Welcome to the second installment of this blog series on PAC files. In the previous post, "Understanding PAC Files: An Introduction to Dynamic Proxy Configuration", we explored the fundamental elements of PAC files, their purpose, and the structure that defines them. Now, let's dive deeper into the world of PAC files and discover how to create, configure, and harness their power for effective web proxy configuration. In this post, we'll explore the syntax and logic of conditional statements in PAC files, uncover advanced features and techniques, and discuss best practices for managing and maintaining PAC files. By the end of this post, you'll have a comprehensive understanding of the inner workings of PAC files and be equipped with practical knowledge to optimize their usage in your organization's web proxy setup.

While authoring this post, as I was coming up with topics, I thought to myself, "What's the difference between creating and configuring a PAC file?" Upon doing some research and discussing this further with my peers, I found it is worth covering both aspects. The creation of a PAC file is the initial file creation, but also the writing of the logic, policies, and other content of the PAC file itself. The configuration aspect of a PAC file is more focused on how to integrate your newly created PAC file into your organization's infrastructure.

The first topic we're going to cover in this post is the creation and configuration of a PAC file. When it comes to creating a PAC file, there are several key steps to keep in mind when defining the proxy configuration logic. Most importantly, as with any IT-related project or initiative, planning is key to a successful implementation. Developing web proxy configurations is something that can have an immense impact on business continuity, both positive and negative, and should not be implemented on a whim without careful thought and consideration. Before delving into the code, it's important to consider the network architecture, the proxy server infrastructure you will be interacting with, and the specific needs of the organization.

As we delve into the planning, creation, and configuration of our PAC file in this series, we'll use the sample architecture shown in the image below. While it is drastically simplified, this architecture provides us with a workable model that is similar in nature to a typical global enterprise.

pac-part-2-0.png

To create and configure a PAC file, you will need to have a good understanding of JavaScript syntax and the available functions for proxy configuration. The first step is to open a text editor and create a new file with a ".pac" extension. This file will serve as your PAC file. Within the PAC file, you can start writing the JavaScript code that defines the proxy configuration logic. This code will include conditional statements, functions, and variables to determine how web traffic should be routed as we discussed in the first post. You can define specific rules based on time, domain, or other conditions to direct traffic to the appropriate proxy server or bypass it altogether. Once you have written the logic, save the PAC file and ensure it has a unique and meaningful name.

For example, below is a sample PAC file for our AMS locations. This is a very basic PAC configuration that, if the machine using this PAC file has an IP address in the 10.0.0.0/16 address space, will send all web traffic to the proxy server us-proxy.example.com on port TCP/8080.

touch ams-proxy-cfg.pac

function FindProxyForURL(url, host) {
  // US-based location
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.0.0")) {
    return "PROXY us-proxy.example.com:8080";
  }

  // Default proxy configuration
  return "DIRECT";
}

With the PAC file created, you can then proceed to configure it within your organization's web proxy infrastructure, such as specifying the PAC file URL in the browser settings or distributing it through group policies. This ensures that the PAC file is applied and used by the browsers to dynamically configure proxy settings based on the defined rules and conditions. It is important to understand that there are many ways to distribute a PAC file to an organization, but PAC files can also be manually applied to a web browser on a user-by-user basis. While most organizations will want to deploy a PAC file via a GPO (Group Policy Object) or MDM (Mobile Device Management) platform, we'll cover manual deployment in more detail in order to provide information on the process, and we will cover mass-deployment options at a higher level.

Manual configuration of a PAC file in a web browser is a very straightforward process. While I'm going to be using Mozilla Firefox in my example, the process is very similar in most major browsers; you just have to find the appropriate settings menu. Within the Firefox browser, open the browser settings and navigate to the Network Settings section. As you can see in the image below, by default, Mozilla Firefox follows the System Proxy Settings. In another post we will discuss the pros and cons of using system proxy settings vs. browser-based proxy settings; however, it is important to know that there is a difference.

pac-part-2-1.png

Notice that in these configuration options there is the option to manually set a web proxy server for both HTTP and HTTPS traffic. If we chose to take this approach and configure the proxy settings as shown below, the configuration would still be effective in getting all of the browser's traffic to the proxy server; however, we would lose out on the benefits of things like conditional statements and dynamic forwarding rules that we gain from PAC files.

pac-part-2-2.png

Further down the options menu we see the field for Automatic Proxy Configuration URL. This is where the magic of the PAC files begins. Once the file has been created, the administrator must host the file on a web server accessible by company assets. In this case, we're going to go on the assumption that the PAC file is hosted at http://synically-ackward.com/pac-part-2/proxy/us-proxy-cfg.pac.

📘 The PAC files referenced here are available for download on GitHub. Be aware, however, that while you may download them and look at them, you should not apply them to a browser as a PAC configuration. With the proxy server being example.com, your traffic will be black-holed until the proxy configuration is removed if you match the conditionals.

As shown in the configuration options below, we provide this URL in the browser settings, and the browser will automatically reach out and retrieve the PAC file each time it needs to reference the logic. This allows us to maintain a much smaller number of PAC files and to make dynamic updates to the files, which will automatically be honored once the browser pulls the updated file.

pac-part-2-3.png

Based on the logic currently contained in our PAC file for our AMS users, the browser will identify if the machine in use has an IP address in the 10.0.0.0/16 address space, and, if so, it will forward the web traffic to our proxy server on port TCP/8080. However, if the machine IP is not within that range, for instance, our user could be at home and have a 192.168.0.0/16 address, the traffic will be forwarded directly to the internet with no proxy server in the path. Once a browser has been directed to the Automatic Proxy Configuration URL, the manual configuration of the browser is now complete.
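The routing decision described above can be checked offline before the file is published. The harness below is an added example, not part of the original post or its GitHub files: it evaluates the post's PAC logic in Node.js with a stubbed `myIpAddress()` and a simplified, IPv4-only `isInNet()`. The helper names `ipv4ToInt` and `evaluatePac` and the sample client addresses are assumptions made for illustration.

```javascript
// PAC logic from the post, embedded as a string so it can be evaluated offline.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  // US-based location
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.0.0")) {
    return "PROXY us-proxy.example.com:8080";
  }
  // Default proxy configuration
  return "DIRECT";
}`;

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// Simplified stand-in for the browser's isInNet(): IPv4 literals only, no DNS lookup.
function isInNet(host, pattern, mask) {
  const h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Evaluate the PAC source with a stubbed myIpAddress() and return its decision.
function evaluatePac(pacSource, clientIp, url) {
  const host = new URL(url).hostname;
  const load = new Function("myIpAddress", "isInNet",
    pacSource + "\nreturn FindProxyForURL;");
  const findProxy = load(() => clientIp, isInNet);
  return findProxy(url, host);
}

// Constructed sample clients: inside 10.0.0.0/16, a home network, just outside the /16.
const CASES = ["10.0.5.20", "192.168.1.10", "10.1.0.5"];
for (const ip of CASES) {
  console.log(ip, "->", evaluatePac(PAC_SOURCE, ip, "http://www.example.org/"));
}
```

On multi-homed or VPN-connected machines the browser's real `myIpAddress()` may return a different interface address than expected, so it is worth running each address a client could present through the harness.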

As mentioned previously, it is generally in an organization's best interests to deploy their PAC files en masse utilizing a GPO, MDM or other deployment mechanism. As an example, I've included an image below from Microsoft's Intune MDM showing what a basic proxy configuration would look like for Google Chrome Enterprise on Windows platforms. This policy could be pushed out to all users, or a subset based on various criteria, and used as a mechanism to distribute the PAC files appropriately.