LocalProxy-HostViewer and Generator for PAC

[ripdad]

What is PAC?
Automatic Proxy Configuration

It is mostly used as a traffic director or redirector for internet browsers.
Corporations use it for both internet and intranet.

In addition, they can also blacklist websites, or rather deny access to them.
Mostly used to keep employees off social media while they work.

This implementation uses a PAC file written in javascript to whitelist websites and deny everything else.

To learn more about PAC, you can visit this site:
http://findproxyforurl.com/pac-file-introduction/

Javascript Tutorial, in case you need it:
http://www.w3schools.com/js/default.asp

How do you load a PAC file?
In Firefox, the dialog looks like this under Options>Advanced>Network>Settings



Enter the path to the PAC file for whitelist.js -- Firefox will automatically change the local path
C:\temp\whitelist.js to a local URL when you click OK.

Description of the LocalProxy-HostViewer



This viewer displays host names from PAC (Automatic Proxy Configuration), through your browser,
which has been denied permission from it. You can then determine if the host name is friend or foe.

The main reason for the viewer is to find the host name of a content server (CDN), when you whitelist
a website host, so that you can also whitelist their content server.

Description of the PAC-Editor



- Provides a way to edit your whitelisted host names.
- Makes a backup of your whitelist when you press "Make PAC", and then
generates a javascript whitelist PAC.

Description of the javascript PAC file that is generated by the PAC-Editor
- Whitelist websites you approve -- all others will be denied.
- Puts your internet browser on a tight leash. Great for computer security.
- Greatly reduces infection from malware or virus.
- Keeps children on websites you approve.
- Denies third party ads and trackers.
- Speeds up your browser response.

Displays host names from PAC that are denied.
Download: LocalProxy-HostViewer.au3

Edit your whitelist and generate a javascript PAC.
Download: PAC-Editor.au3


 

Edited March 5, 2017 by ripdad

[TheDcoder]

Looks like you are using RegEx to interpret Javascript which is a very bad idea... I would use something like IE to interpret JS . By using RegEx you are limiting your script to be able to work with only PAC scripts with the same pattern as your example

Edited February 4, 2017 by TheDcoder
Totally misunderstood response

[ripdad]

Well, I guess I don't get what you are saying.

I'm pretty sure I didn't use RegEx, except in the autoit viewer script.

Can you copy paste the code you are referring to?

 

Edited February 4, 2017 by ripdad
clarrified

[ripdad]

Updated first post with MakeWhitelistPAC.au3

If anyone has any questions on how to use these scripts, please let me know.

It took me several days to figure out how to do this - it wasn't easy.
Not much information out there to use a PAC for whitelisting.

But, in the end, this is a much simpler solution than a Local Proxy Server.
It's much better to use the browser transport. No upload problems or
version differences. 32bit or 64bit, doesn't matter.

Edited February 4, 2017 by ripdad

[TheDcoder]

Sorry, I was looking at this code:

$sHost = StringRegExpReplace($sHeader, '(?is).*Host:\s(.*?)\r\n.*', '\1')
$sHost = StringRegExpReplace($sHost, '(:.*)', '')

I just realised that it is not parsing the JS .

And sorry again, I will mind my own business from now on.

[ripdad]

Hey, it's okay. No problem.

You had me worried there for a minute.

[ripdad]

Now that I have a few hours sleep, I need to clarify the difference between
using "Automatic Proxy Configuration" and "No Proxy For" methods.

They are about the same in function, but "No Proxy For" can only handle
so many characters on one line. I don't know exactly how many. They
don't state -- I can only guess. Maybe up to 4096 characters?

I was able to list 50 websites with no problem. Which is fine if that's all
you are going to list. You might be able to list up to 200 websites on that
one line. The problem is maintenance of it when it becomes so long.
Too many chances for error.

Mozilla states that it was never intended to be used for anything more than
a dozen or so proxy addresses. And then, they go on to state, you should use
a PAC instead, because it is more suited to handle it.

Originally, a PAC file was limited to 64k in size. As I understand now,
the limit is 1MB in size. Whether ALL browsers support this is another story.
PAC was never standardized, but all major browsers support it.

A PAC is alot more versatile than a hosts file. You can code it any way you want,
without the limits of the hosts file. For instance, you can use IP numbers in a PAC.
You can not do that in the hosts file - it only accepts host names.

Well, in any case, whitelisting is much more efficient than blacklisting, in my
opinion. The PAC can handle both at the same time. It depends on how
you code it. I wouldn't use blacklisting except for a few special cases.

The nice thing about using PAC is it uses the browsers' mechanisms
and transport. No need to rely on third party software, and you can
code it any way you want -- within limits, of course.

You can also use the URL parameter in PAC to filter unwanted content, when
filtering just the host name is not an option.

For instance:
I want access to: www.example.com, but I don't want certain images from it:
www.example.com/images/wp/image.jpg

I can filter that address location with some additional code.

---

I guess most people use the .pac extension for their PAC file. But, you can use any
extension you like. I prefer to use the .js extension because it's easier to view it in a
supported javascript editor.

I could change my editors' supported file extensions to include PAC with JS,
Hmm...

--

In the end, I want the browser to get MY permission to access websites.
Otherwise, it will be like a child alone in a candy store -- running wild.
Always at risk from malware, virus and other crap.

Did I ask for a virus? No! Then why and how did I get it?

Guess I should get a better anti-virus. Not!
What a racket.

Malware would not exist on the web, if the browser was coded properly.
Yes, thats right. They have the ability to do it.
Heck, I could do it -- I would find a way.

They have had over 20 years to do something about it.
So, whats their problem? That is the question.

In the meantime, solutions like PAC will be extremely helpful.
It may be a pain to set it up just right, but well worth the effort.

---

By the way, it's been 10 years or so since I played around with javascript.
Coding the PAC file made me appreciate AutoIt for its simplicity.

Edited February 6, 2017 by ripdad
added a few more thoughts

[ripdad]

Updated MakeWhitelistPAC.au3 and simplified/clarrified first post.

 

[ripdad]

Updated first post - added a stricter version of PAC - MakeWhitelistPACv2.au3

There are 3 ways to list your host names :

1. domain name which starts with a dot, which will be a partial match to the full host name: (Safe)
.example.com

2. full host name, which will be an exact match. (Safe)
www.example.com
or
search.example.com

3. partial host name without dot. (Not Safe)
example.com

The 3rd one is not supported in v2 unless THAT IS the full host name to the URL.
http://example.com

The reason is, if you list example.com, and it's not the full host name, then it could become
subject to a malicious website. For instance:
spoofexample.com

Edited February 7, 2017 by ripdad

[ripdad]

With IE11, the usage of a PAC-file through the file-protocol is no more possible,
unless you add the following registry-key:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
(DWORD)”EnableLegacyAutoProxyFeatures”=1

Link:

https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/


 

Edited February 7, 2017 by ripdad

[ripdad]

One more thing and I think I'm done with this project, unless you have a problem or questions.

At the bottom of the generated whitelist.js file, shows these two lines:
// return 'PROXY 0.0.0.0:8080'; // <-- denied, go to fake proxy
return 'PROXY 127.0.0.1:8080'; // <-- denied, go to LocalProxy-HostViewer and get host names

The first line is commented so that it will be directed to the second for viewing denied host names.
You can switch between the two, simply by commenting one or the other.

You can change the code in MakeWhitelistPACv2.au3
to provide an automatic way for both, with this one liner:

return 'PROXY 127.0.0.1:8080; PROXY 0.0.0.0:8080';
This states that if the first one is not available, then go to the second one.

This will work even if LocalProxy-HostViewer is not running.

But --
There is a little delay (~1000ms) in browser response if the LocalProxy-HostViewer is not running,
because of the time needed to check if the proxy is up or down.

 

Edited March 5, 2017 by ripdad

[ripdad]

Updated first post.

Combined MakeWhitelistPAC with an editor.

 

 

Edited February 17, 2017 by ripdad

[ripdad]

Updated the PAC-Editor in first post.

-Optimized the javascript code for PAC