McAfee Employee
Message 1 of 3

How can I Simplify PAC file Exception Additions?


When using smart phones with WGCS explicit proxy, on port 8084, controlled by a mobile device management solution (MDM), a PAC file is required to create bypass exceptions. PAC files, while very flexible, can be cumbersome to manage and the process is error prone. Is there an easy way to semi-automate this process so a novice user can simply add hosts, domains, or URLs to a simple text list and update the PAC file?

1 Solution

Accepted Solutions
McAfee Employee
Message 2 of 3

Re: How can I Simplify PAC file Host Exception Additions?


Updated 11/2/2019

The attached python code will take an existing PAC file and add exceptions from a list. The idea is that once the base PAC file is created, almost anyone could be given simple instructions on how to add host or domain or URL exceptions to the PAC file. A master list could be kept and used with the replace option, or one or a handful of new sites or domains or URLs could easily be added to an existing PAC file with exceptions to supplement those previously added by the same process. The newer versions will add comments and date to the added exceptions.

The zip now contains an improved combined host exceptions script and domain exceptions and url exceptions script. Operation is essentially the same and can work on a base, or modified PAC file. At first I had two separate scripts, but now there is just one that can handle domain exception lists and host exceptions lists and URL exceptions lists. The new script also incorporates John's suggestion for getpass from below and adds a section name option, so you can have multiple sections in your PAC file that you can manage individually with the script.

11/6/2019 Using https://app.thorsen.pm/proxyforurl I identified significant issues with shExpMatch function (implied wildcards at beginning and end of string) that resulted in the recent significant changes in operation.

11/18/2019 Modern browser operation does not match the testing from the link above. Modern browsers do not imply wildcards, so I reinstated the host expression code. The option for using a host expression list is either ehost or ehostRep.

As always, comments, suggestions, improvements welcome.

Here are the comments from within the current python code itself:

#!/usr/bin/python
# PACInsertExcept.py
#
#Written by Jeff Ebeling 10/23/2019
#Updated 10/31/2019 Combined domain and host and added section name option
#Updated 11/3/2019 added url and fixed domain code
#Testing with https://app.thorsen.pm/proxyforurl indicated some issues with the host section (can't be corrected easily with the way shExpMatch works)
#According to the site above shExpMatch has implied wildcards at the beginning and end of the string.
# *.cisco.com will not match cisco.com but will match cisco.com.evil.com ;-( which is not desirable. I recommend using domain or URL instead
# Because of this I changed operation of host option to use host == and now it only matches on exact do not use wildcards in a host list!
#
#Updated 11/18/2019 restored host expression, because modern browsers I tested with do not imply wildcards when evaluating shExpMatch
#
#This small python script with limited error checking is designed to simply add a set of exception hosts, host expressions, url expressions or domain exceptions
# with comments into a PAC file.
#
#The first argument is the filename or full pathname of the PAC file to use as the source.
#At a minimum you must add two comment lines in the source pac file where you want the exceptions to be inserted:
# // BEGIN Exceptions from PACInsertExcept.py
# // END Exceptions from PACInsertExcept.py
#The second argument is the filename or full pathname for the output.
#The program will work from a list of host names, one per line with optional quote enclosed comments, in a file or filepath designated by the third argument.
# www.microsoft.com
# microsoft.com
# www.example.com "optional comment"
#Or it can work from a list of host shell expression exceptions, one per line with optional quote enclosed comments, in a file or filepath designated by the third argument
# *.microsoft.com
# microsoft.com
# mcafee.com "optional comment"
#Or it can work from a list of domain exceptions, one per line with optional quote enclosed comments, in a file or filepath designated by the third argument
# microsoft.com
# mcafee.com "optional comment"
#Or it can work from a list of url glob shell expressions, one per line with optional quote enclosed comments, in a file or filepath designated by the third argument
# */somedir/* "begin and end wildcards not needed equivalent is /somedir/ "
# https://www.mcafee.com/* "end wildcard not needed does not match https://www.mcafee.com or http://mcafee.com"
# ://*.microsoft.com/ "note this will not match https://www.microsoft.com also won't match https://microsoft.com/*"
# microsoft.com "do not use for url list! matches far too broad even matches http://evil.com/foo/microsoft.com/malicious.exe"
#The fourth argument is the return proxy string to be sent if any of the exception expressions match the hostname.
# "PROXY proxy.local:9090; DIRECT"
#The default action is to ADD a full set of exceptions with the designated return string immediately after the BEGIN comment.
#Desired actions are specified by the optional 5th argument.
# host - if you want to prepend what is between \\BEGIN and \\END using a host list (default)
# hostRep - if you want to replace what is between \\BEGIN and \\END using a host list
# ehost - if you want to prepend what is between \\BEGIN and \\END using a host expression list (default)
# ehostRep - if you want to replace what is between \\BEGIN and \\END using a host expression list
# dom - if you want to prepend what is between \\BEGIN and \\END using a domain list
# domRep - if you want to replace what is between \\BEGIN and \\END using a domain list
# url - if you want to prepend what is between \\BEGIN and \\END using a url expression list (default)
# urlRep - if you want to replace what is between \\BEGIN and \\END using a url expression list
#If you specify a 5th parameter you can also optionally specify a 6th parameter and use a different string to identify the section to work on
#
#Example usage:
# python PACInsertExceptv3.py orig.pac new.pac hostList.txt "PROXY proxy.local:9090; DIRECT" hostRep
# python PACInsertExceptv3.py orig.pac new.pac domList.txt "PROXY proxy.local:8080; DIRECT" dom "Section 1"
# python PACInsertExceptv3.py orig.pac new.pac urlList.txt "PROXY proxy.local:8080; DIRECT" urlRep "Section 1"
#The second and third examples will look for "BEGIN Section 1" and "END Section 1" instead of "BEGIN Exceptions from PACInsertExcept.py" and "END Exceptions from PACInsertExcept.py"
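
The two shExpMatch behaviours discussed in this answer, modelled side by side, with a small audit that probes list entries using constructed hostile names. This is an added example, not part of the original post or the attached script; the function names, the `.example` probe strings and the "pattern may match anywhere" model of implied wildcards are assumptions.

```python
import re

def glob_to_regex(pattern):
    """Translate a PAC shell expression (only * and ? are special) to a regex."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)

def sh_exp_match(text, pattern, implied_wildcards=False):
    """Model of shExpMatch(). implied_wildcards=True is an assumed model of the
    online tester's behaviour: the pattern may match anywhere in the string."""
    regex = re.compile(glob_to_regex(pattern), re.DOTALL)
    if implied_wildcards:
        return regex.search(text) is not None
    return regex.fullmatch(text) is not None

def domain_match(host, domain):
    """Label-boundary match: the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def audit_entry(pattern, kind):
    """Probe one list entry (kind: 'ehost' or 'url') with constructed hostile
    strings; return (engines affected, probe) for every unwanted match."""
    literal = pattern.replace("*", "").strip(".")
    if kind == "ehost":
        probes = ["www." + literal + ".evil.example", "evil" + literal]
    else:
        probes = ["http://evil.example/foo/" + literal.lstrip(":/") + "/x.exe"]
    findings = []
    for probe in probes:
        if sh_exp_match(probe, pattern):
            findings.append(("all engines", probe))
        elif sh_exp_match(probe, pattern, implied_wildcards=True):
            findings.append(("implied-wildcard engines only", probe))
    return findings

if __name__ == "__main__":
    # Constructed sample entries in the list format the post describes.
    for kind, pattern in [("ehost", "*.cisco.com"), ("ehost", "*cisco.com"),
                          ("url", "microsoft.com")]:
        print(kind, pattern, audit_entry(pattern, kind))
    print(domain_match("www.cisco.com.evil.example", "cisco.com"))
```

An entry that reports "all engines" bypasses the proxy for a lookalike name in every browser; a domain-list entry checked with a label-boundary match avoids both classes of finding.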


2 Replies

Reliable Contributor
Message 3 of 3

Re: How can I Simplify PAC file Host Exception Additions?


If you want to increase some logging, you can use the getpass module to get the username. Below are the code changes:

import getpass 

outputPACData.write('// ' + getpass.getuser() + ' ran PACInsertExcept2.py at ' + now.strftime("%d/%m/%Y %H:%M:%S") + ' using input list: ' + inputHostList + '\n')
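
A sketch of the marker-based section update described in the accepted answer, combined with the username stamp suggested in this reply, and with each list entry validated before it is written into the PAC file. This is an added example, not the attached PACInsertExcept.py; the function names, the `who` parameter and the generated JavaScript conditions are assumptions.

```python
import datetime, getpass, re

HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
                     r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)
ENTRY_RE = re.compile(r'^(\S+)(?:\s+"([^"]*)")?\s*$')   # name "optional comment"
PROXY_RE = re.compile(r"^[A-Za-z0-9 .:;\[\]-]+$")       # PROXY proxy.local:9090; DIRECT

def parse_list(text):
    """Parse list lines; reject any name that is not a plain hostname."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.strip())
        if not m or not HOST_RE.match(m.group(1)):
            raise ValueError("line %d is not a valid host entry: %r" % (n, line))
        entries.append((m.group(1).lower(), m.group(2) or ""))
    return entries

def render(entries, proxy, mode):
    """Build one PAC 'if' line per entry; mode is 'host' or 'dom'."""
    if not PROXY_RE.match(proxy):
        raise ValueError("unexpected characters in proxy string")
    out = []
    for name, comment in entries:
        cond = ('host == "%s"' % name if mode == "host" else
                'host == "%s" || dnsDomainIs(host, ".%s")' % (name, name))
        note = "  // " + comment if comment else ""  # no quotes or newlines here
        out.append('    if (%s) return "%s";%s' % (cond, proxy, note))
    return out

def update_section(pac, entries, proxy, mode="host", replace=False,
                   section="Exceptions from PACInsertExcept.py", who=None):
    """Prepend to (or replace) the lines between the BEGIN and END markers."""
    lines = pac.splitlines()
    begin = [i for i, l in enumerate(lines) if l.strip() == "// BEGIN " + section]
    end = [i for i, l in enumerate(lines) if l.strip() == "// END " + section]
    if len(begin) != 1 or len(end) != 1 or begin[0] > end[0]:
        raise ValueError("need exactly one BEGIN/END marker pair for " + section)
    stamp = "    // %s updated this section %s" % (
        who or getpass.getuser(), datetime.date.today().isoformat())
    kept = [] if replace else lines[begin[0] + 1:end[0]]
    new = (lines[:begin[0] + 1] + [stamp] + render(entries, proxy, mode)
           + kept + lines[end[0]:])
    return "\n".join(new) + "\n"
```

Rejecting entries that are not plain hostnames keeps a stray quote or semicolon in a novice-edited list from changing the logic of the generated PAC file.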
