No Proxy For configuration


This document provides a comprehensive discussion of the manual proxy feature "No Proxy for:", including configuration issues, testing and bugs.


Mozilla users, mozilla developers, mozilla testers.


As browsers rapidly grew in popularity in the mid-90's, many network administrators added proxy servers. Initially, proxy servers were used for access control and performance. Many networks had limited access to the public network via proxy servers. Because the public network was small in scope and connections were slow, a caching proxy could often improve the overall performance.

This feature was originally designed as a "blacklist" of sites or domains that was within the intranet, and should not be accessed via the proxy server. Due to various limitations, this feature should be used for only the most simple blacklist scenarios. In almost all cases, PAC gives better control and flexibility.

User interface

"No proxy for" is an optional field, part of "Manual proxy configuration". The field is relatively short, but can hold reasonably long (2K+ characters) entries. New profiles contain the values "localhost,", by default.

Entry points:

  • Preferences | Advanced | Proxies
  • control-click menu for off line-online icon (network plug)


The no proxy list is composed of either domain elements or IPv4 address elements. The elements are separated by either a space (" ") or a comma (",").

Note for former-IE users: "*" is supported only at the beginning of domain filters (*

To block ... put this into "No Proxy for" ...for example use... Limitations
a domain, including sub-domains domain suffix "" Does not block domains that end in the same string (
sub-domains domain suffix, starting with a dot "" Does not block the main domain (
a hostname (without domain) hostname-only (see problems below) "localhost" Also blocks any possible domains that start with the entry ("www.otherdomain.localhost")
a hostname (with domain) domain name "" Does not block hostnames or domains that end in the same string (
an IP address IP address "" Does not block hostnames that resolve to the IP address ("" does not block "localhost")
a Network network w/ CIDR block "" Does not block hostnames that resolve to the IP address range ( is not "no proxy for intranet hostnames")
optional - port-specific (optional) ":" + port number "<FILTER>:81" Only black-lists port. Only applies to one port (no support for ranges and/or multiple ports). Port-only filters ":80" or "*:80" are not supported.
all non-FQDN hosts, such as intranet hosts The string "<local>" (without quotes) "<local>" Bypasses the proxy for all hostnames which have no periods in them. For example: "https://myCompanyIntranet/"
Formats that are not accepted Example
Domain filters with interior wildcards www.*.com
IP address string prefixes 127. or 10.0.*
IP addresses with wildcards in quads 10.*.*.*


Name network.proxy.no_proxies_on
Default value localhost,

By default "localhost" and "" are excluded, since most people assume these should connect to the local system.

Note: When IPv6 support is added, additional addresses will need to be added and tested.

Communicator used "network.proxy.none"


  • No IPv6 support - The backend stores IPv4 addresses as IPv6, but IPv6 formats are not supported.
  • Scalability - Not usable for local domains with numerous hostnames. Not usable for large number of filters (ad blocking).
  • Mozilla implements this feature with significant limitations, users may find that writing a PAC file is more suitable for their needs.


Contributors can test this feature, even without a proxy server, using a "negative proxy server test". Proxy connections that fail return an error "The proxy server you have configured cannot be found", so configure your browser to use a non-existent HTTP proxy (hostname: "imaginary", port "80"). Test each destination in an http: URL. All proxied URLs will return errors, all non-proxied connections will be attempted normally (direct connection).

Hostnames filter test destination result
basic filtering unit tests (local host) localhost localhost direct
localhost. localhost proxy local host direct
confirm the filter uses only suffix matches (hostname unit tests) hostname hostname direct
name hostname direct
host hostname proxy
domains with numbers direct
FQDNs proxy direct direct
* * same results as ""
* same results as ""
IP address
host IP address direct proxy
network range direct
127/8 proxy
127.*.*.* proxy
127. proxy
Ports 1 proxy
no port
port number
:81 proxy

Developer notes

The no_proxy for logic is written in C++. PAC is written in JS, so there are potential problems with feature consistency and porting. David Baron has pointed out that the original PAC code in the "classic" tree is written in C++. The PAC in C++ has not been tested in mozilla, so porting PAC in C++ forward would not be a panacea.

The relevant code lives in nsProtocolProxyService.cpp.

Notable bugs

  • bug 172083 - [meta] Proxy: "no proxy for" items
  • bug 80917 - Proxy: "No Proxy" w/ form based UI
  • bug 91587 - Proxy: "no proxy for" default domain filtering fails w/ non-FQDN (e.g., http://web/)
  • bug 201685 - No proxy for: support IPv6 address literals
  • bug 136789 - Proxy: no proxy IP entries do not block DNS resolved IPs
  • bug 314712 - No proxy for: "" should block only ""
  • bug 72444 - Proxy: "bypass proxy server for local addresses" (IE pref)
  • bug 260883 - "No proxy for" does not use FQDN wildcards "*" like IE

Bugzilla sources

bug 17158 comment 21:

the correct separator are spaces or commas. So use this- dor.intranet
or,, dor.intranet

Note that you don't need to (read shouldn't) put a * for all hosts with that
domain ending. Corollary- a no_proxies_on entry of will be
applicable to all hosts ending at including but an
entry of will specifically be applicable to all hosts in the
domain of

Original Document Information

  • Author(s): Benjamin Chuang
  • Last Updated Date: November 2, 2005
  • Copyright Information: Portions of this content are © 1998–2007 by individual contributors; content available under a Creative Commons license | Details.