
What is a PAC file?

A Proxy Auto-Configuration (PAC) file contains a set of rules coded in JavaScript that allow a
web browser to determine whether to send web traffic directly to the Internet or via a
proxy server.

PAC files can control how a web browser handles HTTP, HTTPS, and FTP traffic.

OK, tell me more

Sure! PAC files provide flexibility and redundancy in a manner which isn’t currently possible
when configuring an explicit proxy.

It’s possible to leverage many benefits when using PAC files:

• Supported by all major operating systems and browsers

• Able to automatically route traffic correctly regardless of whether the user enters a domain or IP
address

• Automatic proxy failover

What does all this mean to me?

Let’s say you’re deploying a cloud security service…

With a PAC file your internal traffic will go direct, your traffic destined for the Internet will go via
the cloud service, and any exceptions to that logic can be accounted for and routed as
necessary.

Once the PAC file is designed and deployed any ongoing maintenance will be straightforward.
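The cloud-service scenario above, written out as a PAC file. This is an added example, not taken from the original page; the proxy hostnames, ports, internal domain and partner domain are placeholders, and the functions it calls (isPlainHostName, dnsDomainIs, isInNet, shExpMatch) are supplied by the browser's PAC sandbox.

```javascript
// Added example PAC file. Proxy hostnames, ports and domains are placeholders.
var CLOUD_PROXIES = "PROXY proxy1.example.com:8080; PROXY proxy2.example.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal names go direct: single-label hosts and the internal DNS domain.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }

  // Destinations entered as IPv4 literals: private and loopback ranges go
  // direct. Testing for a literal first means isInNet() never triggers a DNS
  // lookup here.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0")) {
      return "DIRECT";
    }
  }

  // Exception: one external service that must bypass the cloud proxy.
  // The pattern is anchored on a full domain so it cannot match unrelated hosts.
  if (shExpMatch(host, "*.partner.example.net")) {
    return "DIRECT";
  }

  // Everything else, for http, https and ftp alike, goes to the cloud service.
  // The browser tries the second proxy when the first times out. The list
  // deliberately does not end in "; DIRECT", so a proxy outage blocks traffic
  // instead of sending it unfiltered to the Internet.
  return CLOUD_PROXIES;
}
```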

So what exactly can a PAC file do?

http://findproxyforurl.com/

A PAC file can have rules which leverage the following information to route traffic:

• IP address of the requested website

• Host of the requested website

• The user IP address*

• The date/time

Additionally, a PAC file can route:

• HTTP, HTTPS, and FTP traffic in a web browser

• Route traffic either direct or via proxy (hostname and port configurable)

What are the limitations?

• PAC files run in a browser sandbox and thus don’t have access to the entire JavaScript programming
language. Instead, PAC file functionality is implemented in a browser with a custom sandboxed
function set. More information as to the available functions can be found here.

• No access to the machine hostname

• No reliable method to determine the user IP address*

• Proxy failover lacks intelligence and operates based on a TCP timeout occurring

* The myIpAddress() function is inconsistently implemented across the major web browsers and doesn’t
support IPv6; this may result in either an IPv6 address being returned unexpectedly, 127.0.0.1 being
returned, or the IP address of an unexpected network adapter being returned. As such it’s recommended to
avoid use of this function completely. Windows has implemented a new FindProxyForURLEx() function
to support IPv6, however, the implementation is complex and support across the major browsers is
lacking.

PAC Functions

A browser supporting PAC provides access to a list of functions as defined in the original
Netscape Specification.

Each browser implements PAC in a sandbox, allowing access to only those JavaScript functions
required to operate and nothing more. As an example, it isn’t possible to access the browser
user agent string in a PAC file, a string available to a normal web page.

The functions supported and allowed by the sandbox environment are documented on this
page.
Deploying PAC Files

Deploying a PAC file explicitly using the browser proxy settings is one of the most
straightforward methods for deployment. Once you have a fully formed PAC file, the below
steps will aid in deploying a PAC file on a web server.

Web Server

The web server should be configured to serve a PAC file with the correct MIME type.

Browser Deployment
Depending on the administrative environment, browsers can be configured automatically
using a tool such as Group Policy, or manually for each browser’s connection settings.
Common PAC File Issues
Troubleshooting

Explicit PAC
• Review the PAC file code manually. Syntax issues often arise due to missing commas, parentheses,
curly braces, or semi-colons.

• Ensure that the PAC file code validates using a tool such as pacparser or Proxy Validator.

• Review the PAC file rules for any unintended routing behaviors; common issues include missing
proxy return statements and wildcard based rules affecting a larger volume of traffic than intended.
Such errors could result in all traffic passing directly to the Internet, making it only appear that the
file is failing to function.

• Confirm that the PAC file extensions (.pac or .dat) are being served with either of the following
content types:
    application/x-ns-proxy-autoconfig
    application/x-javascript-config

• Test the PAC file by hosting the file on the local file system; if the file works, this would isolate the
issue to the PAC file web server (e.g. connectivity or configuration). The URL format for local PAC
file testing is file://c:\folder\proxy.pac
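The two routing faults named above (a missing proxy return and an over-broad wildcard) can be caught before deployment by running the rules against a table of expected routes. This is an added example, not from the original page: a small Node.js harness in which shExpMatch is a minimal stand-in for the browser builtin, and the PAC bodies, hosts and expected routes are all constructed.

```javascript
var PROXY = "PROXY proxy.example.com:8080"; // placeholder proxy

// Minimal stand-in for the PAC builtin shExpMatch (shell glob with * and ?)
// so the rules run under Node.js; browsers supply the real function.
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed PAC showing both faults.
function flawedPac(url, host) {
  // Meant for the intranet only, but "*intranet*" matches any host that
  // contains the word, Internet sites included.
  if (shExpMatch(host, "*intranet*")) return "DIRECT";
  if (shExpMatch(url, "http://*")) return PROXY;
  // No final return: https:// and ftp:// URLs fall through with no value.
}

// Corrected rules: anchored domain pattern plus a default return.
function fixedPac(url, host) {
  if (shExpMatch(host, "*.intranet.example.com")) return "DIRECT";
  return PROXY;
}

// Constructed routing expectations.
var CASES = [
  { url: "http://wiki.intranet.example.com/", host: "wiki.intranet.example.com", expect: "DIRECT" },
  { url: "http://intranet-login.example.net/", host: "intranet-login.example.net", expect: PROXY },
  { url: "https://www.example.org/", host: "www.example.org", expect: PROXY },
  { url: "ftp://ftp.example.org/pub/", host: "ftp.example.org", expect: PROXY }
];

// Run every case and report hosts with no usable result or the wrong route.
function auditRouting(pac, cases) {
  var findings = [];
  cases.forEach(function (c) {
    var got = pac(c.url, c.host);
    if (typeof got !== "string" || got.trim() === "") {
      findings.push({ host: c.host, issue: "no-return" });
    } else if (got !== c.expect) {
      findings.push({ host: c.host, issue: "misrouted", got: got });
    }
  });
  return findings;
}

console.log(auditRouting(flawedPac, CASES));
console.log(auditRouting(fixedPac, CASES));
```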
WPAD DHCP

• Follow the steps for troubleshooting an explicit PAC file configuration – WPAD is a means of
deploying a PAC file, thus any issues with the web server or the file itself could be overlooked if
focusing solely on the WPAD portion.

• Test the PAC file URL being pushed out by DHCP by using the PAC file URL in the browser
proxy settings configured as an explicit PAC file. This will verify whether the PAC file or PAC file
server itself is the issue.

• Review the Windows Registry to confirm the URL being pushed out by WPAD DHCP.

1. Click Start and select Run.
2. Type regedit and click OK.
3. Navigate the Registry tree to the following location:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
4. In the pane to the right, double click DefaultConnectionSettings.
5. The WPAD DHCP URL will be displayed in the dialog box.

WPAD DNS
• Follow the steps for troubleshooting an explicit PAC file configuration – WPAD is a means of
deploying a PAC file, thus any issues with the web server or the file itself could be overlooked if
focusing solely on the WPAD portion.

• Attempt to ping the host wpad; a failure to resolve would indicate an issue with the DNS server.
Does the hostname point to the correct web server? WPAD DNS requires this record to exist and
point to the web server hosting the PAC file.

• With all proxy/PAC settings disabled, attempt to access http://wpad/wpad.dat – WPAD DNS
requires that this be the functional URL format. Investigate any errors returned.
