Implementing Authentication in Proxy PAC Files: How to Automate Username/Password for Specific Proxies


When working with complex proxy environments that include authenticated proxies, manually entering credentials becomes a significant productivity bottleneck. The standard PAC file format doesn't natively support embedding credentials in proxy definitions, making automation challenging.

Attempts to use PROXY username:password@server:port or PROXY http://username:password@server:port syntax fail because:

  • PAC files execute in a security-restricted context
  • Browser implementations deliberately prevent credential embedding
  • The PAC specification doesn't include authentication parameters

Solution 1: Pre-authenticated Proxy Chains

Configure an intermediate proxy that handles authentication:

function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.internal.company.com")) {
        return "PROXY auth-proxy.company.com:8080";
    }
    return "DIRECT";
}

Solution 2: Enterprise Authentication Integration

For Windows environments, leverage system credentials:

function FindProxyForURL(url, host) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "PROXY proxy-with-ntlm.company.com:3128";
    }
    return "DIRECT";
}

Solution 3: Browser-specific Extensions

For Chrome/Edge, use the --proxy-server flag with credentials:

chrome.exe --proxy-server="http://user:pass@proxy:port"

For large deployments consider:

  • Proxy auto-configuration servers that support authentication
  • Transparent proxy solutions with Kerberos/NTLM
  • VPN solutions with always-on connectivity

While automating credentials improves usability, keep these security practices in mind:

  • Never hardcode credentials in PAC files
  • Use domain authentication where possible
  • Rotate service account credentials regularly
  • Consider certificate-based authentication

To test your PAC file implementation:

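// Test in the browser console: paste your FindProxyForURL definition first.
// PAC helpers such as shExpMatch() and isInNet() exist only inside the PAC
// engine, so define stand-ins for any that your script calls.
alert(FindProxyForURL("http://internal.site.com", "internal.site.com"));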

When working with complex proxy environments, handling authentication requirements in PAC (Proxy Auto-Configuration) files presents unique challenges. The standard PAC file specification doesn't natively support embedding credentials in proxy definitions, making automatic authentication problematic.

Attempts to include credentials directly in the proxy URL (PROXY username:password@server:port or PROXY http://username:password@server:port) typically fail because:

  • Most browsers and HTTP clients don't support credentials in proxy URLs
  • This approach poses significant security risks by exposing credentials
  • The PAC specification doesn't officially support this syntax

1. Pre-authenticating Proxy Connections

For internal enterprise environments, consider configuring proxies to authenticate based on:

// Example PAC file using IP-based authentication
function FindProxyForURL(url, host) {
    if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0")) {
        return "PROXY internal-proxy.example.com:8080";
    }
    return "DIRECT";
}

2. System-level Proxy Configuration

Combine PAC files with system proxy settings that store credentials:

Windows Registry Editor Version 5.00

; Windows registry example for storing proxy credentials
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=proxy.example.com:8080"
"ProxyEnable"=dword:00000001
"ProxyUser"="domain\\username"
"ProxyPass"="encrypted_password"

3. Custom Browser Extensions

For web applications, create extensions that handle authentication:

// Chrome extension background script example
chrome.proxy.settings.set({
    scope: 'regular',
    value: {
        mode: 'pac_script',
        pacScript: {
            url: 'http://internal/path/to/proxy.pac'
        }
    }
}, function() {});

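// Needs the webRequest permission plus webRequestBlocking (Manifest V2)
// or webRequestAuthProvider (Manifest V3).
chrome.webRequest.onAuthRequired.addListener(
    function(details) {
        // Answer only proxy challenges (HTTP 407). Without this check the
        // credentials would also be sent to any web server that returns 401.
        if (!details.isProxy) {
            return {};
        }
        return {
            authCredentials: {
                // Placeholder values: load real ones from a protected store.
                username: "proxy_user",
                password: "secure_password"
            }
        };
    },
    {urls: ["<all_urls>"]},
    ['blocking']
);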

For large deployments, consider:

  • Kerberos or NTLM authentication for Windows environments
  • SSO integration through SAML or OAuth
  • Proxy auto-configuration servers that handle authentication internally

When implementing automatic proxy authentication:

  • Never store credentials in plaintext
  • Use encrypted credential stores or vaults
  • Implement proper credential rotation policies
  • Consider certificate-based authentication where possible

Here's a comprehensive PAC file approach that works with authenticated proxies:

function FindProxyForURL(url, host) {
    // Internal resources go direct
    if (shExpMatch(host, "*.internal.example.com")) {
        return "DIRECT";
    }
    
    // Special case for authenticated proxy
    if (shExpMatch(host, "*.special-resource.com")) {
        // This requires system-level credentials to be configured
        return "PROXY auth-proxy.example.com:3128";
    }
    
    // Default proxy for everything else
    return "PROXY standard-proxy.example.com:8080";
}

Remember that the actual authentication must be handled at the system or application level, as the PAC file itself cannot contain credentials.
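
A PAC file like the one above can also be checked outside the browser. The following JavaScript harness is an added example, not part of the original page: it supplies minimal stand-ins for shExpMatch and isInNet, evaluates a PAC script, and flags any returned entry that is not a keyword followed by a bare host:port, such as an embedded user:pass@. The names evaluatePac, GOOD_PAC and BAD_PAC, the client address 10.1.2.3 and the sample URLs are assumptions made for the example.

```javascript
// Added example: offline PAC check. Helper and sample names are assumptions.
// Minimal stand-ins for the PAC helpers used on this page.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(host, net, mask) {
  // Literal IPv4 only; a browser would resolve a hostname through DNS first.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = toInt(mask);
  return ((toInt(host) & m) >>> 0) === ((toInt(net) & m) >>> 0);
}

// One PAC entry: DIRECT, or a proxy keyword followed by bare host:port.
const ENTRY = /^(DIRECT|(PROXY|HTTPS|SOCKS|SOCKS4|SOCKS5)\s+[A-Za-z0-9.-]+:\d{1,5})$/;

function evaluatePac(source, url) {
  // new Function is not a sandbox: only load PAC files you already trust.
  const load = new Function("shExpMatch", "isInNet", "myIpAddress",
    source + "\nreturn FindProxyForURL;");
  const findProxy = load(shExpMatch, isInNet, () => "10.1.2.3");
  const result = String(findProxy(url, new URL(url).hostname));
  const entries = result.split(";").map((s) => s.trim()).filter(Boolean);
  // Flag entries that are not keyword + host:port (user:pass@host, URL schemes).
  return { result, invalid: entries.filter((e) => !ENTRY.test(e)) };
}

// Constructed samples: the first mirrors the routing of the PAC file above.
const GOOD_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.internal.example.com")) return "DIRECT";
  if (shExpMatch(host, "*.special-resource.com")) return "PROXY auth-proxy.example.com:3128";
  return "PROXY standard-proxy.example.com:8080";
}`;
const BAD_PAC = `
function FindProxyForURL(url, host) {
  return "PROXY user:secret@auth-proxy.example.com:3128";
}`;

for (const url of ["http://wiki.internal.example.com/", "http://example.org/"]) {
  console.log(url, "->", evaluatePac(GOOD_PAC, url).result);
}
console.log("flagged:", evaluatePac(BAD_PAC, "http://example.org/").invalid);
```

Running the same check in CI against the deployed PAC file catches a credential that someone pastes into a return string before it reaches clients.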