How To Use a .pac File in iOS

Following on from last week’s post, I have spent some time this week playing with .pac files. As discussed last week this is the only way to configure Proxy exceptions on an iOS device. In this post I’ll show you some basics in relation to creating, serving and using the .pac file.

How to serve and use a .pac file

Let's jump forward a step. You've got your proxy settings and put these into a file. Let's call it 'proxyfile.pac' (nice and original). Now where can you put this file so that your devices can access it?

For your standard Mac OS X clients, you can actually store this file locally on the machine. Just point the machine to the relevant area in System Preferences. I have tested this in a lab environment and this works fine with both Firefox and Google Chrome, however an additional security feature in Safari prevents this.

As of Lion, Safari now runs in an almost entirely sandboxed mode that will ignore any Proxy files that are hosted on a standard file system. The way around this is to turn on web sharing on the client and place the .pac file in the relevant place. Or do it properly…

Hosting a .pac file on a Web Server

The standard location for a .pac is on a Web server. Now due to the large amount of different Web servers, I’m sorry to say I cannot provide instructions for each, however I will draw out some general instructions for a Mac Web Server.

1. Turn on the Web Service. This is located in Server Admin (10.6 – Snow Leopard Server or older) or Server.app (10.7 – Lion Server). Also make a note of the Web Server documents folder location. In this example, our Web Server address is https://www.macserver.co.uk.

2. Navigate to the primary Web Server documents folder used for storing the webpages. As default on Lion this is “/Library/Server/Web/Data/Sites/Default”. Move your .pac file (remember ours is “proxyfile.pac”) into this folder.

3. Test the .pac file. Open a web browser and navigate to the address/proxy file. In our example, we would use “https://www.macserver.co.uk/proxyfile.pac”. This should display your Proxy file in the browser window.

Please Note: some Web Browsers and Web Servers do not support this.

4. Finally, add the above test address to the “Automatic” field for proxies. On Mac OS X launch System Preferences, and navigate to the relevant interface’s Proxy configuration page. Tick the “Automatic Proxy Configuration” box and fill in the entire URL in the provided box (as we used in step 3).

For iOS, follow the steps I outlined in my previous blog post, but instead of following step 3, select “Auto” and fill in the URL as we used above.

And that should enable your devices to use the Proxy Automatic Configuration (pac) file.

Awesome, but how do I make one in the first place?

This is the part that took the most digging around, researching and testing to pull together. I have managed to write and test a fairly basic .pac file but I have to say I’ve only scratched the surface it seems!

The .pac file can be created in Text Edit or any other basic text editor (including Dreamweaver – use the JavaScript template) but it MUST be a plain text file or it will not work. The file is comprised of arguments, commands and returned values much like an Apple script or a Bash script.

Again, much like a Bash script, the .pac file must start with an opening line, in this case:

function FindProxyForURL(url, host)

This basically tells the network connection that it will work out the Proxy URL and provide this back.

The information that is returned to the connection is done by the line:

return "PROXY [proxy address]:[Proxy Port]";

The theory gets much more complex, but is easier to explain with examples.

Example 1: Direct all traffic to the proxy 41.190.16.17 on port 8080

Nice and easy, forward all traffic to one address and port no matter what. To do this, use the below content in your .pac file, changing the address where required:

function FindProxyForURL(url, host)
{
    return "PROXY 41.190.16.17:8080";
}

Example 2: Direct all traffic to the proxy 41.190.16.17 on port 8080, except data bound for addresses in the 192.168.1.1/24 range.

A bit more complicated but probably much more widely required. Again, just use this content in your .pac file, changing the address where required:

function FindProxyForURL(url, host)
{
    if (isInNet(host, "192.168.1.1", "255.255.255.0"))
        return "DIRECT";
    else
        return "PROXY 41.190.16.17:8080";
}
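
Going one step beyond Example 2, the following is an added example (not part of the original post) that also bypasses the proxy for plain host names and for one domain, and includes small stand-ins for the PAC built-ins so the rules can be checked under Node before the file is served. The domain "example.internal" and the helper ipToInt are assumptions made for illustration; the stand-in isInNet does no DNS lookup, unlike the real one.

```javascript
// Stand-ins for the PAC built-ins so the rules can be tested under Node.
// On a real client the PAC engine provides these; deploy only FindProxyForURL.
function ipToInt(ip) {                       // hypothetical helper
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false; // no DNS in this shim
  return (h & m) === (p & m);
}

var PROXY = "PROXY 41.190.16.17:8080";       // proxy used in Examples 1 and 2

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names such as "intranet" are internal: connect directly.
  if (isPlainHostName(host)) return "DIRECT";
  // Domain exception. The leading dot matters: without it a look-alike
  // such as "notexample.internal" would also skip the proxy.
  if (host === "example.internal" || dnsDomainIs(host, ".example.internal"))
    return "DIRECT";
  // Example 2's subnet exception, applied only to IP literals so that
  // isInNet never has to perform a (possibly blocking) DNS lookup.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) &&
      isInNet(host, "192.168.1.1", "255.255.255.0"))
    return "DIRECT";
  return PROXY;
}
```

Run the file with Node and call FindProxyForURL with the hosts you care about; when you are happy with the answers, copy only the PROXY line and the FindProxyForURL function into your .pac file.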

Conclusion

There you have it, enough to get you started and trying things out. There’s some decent information on the Proxy auto-config wiki page to help with any more advanced configuration, but the only way is to give it a go… in a test environment of course!!

As always, please feel free to ask questions, or make suggestions for future topics in the comments below.

Disclaimer

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

21 Replies to "How To Use a .pac File in iOS"

  • Luk

    Is it possible that this doesn’t work with iOS 6? The file is being loaded by my iPod ∼15 times but it seems to be ignored by Safari. Any ideas what could be wrong?

  • Hi Luk

    I’m sorry to say I have yet to test this on iOS 6 but there is no reason why it shouldn’t work. I’d suggest trying it on another device, as well as checking the URL.

    Additionally you can point a Mac OS X computer to the file (In System Preferences > Network > Advanced) to test if it’s the OS or the PAC file itself.

    Hope that helps

    Darren

  • Luk

    Can you recommend a free uploading service which works with this method? I think that this may be the problem (I’m using my.cl.ly direct links)

  • Luk

    I know, but how to best host this file? Can you recommend a service which lets me just upload the file for this use? I don’t have my own webserver and am not really into this stuff…

  • Hi Luk,

    I’m afraid I’m not aware of any service that will host a PAC file for yourself and so could not recommend one.

    If you would just like to test it on a client machine, you can host the PAC file on the client and use the file path, rather than a URL to test with.

    Kind Regards

    Darren

  • sergio

    I followed another website’s directions, and yours are more complete (ip range) what could help me to proxify only the sites I’m interested in.
    Now, the question is:

    1) How do I ignore a domain name rather than an IP?
    2) Shouldn’t I be getting a different IP when accessing what’smyip.net?
    I tried the proxy.pac file from firefox in the machine where tor is running and I get a different IP in whatsmyip.net, but in iPhone’s Safari keeps showing the real IP.
    3) Will apps still connect to internet if the proxy fails for even an instant?
    Thanks.

  • Hi Sergio,

    To use a domain instead of an IP address (or range) I suggest you check the Wiki page linked in the article (http://en.wikipedia.org/wiki/Proxy_auto-config#DnsResolve) particularly this section:

    DnsResolve
    The function dnsResolve (and similar other functions) performs a DNS lookup that can block your browser for a long time if the DNS server does not respond.
    Caching of proxy auto-configuration results by domain name in Microsoft’s Internet Explorer 5.5 or newer limits the flexibility of the PAC standard. In effect, you can choose the proxy based on the domain name, but not on the path of the URL. Alternatively, you need to disable caching of proxy auto-configuration results by editing the registry, a process described by de Boyne Pollard (listed in further reading).
    It is recommended to always use IP addresses instead of host domain names in the isInNet function for compatibility with other Windows components which make use of the Internet Explorer PAC configuration, such as .NET 2.0 Framework. For example,
    if (isInNet(host, dnsResolve(sampledomain), "255.255.248.0")) // .NET 2.0 will resolve proxy properly

    if (isInNet(host, sampledomain, "255.255.248.0")) // .NET 2.0 will not resolve proxy properly
    The current convention is to fail over to direct connection when a PAC file is unavailable.
    Shortly after switching between network configurations (e.g. when entering or leaving a VPN), dnsResolve may give outdated results due to DNS caching.
    For instance, Firefox usually keeps 20 domain entries cached for 60 seconds. This may be configured via the network.dnsCacheEntries and network.dnsCacheExpiration configuration variables. Flushing the system’s DNS cache may, also, help, which can be achieved e.g. in Linux by sudo service dns-clean start.

    2) I believe if the device and the proxy server are going out on the same public IP then they will remain the same.

    3) You’re asking the wrong guy. Each app is different and you should contact the app developer for advice. Some Apps can run their own proxy settings (e.g. Firefox) and some need to have their own settings populated.

    Kind Regards

    Darren

  • Mark fleming

    Sandboxing of Safari is preventing the WebProcess daemon from accessing the proxy.pac file.

    WebProcess has read access to the “/Library/Internet Plug-Ins/” directory.
    So, copy the pac file into “/Library/Internet Plug-Ins/proxy.pac”, modified network preferences to reflect the pac file’s new home, and restarted Safari.

    After doing this, Safari is able to use the local pac file again…

  • Andrew

    Hi Darren

    I have been using wpad/pac for some time on my iOS devices; since the release of iOS7, Safari no longer works with the pac file. Other browsers, ie google seem fine. Have you come across this, and any idea of a solution? These are unmanaged devices and cannot be managed.

    Thanks
    Andrew

  • Hi Mark,

    I believe that issue is because the PAC file is local. Ideally, you’d have your PAC file on a web server somewhere within your organisation. That should avoid the issue.

    ————————–

    Hi Andrew,

    I’m afraid I did and I have yet to find the solution.

    Alternatively, you could create a Configurator payload with the proxy hardcoded in and manually install it on the unmanaged devices?

    thanks

    Darren

  • Rob

    Hi Darren,

    Thanks for this great post. I tried this on my iPhone, having my .pac file on a local web server. It turns out that the browsers (Safari, Chrome, etc) work fine, but other apps do not use the proxy server and just directly connect to internet. Do you have any idea why this happens?

    Cheers,
    Rob

  • Darren Wallace

    Hi Rob,

    Thanks for the reply.

    It could be that these apps don’t support proxies.

    With iOS 7 it’s possible to set a system wide proxy setting which will work on wifi and cellular connections but this will require a configuration profile (and possibly supervision mode from Apple Configurator).

    I hope that helps.

    Darren

  • Urías

    Is there any way to have the pac file locally on the iPad ? that is, without having to store it on a server?

    • Darren Wallace

      Hi Urías,

      I’m afraid that it is not possible to host a PAC file on an iPad, and use it.

      Thanks for your comment.

      Darren

  • RonB

    I didn’t see it mentioned in the responses, but if you are using a DHCP server in your network to serve IP address and DNS information, you should also be able to set it up to also send DHCP Option 252. See the following info:

    http://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html

    There are several different methods that clients use to automatically detect a proxy, so you may need to enable this on the client machine as well. In others, it may be that receiving Option 252 actually turns proxy detection on.

  • RonB

    I forgot to add…you may need to deploy several of the mentioned methods, in order to accommodate the needs of different devices, Operating Systems, environments, etc. But the nice thing is that the PAC file will be centralized, so any changes that need to be made can be done on the centralized PAC file, and the clients should load the updated file the next time they renew IP address via DHCP.

    I plan to test this out in a Guest Wireless environment we are updating at work. Since it will need to accommodate a variety of computers (Windows, Linux, Mac) and mobile devices (iOS, Android), all running various browser options (IE, Firefox, Chrome, Opera, Safari), it should be an interesting exercise. Combined with Access Control Lists on the firewall, we should be able to control/limit what is accessible by guest users.

    • Darren Wallace

      Hi Dominik,
      Thanks for your comment. I’m afraid it’s been a while and I’m not in a position to advise.

      I’d suggest speaking to your MDM and / or Proxy solution provider for assistance.

      Good Luck!

      Darren

    • Hi Dominik,

      Any success in your tests ?
      We are in the same process of integrating iPads on corporate WIFI.
      We manage to give access to internet or internal web resources but not at same time…
