Chrome Enterprise Network Settings: Configuring Proxy PAC Files

Proxy Auto-Configuration (PAC) files remain one of the most flexible ways to route browser traffic through proxies in enterprise environments. Chrome Enterprise provides robust support for PAC file deployment through group policies, making it possible to control network routing at scale. This guide covers practical implementation for developers and power users managing Chrome deployments.

Understanding Proxy PAC Files

A PAC file is a JavaScript function that determines whether browser requests should be routed directly to the destination or through a proxy. The browser evaluates the function for each request, returning either a direct connection or a proxy address.

function FindProxyForURL(url, host) {
  // Direct connection to local addresses
  if (isPlainHostName(host) || 
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  
  // All other traffic goes through the proxy
  return "PROXY proxy.example.com:8080";
}

Chrome supports the standard PAC functions defined in the Navigator Preemption specification, including isPlainHostName, isInNet, shExpMatch, and dnsResolve. Understanding these functions enables sophisticated routing rules based on domain, IP ranges, or URL patterns.

Deploying PAC Files via Chrome Enterprise Policy

Chrome Enterprise uses the ProxySettings policy to configure proxy settings across managed devices. The policy supports several modes, with PAC file mode being the most flexible.

Group Policy Configuration (Windows)

For Windows environments using Group Policy, configure the following policy path:

Computer Configuration > Administrative Templates > Google Chrome > Proxy Settings

Set the policy to “Manual proxy configuration” and specify your PAC file URL. The recommended approach uses a centralized PAC file hosted on your internal network:

{
  "ProxyMode": "pac_script",
  "ProxyPacUrl": "https://proxy.example.com/config.pac",
  "ProxyBypassList": "localhost;127.0.0.1;*.internal"
}

Chrome Policy JSON (Cross-Platform)

For Chrome Browser Cloud Management or JSON-based deployment, use the following configuration:

{
  "ProxySettings": {
    "ProxyMode": "pac_script",
    "ProxyPacUrl": "https://proxy.example.com/config.pac"
  }
}

This configuration deploys through the Chrome Policy Service and applies to all platforms Chrome runs on, including Windows, macOS, and Linux.

Practical PAC Configuration Patterns

Split Tunneling by Domain

Many organizations need internal traffic to bypass the proxy while external traffic routes through it:

function FindProxyForURL(url, host) {
  // Internal domains - direct connection
  if (shExpMatch(host, "*.company.local") ||
      shExpMatch(host, "*.internal")) {
    return "DIRECT";
  }
  
  // Development environments - direct for faster builds
  if (shExpMatch(host, "*.dev") ||
      shExpMatch(host, "localhost")) {
    return "DIRECT";
  }
  
  // External traffic through proxy
  return "PROXY corporate.proxy.com:8080";
}

Failover Configuration

PAC files support defining multiple proxy servers with automatic failover:

function FindProxyForURL(url, host) {
  // Primary proxy, fallback to secondary, then direct
  return "PROXY primary.proxy.com:8080; PROXY secondary.proxy.com:8080; DIRECT";
}

Chrome evaluates proxies in order, moving to the next option if the primary fails. This pattern provides redundancy without manual intervention.

Conditional Routing Based on Network Location

You can detect the network and adjust routing accordingly:

function FindProxyForURL(url, host) {
  // Detect if we're on the corporate network
  var corporateNetwork = isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0");
  
  if (corporateNetwork) {
    // Use corporate proxy when in office
    return "PROXY corp-proxy.company.com:8080";
  } else {
    // Use direct connection when remote (VPN handles corporate traffic)
    return "DIRECT";
  }
}

Troubleshooting PAC File Issues

When PAC files do not behave as expected, Chrome provides diagnostic tools. Navigate to chrome://net-internals/#proxy to view current PAC script status, last evaluation result, and any errors.

Common Issues and Solutions

PAC file not loading: Verify the URL is accessible from client machines. Use HTTPS for PAC URLs to prevent mixed content issues in Chrome. Check that the server returns the correct MIME type (application/x-ns-proxy-autoconfig).

Script syntax errors: PAC files are JavaScript. A single syntax error breaks the entire script. Test your PAC file in Chrome’s proxy settings page before deploying. The browser console (F12) may display syntax error details.

Performance problems: Complex PAC scripts with DNS lookups for every request slow down browsing. Use dnsResolve() sparingly, and consider caching results or pre-resolving frequently accessed domains.

Testing PAC Files Locally

Before deploying, test your PAC file manually in Chrome:

1. Navigate to Settings > System > Open your computer’s proxy settings
2. Under Automatic Proxy Setup, enter your PAC file URL
3. Chrome evaluates the script for each request

For development, serve your PAC file locally:

# Simple PAC file server with Python
python3 -m http.server 8080 --directory .

Access at http://localhost:8080/config.pac during testing.

Automating PAC Deployment

For organizations with multiple offices or frequently changing network configurations, automate PAC file deployment. Store your PAC file in version control and deploy through your existing infrastructure.

A simple deployment script using scp:

#!/bin/bash
PAC_FILE="config.pac"
SERVER="proxy-server.example.com"
TARGET_DIR="/var/www/html/"

scp "$PAC_FILE" "deploy@${SERVER}:${TARGET_DIR}"
ssh deploy@${SERVER} "cd ${TARGET_DIR} && touch ${PAC_FILE}"

Combine with your configuration management tool (Ansible, Chef, Puppet) to ensure consistency across all proxy servers.

Security Considerations

PAC files execute in the context of every browser request, making them a sensitive component of your network infrastructure. Follow these security practices:

• Host PAC files on internal, trusted servers
• Use HTTPS to prevent tampering in transit
• Restrict access to PAC file servers
• Monitor for unauthorized changes to PAC configurations

Chrome Enterprise supports validating PAC file signatures when distributed through managed policies, providing additional protection against tampering.

Conclusion

Proxy PAC files offer enterprise-grade traffic routing with the flexibility to handle complex network topologies. Chrome Enterprise’s policy-based deployment makes centralized management straightforward across Windows, macOS, and Linux clients. By understanding PAC script functions and deployment methods, developers and IT administrators can implement robust proxy configurations that scale.

Related Reading

• Claude Code for Beginners: Complete Getting Started Guide
• Best Claude Skills for Developers in 2026
• Claude Skills Guides Hub

Built by theluckystrike — More at zovo.one