Lines Matching +full:implicit +full:- +full:fall +full:- +full:through

3 This document establishes basic proxy terminology and describes Chrome-specific
18 auto-config](https://en.wikipedia.org/wiki/Proxy_auto-config) scripts. For
30 The port number is optional in both formats. When omitted, a per-scheme default
33 See the [Proxy server schemes](#Proxy-server-schemes) section for details on
38 are generally identified less precisely by just an address -- the proxy
55 identifiers](#Proxy-server-identifiers).
59 * [Manual proxy settings](#Manual-proxy-settings) - proxy resolution is defined
64 * PAC script - proxy resolution is defined using a JavaScript program, that is
68 * Auto-detect - the WPAD protocol is used to probe the network (using DHCP/DNS)
80 * What network traffic can be sent through the proxy?
84 * [DIRECT](#DIRECT-proxy-scheme)
85 * [HTTP](#HTTP-proxy-scheme)
86 * [HTTPS](#HTTPS-proxy-scheme)
87 * [SOCKSv4](#SOCKSv4-proxy-scheme)
88 * [SOCKSv5](#SOCKSv5-proxy-scheme)
89 * [QUIC](#QUIC-proxy-scheme)
105 * Example identifier (PAC): `PROXY proxy:8080`, `proxy` (non-standard; don't use)
115 requests are sent in the clear. When proxying `https://` requests through an
116 HTTP proxy, the TLS exchange is forwarded through the proxy using the `CONNECT`
117 method, so end-to-end encryption is not broken. However when establishing the
130 This works like an [HTTP proxy](#HTTP-proxy-scheme), except the
135 sent through the proxy are not sent in the clear as with an HTTP proxy.
149 Specifying an HTTPS proxy is generally not possible through system proxy
154 proxies](http://dev.chromium.org/developers/design-documents/secure-web-proxy)
199 A handy way to create a SOCKSv5 proxy is with `ssh -D`, which can be used to
202 In Chrome SOCKSv5 is only used to proxy TCP-based URL requests. It cannot be
213 proxy](#HTTPS-proxy-scheme), in that the connection to the proxy server
218 URLs through a QUIC proxy is [disabled by
230 1. A mapping of URL schemes to [proxy server identifiers](#Proxy-server-identifiers).
231 2. A list of [proxy bypass rules](#Proxy-bypass-rules)
247 also supports idioms from other platforms -- for instance KDE's notion of
252 empty) lists of [proxy server identifiers](#Proxy-server-identifiers).
254 * proxies for HTTP - A list of proxy server identifiers to use for `http://`
255 requests, if non-empty.
256 * proxies for HTTPS - A list of proxy server identifiers to use for
257 `https://` requests, if non-empty.
258 * other proxies - A list of proxy server identifiers to use for everything
265 `--proxy-server=XXX` (and optionally `--proxy-bypass-list=YYY`)
268 Chrome with `--proxy-server="http://foo:8080"`. This translates to:
270 * proxies for HTTP - *empty*
271 * proxies for HTTPS - *empty*
272 * other proxies - `http://foo:8080`
277 `--proxy-server="http://foo:8080,direct://"` (note the comma separated list).
280 * proxies for HTTP - *empty*
281 * proxies for HTTPS - *empty*
282 * other proxies - `http://foo:8080`, `direct://`
284 If instead we wanted to proxy only `http://` URLs through the
287 `--proxy-server="http=https://foo:443;socks=socks5://mysocks:1080"`. This now
290 * proxies for HTTP - `https://foo:443`
291 * proxies for HTTPS - *empty*
292 * other proxies - `socks5://mysocks:1080`
306 [Manual proxy settings](#Manual-proxy-settings) don't have mappings for `ws://`
312 * If "other proxies" is non-empty use it
313 * If "proxies for HTTPS" is non-empty use it
323 Most platforms' [manual proxy settings](#Manual-proxy-settings) allow
328 Proxy authentication will instead go through the ordinary flow to find
334 identifiers](#proxy-server-identifiers), Chrome's [manual proxy
335 settings](#Manual-proxy-settings) lets you specify a list of "proxy bypass
348 `--proxy-bypass-list="RULES"` switch can be used, where `RULES` is a semicolon
369 * `foobar.com` - Matches URL of any scheme and port, whose normalized host is
371 * `*foobar.com` - Matches URL of any scheme and port, whose normalized host
373 * `*.org:443` - Matches URLs of any scheme, using port 443 and whose top level
375 * `https://x.*.y.com:99` - Matches https:// URLs on port 99 whose normalized
389 * `.google.com` - Matches `calendar.google.com` and `foo.bar.google.com`, but
391 * `http://.google.com` - Matches only http:// URLs that are a subdomain of `google.com`.
408 * `[::1]` - Matches any URL to the IPv6 loopback address.
409 * `[0:0::1]` - Same as above
410 * `http://[::1]:99` - Matches any http:// URL to the IPv6 loopback on port 99
422 literals](#Meaning-of-IP-address-range-bypass-rules).
438 literals](#Meaning-of-IP-address-range-bypass-rules).
443 * `[fefe::]/40` -- WRONG! IPv6 literals must not be bracketed.
452 is a naive string search -- meaning that periods appearing *anywhere* count
461 implicitly](#Implicit-bypass-rules).
463 ### Bypass rule: Subtract implicit rules
466 <-loopback>
469 *Subtracts* the [implicit proxy bypass rules](#Implicit-bypass-rules)
478 in a left-to-right order. `<-loopback>;127.0.0.1` has a subtly different effect
479 than `127.0.0.1;<-loopback>`.
493 It will go through the proxy.
506 ## Implicit bypass rules
508 Requests to certain hosts will not be sent through a proxy, and will instead be
511 We call these the _implicit bypass rules_. The implicit bypass rules match URLs
512 whose host portion is either a localhost name or a link-local IP literal.
527 This concept of implicit proxy bypass rules is consistent with the
528 platform-level proxy support on Windows and macOS (albeit with some differences
529 due to their implementation quirks - see compatibility notes in
532 Why apply implicit proxy bypass rules in the first place? Certainly there are
541 * Prior to M71 there were no implicit proxy bypass rules, except if using
542 [`--winhttp-proxy-resolver`](#winhttp_proxy_resolver-command-line-switch).
543 * In M71 Chrome applied implicit proxy bypass rules to PAC scripts
544 * In M72 Chrome generalized the implicit proxy bypass rules to manually
547 ### Overriding the implicit bypass rules
549 If you want traffic to `localhost` to be sent through a proxy despite the
551 `<-loopback>`. This has the effect of _subtracting_ the implicit rules.
556 --proxy-bypass-list="<-loopback>"
559 Note that there currently is no mechanism to disable the implicit proxy bypass
567 identifiers](#Proxy-server-identifiers) to use for a
587 the request through `http://proxy1:80`. If that "fails", the request is
588 next attempted through `https://proxy2:443`. Lastly if that fails, the
589 request is attempted through `socks5://proxy3:1080`.
602 Chrome will first attempt to issue the request through these proxies in the
603 left-to-right order.
605 Let's say that the attempt through `http://proxy1:80` fails, but then the
606 attempt through `https://proxy2:443` succeeds. Chrome will mark
608 means that `http://proxy1:80` is de-prioritized with respect to
645 chrome://net-export/](https://dev.chromium.org/for-testers/providing-network-details).
647 viewer](https://netlog-viewer.appspot.com/).
654 re-ordered proxy list was after taking into account bad proxies.
661 [chrome://net-internals/#proxy](chrome://net-internals/#proxy). Note the UI
723 This API is [inherently ambiguous when used on multi-homed
724 hosts](#myIpAddress_myIpAddressEx_and-multi_homed-hosts), as such hosts can
729 ordered steps and short-circuiting once the first candidate IP is found:
743 Note that when searching for candidate IP addresses, link-local and loopback
744 addresses are skipped over. Link-local or loopback address will only be returned as a
756 extension](https://docs.microsoft.com/en-us/windows/desktop/winhttp/myipaddressex)
760 can return multiple IP addresses. It returns a string containing a semi-colon
769 interfaces](#myIpAddress_myIpAddressEx_and-multi_homed-hosts)
770 * Chrome does not return link-local or loopback addresses (except if no other
789 Note that short-circuiting happens whenever steps 1-3 find a candidate IP. So
791 public Internet, only those IPs will be returned, and steps 2-3 will not run.
793 ## myIpAddress() / myIpAddressEx() and multi-homed hosts
805 and may not address all use-cases.
810 Moreover, note that Chrome does not support the Firefox-specific
812 special side-effect in Chrome. Whereas in Firefox it reconfigures
822 out-of-process as on Desktop Chrome. This architectural difference is
858 * Are never fetched through a proxy
870 a long-lived JavaScript context) will be assumed to be fresh until either:
874 * A user explicitly invalidates PAC through `chrome://net-internals#proxy`
876 Once considered stale, the PAC URL will be re-fetched the next time proxy
892 * Otherwise proxy resolution will silently fall back to `DIRECT`.
897 re-fetch it:
908 Similarly to successful fetches, the PAC URL will be also be re-fetched
910 invalidated via `chrome://net-internals#proxy`.
914 Note that UTF-8 is *not* the default interpretation of PAC response bodies.
918 1. The `charset` property of the HTTP response's `Content-Type`
920 3. Otherwise defaults to ISO-8859-1.
922 When setting the `Content-Type`, servers should prefer using a mime type of
923 `application/x-ns-proxy-autoconfig` or `application/x-javascript-config`.
931 net-export](https://www.chromium.org/for-testers/providing-network-details),
936 3. In a new tab, navigate to `chrome://net-internals/#proxy` and click both
937 buttons ("Re-apply settings" and "Clear bad proxies").
943 Viewer](https://netlog-viewer.appspot.com/). See the next section for some tips
948 Load saved Net Logs using [Net Log Viewer](https://netlog-viewer.appspot.com/).
952 Start by getting a big-picture view of the proxy settings by clicking to the
959 * Command line flags (ex: `--proxy-server`)
960 …* (per-profile) Chrome extensions (ex: [chrome.proxy](https://developer.chrome.com/extensions/prox…
961 * (per-network) System proxy settings
963 * Was [proxy autodetect (WPAD)](#Web-Proxy-Auto_Discovery-WPAD) specified? In
967 * Internally, proxy settings are per-NetworkContext. The proxy
969 one associated with the Profile used to navigate to `chrome://net-export`. For
970 instance if the net-export was initiated from an Incognito window, it may
971 show different proxy settings here than a net-export capture initiated by a
972 non-Incognito window. When the net-export was triggered from command line
973 (`--log-net-log`) no particular NetworkContext is associated with the
980 Skim through the Import tab and look for relevant command line flags and active
981 field trials. A find-in-page for `proxy` is a good starting point. Be on the lookout for
982 [`--winhttp-proxy-resolver`](#winhttp_proxy_resolver-command-line-switch) which
990 requests, and then keep clicking through the dependency links to
1001 of any PAC scripts/auto-detect can change.
1003 ## Web Proxy Auto-Discovery (WPAD)
1008 1. DHCP-based WPAD (option 252)
1009 2. DNS-based WPAD
1011 These are tried in order, however DHCP-based WPAD is only supported for Chrome
1016 ### Chrome on macOS support for DHCP-based WPAD
1018 Chrome on macOS does not support DHCP-based WPAD when configured to use
1021 However, macOS might perform DHCP-based WPAD and embed this discovered PAC URL
1023 to "use system proxy settings" it may behave as if it supports DHCP-based WPAD.
1025 ### Dangers of DNS-based WPAD and DNS search suffix list
1027 DNS-based WPAD involves probing for the non-FQDN `wpad`. This means
1038 funnel the user's traffic through a proxy server of their choice. The
1042 Vulnerability](https://www.us-cert.gov/ncas/alerts/TA16-144A)
1044 ## --winhttp-proxy-resolver command line switch
1046 Passing the `--winhttp-proxy-resolver` command line argument instructs Chrome
1057 similar meaning on other platforms (macOS), despite its Windows-specific naming.