Stop Breaking Proxy Functionality!

codonaft

npub1alptdev5srcw2hxg03567p4k6xs3lgj7f6545suc0rzp0xw98svse7rg94

hex

01f0c655c5cdeb3a97c518ddfd85822de6faa034870776739d98744cf2bc0b62

nevent

nevent1qqsqruxx2hzum6e6jlz33h0askpzmeh65q6gwpmkwwwesazv727qkcsprpmhxue69uhhyetvv9ujuem4d36kwatvw5hx6mm9qgswls4kuk2gpu89tny8c6d0q6mdrggl5f0ya226gwv833qhn8zncxgqt7rkg

naddr

naddr1qq2h24nwwejnwentwap4v7j6dfvr2uzswp48yqgcwaehxw309aex2mrp0yhxwatvw4nh2mr49ekk7egzyrhu9dh9jjq0pe2uep7xntcxkmg6z8azte82jkjrnpuvg9uec57pjqcyqqq823ctmmsum

Kind-30023 (Article)

2026-02-17T17:32:53Z

Internet censorship seems to be everywhere to some degree today.

Switching between VPNs becomes mainstream. As a result, solving excessive amounts of CAPTCHA nonsense because some service detected a "suspicious" IP also became normal. And receiving sudden bans for whatever innocent action made from an unusual IP is not that unusual anymore.

I was looking for a simple way to route some of the traffic to various proxies due to all this, based on hostname. I find it funny how poorly it's implemented, for instance, in Chromium-based browsers.

PAC

There's a thing called Proxy Auto Configuration files. Somebody not very technical, if lucky enough, would do a test like this, based on LLM outputs:

function FindProxyForURL(url, host) {
  return 'HTTP 127.0.0.1:12345';
}

And then pass the file with --proxy-pac-url=file:///path/to/proxy.pac.

What's wrong? It silently uses direct traffic for multiple reasons:

  • HTTP keyword actually means nothing; PROXY should be used instead
    • SOCKS5 and PROXY are valid, but HTTP is not; very "logical"!
  • file:// PAC URIs became outdated at some point
    • and it seems to me the intention was to make people publish their PAC files on http(s) instead, accessible with a direct connection; those who didn't do that simply leaked their real IPs.

This will happen again

Some base64-perversion is currently supported instead of http(s) links to PAC files. I wonder for how long.

I believe that whatever I configured will silently switch to direct traffic on some browser update again. SOCKS5 will be renamed to SOCKS5H or this functionality will be removed entirely while the argument will still be there for compatibility or whatever.

App devs, test this properly!

Please don't make proxy functionality like this crap in your apps. If something is not right, your app is supposed to just stop transmitting data and scream with an explanation of what's wrong.

If you believe it should suddenly and silently send your data directly instead—imagine a journalist visiting/living in an authoritarian country and unwillingly connecting to a nostr relay hosted in some so-called "enemy" country. And then goes to jail, in an extreme case. Or worse. Just because your software has updated to something "clever".

And don't rely too much on your project dependencies when it comes to privacy! If you have a subsystem that supports proxy connections and you don't control it very much, write a test that verifies that not just your app still works with the configured proxy, but the fact that the data is still transmitted from the expected IP.

This might literally save somebody's life today.

原始 JSON

{
  "kind": 30023,
  "id": "01f0c655c5cdeb3a97c518ddfd85822de6faa034870776739d98744cf2bc0b62",
  "pubkey": "efc2b6e59480f0e55cc87c69af06b6d1a11fa25e4ea95a439878c41799c53c19",
  "created_at": 1771349595,
  "tags": [
    [
      "published_at",
      "1771349573"
    ],
    [
      "d",
      "uVnve7fkwCVzZjX5pPpjr"
    ],
    [
      "image",
      "https://codonaft.com/assets/img/cables-mess.webp"
    ],
    [
      "title",
      "Stop Breaking Proxy Functionality!"
    ],
    [
      "summary",
      "I've never trusted proxy functionality in various apps. There's something to learn from how Chromium-based browsers silently screwed it at some point, for example."
    ],
    [
      "zap",
      "efc2b6e59480f0e55cc87c69af06b6d1a11fa25e4ea95a439878c41799c53c19",
      "",
      "100"
    ],
    [
      "t",
      "privacy"
    ],
    [
      "t",
      "proxy"
    ],
    [
      "t",
      "chromium"
    ],
    [
      "L",
      "ISO-639-1"
    ],
    [
      "l",
      "en",
      "ISO-639-1"
    ],
    [
      "nonce",
      "76",
      "7"
    ]
  ],
  "content": "Internet censorship seems to be everywhere to some degree today.\n\nSwitching between VPNs becomes mainstream. As a result, solving excessive amounts of CAPTCHA nonsense because some service detected a \"suspicious\" IP also became normal. And receiving sudden bans for whatever innocent action made from an unusual IP is not that unusual anymore.\n\nI was looking for a simple way to route some of the traffic to various proxies due to all this, based on *hostname*. I find it funny how poorly it's implemented, for instance, in Chromium-based browsers.\n\n# PAC\nThere's a thing called **[Proxy Auto Configuration](https://en.wikipedia.org/wiki/Proxy_auto-config#The_PAC_file)** files. Somebody not very technical, if lucky enough, would do a test like this, based on LLM outputs:\n\n```js\nfunction FindProxyForURL(url, host) {\n  return 'HTTP 127.0.0.1:12345';\n}\n```\n\nAnd then pass the file with `--proxy-pac-url=file:///path/to/proxy.pac`.\n\nWhat's wrong? It *silently* uses direct traffic for multiple reasons:\n- `HTTP` keyword actually means nothing; `PROXY` should be used instead\n    - `SOCKS5` and `PROXY` are valid, but `HTTP` is not; very \"logical\"!\n- `file://` PAC URIs became **outdated** at some point\n    - and it *[seems](https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/proxy.md#Downloading-PAC-scripts)* to me the intention was to make people publish their PAC files on http(s) instead, accessible with a direct connection; those who didn't do that simply leaked their real IPs.\n\n# This will happen again\nSome [base64-perversion](https://nowhere.dk/2021/02/using-proxy-pac-with-chrome-and-derivatives-and-linux/) is *currently* supported instead of http(s) links to PAC files. I wonder for how long.\n\nI believe that whatever I configured will silently switch to direct traffic on some browser update again. `SOCKS5` will be renamed to `SOCKS5H` or this functionality will be removed entirely while the argument will still be there for compatibility or whatever.\n\n# App devs, test this properly!\nPlease don't make proxy functionality like this crap in your apps. If something is not right, your app is supposed to just stop transmitting data and scream with an explanation of what's wrong.\n\nIf you believe it should suddenly and *silently* send your data directly instead—imagine a journalist visiting/living in an authoritarian country and unwillingly connecting to a nostr relay hosted in some so-called \"enemy\" country. And then goes to jail, in an extreme case. Or worse. Just because your software has updated to something \"clever\".\n\nAnd don't rely too much on your project dependencies when it comes to privacy! If you have a subsystem that supports proxy connections and you don't control it very much, write a test that verifies that not just your app still works with the configured proxy, but the fact that the data is still transmitted from the expected IP.\n\nThis might literally save somebody's life today.\n",
  "sig": "8034ebfe816f47f8aef7589ddaa30ec4e93ec0f897ba2231a3438e17faf7d83da044ef5bc00b011944658e992a9892e54ec2f63f9f8a9ae75b9faa92213c5cd0"
}