What is a Proxy Auto-Configuration (PAC) file and how does it work?

A quick description of how PAC files work.

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Proxy Auto-Configuration (PAC) files have been around for quite a while, but their purpose can be a little confusing to newcomers. You can think of a PAC file as a set of rules (written in JavaScript) that tells a local system (usually a web browser) which traffic to route directly and which to send through a proxy.

Not all traffic leaving a web browser necessarily needs to go through a proxy. Depending on the use case, sometimes the most appropriate path for a web transaction is a direct one. For example, some services are sensitive to TLS inspection and implement certificate pinning.

Here's an example PAC file with a set of rules.

```javascript
function FindProxyForURL(url, host) {

    // 1. Internal/Local Traffic: DIRECT
    // Keep internal traffic off the internet/cloud gateway.
    if (isPlainHostName(host) ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }

    // 2. Performance Bypasses: DIRECT
    // Bypass high-bandwidth apps or SSL-pinned apps.
    if (shExpMatch(host, "*.zoom.us") ||
        shExpMatch(host, "*.microsoft.com")) {
        return "DIRECT";
    }

    // 3. Default/Fallback: PROXY (Security Inspection)
    // Inspect everything else. Includes primary and backup gateways.
    return "PROXY secure-gateway.company.com:8080; PROXY backup-gateway.company.com:8080";
}
```

Every implementation is different, but the configuration above is a sample scenario for a company that wants to inspect most traffic. Here are a few quick highlights of the code:

  • Default-to-Inspect Logic: The script ends with return "PROXY..." rather than DIRECT. This ensures all unknown or new traffic is automatically inspected by the security gateway.
  • Internal Privacy: The isInNet block ensures local traffic stays on the intranet, preventing the internal network topology from leaking to the cloud provider.
  • Performance Bypasses: High-bandwidth apps (like video conferencing) are explicitly routed DIRECT to avoid the latency and jitter caused by proxy processing.
  • Automatic Failover: The return string lists two proxies separated by a semicolon (PROXY primary; PROXY backup). If the first fails, the browser automatically switches to the second.
  • SSL Pinning Fixes: The bypass section is critical for applications that reject "Man-in-the-Middle" inspection (like banking apps or developer tools), keeping them functional.
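Because a mistake in a PAC file silently sends traffic around the inspection gateway, it is worth unit-testing the rules before deployment. The harness below is an added example, not part of the original post: it re-implements the PAC helper functions (isPlainHostName, isInNet, shExpMatch) in plain Node.js, stubs dnsResolve with a constructed lookup table, and checks that internal hosts and the named bypasses go DIRECT while everything else, including hosts that fail to resolve, falls through to the proxy list. The hostnames and addresses in the table are constructed sample data.

```javascript
// Offline PAC test harness (added example). Real browsers supply these helpers;
// here they are re-implemented so FindProxyForURL can run under plain Node.js.
const DNS_TABLE = { // constructed sample answers, not real DNS
  "intranet.corp.example": "10.20.30.40",
  "printer.corp.example": "192.168.5.9",
  "www.example.org": "93.184.216.34",
};
function dnsResolve(host) { return DNS_TABLE[host] || null; } // null = unresolved
function isPlainHostName(host) { return !host.includes("."); }
function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!ip) return false; // an unresolved host never matches a subnet
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function shExpMatch(str, pattern) { // shell-style glob: * and ? wildcards
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The routing logic from the post, restructured so the host is resolved once.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  const ip = dnsResolve(host);
  if (isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.zoom.us") || shExpMatch(host, "*.microsoft.com")) {
    return "DIRECT";
  }
  return "PROXY secure-gateway.company.com:8080; PROXY backup-gateway.company.com:8080";
}

// Split the return string into the ordered failover list the browser walks.
function parseProxyList(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean);
}
```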

For more information on the topic, check out these resources:

  • Proxy Auto-Configuration (PAC) file - HTTP | MDN: A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server.
  • What is a PAC file?: A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web…