Automatic Proxy Configuration with WPAD

Recent Web browsers have the ability to automatically detect a web proxy to use. This tutorial shows you how to set up automatic proxy detection.

History

The first automatic detection system, called PAC, was in Netscape Navigator. This allowed you to specify a JavaScript script that told the browser which proxy to use. This provided a central position from which to change proxy servers.

This still had a slight disadvantage in that you needed to specify the script location. If you needed to change the location, you still had to visit all your clients. The solution for this is WPAD (Web Proxy AutoDiscovery). This is a set of methods for finding the PAC script, to be tried in order.

Proxy Auto Configuration (PAC)

This involves creating a JavaScript script that returns which proxy servers to use. The script needs to define the following function, which will be called by the browser for every URL that is retrieved:

string FindProxyForURL(string url, string host)

url
The full URL being accessed.
host
The hostname extracted from the URL. This is only for convenience: it is the exact same string as between :// and the first : or / after that. The port number is not included in this parameter. It can be extracted from the URL when necessary.
return value
A string describing the configuration. The return value of the function should be a semicolon-separated list of options from the following list:

DIRECT
Connections should be made directly, without any proxies.
PROXY host:port
The specified proxy should be used.
SOCKS host:port
The specified SOCKS server should be used.

A null string is the same as DIRECT. Each option will be tried in turn until one is usable.

Basic proxy.pac

You can download the source for this example at http://www.davidpashley.com/articles/proxy.pac

function FindProxyForURL(url, host)
{
   if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
   } else {
      if (shExpMatch(url, "http:*")) 
         return "PROXY webcache.domain.com:3128" ;
      if (shExpMatch(url, "https:*"))
         return "PROXY webcache.domain.com:3128" ;
      if (shExpMatch(url, "ftp:*"))
         return "PROXY webcache.domain.com:3128" ;
      return "DIRECT";
   }
}

You need to place this on a web server accessible from your clients. The file should have a .pac extension (e.g. proxy.pac) and should contain only the JavaScript, not embedded in HTML. You will also need to configure your web server to map the .pac filename extension to the application/x-ns-proxy-autoconfig MIME type. If you are using the Apache web server, put the following line in your httpd.conf:

AddType    application/x-ns-proxy-autoconfig .pac

More information, useful JavaScript functions and examples can be found at http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
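An added example, not part of the original tutorial or its proxy.pac: a small Node.js harness for checking what a PAC file returns for given URLs before you publish it to clients. SAMPLE_PAC is a constructed variant of the script above with a DIRECT fallback appended; evaluatePac, parseProxyList and ipToInt are hypothetical helper names, and this isInNet only handles IPv4 literals because the harness does no DNS lookups.

```javascript
// Constructed variant of the tutorial's proxy.pac, with a DIRECT fallback appended.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
   if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
   if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*"))
      return "PROXY webcache.domain.com:3128; DIRECT";
   return "";
}`;

// Shell-glob match: * matches any run of characters, ? matches exactly one.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => acc * 256 + Number(o), 0);
}

// Assumption: no DNS lookups here, so a hostname never matches a network.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Split a FindProxyForURL result into the ordered options a browser would try.
function parseProxyList(result) {
  if (result == null || result.trim() === "") return [{ type: "DIRECT" }];
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((opt) => {
    if (opt === "DIRECT") return { type: "DIRECT" };
    const m = /^(PROXY|SOCKS)\s+([A-Za-z0-9.-]+):(\d{1,5})$/.exec(opt);
    if (!m || Number(m[3]) > 65535) throw new Error("invalid PAC option: " + opt);
    return { type: m[1], host: m[2], port: Number(m[3]) };
  });
}

// Evaluate a PAC script for one URL. new Function is no sandbox: use only PAC files you control.
function evaluatePac(pacSource, url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^:\/]*)/i.exec(url);
  if (!m) throw new Error("cannot extract host from: " + url);
  const find = new Function("isInNet", "shExpMatch",
    pacSource + "\nreturn FindProxyForURL;")(isInNet, shExpMatch);
  return parseProxyList(find(url, m[1]));
}
```

Running evaluatePac over a list of representative internal and external URLs shows the exact proxy order each client would try, and a malformed option such as a missing port fails loudly instead of silently falling through.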

The Web Proxy Auto-Discovery Protocol (WPAD)

WPAD is not designed to find the actual proxy settings, but to find the PAC script which tells the browser which settings to use. WPAD uses several methods for finding the location of the PAC script. If the method does not provide information about the port or the path name, then the client should use, as defaults, port 80 and /wpad.dat respectively. The client should not use a default host.

There are several methods clients should use for finding the PAC file. They should be used in the order shown below, but clients are only required to use DHCP and well known aliases.

  • Dynamic Host Configuration Protocol (DHCP)
  • Service Location Protocol (SLP)
  • “Well Known Aliases” using DNS A records
  • DNS SRV Records
  • “service: URLs” in DNS TXT records

DHCP (Dynamic Host Configuration Protocol)

Clients using DHCP need to look for an option using the 252 option code. ISC DHCP server doesn’t support this option by default, but it does support adding arbitrary options. To enable ISC DHCP server to advertise the location of your PAC file, add the following two lines to your /etc/dhcp/dhcpd.conf file.

option local-pac-server code 252 = text;
option local-pac-server "http://wpad.example.com/wpad.dat";

The first line needs to go in the global section, but you can use the second line anywhere where you can use options, e.g. in a host declaration.

SLP (Service Location Protocol)

“Well Known Aliases” using DNS A records

DNS SRV records

“service: URLs” in DNS TXT records