Diff between proxy pac and the proxy server
Posted by DifferenceJolly5911@reddit | sysadmin | 6 comments
Hi,
What is the difference between proxy pac file and the manual setup of a proxy server? I had to verify the traffic to a website and it worked only when the manual proxy server was set, with the pac file not at all.
SevaraB@reddit
Honestly, neither option is really considered adequate security in 2024. Agent-based HTTPS inspection on managed systems that hit untrusted networks; transparent inline proxy, DNS filtering, and/or beefed-up NGFW policies for untrusted/guest/IoT devices on your internal network- that’s the way to go. All stuff that’s configured centrally instead of on the client.
pdp10@reddit
Proxies are fine for infosec. The bulk of our proxies (forward proxies) are Squids which are configured with whitelists. For example, servers are in physically-secured datacenters and all outbound access is through proxies. Those proxies whitelist OS vendor and app-vendor update URLs, and block everything else.
Linux updates are accessed over HTTP and cacheable. As far as I've noticed, all communication from a Windows Server to the vendor is obscured with encryption, and I don't recall seeing anything that was cacheable. We run only a small number of these and not enough of any one release version to bother setting up anything special, but it would be nice if the updates were over HTTP so they got cached automatically, like with Linux.
SevaraB@reddit
I wasn’t advising against proxying, I’m saying better to leave the traffic steering to the proxy completely off the client to avoid rogue bypasses- WCCP redirecting, default route, etc.
pdp10@reddit
Manual configuration is static, and the PAC file is a program defining dynamic rules.
With a PAC, the browser calls function `FindProxyForURLEx(url, host)` before every HTTP(S) request. Then the function returns a list of proxies or `DIRECT` access.
A PAC file can cause the browser to parse the `url` to find its protocol or destination port, and direct the client (browser) to different proxies accordingly. The PAC file can have the browser do an explicit DNS lookup and compare the `host` or URL FQDN to a list of local addresses/network that don't get proxied.
Just look at a few examples and you'll get the idea.
bageloid@reddit
A pac file lets you be granular in how you direct traffic, you can exempt certain IPs or domains and allow for fail open or closed scenarios.
If you have a copy of the file, check that it is properly formatted using https://thorsen.pm/proxyforurl
That lets you test the pac file with whatever site you need to. If that works, the computer isn't pulling down the file.
harrywwc@reddit
If the proxy.pac file is not working, then I would suggest that there may be a syntax error in there - perhaps an extraneous space, or maybe a 'comma' instead of a 'full-stop / period' (which can appear similar on some screens).
Actually, perhaps sniff the network to see if the pac file is being requested / returned via the 'wpad' mechanism.
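Added example, not part of any comment in the thread: a small Node.js harness that loads a PAC file's text and evaluates it offline, showing the protocol-based routing, local bypass, and fail-open versus fail-closed proxy lists described above, and how a broken file surfaces as an error. The sample PAC, the proxy names, the `.corp.example` domain and the helper stubs are constructed assumptions; the PAC uses the standard `FindProxyForURL(url, host)` entry point.

```javascript
// Constructed sample PAC; proxy names and the internal domain are placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain are never proxied.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Literal 10.0.0.0/8 destinations are never proxied.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // HTTPS: proxies only, so the request fails if both are down (fail closed).
  if (url.substring(0, 6) === "https:")
    return "PROXY proxy-a.example:3128; PROXY proxy-b.example:3128";
  // Everything else: fall back to a direct connection (fail open).
  return "PROXY proxy-a.example:3128; DIRECT";
}`;

// Simplified offline stand-ins for the PAC built-ins (no DNS: isInNet only
// matches IPv4 literals, where a browser would resolve the host first).
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => /^\d+(\.\d+){3}$/.test(host) &&
    ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0),
};

// Compile the PAC text; a malformed file throws SyntaxError here.
function loadPac(pacText) {
  const names = Object.keys(helpers);
  const make = new Function(...names, pacText +
    "\nreturn typeof FindProxyForURL === 'function' ? FindProxyForURL : null;");
  const fn = make(...names.map((n) => helpers[n]));
  if (!fn) throw new Error("PAC does not define FindProxyForURL");
  return fn;
}

// Return the ordered proxy list for a URL and whether it fails open.
function evaluatePac(pacText, url) {
  const raw = loadPac(pacText)(url, new URL(url).hostname);
  const entries = raw.split(";").map((s) => s.trim()).filter(Boolean);
  const direct = entries[0] === "DIRECT";
  return { entries, direct, failOpen: !direct && entries.includes("DIRECT") };
}

// Name of the error a PAC raises for a URL, or null if it evaluates cleanly.
function pacError(pacText, url) {
  try { evaluatePac(pacText, url); return null; } catch (e) { return e.name; }
}
```

A comma typed for a period (`url,substring`) still parses and only raises a ReferenceError when that branch is evaluated, so test with URLs that reach every branch of the file.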