A PAC file contains some JavaScript code that lets your browser know what route it has to take to connect to different sites on the Internet. For most home users, the browser normally connects directly to a web site. However, it's also possible to have the browser connect to a "proxy" computer that gets the web content and passes it back to your browser. If you connect through a proxy, the proxy can act as an intelligent "man in the middle", blocking pornography and viruses. Sounds great, huh? What's the catch? Well, the companies that control proxy servers usually charge you money to use those proxy servers. That takes all the fun out of it...
Wikipedia PAC file definition
How to create/edit a PAC file?
Use a plain-text editor like Notepad in Windows or TextEdit on a Mac. Here are a few (tame) lines from the PAC file:
BadURL_Parts[i++] = "sex";
BadURL_Parts[i++] = "porn";
BadURL_Parts[i++] = "bitch";
You probably have no problem figuring out how to modify those words to suit your own needs.
Where does the proxy.pac file get installed?
If you place the file locally: most people who discuss PAC files are kind of vague about where to put them or what to name them. I'm going to be specific. The PAC file should be named "proxy" with no file extension and it should be in the same folder as your "hosts" file. Why? This puts it in a folder normally reserved for system files (which is good, because this is a system file), the lack of a file extension makes it look like all the other files there (so it won't attract attention), and the lack of a file extension makes it difficult for kids to open. The folder we are discussing is located here:
XP: C:\Windows\system32\drivers\etc\
2000: C:\WINNT\system32\drivers\etc\
98/ME: C:\Windows\
To set it in your browser configuration: in the Internet Explorer menu, select "Tools", then "Internet Options", then go to the "Connections" tab. Click the "Settings..." or "LAN Settings..." button depending on whether you have broadband or a dialup connection. If you aren't sure, you can do both.
Check the "Use automatic configuration script" box and enter the location of your PAC file. You must use the "file://" protocol when specifying your file location. It's a little awkward to type in because all the slashes go the "wrong way", but when you get done, you should have something like this:
XP: file://C:/Windows/system32/drivers/etc/proxy
2000: file://C:/WINNT/system32/drivers/etc/proxy
98/ME: file://C:/Windows/proxy
Set up a dummy proxy server to test
The only reason you may need to do this is if you use this PAC file solution on something other than IE, Firefox, or Mozilla. If you do, and if that other application seems to hang, you may need to get a real proxy server. Another reason to set up a dummy server is if you don't like to see error messages in your web pages! The simplest proxy server is "Homer".
The great thing about Homer is that it returns a blank image to replace the ad or porn image that might have originally displayed. This stops the error from being displayed and gives you "nothing" in return. It also has a log to show you what URLs are being blocked.
Homer.zip
pactester-pacparser-1.0.8-1.0.4-win32.zip
Usage: ./pactester <-p pacfile> <-u url> [-h host] [-c client_ip]
./pactester <-p pacfile> <-f urlslist> [-c client_ip]
Options:
-p pacfile: PAC file to test
-u url: URL to test
-h host: Host part of the URL
-c client_ip: client IP address (defaults to IP address of the machine on which script is running)
-f urlslist: a file containing list of URLs to be tested.
Example:
./pactester -p wpad.dat -u http://www.google.com
./pactester -p wpad.dat -u http://www.google.com -c 192.168.1.105
./pactester -p wpad.dat -f url_list
Below is a very simple example of a PAC file. Use notepad or your preferred text editor to create the file, and save it as proxy.pac.
function FindProxyForURL(url, host)
{
    // Set the IP address of the proxy into a variable named proxy
    var proxy = "PROXY 192.168.250.1:8080";
    return proxy;
}
This very simple example of a PAC file will just re-direct traffic out through a proxy server running at 192.168.250.1 on port 8080. This of course is a very simple example but it should work. To test the PAC file drop it onto one of your internal web servers, and point your browser's automatic config file at the URL, e.g. http://webserver1/proxy.pac
Once you have set this, as long as the IP and port in the PAC file match yours, you should start using the logic contained in this file. How to distribute the PAC file to clients is discussed later in the article.
If that is working, you can now build more into the file to control what happens to certain sites and subnets.
One of the most useful things you can do is send different subnets through different proxies. This is very good for multiple sites that each have their own Internet connection.
To do this we use a simple if statement to test for the client's IP address, and then set the proxy server based on what is returned, like this:
// Test for entire subnets
if (isInNet(myIpAddress(), "192.168.250.0", "255.255.255.0"))
    proxy = "PROXY 192.168.250.1:8080";
This statement uses the function isInNet to determine whether or not the client's IP address is in the subnet you specify. In the above code, if you are any client on the 192.168.250.0 subnet, the function will return true and set the proxy variable to be 192.168.250.1:8080.
You can also use a similar block of code to send individual clients to a certain proxy instead of the entire subnet. This could be useful if certain people are heavy Internet users and have a dedicated proxy.
// Test for individual clients
if (isInNet(myIpAddress(), "192.168.250.25", "255.255.255.255"))
    proxy = "PROXY 192.168.250.242:8080";
Of course if you want to use this on certain clients, they will have to have a static IP address.
Directing Traffic based on URL
Next we will test for a certain site URL, and if we find the user wants to access that URL we will send them down yet another proxy.
if (url.substring(0, 24) == "http://www.microsoft.com")
    proxy = "PROXY 192.168.250.242:8080";
This function tests the URL string passed into the PAC file for the website address. The 0, 24 parameters tell the function to start at position 0 from the left hand side of the string, and count 24 characters. If the string matches the function returns true and the proxy variable is set.
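A prefix comparison like this matches every URL that shares its first 24 characters, including other host names, and it misses the same site over https:. The following added example (not part of the original article) runs the article's rule beside a stricter one that tests the host argument; the function names, the default proxy and the test URLs are assumptions made for illustration.

```javascript
// Added example, not from the original article. The proxy addresses are the
// article's; the function names and the URLs in CASES are constructed.
const PROXY_MS = "PROXY 192.168.250.242:8080";
const PROXY_DEFAULT = "PROXY 192.168.250.1:8080";

// The article's rule: compare the first 24 characters of the URL.
function routeByPrefix(url, host) {
  if (url.substring(0, 24) == "http://www.microsoft.com") return PROXY_MS;
  return PROXY_DEFAULT;
}

// Stricter rule: decide on the host argument the browser passes in, so only
// that exact host name matches (any scheme, any port, any letter case).
function routeByHost(url, host) {
  if (host.toLowerCase() === "www.microsoft.com") return PROXY_MS;
  return PROXY_DEFAULT;
}

const CASES = [
  "http://www.microsoft.com/downloads",      // intended target
  "https://www.microsoft.com/downloads",     // same site over HTTPS
  "http://www.microsoft.com.example.net/",   // different host, same first 24 chars
  "http://www.microsoft.community.example/", // different host, same first 24 chars
  "http://www.example.org/",                 // unrelated site
];

// Return the URLs on which the two rules disagree, with both answers.
function disagreements(urls) {
  return urls
    .map(url => {
      const host = new URL(url).hostname;
      return { url, host, prefix: routeByPrefix(url, host), byHost: routeByHost(url, host) };
    })
    .filter(row => row.prefix !== row.byHost);
}

console.log(disagreements(CASES));
```

The three rows printed are the HTTPS URL, which the prefix rule misses, and the two look-alike hosts, which it sends to the dedicated proxy.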
As we are using the substring function, we can not only test for a specific web site, but specific protocols as well. For instance you might want all of your FTP traffic to go out over a different link from your normal HTTP and HTTPS traffic.
if (url.substring(0, 4) == "ftp:")
    proxy = "PROXY 192.168.250.241:8080";
Now that we have got this far, we are almost ready to send the user to the correct proxy. The only thing we have not done yet is make sure that, if they are trying to access a site on your internal network, they go directly and do not use the proxy. This is done like so:
if (isInNet(host, "192.168.0.0", "255.255.0.0"))
{
    return "DIRECT";
}
else {
    return proxy;
}
The first part of the IF statement is the isInNet function again, this time on the IP address of the destination passed into the PAC file. If it is in the IP scope specified, then the user is sent directly to the site. At this point the logic of the PAC file concludes and the user is sent to the site. If the IF statement returns false, then the user is sent to the proxy server that is currently held in the proxy variable.
Put it all Together
Now that we have all the building blocks, we can create our PAC file. If we wish, we can also set it up so that, instead of using the IP address of the proxy, it points to a DNS entry. This is useful if you have backup proxies. In that case, if the main one goes offline you can change the DNS entry to the backup and the clients will be re-directed, without you having to alter the PAC file. We use this in our final completed example.
function FindProxyForURL(url, host)
{
    // Set a default proxy if none are returned below
    var proxy = "PROXY 192.168.0.244:8080";
    // Test for Preston's subnets
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        proxy = "PROXY proxy_preston:8080";
    if (isInNet(myIpAddress(), "192.168.2.0", "255.255.255.0"))
        proxy = "PROXY proxy_preston:8080";
    // Test for London's subnets
    if (isInNet(myIpAddress(), "192.168.3.0", "255.255.255.0"))
        proxy = "PROXY proxy_blackpool:8080";
    if (isInNet(myIpAddress(), "192.168.4.0", "255.255.255.0"))
        proxy = "PROXY proxy_blackpool:8080";
    // Now direct the user out through the proxy if not internal site
    if (isInNet(host, "192.168.0.0", "255.255.0.0"))
    {
        return "DIRECT";
    }
    else if (url.substring(0, 24) == "http://www.microsoft.com")
    {
        return "PROXY 159.180.13.52:3128";
    }
    else if (url.substring(0, 5) == "http:")
    {
        return proxy;
    }
    else if (url.substring(0, 4) == "ftp:")
    {
        return proxy;
    }
    // Any other scheme (for example https:) also uses the selected proxy,
    // so the function never ends without returning a value
    return proxy;
}
Now that you have your PAC file, you need to get your users to start using it. There are a couple of ways you can accomplish this, apart from the obvious one of getting them to do it themselves.
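Before rolling the file out, its routing can be exercised offline for each client subnet, in the same spirit as pactester. This is an added example, not part of the original article: the stub helpers, the condensed PAC copy (which ends in a default return) and the sample URLs are assumptions, and the stub isInNet does no DNS lookups.

```javascript
// Offline stand-ins for the PAC helpers. Assumption: a host that is not a
// literal IPv4 address never matches isInNet (a browser would resolve it).
const toInt = ip => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNetStub(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// Condensed from the completed PAC file above, ending in a default return.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  var proxy = "PROXY 192.168.0.244:8080";
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) proxy = "PROXY proxy_preston:8080";
  if (isInNet(myIpAddress(), "192.168.3.0", "255.255.255.0")) proxy = "PROXY proxy_blackpool:8080";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (url.substring(0, 24) == "http://www.microsoft.com") return "PROXY 159.180.13.52:3128";
  return proxy;
}`;
// Constructed counter-example: nothing is returned for schemes other than http:.
const NO_DEFAULT = `function FindProxyForURL(url, host) {
  if (url.substring(0, 5) == "http:") return "DIRECT";
}`;

// Compile PAC source with the stubs bound for one simulated client address.
function loadPac(source, clientIp) {
  const build = new Function("isInNet", "myIpAddress", source + "\nreturn FindProxyForURL;");
  return build(isInNetStub, () => clientIp);
}

// Evaluate one URL the way a browser calls the PAC function: (url, host).
function route(source, clientIp, url) {
  return loadPac(source, clientIp)(url, new URL(url).hostname);
}

// URLs for which the PAC file hands the browser no proxy string at all.
function unhandled(source, clientIp, urls) {
  return urls.filter(u => typeof route(source, clientIp, u) !== "string");
}

const SAMPLE_URLS = [ // constructed test inputs
  "http://192.168.0.10/intranet", "http://www.example.com/",
  "https://www.example.com/", "ftp://ftp.example.com/pub/",
];

for (const ip of ["192.168.1.50", "192.168.3.9", "10.0.0.5"])
  for (const u of SAMPLE_URLS) console.log(ip, u, "->", route(PAC_SOURCE, ip, u));
console.log("unhandled without a default:", unhandled(NO_DEFAULT, "192.168.1.50", SAMPLE_URLS));
```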
Please note that all the options discussed below are for use with Internet Explorer; they won't affect Firefox, Opera, Safari etc. If you have any way of setting up these browsers send them to me and I'll attach them as a comment to this article.
Hacking the Registry
The IE home page is just a simple setting in the registry. It is specific for each user profile on the machine and lives in
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
So if you use VBS login scripts you could have a function in them that writes down your config file, something like this:
'Create shell object
Set objwsh = WScript.CreateObject("WScript.Shell")
'Assign the PAC file
Const PROXY_LOC = "http://webserver1/proxy.pac"
objwsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL", PROXY_LOC, "REG_SZ"
Using a Group Policy
If you are running in an Active Directory domain, this is probably the best way to control it. By using this method you can not only set the location of the PAC file, but disable the option in Internet Explorer so that the user can't go in and change it.
Open up (or create) a Policy file that will hold the settings for your users. The options you need are all in the USER section under Windows Settings/Internet Explorer Maintenance/Connection. To use your PAC file, open up the Automatic Browser Configuration option.
In here tick the Enable Automatic Configuration box, and then in the bottom text area named Auto-proxy URL, put the address of your PAC file in. For example, http://webserver1/proxy.pac.
You can also set a time in minutes that will reload the PAC file. If you leave this blank the PAC file is just re-read every time you reload the browser.
Going Forward
As the language of the PAC file is JavaScript-based, there are a lot more functions you could build into it, such as re-directing the user to one site if they try to visit a page they shouldn't be visiting. There are also various other options for distributing the PAC file. One of the most interesting is using DNS and DHCP to implement the Web Proxy Autodiscovery (WPAD) protocol.

















