I'm hosting a proxy.pac file on my Windows Server through IIS, and clients use this file to set their system proxy settings. My goal is to prevent users from manually entering the PAC file URL and downloading or viewing its contents, while still ensuring the file can be accessed automatically by the OS or browser. Is there a way to configure IIS to allow this automatic retrieval but block direct browser access?
4 Answers
Using WPAD can help your system locate the PAC file without exposing its URL directly. However, if you're embedding sensitive logic in the PAC file, you're fighting a losing battle; knowledgeable users can easily discover it. Simplifying the PAC and letting the proxy manage filtering is a better approach.
To stop casual users from accessing your PAC file, configure your server to block requests that include the header 'Sec-Fetch-Mode: navigate', which is sent by browsers but not by automatic PAC file fetching. This ideally prevents manual downloads while allowing automatic usage.
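The header check this answer describes, written as an IIS `web.config` rule. This is an added example, not part of the original answer. It assumes the IIS URL Rewrite module is installed and that the file is served as `proxy.pac` from the root of the site holding this `web.config`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Assumption: proxy.pac sits at the site root; adjust the match
             pattern if it is served from a subfolder. -->
        <rule name="Block navigated PAC requests" stopProcessing="true">
          <match url="^proxy\.pac$" />
          <conditions>
            <!-- URL Rewrite exposes request headers as HTTP_<NAME> with
                 dashes replaced by underscores, so this reads Sec-Fetch-Mode. -->
            <add input="{HTTP_SEC_FETCH_MODE}" pattern="^navigate$" />
          </conditions>
          <!-- Requests without the header, or with any other value,
               fall through and are served normally. -->
          <action type="CustomResponse"
                  statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Direct navigation to the PAC file is not allowed" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule keys on a client-supplied header that older browsers and non-browser clients do not send, so it deters casual viewing only and is not an access control.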
If you're worried about users discovering the PAC file URL, remember that those who know their way around browsers will still find it. Also, consider that common tools can identify proxy usage. You could obfuscate the URL via DHCP, but it's best to focus on the actual issue you're trying to solve.
Making the PAC file totally unreadable is tough since it needs to be accessible to the browser for proper functioning. Trying to hide sensitive info in the PAC file might backfire, so it’s better to ensure the proxy itself handles security rather than relying on obscuring the PAC.
