{"id":1157,"date":"2017-10-11T18:44:16","date_gmt":"2017-10-11T22:44:16","guid":{"rendered":"https:\/\/infotechguy.net\/?p=1157"},"modified":"2022-08-26T09:44:32","modified_gmt":"2022-08-26T13:44:32","slug":"clientwebproxyautoconfiguration","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=1157","title":{"rendered":"PAC File and Web Proxy Auto-Configuration (WPAD) HowTo"},"content":{"rendered":"<p>Hello! I posted an article a while back on <a title=\"Squid 3.1 Caching Proxy with SSL\" href=\"https:\/\/infotechguy.net\/squid-3-1-caching-proxy-with-ssl\/\" target=\"_blank\" rel=\"noopener noreferrer\">how to use a web proxy to block unwanted content<\/a>. While this is good and fun, we need an easy way to configure clients to use the proxy. For this article I will go over both PAC file deployments and WPAD deployments. We will use the example proxy server <strong>172.16.0.5:3128<\/strong>. Let&#8217;s go!<\/p>\n<p>First, a few common ways clients are configured to use a web proxy:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\"><strong>Manual configuration<\/strong> &#8212; The user manually enters the proxy settings into each of their browsers for each protocol (HTTP, HTTPS, FTP, etc.).<\/span><\/li>\n<li><strong>PAC File<\/strong> &#8212; With a PAC (Proxy Auto-Configuration) file, the client&#8217;s browser is configured with the location of the PAC file, an http:\/\/ or https:\/\/ URL, and downloads it automatically.<\/li>\n<li><strong>WPAD<\/strong> &#8212; WPAD (Web Proxy Automatic Detection) is the automatic and transparent configuration of clients to send their web traffic to a proxy server. It deploys PAC files using already existing network protocols such as DNS or DHCP options.<\/li>\n<li><strong>GPO<\/strong> &#8212; GPO (Group Policy Object) deployments are primarily used in Windows Domain environments. 
Users obtain their proxy configuration automatically through these Group Policy Objects upon log-in (not covered in this article).<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>The PAC File<\/h3>\n<p>A PAC file is nothing more than a text file containing JavaScript-like logic that tells a client&#8217;s browser whether or not to send web traffic to the proxy. This lets you be selective about which destinations a client should or should not reach through the proxy server. For example, if you have internal web sites or resources that should not be proxied you can define those conditions in the PAC file.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\">function FindProxyForURL(url, host) {\n        \/\/ Internal domain: connect directly, bypassing the proxy\n        if (shExpMatch(host, \"*.example.local\")) {\n                return \"DIRECT\";\n        }\n\n        \/\/ Hostname resolves to a private (RFC 1918) or loopback address\n        if (isInNet(dnsResolve(host), \"10.0.0.0\", \"255.0.0.0\") ||\n            isInNet(dnsResolve(host), \"172.16.0.0\",  \"255.240.0.0\") ||\n            isInNet(dnsResolve(host), \"192.168.0.0\", \"255.255.0.0\") ||\n            isInNet(dnsResolve(host), \"127.0.0.0\", \"255.0.0.0\")) {\n                return \"DIRECT\";\n        }\n        \/\/ Host given as a literal private IP address\n        if (isInNet(host,\"192.168.0.0\", \"255.255.0.0\") ||\n            isInNet(host,\"172.16.0.0\", \"255.240.0.0\") ||\n            isInNet(host,\"10.0.0.0\", \"255.0.0.0\")) {\n                return \"DIRECT\";\n        }\n\n    \/\/ Everything else goes through the proxy\n    return \"PROXY 172.16.0.5:3128\";\n\n}<\/pre>\n<p>&nbsp;<br \/>\n<strong style=\"font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;\"><br \/>\nreturn {value}<\/strong><span style=\"font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;\"> = the statement that decides where the web request is sent: DIRECT for direct connections, or PROXY for a proxy server<\/span><\/p>\n<p><strong>shExpMatch({host | url}, {expression to match})<\/strong> = An expression function that will match the host entered to an 
expression. Returns TRUE if a match is found, else returns FALSE.<br \/>\n<strong>host<\/strong> = the FQDN typed into the User&#8217;s browser. <em>Ex.<\/em> <em>youtube.com<\/em><br \/>\n<strong>url<\/strong> = the complete URL typed into the User&#8217;s browser. <em>Ex. http:\/\/youtube.com\/video<\/em><br \/>\n<strong>isInNet({IP address}, {Network}, {Netmask})<\/strong> = isInNet will return TRUE if the supplied host (see above) resolves to an IP address within the subnet, else it will return FALSE.<br \/>\n<strong>dnsResolve({hostname})<\/strong> = Used to resolve hostnames to IP addresses.<\/p>\n<p>For a <strong>List of PAC Functions<\/strong>, please visit <a href=\"http:\/\/findproxyforurl.com\/pac-functions\/\">http:\/\/findproxyforurl.com\/pac-functions\/<\/a><\/p>\n<h3>PAC File Deployments<\/h3>\n<p>A PAC file deployment requires a working PAC file, a server to host the file, and the User&#8217;s browser proxy settings configured to find the file. Using Firefox as the example and assuming the file <strong>proxy.pac<\/strong> is hosted at <strong>http:\/\/host.example.local\/proxy.pac<\/strong>, it would be:<\/p>\n<p><strong>Firefox:<\/strong><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-firefox.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3260\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-firefox-300x296.png\" alt=\"\" width=\"450\" height=\"444\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-firefox-300x296.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-firefox.png 731w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><\/p>\n<p><strong>Internet Explorer:<\/strong><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-ie.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3262\" 
src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-ie-233x300.png\" alt=\"\" width=\"450\" height=\"579\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-ie-233x300.png 233w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/pac-ie.png 416w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>WPAD Deployments (DNS and DHCP)<\/h3>\n<p>How a Web Proxy Automatic Detection (WPAD) deployment behaves depends largely on the client browser&#8217;s implementation, that is, on how WPAD support was written into the browser application. For example, the WPAD process in Firefox or Safari may be different than it is in Internet Explorer. For most browsers, the process for the DNS and DHCP types is as follows:<\/p>\n<h6><strong>DNS Option<\/strong><\/h6>\n<ol>\n<li>User&#8217;s browser checks if Auto-Detect is enabled.<br \/>\n<strong>Firefox:<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Firefox-auto-detect.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3264\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Firefox-auto-detect-300x90.png\" alt=\"\" width=\"450\" height=\"134\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Firefox-auto-detect-300x90.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Firefox-auto-detect.png 687w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><br \/>\n<\/strong><br \/>\n<strong>Internet Explorer:<\/strong><br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/IE-auto-detect.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3265\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/IE-auto-detect-300x232.png\" alt=\"\" width=\"450\" height=\"349\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/IE-auto-detect-300x232.png 300w, 
https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/IE-auto-detect.png 395w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><\/li>\n<li>User&#8217;s browser tries to resolve the A record of <strong>wpad<\/strong> using the default domain suffix the host belongs to (example.local)\n<ol>\n<li>Tries <strong>wpad.subdomain.example.local<\/strong><\/li>\n<li>Tries <strong>wpad.example.local<\/strong><\/li>\n<li>Tries <strong>wpad.local<\/strong><\/li>\n<li>Tries <strong>wpad.<\/strong><\/li>\n<\/ol>\n<\/li>\n<li>On the first name that resolves, the User&#8217;s browser will then make an HTTP request to that host for a file named <strong>wpad.dat<\/strong><br \/>\n<strong>http:\/\/wpad.subdomain.example.local\/wpad.dat<\/strong><\/li>\n<li>The file is retrieved and loaded into the User&#8217;s browser session!<\/li>\n<\/ol>\n<h6>DHCP Option 252<\/h6>\n<p>The DHCP method requires configuration of the DHCP scope that your Users will use. A specific DHCP option, option 252 (a text string), is used for this. On your DHCP server, find the scope your Users will be assigned an IP address from and add <strong>DHCP option 252<\/strong> as type string. The string value should be the URL to reach the PAC file. 
For example,<\/p>\n<p><strong>Microsoft DHCP:<\/strong><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/DHCP-option252.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3267\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/DHCP-option252-281x300.png\" alt=\"\" width=\"450\" height=\"481\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/DHCP-option252-281x300.png 281w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/DHCP-option252.png 412w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><\/p>\n<p><strong>Other helpful links:<\/strong><\/p>\n<ul>\n<li><a href=\"http:\/\/wiki.squid-cache.org\/Technology\/WPAD\">http:\/\/wiki.squid-cache.org\/Technology\/WPAD<\/a><\/li>\n<li><a href=\"http:\/\/wiki.squid-cache.org\/Technology\/WPAD\/DNS\">http:\/\/wiki.squid-cache.org\/Technology\/WPAD\/DNS<\/a><\/li>\n<li><a href=\"http:\/\/support.microsoft.com\/kb\/934864\">http:\/\/support.microsoft.com\/kb\/934864<\/a><\/li>\n<li><a href=\"http:\/\/techlib.barracuda.com\/display\/WSFLEXv41\/How+to+Configure+Proxy+Settings+Using+PAC+Files+and+WPAD\">http:\/\/techlib.barracuda.com\/display\/WSFLEXv41\/How+to+Configure+Proxy+Settings+Using+PAC+Files+and+WPAD<\/a><\/li>\n<li><a href=\"https:\/\/mikewest.org\/2007\/01\/auto-configuring-proxy-settings-with-a-pac-file\">https:\/\/mikewest.org\/2007\/01\/auto-configuring-proxy-settings-with-a-pac-file<\/a><\/li>\n<li><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc995158.aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/cc995158.aspx<\/a><\/li>\n<li><a href=\"http:\/\/findproxyforurl.com\/troubleshooting-pac-wpad\/\">http:\/\/findproxyforurl.com\/troubleshooting-pac-wpad\/<\/a><\/li>\n<li><a 
href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/web_security\/connector\/connector3000\/WPADAP.html\">https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/web_security\/connector\/connector3000\/WPADAP.html<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hello! I posted an article a while back on how to use a web proxy to block unwanted content. While this is good and fun, we need an easy way to configure clients to use&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[86,130],"class_list":["post-1157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-linux","tag-windows"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1157"}],"version-history":[{"count":1,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1157\/revisions"}],"predecessor-version":[{"id":4142,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1157\/revisions\/4142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4268"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&
post=1157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}