Is it possible to use Proxy by Patterns and PAC at the same time?

[user753]

I use Firefox and FoxyProxy 8.9
I have a pac proxy and another proxy for x.com
If I select my pac proxy - sites for this proxy works buy proxy for x.com doesn't work
If I select Proxy by Patterns - proxy for x.com works buy pac proxy doesn't work
What can I do?

[erosman]

Proxy Auto-Configuration (PAC) file is meant to handle all patterns within itself. If you can edit the PAC, then you can add the patterns yourself.

The way browsers handles proxying is that you can either choose a PAC or an individual proxy, as seen on:
Firefox menu -> Settings -> Network Settings

[user753]

I cannot edit pac file.
I think it would be useful if pac proxy can be included and excluded the same way as common proxy. So I could exclude it from x.com and use it with Proxy by Patterns

[d-g]

What can I do?

If you are looking for some practical solution, then it would be good to know the practical problem.

But maybe proxying requests in every direction when browsing x.com (rather than proxying all requests to x.com whatever the current location is) would suffice? Containers allow that.

[user753]

If you are looking for some practical solution, then it would be good to know the practical problem.

I have a pac file and I cannot modify it. It sets proxies to a.com, b.com and c.com
Also I want to access x.com with another proxy foo
Right now to visit a.com or x.com I need to switch between pac proxy and foo proxy manually

[erosman]

If the target patterns are not many, you can manually set it up.

PAC
a.com, b.com and c.com to go through proxy1.com

• Set up a new proxy as proxy1.com and add a.com, b.com and c.com to it
• Set up a new proxy as proxy2.com and add x.com to it
• Set "Proxy by Patterns"

[user753]

I need to use pac file because it keeps changing. So I cannot replace it with manual setup

[d-g]

it would be good to know the practical problem.

I have a pac file... It sets proxies to a.com, b.com and c.com. Also I want to access x.com with another proxy foo

I am afraid, that adds nothing to what was said in the OP.

Right now to visit a.com or x.com I need to switch between pac proxy and foo proxy manually

You've got what was said about so called containers, I hope.

I have a pac file and I cannot modify it.

Why, by the way? Monkey-patching a PAC should be as easy as:

#!/bin/bash

pac_uri="http://_gateway/.pac"
pac_dest="$HOME/.pac"

cat > "$pac_dest" \
    <(curl "$pac_uri" \
          | sed 's/FindProxyForURL/FindProxyForURL_upstream/g') \
    - <<EOF

function FindProxyForURL(url, host)
{
	if (host === "x.com" || host.endsWith(".x.com"))
		return "SOCKS5 a-proxy-for-x.com:1080";
	else
		return FindProxyForURL_upstream(url, host);
}
EOF

(not tested of course)

[d-g]

FWIW, here is a slighly saner version:

#!/bin/bash
set -o errexit -o pipefail

pac_uri="http://_gateway/.pac"
pac_dest="$HOME/.pac"

pac_upstream=$(curl "$pac_uri")

cat > "$pac_dest" <<EOF
function _upstream(url, host)
{
EOF

printf >> "$pac_dest" '%s\n' "$pac_upstream"

cat >> "$pac_dest" <<EOF
	return FindProxyForURL(url, host);
}

function FindProxyForURL(url, host)
{
	if (host === "x.com" || host.endsWith(".x.com"))
		return "SOCKS5 a-proxy-for-x.com:1080";
	else
		return _upstream(url, host);
}
EOF

But may I now ask a bit offtopic question?

You said, you had a PAC file, yet had been already using FoxyProxy.

Till today I was under an impression, that FoxyProxy does not support loading PACs from local files; or rather Mozilla (unlike Google) forbids webexts to use file: scheme.

Neither I can find any documentation, that would promise such a support and explain how exactly to enjoy it (besides some heavily outdated https://getfoxyproxy.org/developers/jsapi/proxy-config-object/).

So the naive experiment fails:

TypeError: NetworkError when attempting to fetch resource.

with a pretty expectable error on console:

Security Error: Content at moz-extension://1a276657-72db-4f8b-9012-9bf3fa9e4cbd/content/options.html may not load or link to file:///home/d-g/sw/browser/pac/simple.pac.

But now I've found:
#49

I am confused...

[erosman]

But may I now ask a bit offtopic question?

You said, you had a PAC file, yet had been already using FoxyProxy.

Firefox allows loading PAC from file:///

• Go to: Settings -> Network Settings -> Automatic proxy configuration URL
• Enter a local PAC
• Check Multi process Browser Console (Ctrl+shift+J)
• You will see PAC file installed from file:///home/..../2022-09-09.pac

Extensions are not permitted to access local files in Firefox.
FoxyProxy does not load or implement PAC directly but sets the Firefox's Network settings (as in above) which can load local files.
That is also the reason FoxyProxy no longer controls the proxying once a PAC is set, as the control is passed to Firefox.

[aelfwine88]

I encountered a similar problem:

A large and dynamic pac is provided by our network team yet I need to have a few exceptions redirected to another dedicated proxy. These exceptions are mostly development systems and they will be not included in the live pac file.

Downloading+patching then importing the pac every few hours could work... however would be much simpler having a proxy manager that respects the higher priority of the exception rules then applies the pac if there were no other exception hit.

[user753]

FWIW, here is a slighly saner version:

Why do I ever need this extension if I could just write my own scripts?

[d-g]

Why do I ever need this extension if I could just write my own [PAC] scripts?

Yeah, you got my point right: you absolutely don't. ;)

[d-g]

Firefox allows loading PAC from file:///

Yes, sorry for being unclear, that I'm very familiar with that.

FoxyProxy does not load or implement PAC directly but sets the Firefox's Network settings (as in above)

Ah!

But I'm afraid in my case it does not!

If I understand you right, I should investigate it a bit further and report it as a bug, despite it being a (yet) undocumented feature.

[d-g]

however would be much simpler having a proxy manager that respects the higher priority of the exception rules then applies the pac if there were no other exception hit.

Ehm...

Is not that exactly what happens, when you configure a F***fox-based browser to use a PAC, and then configure patterns with FoxyProxy (or any other onRequest-based solution)?

With a reservation for a surprising behaviour (one, who thinks of proxy as of something closely related to privacy, would say, a vulnerability [1]), that Mozilla turns a blind eye to [2], that browser-wide proxy serves as a fallback one.

But as long as your case is not about privacy, but about connectivity, it should not be much of an issue.

Or do you talk about Chromium-based one?

[1] mozilla/multi-account-containers#2265
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1750561

[d-g]

however would be much simpler having a proxy manager that respects the higher priority of the exception rules then applies the pac if there were no other exception hit.

Is not that exactly what happens, when you configure a F***fox-based browser to use a PAC, and then configure patterns with FoxyProxy (or any other onRequest-based solution)?

Yes. Here is an example of a such config:

prefs.js:

user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "file:///home/d-g/sw/browser/firefox/proxy/foxyproxy/patterns+pac/.pac");

.pac:

// -*-javascript-*-

const tor = "SOCKS5 _gateway:9050";
const pxy = "SOCKS5 _gateway:1080";

const domains = {
	"onion" : tor,
	"example.org" : pxy,
};

function FindProxyForURL(_url, host)
{
	let proxy;
	if (proxy = domains[host])
		return proxy;
	let cursor;
	while (cursor !== 0 /* indexOf returns -1 instead of false */) {
		cursor = host.indexOf('.', cursor) + 1;
		if (proxy = domains[host.substring(cursor)])
			return proxy;
	}
	return "DIRECT";
}

FoxyProxy:

{
  "mode": "pattern",
  "passthrough": "",
  "data": [
    {
      "active": true,
      "title": "pxy-2",
      "type": "socks5",
      "hostname": "_gateway",
      "port": "2080",
      "pac": "",
      "pacString": "",
      "proxyDNS": true,
      "include": [
        {
          "type": "wildcard",
          "title": "",
          "pattern": "*://example.net",
          "active": true
        },
        {
          "type": "wildcard",
          "title": "",
          "pattern": "*://*.example.net",
          "active": true
        }
      ],
      "exclude": []
    }
  ]
}

[d-g]

FoxyProxy does not load or implement PAC directly but sets the Firefox's Network settings

But I'm afraid in my case it does not!

If I understand you right, I should investigate it a bit further and report it as a bug, despite it being a (yet) undocumented feature.

Okay, it had nothing to do with file: scheme; rather I tried it on a clean profile, where forgot to allow incognito-mode access, which made FoxyProxy simply ignore the user command, yet report the success.

This makes it even more of a bug, however!

[d-g]

By the way, @user753,

Why do I ever need this extension if I could just write my own scripts?

note, how writing a ruleset for ‘this extension’ actually turned out more cumbersome, than expressing the same idea with a homebrewed script:

just

example.org

vs

*://example.net
*://*.example.net

Which is hardly surprising by itself: given two tools: of a limited expressive power and of less limited, you can imagine infinite number of scenarios, when the latter enables you to write cleaner code.

What did surprise me, is that was the most (I believe) common scenario: when you need to match a domain and all its subdomains.

[aelfwine88]

however would be much simpler having a proxy manager that respects the higher priority of the exception rules then applies the pac if there were no other exception hit.

Is not that exactly what happens, when you configure a F***fox-based browser to use a PAC, and then configure patterns with FoxyProxy (or any other onRequest-based solution)?

Yes. Here is an example of a such config:

I tried to interpret what you just suggested and implement it:

1. Set pac proxy config on the browser settings level in Firefox
2. Configure exception rule in FoxyProxy
3. Test

Result:
Working as expected -> exceptions getting redirected, rest hits the browser level pac config.

Most likely my original problem was that I configured both the exceptions AND the "default" (the pac) on FoxyProxy level while leaving the browser level config on the "No Proxy" setting. I was expected FoxyProxy to sort out which traffic should go to which proxy config... and however this configuration now works, it is not too intuitive or logical... at least for me.

I would suggest an enhancement in some way so the user doesn't have to configure proxy settings on 2 different places: in the manager AND in the browser as well.

Anyways, thanks for the "workaround" suggestion!

[d-g]

Most likely my original problem was that I configured both the exceptions AND the "default" (the pac) on FoxyProxy level while leaving the browser level config on the "No Proxy" setting

Iʼm afraid the original underlying problem is that (as @erosman explained above) there is really no such thing as PAC support at FoxyProxy level (yet?).

Instead, when you command it to use PAC, it just sets network.proxy.type and network.proxy.autoconfig_url (or, in default installation, it actually does not, cf. #160); but presents it in UI as something equipotent with the rest of options.

I suppose, this mess is a result of UI unification with FP for Chromium-based browsers.

and however this configuration now works, it is not too intuitive ... at least for me

I have a bold guess, that you were not alone on this thread. ;)

Anyways, thanks for the "workaround" suggestion!

You are welcome. But it is hardly a workaround... it is a pretty straightforward setup for your task.