Configure proxy settings on ChromeOS

You can use proxy servers in ChromeOS to provide protection between your organization and the sites your users are visiting. Proxy serves can filter out unsafe or unwanted content, keep user IP addresses hidden, or filter specific websites.

When you use proxy servers, the following steps are taken:

  1. Site requests pass through the proxy server.
  2. The server then passes then requests on to the website.
  3. The website returns the webpage back to the proxy server.
  4. The server routes the webpage back to the user device.

How to choose a proxy?

ChromeOS supports different proxy schemes, depending on your organizational needs such as security, what traffic should be proxied, or where DNS resolution should happen. To view all the supported proxy schemes in ChromeOS, as well as implementation details, see Proxy support in Chrome.

Some proxy configurations might not be compatible with other network settings. For example, when a proxy is configured in ChromeOS, DNS resolution happens on the server side, except for socks4 proxies, making it incompatible with custom DNS configurations.

When you choose the proxy authentication mechanism, different components at the ChromeOS level, have different, or less, network capabilities than Chrome browser.

Proxy authentication at the ChromeOS level

When a user signs into Chrome browser, their username and password are stored in the authentication cache associated with their profile and are only accessible for Chrome browser user navigation requests in the OS browser.

This means system services that require connectivity in Chrome browser, such as policy updates or kiosk enrollment, and on the OS, such OS updates, uploading crash reports, or synchronizing the system time, do not have access to the usernames and passwords. Network admins must make sure that traffic generated by system services bypasses the authentication step.

This also applies to Google Play and Google Play app traffic.

For a list of endpoints, used by system services and Google Play, that should bypass the authentication step on the proxy, see the Proxy authentication bypass lists section.

The proxy bypass list can be significantly reduced on enrolled devices by configuring the SystemProxySettings policy to allow system services on the OS and Google Play traffic to be authenticated by an OS service. For details, see the Authenticated Proxy Traffic setting in Set ChromeOS device policies.

Also, custom CA certificates are only honored on user traffic. When the proxy does TLS inspection, system traffic and Android traffic should be allowed to bypass inspection. See Set up TLS (or SSL) inspection on Chrome devices > Set up a hostname allowlist.

How to configure an explicit proxy on ChromeOS

Which setting to use

You can configure proxies on ChromeOS for individual networks or, globally, for all networks in your organization. Proxy configurations are listed below in order of priority:

  1. User policy ProxySettings—Global
  2. Extensions—Global
  3. User policy OpenNetworkConfiguration—Per network
  4. Device policy DeviceOpenNetworkConfiguration—Per network
  5. Network settings UI—Set by the user per network

In general, proxy configurations apply to the whole OS, with the following exceptions where users must explicitly allow the proxy configuration in the browser:

  • Extension set proxies are by default disabled in Incognito mode. Users must explicitly allow the extension that controls the proxy to run in Incognito mode from the chrome://extensions page.
    You cannot enforce extension-set proxies in Incognito mode, but you can block Incognito navigation if a pre-configured extension is not allowed by the user in Incognito mode. For more details, see the MandatoryExtensionsForIncognitoNavigation policy.
  • If you are using Lacros secondary profiles, users can opt in or out of using the proxy configured on the OS by going to the chrome://settings/system page and tuning on Use ChromeOS proxy settings for this profile.

Which proxy configuration format to use

ChromeOS supports the following proxy formats:

  • Manual—A static list of proxy identifiers along with a bypass list of endpoints that should bypass the proxy
  • PAC script—A JavaScript file that allows setting more complex rules for determining which proxy to use for a URL
  • Auto-detect—The Web Proxy Auto-Discovery Protocol (WPAD) that is a discovery mechanisms in which DNS or DHCP are probed to get the PAC URL
  • Direct—A pseudo-proxy that means no proxy is being used

When deciding on the format, keep in mind that:

  • Proxy resolution happens before name resolution. If the proxy bypass list is configured using IP literals, the exception is only honored if the user is navigating to the specific IP address, not the hostname associated with the IP. For more details, see the Proxy bypass rules.
  • The following applies to Android proxy support:
    • PAC URLs with data:// scheme are not supported
    • For manual proxy settings, the bypass list does not support special characters for IPv6 addresses or non-ASCII characters

Proxy authentication bypass lists

ChromeOS system services

Chrome/Chrome OS service Hostnames
Essential
DMServer m.google.com
Forced re-enrollment, for Verified Access chromeos-ca.gstatic.com
ChromeOS—Auto-updates cros-omahaproxy.appspot.com
omahaproxy.appspot.com
tools.google.com
Chrome OS—Crash reporter update log
Chrome—WebRTC update logs
clients2.google.com
Chrome OS—tlsdate system clock sync clients3.google.com
Captive portal detection gstatic.com or accounts.google.com or googleapis.com
Upload reporting for troubleshooting, downloading Crostini, and so on storage.googleapis.com
Various API services googleapis.com
Domain used by Google—Keep it separate from *.google.com to avoid XSS attacks *.1e100.net
Bandaid URL—Some requests get redirected to the google caching infrastructure speeding up app downloading *.gvt1.com
Download auto-updates, static images, and so on dl.google.com
dl-ssl.google.com
Chrome components updates (chrome://components) update.googleapis.com
Strongly recommended
Safe Browsing safebrowsing-cache.google.com
safebrowsing.google.com
safebrowsing.googleapis.com
enterprise-safebrowsing.googleapis.com
sb-ssl.google.com
Chrome account sync server—Syncs user data such as bookmarks, user metric collection, and other services clients4.google.com
Omnibox doc suggestions cloudsearch.googleapis.com
Download OEM customizations (and other) ssl.gstatic.com

Third party or user generated content, for example printer drives or extensions

googleusercontent.com shields the main Google properties from user-generated content that could contain bugs or maliciously make the domain vulnerable to cross-site-scripting attacks

*.googleusercontent.com
Printer support—Download printer PDD printerconfigurations.googleusercontent.com
Peripherals support—Specialized instruction on how to better adapt to various connected devices; currently supporting printers and displays chromeosquirksserver-pa.googleapis.com

Google Play

Google Play Hostnames
Essential
Essential for provisioning and installing apps android.googleapis.com
android.apis.google.com
play.google.com

Google Cloud Messaging (GCM), Firebase Cloud Messaging, GMS core endpoints
Examples

gcm-http.googleapis.com

gcm-xmpp.googleapis.com

fcm.googleapis.com

fcm-xmpp.googleapis.com

gmscompliance-pa.googleapis.com

*.googleapis.com
Other connectivitycheck.android.com
*.android.com
google-analytics.com
android.googleapis.com
pki.google.com
clients5.google.com
clients6.google.com
connectivitycheck.gstatic.com

Extensions and kiosk

Chrome/Chrome OS service Hostnames
Essential
Extension download endpoint clients2.google.com
clients2.googleusercontent.com
chrome.google.com

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
4907881144823472933
true
Search Help Center
true
true
true
true
true
410864
false
false