Patching a PAC File To Improve Performance

Having taken the trouble to write a PAC file debugger ( https://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/ ) I have to say I’ve seen some pretty horrendous PAC files, where attempts have been made to put the entire network design in this little JavaScript file. In the more extreme cases I consider the PAC file to be more like a major application that requires a specialist development team to manage.

By far the most frequent cause of hangs, lockups and slow web performance I’ve seen from PAC file processing is DNS lookups, in particular isInNet. Check http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx for some good tips on high performance PAC files.

In particular this issue seems to be worse when websites request a hostname that can’t be resolved successfully. In many cases this failure to resolve a hostname will happen in the background and not be visible to the user, but it can be diagnosed with a packet capture tool like Wireshark, Network Monitor, Fiddler, etc.

In some cases, however, the logic of the PAC file has grown so complex that it can take significant effort to make it compact and high performing once again.

In these cases I’ve found a workaround which frequently improves the performance. I have seen this simple change take certain applications from minutes to seconds.

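This logic does the following:

  • Checks if HOST is an IPv4 address, with a regular expression test (shExpMatch only accepts shell-style wildcard patterns, not regular expressions). If it’s an IP address, the script continues on as normal. (This script as is does not cater for IPv6.)
  • If HOST is NOT an IPv4 address we check if we can resolve the HOST. If we can’t, we immediately return DIRECT (no proxy).

    function FindProxyForURL(url, host) {
        // Only hostnames need the check; IPv4 literals skip it.
        if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
            // Unresolvable hostname: return immediately instead of letting
            // later rules repeat the failing DNS lookup.
            if (!isResolvable(host)) {
                return "DIRECT";
            }
        }
        // ... the rest of the existing PAC logic continues here ...
    }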
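The early exit above taken one step further, as an added example that is not code from the original post: resolve the host once with dnsResolve and do the subnet test arithmetically instead of calling isInNet, so each request costs at most one DNS lookup. The dnsResolve stub, the DNS table, the 10.0.0.0/8 range and proxy.example.test:8080 are constructed assumptions so the file runs under Node outside a browser.

```javascript
// Added example; not from the original post.
// Constructed stand-in for the browser's PAC runtime: a fake DNS table and a
// dnsResolve() stub that counts lookups (a real PAC engine supplies dnsResolve).
const DNS_TABLE = { "intranet.example.test": "10.1.2.3", "www.example.test": "203.0.113.10" };
let dnsLookups = 0;
function dnsResolve(host) {
  dnsLookups++;
  return DNS_TABLE[host] || null; // null models a failed lookup
}

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Same comparison isInNet makes, but on an address we already hold: no DNS.
function inNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ip & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function FindProxyForURL(url, host) {
  let ip = ipToInt(host);              // IPv4 literal: nothing to resolve
  if (ip === null) {
    const resolved = dnsResolve(host); // the only lookup for this request
    if (!resolved) return "DIRECT";    // unresolvable: the post's early exit
    ip = ipToInt(resolved);            // stays null for non-IPv4 answers
  }
  if (ip !== null && inNet(ip, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY proxy.example.test:8080"; // constructed proxy address
}

// Returns [decision, lookups used] so the DNS cost of each host is visible.
function trace(host) {
  const before = dnsLookups;
  return [FindProxyForURL("http://" + host + "/", host), dnsLookups - before];
}
```

Because the range test is numeric, an address such as 203.0.110.5 is sent to the proxy, whereas a wildcard pattern like "*10.*" would match it and send it DIRECT. Returning DIRECT for unresolvable names assumes clients can resolve external hosts themselves; where only the proxy can, every internet host would take that branch.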

When a PAC file is in use, I like to ensure I can always test with a direct connection (no proxy) in cases of slow performance or unexplained web issues.

This can be done without changing your browser proxy settings, by using the Custom Proxy Browser Tool I put together, also here https://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

5 Responses to Patching a PAC File To Improve Performance

  1. ringplus1@gmail.com says:

    Jan 4, 2015
    I posted a question today on https://chentiangemalc.wordpress.com/2011/05/08/windows-7-default-scheduled-taskscomplete-overview/ I don’t see it there even though I confirmed my subscription that said “You will receive an email at ringplus1@gmail.com whenever anyone comments on these posts.” How will anyone be able to respond if it’s not even there?

    This is what I wrote:
    I was looking for help online when I came upon this great site with very valuable information. Thank you so much. The Task Scheduler suddenly got the error message: “The selected task “{0}” no longer exists.” The problem seems to be in the AppID folder where PolicyConverter is missing. I would like to recreate this task using your options but cannot create a new task in that folder. Nothing happens when clicking on AppID although I have no problem creating a new task in any other folder. Any help or suggestion would be very appreciated. Thanks in advance.

    • Yeah sorry, made a response. Backlog of approving comments, due to high volume of spam, people like to send malicious links. Although once I’ve approved the content, it should be automatic for you afterwards. Thanks.

  2. Barry Griessel says:

    Thank you, Sir. Your debugger saved me a lot of hassle in finding a 500-900ms delay in the execution of our PAC file.
    It turns out the IsInNet commands are taking long to process for some unknown reason so we had to exclude them from being processed. To exclude IP ranges we had to use the shExpMatch command (e.g. shExpMatch(host, “*10.*”) ||) as opposed to IsInNet(host, “10.0.0.0”, “255.0.0.0”) || until we determine why the IsInNet command is being delayed.

    • Yes, IsInNet is a common performance bottleneck; for best performance completely avoid any of the PAC file commands that use DNS lookups, such as IsInNet. I know that can be hard though in some environments…

  3. capricorn says:

    Hi!
    I am using shExpMatch(host, “*10.*”) for my IP ranges but I can see DNS queries to my local DNS when I browse websites. It doesn’t appear every time but it does exist. My impression for this is that by using shExpMatch(host, “*10.*”) || the traffic will go direct to your websecurity towers.
