A proxy server can be described by its address, along with the proxy scheme that should be used to communicate with it. This can be written as a string using either the “PAC format” or the “URI format”. The PAC format is how one names a proxy server in Proxy auto-config scripts. The “URI format” instead encodes the information as a URL. The port number is optional in both formats. When omitted, a per-scheme default is used. See the Proxy server schemes section for details on what schemes Chrome supports, and how to write them in the PAC and URI formats.

Most UI surfaces in Chrome (including command lines and policy) expect URI formatted proxy server identifiers. However outside of Chrome, proxy servers are generally identified less precisely by just an address - the proxy scheme is assumed based on context. In Windows' proxy settings there are host and port fields for the “HTTP”, “Secure”, “FTP”, and “SOCKS” proxy. With the exception of “SOCKS”, those are all identifiers for insecure HTTP proxy servers (proxy scheme is assumed as HTTP).

Proxying in Chrome is done at the URL level. When the browser is asked to fetch a URL, it needs to decide which IP endpoint to send the request to. This can be either a proxy server, or the target host. The input to proxy resolution is a URL, and the output is an ordered list of proxy server identifiers. What proxies to use can be described using either:

- Manual proxy settings - proxy resolution is defined using a declarative set of rules. These rules are expressed as a mapping from URL scheme to proxy server identifier(s), and a list of proxy bypass rules for when to go DIRECT instead of using the mapped proxy.
- PAC script - proxy resolution is defined using a JavaScript program, that is invoked whenever fetching a URL to get the list of proxy server identifiers to use.
- Auto-detect - the WPAD protocol is used to probe the network (using DHCP/DNS) and possibly discover the URL of a PAC script.

When using an explicit proxy in the browser, multiple layers of the network request are impacted, depending on the scheme that is used. Some implications of the proxy scheme are:

- Is communication to the proxy done over a secure channel?
- Is name resolution (ex: DNS) done client side, or proxy side?
- What authentication schemes to the proxy server are supported?
- What network traffic can be sent through the proxy?

Chrome supports these proxy server schemes:

- Default port: N/A (neither host nor port are applicable)

This is a pseudo proxy scheme that indicates instead of using a proxy we are sending the request directly to the target server. It is imprecise to call this a “proxy server”, but it is a convenient abstraction.

- Example identifier (PAC): PROXY proxy:8080, proxy (non-standard; don't use)
- Example identifiers (URI): proxy:8080 (can omit scheme)

Generally when one refers to a “proxy server” or “web proxy”, they are talking about an HTTP proxy. When using an HTTP proxy in Chrome, name resolution is always deferred to the proxy. HTTP proxies can proxy ws:// and wss:// URLs.

Communication to HTTP proxy servers is insecure, meaning proxied requests are sent in the clear. When proxying requests through an HTTP proxy, the TLS exchange is forwarded through the proxy using the CONNECT method, so end-to-end encryption is not broken. However when establishing the tunnel, the hostname of the target URL is sent to the proxy server in the clear.
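
The following is an added example, not code from the original page or from the Chromium project. It shows a minimal PAC script that returns an ordered list of proxy server identifiers, and a parser that turns the PAC-format result into structured entries annotated with the HTTP proxy properties described here. The host names and the default port of 80 are assumptions.

```javascript
// Added example; the host names "proxy" and "intranet.example" are constructed.

// PAC entry point: invoked for each URL fetch. Returns an ordered,
// semicolon-separated list of proxy server identifiers in PAC format.
function FindProxyForURL(url, host) {
  // Internal hosts skip the proxy.
  if (host === "localhost" || host.endsWith(".intranet.example")) {
    return "DIRECT";
  }
  // Everything else: HTTP proxy first, then fall back to DIRECT.
  return "PROXY proxy:8080; DIRECT";
}

// Assumption (not stated on this page): 80 is the HTTP proxy default port.
const HTTP_PROXY_DEFAULT_PORT = 80;

// Parse a PAC result into structured identifiers, preserving order.
// Handles only DIRECT and PROXY (HTTP); anything else is rejected,
// including the bare-address form the page marks as non-standard.
function parsePacResult(result) {
  const entries = result.split(";").map((s) => s.trim()).filter(Boolean);
  return entries.map((entry) => {
    const [keyword, address, ...extra] = entry.split(/\s+/);
    if (keyword === "DIRECT" && address === undefined) {
      // Pseudo scheme: no host or port, request goes to the target itself.
      return { scheme: "direct", host: null, port: null,
               channelToProxy: null, nameResolution: "client" };
    }
    const m = /^(\[[^\]]+\]|[^:\s]+)(?::(\d{1,5}))?$/.exec(address || "");
    if (keyword !== "PROXY" || !m || extra.length > 0) {
      throw new Error("Unsupported PAC entry: " + entry);
    }
    const port = m[2] === undefined ? HTTP_PROXY_DEFAULT_PORT : Number(m[2]);
    if (port < 1 || port > 65535) {
      throw new Error("Port out of range: " + entry);
    }
    // HTTP proxy: cleartext channel to the proxy, names resolved proxy-side.
    return { scheme: "http", host: m[1], port,
             channelToProxy: "cleartext", nameResolution: "proxy" };
  });
}

console.log(parsePacResult(FindProxyForURL("https://example.org/", "example.org")));
```

The `channelToProxy` and `nameResolution` fields make it easy to flag, when reviewing a PAC file, which destinations will have their host names visible to an HTTP proxy.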
Proxy credentials in manual proxy settings.