14

I have rather complex proxy setup and one of those proxies requires username/password. Is there a way to configure the username/password so that users don't have to enter them when traffic is redirected to this one proxy? Atleast returning PROXY username:password@server:port or PROXY http://username:password@server:port wont work.

Raynet
  • 511
  • 2
  • 4
  • 11

3 Answers3

12

I had similar problem, so create a tool: https://github.com/sjitech/proxy-login-automator

This tool can create a local proxy and automatically inject user/password to real proxy server. Support PAC script.

osexp2003
  • 355
  • 3
  • 5
8

Proxy auto-configuration files do not support hard-coded usernames and passwords. There's good reasoning behind this too, since providing support for hard-coded credentials would open up significant security holes, as anybody would be able to easily view the required credentials to access the proxy.

Rather configure the proxy as a transparent proxy, that way you won't need a username and password. You mention in one of your comments that the proxy server is located outside your LAN, which is why you require authentication. However, most proxies support rules based on the source IP, in which case it's a simple matter of only allowing requests originating from your corporate network.

The original proxy auto-config specification was originally drafted by Netscape in 1996. The original specification is no longer available directly, but you can still access it using The Wayback Machine's archived copy. The specification hasn't changed much, and is still largely the same as it was originally. You'll see the specification is quite simple, and that there is no provision for hard-coded credentials.

Richard Keller
  • 2,270
  • 2
  • 18
  • 31
  • 1
    The proxy is outside my LAN and my external LAN ip is not static and can change daily, hence I really wouldn't want to create IP based rules. – Raynet May 30 '12 at 22:34
  • Not much you can do then unfortunately, besides possibly setting up the external server as a cache peer to another local proxy which forwards certain requests onto its peer. But purely in the way of PAC, you're out of luck. – Richard Keller May 30 '12 at 22:52
4

I don't think it can be done - the proxy.pac file is a javascript file, as you know, with a rather limited syntax, and as far as I know this does not include any authentication method. A quick scan of the various reference sites for .pac files that I know of show no sign or hint of anything that might work, either.

Even if it did work, it would be horribly insecure as the username and password would be trivial to grab from the file, rendering any protection you hoped to gain from using authentication with your proxy useless.

Rob Moir
  • 31,664
  • 6
  • 58
  • 86
  • 1
    The insecurity is not a problem at all in this case. It is just needed so that the one proxy (which isn't in my LAN) is not open to everybody in the internet. (and the only servers that proxy can access are Youtube servers). – Raynet May 30 '12 at 21:04