You can use proxy servers in ChromeOS to provide protection between your organization and the sites your users are visiting. Proxy serves can filter out unsafe or unwanted content, keep user IP addresses hidden, or filter specific websites.
When you use proxy servers, the following steps are taken:
- Site requests pass through the proxy server.
- The server then passes then requests on to the website.
- The website returns the webpage back to the proxy server.
- The server routes the webpage back to the user device.
How to choose a proxy?
ChromeOS supports different proxy schemes, depending on your organizational needs such as security, what traffic should be proxied, or where DNS resolution should happen. To view all the supported proxy schemes in ChromeOS, as well as implementation details, see Proxy support in Chrome.
Some proxy configurations might not be compatible with other network settings. For example, when a proxy is configured in ChromeOS, DNS resolution happens on the server side, except for socks4 proxies, making it incompatible with custom DNS configurations.
When you choose the proxy authentication mechanism, different components at the ChromeOS level, have different, or less, network capabilities than Chrome browser.
Proxy authentication at the ChromeOS level
When a user signs into Chrome browser, their username and password are stored in the authentication cache associated with their profile and are only accessible for Chrome browser user navigation requests in the OS browser.
This means system services that require connectivity in Chrome browser, such as policy updates or kiosk enrollment, and on the OS, such OS updates, uploading crash reports, or synchronizing the system time, do not have access to the usernames and passwords. Network admins must make sure that traffic generated by system services bypasses the authentication step.
This also applies to Google Play and Google Play app traffic.
For a list of endpoints, used by system services and Google Play, that should bypass the authentication step on the proxy, see the Proxy authentication bypass lists section.
The proxy bypass list can be significantly reduced on enrolled devices by configuring the SystemProxySettings policy to allow system services on the OS and Google Play traffic to be authenticated by an OS service. For details, see the Authenticated Proxy Traffic setting in Set ChromeOS device policies.
Also, custom CA certificates are only honored on user traffic. When the proxy does TLS inspection, system traffic and Android traffic should be allowed to bypass inspection. See Set up TLS (or SSL) inspection on Chrome devices > Set up a hostname allowlist.
How to configure an explicit proxy on ChromeOS
Which setting to use
You can configure proxies on ChromeOS for individual networks or, globally, for all networks in your organization. Proxy configurations are listed below in order of priority:
- User policy ProxySettings—Global
- Extensions—Global
- User policy OpenNetworkConfiguration—Per network
- Device policy DeviceOpenNetworkConfiguration—Per network
- Network settings UI—Set by the user per network
In general, proxy configurations apply to the whole OS, with the following exceptions where users must explicitly allow the proxy configuration in the browser:
- Extension set proxies are by default disabled in Incognito mode. Users must explicitly allow the extension that controls the proxy to run in Incognito mode from the chrome://extensions page.
You cannot enforce extension-set proxies in Incognito mode, but you can block Incognito navigation if a pre-configured extension is not allowed by the user in Incognito mode. For more details, see the MandatoryExtensionsForIncognitoNavigation policy. - If you are using Lacros secondary profiles, users can opt in or out of using the proxy configured on the OS by going to the chrome://settings/system page and tuning on Use ChromeOS proxy settings for this profile.
Which proxy configuration format to use
ChromeOS supports the following proxy formats:
- Manual—A static list of proxy identifiers along with a bypass list of endpoints that should bypass the proxy
- PAC script—A JavaScript file that allows setting more complex rules for determining which proxy to use for a URL
- Auto-detect—The Web Proxy Auto-Discovery Protocol (WPAD) that is a discovery mechanisms in which DNS or DHCP are probed to get the PAC URL
- Direct—A pseudo-proxy that means no proxy is being used
When deciding on the format, keep in mind that:
- Proxy resolution happens before name resolution. If the proxy bypass list is configured using IP literals, the exception is only honored if the user is navigating to the specific IP address, not the hostname associated with the IP. For more details, see the Proxy bypass rules.
- The following applies to Android proxy support:
- PAC URLs with data:// scheme are not supported
- For manual proxy settings, the bypass list does not support special characters for IPv6 addresses or non-ASCII characters
Proxy authentication bypass lists
ChromeOS system services
| Chrome/Chrome OS service | Hostnames |
|---|---|
| Essential | |
| DMServer | m.google.com |
| Forced re-enrollment, for Verified Access | chromeos-ca.gstatic.com |
| ChromeOS—Auto-updates | cros-omahaproxy.appspot.com omahaproxy.appspot.com tools.google.com |
| Chrome OS—Crash reporter update log Chrome—WebRTC update logs |
clients2.google.com |
| Chrome OS—tlsdate system clock sync | clients3.google.com |
| Captive portal detection | www.gstatic.com or accounts.google.com or www.googleapis.com |
| Upload reporting for troubleshooting, downloading Crostini, and so on | storage.googleapis.com |
| Various API services | www.googleapis.com |
| Domain used by Google—Keep it separate from *.google.com to avoid XSS attacks | *.1e100.net |
| Bandaid URL—Some requests get redirected to the google caching infrastructure speeding up app downloading | *.gvt1.com |
| Download auto-updates, static images, and so on | dl.google.com dl-ssl.google.com |
| Chrome components updates (chrome://components) | update.googleapis.com |
| Strongly recommended | |
| Safe Browsing | safebrowsing-cache.google.com safebrowsing.google.com safebrowsing.googleapis.com enterprise-safebrowsing.googleapis.com sb-ssl.google.com |
| Chrome account sync server—Syncs user data such as bookmarks, user metric collection, and other services | clients4.google.com |
| Omnibox doc suggestions | cloudsearch.googleapis.com |
| Download OEM customizations (and other) | ssl.gstatic.com |
|
Third party or user generated content, for example printer drives or extensions googleusercontent.com shields the main Google properties from user-generated content that could contain bugs or maliciously make the domain vulnerable to cross-site-scripting attacks |
*.googleusercontent.com |
| Printer support—Download printer PDD | printerconfigurations.googleusercontent.com |
| Peripherals support—Specialized instruction on how to better adapt to various connected devices; currently supporting printers and displays | chromeosquirksserver-pa.googleapis.com |
Google Play
| Google Play | Hostnames |
|---|---|
| Essential | |
| Essential for provisioning and installing apps | android.googleapis.com android.apis.google.com play.google.com |
|
Google Cloud Messaging (GCM), Firebase Cloud Messaging, GMS core endpoints gcm-http.googleapis.com gcm-xmpp.googleapis.com fcm.googleapis.com fcm-xmpp.googleapis.com gmscompliance-pa.googleapis.com |
*.googleapis.com |
| Other | connectivitycheck.android.com *.android.com google-analytics.com android.googleapis.com pki.google.com clients5.google.com clients6.google.com connectivitycheck.gstatic.com |
Extensions and kiosk
| Chrome/Chrome OS service | Hostnames |
|---|---|
| Essential | |
| Extension download endpoint | clients2.google.com clients2.googleusercontent.com chrome.google.com |