP address to the IP of your “rogue” web server that holds the PAC file (named wpad.dat).

Have fun!

 


2 Responses

  1. Daniel, October 25, 2011 at 6:42 am

    Hi,

    How about if I want to exempt a host?

    Do I put:
    shExpMatch(host, "*.host.com") ||

    And do I put this between the Specific URL section () tags?
    E.g:
    if (
    shExpMatch(url, "https://website.com*") ||
    shExpMatch(url, "https://website2.com*") ||
    shExpMatch(host, "*.host.com")
    )
