21.10.2024

Administration

Security

How to Set Up a Proxy Server Connection in Firefox

Mozilla Firefox provides native, granular proxy configuration that lets you route browser traffic through an intermediary server — without installing any third-party extension. Whether you need to enforce traffic through a corporate gateway, test geo-restricted content, or isolate browsing sessions from your system-level proxy, Firefox's built-in Connection Settings panel gives you full control over every proxy protocol independently.

This guide covers every configuration mode Firefox supports, explains the technical differences between proxy protocols, and flags the real-world pitfalls that most tutorials skip entirely.

Why Configure a Proxy Directly in Firefox Instead of System-Wide

Most operating systems expose a global proxy setting that all applications inherit. Firefox can consume those settings, but configuring the proxy at the browser level offers distinct advantages:

Per-application isolation: Your system proxy remains unchanged while Firefox routes through a separate server — useful for developers running local services alongside proxied browsing.
Protocol-level granularity: Firefox lets you assign different proxy servers to HTTP, HTTPS, and SOCKS traffic independently, which a system-wide setting cannot do.
Rapid switching without admin rights: On locked-down corporate machines, you may lack permission to change OS network settings but can still adjust Firefox's own configuration.
PAC file support: Firefox can load a Proxy Auto-Configuration script from a URL, enabling dynamic, rule-based routing that system proxies rarely support at this level of flexibility.

If you are running a VPS Hosting environment and need to test how your server responds to requests from different geographic exit nodes, browser-level proxy configuration is the fastest way to simulate that without touching your server's network stack.

Understanding Firefox Proxy Configuration Modes

Before touching any setting, understand what each mode actually does under the hood.

Mode	How It Works	Best Use Case
—	—	—
No Proxy	Direct connection; Firefox ignores any system proxy	Local development, trusted networks
Auto-detect (WPAD)	Sends a DHCP/DNS query for a `wpad.dat` PAC file	Managed corporate networks with WPAD infrastructure
Use system proxy settings	Reads OS proxy config (e.g., Windows Internet Options, macOS Network Preferences)	Consistency with other apps on the same machine
Manual proxy configuration	You specify server address and port per protocol	Personal proxies, SOCKS5 tunnels, SSH port forwards
Automatic proxy configuration URL	Fetches and executes a PAC file from a URL you provide	Multi-region setups, load-balanced proxy pools

WPAD auto-detect carries a real security risk: on untrusted networks (public Wi-Fi, shared office LANs), a malicious DHCP server can serve a rogue wpad.dat file and redirect all your traffic. Unless you are on a network you control, avoid this mode.

Step-by-Step: Configuring a Proxy Server in Firefox

Step 1 — Open Firefox Settings

Launch Firefox and access the settings panel using any of these methods:

Click the hamburger menu (three horizontal lines) in the top-right corner, then select Settings.
Type about:preferences directly into the address bar and press Enter.
On macOS, the menu entry reads Preferences rather than Settings — both open the same panel.

Step 2 — Navigate to Network Settings

Within the Settings page, stay on the General tab (it loads by default). Scroll to the very bottom of the page until you reach the Network Settings section. Click the Settings… button to open the Connection Settings dialog.

Alternatively, use the search bar at the top of the Settings page and type proxy — Firefox will highlight the relevant section immediately.

Step 3 — Select Your Proxy Configuration Mode

The Connection Settings dialog presents five radio button options. Select the one that matches your infrastructure. For most manual setups, you will choose Manual proxy configuration — covered in detail in the next section.

Step 4 — Manual Proxy Configuration in Detail

Selecting Manual proxy configuration reveals individual fields for each protocol. Here is what each field controls and what you need to know about each one:

HTTP Proxy

Enter the IP address or hostname of your proxy server and its port (commonly 3128, 8080, or 8888). This proxy handles plain HTTP traffic. Note that in modern Firefox, the HTTP Proxy field also intercepts HTTPS requests by default via the CONNECT tunneling method — meaning your HTTPS traffic is tunneled through this proxy even if the SSL Proxy field is left blank.

SSL Proxy

Historically used for a dedicated HTTPS proxy. In current Firefox versions, if you fill in the HTTP Proxy field and leave SSL Proxy blank, HTTPS is still proxied via CONNECT. Fill this field only if your infrastructure routes SSL traffic through a separate endpoint.

SOCKS Host

For SOCKS proxies, enter the host and port here. You must also choose the SOCKS version:

SOCKS v4: Supports TCP only, no authentication, no IPv6, no UDP. Simpler but limited.
SOCKS v5: Supports TCP and UDP, optional username/password authentication, and full IPv6 support. Always prefer SOCKS v5 unless your proxy explicitly requires v4.

A critical sub-option appears when SOCKS v5 is selected: Proxy DNS when using SOCKS v5. Enabling this checkbox sends DNS resolution requests through the SOCKS proxy rather than resolving them locally. This is essential for privacy and leak prevention. If you leave it unchecked, your DNS queries go to your local resolver even though your traffic goes through the proxy — a DNS leak that can expose every hostname you visit to your ISP or local network.

Use this proxy server for all protocols

Checking this box copies whatever you entered in the HTTP Proxy field into all other protocol fields. Use it only when your proxy server genuinely handles all protocols on the same address and port. Blindly enabling it when you have a SOCKS-only proxy will break things.

No Proxy for

A comma-separated list of hostnames, IP addresses, and CIDR ranges that bypass the proxy entirely. Always include at minimum:

localhost, 127.0.0.1, ::1

For corporate environments, add your internal domain suffix (e.g., .corp.example.com) and any RFC 1918 subnets your applications need to reach directly. Forgetting this causes local development servers and internal tools to route through the proxy, which either breaks them or leaks internal hostnames to an external server.

Step 5 — Automatic Proxy Configuration URL (PAC File)

If you manage a proxy pool or need rule-based routing, select Automatic proxy configuration URL and enter the URL of your PAC file. A PAC file is a JavaScript file containing a FindProxyForURL(url, host) function. Firefox downloads and caches this file, then calls the function for every request to determine which proxy (or direct connection) to use.

A minimal PAC file example:

function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.internal.example.com")) {
    return "DIRECT";
  }
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "SOCKS5 192.0.2.10:1080; DIRECT";
}

This routes internal hosts directly, bypasses RFC 1918 addresses, and falls back to a SOCKS5 proxy for everything else, with a failover to a direct connection if the proxy is unreachable.

Step 6 — Save and Verify the Configuration

Click OK to apply the settings. Firefox applies proxy settings immediately to new connections — a full browser restart is not required, though restarting clears any cached direct connections.

To verify the proxy is active, visit a site like https://ifconfig.me or https://ipinfo.io. The IP address shown should match your proxy server's exit IP, not your local IP.

If you see a "Proxy server is refusing connections" error, the most common causes are:

Wrong port number
The proxy process is not running or is bound to a different interface
A firewall on the proxy server is blocking your source IP
The proxy requires authentication and Firefox has not yet prompted for credentials

If you see a "The proxy server is not responding" error, the host address is unreachable — check DNS resolution, routing, and whether the server is online.

Step 7 — Proxy Authentication

If your proxy server requires credentials, Firefox will display an authentication dialog the first time it attempts a connection through that proxy. Enter the username and password. Firefox caches these credentials for the session and, if you allow it, in the Password Manager for future sessions.

For proxies that require authentication but are used in automated or headless contexts, credentials can be embedded directly in the PAC file or managed via the network.proxy.socks_username and network.proxy.socks_password preferences in about:config — though storing plaintext credentials in config files carries obvious security implications.

Step 8 — Disabling the Proxy

To revert to a direct connection, return to Settings > Network Settings and select No Proxy, then click OK. To restore system-wide proxy behavior, select Use system proxy settings instead.

Advanced Configuration via about:config

For scenarios where the GUI is insufficient, Firefox exposes every proxy parameter as a preference in about:config. Key preferences include:

Preference Key	Type	Description
—	—	—
`network.proxy.type`	Integer	0=No proxy, 1=Manual, 2=PAC URL, 4=Auto-detect, 5=System
`network.proxy.http`	String	HTTP proxy hostname
`network.proxy.http_port`	Integer	HTTP proxy port
`network.proxy.socks`	String	SOCKS proxy hostname
`network.proxy.socks_port`	Integer	SOCKS proxy port
`network.proxy.socks_version`	Integer	4 or 5
`network.proxy.socks_remote_dns`	Boolean	Enable DNS-over-SOCKS (prevents DNS leaks)
`network.proxy.no_proxies_on`	String	Bypass list, comma-separated
`network.proxy.autoconfig_url`	String	URL of PAC file

These preferences can also be locked via mozilla.cfg or Group Policy in enterprise deployments, preventing users from changing proxy settings.

Proxy Protocol Comparison: HTTP, HTTPS, SOCKS4, and SOCKS5

Feature	HTTP Proxy	HTTPS Proxy (CONNECT)	SOCKS4	SOCKS5
—	—	—	—	—
Protocol awareness	HTTP only	HTTP + HTTPS tunneling	TCP only	TCP + UDP
DNS resolution	Local	Local	Local	Remote (optional)
Authentication	Basic/Digest	Basic/Digest	None	Username/Password
IPv6 support	Depends on server	Depends on server	No	Yes
Non-HTTP traffic	No	No	No	Yes
Anonymity level	Low (headers exposed)	Medium	Medium	High (with remote DNS)
Typical use case	Corporate filtering	General HTTPS browsing	Legacy systems	SSH tunnels, privacy

For privacy-focused use cases, SOCKS5 with remote DNS enabled is the strongest option available within Firefox's native configuration. It handles all TCP traffic, resolves DNS on the proxy side, and supports authentication — making it suitable for routing through an SSH tunnel (ssh -D 1080) or a dedicated SOCKS5 server running on a Dedicated Server.

Security and Privacy Considerations

Traffic inspection risk: Every byte of your unencrypted HTTP traffic passes through the proxy server in plaintext. Even for HTTPS, the proxy sees the destination hostname via the CONNECT request. Use proxies only from providers or infrastructure you control or explicitly trust.

Certificate interception: Some corporate and "transparent" HTTPS proxies perform SSL inspection by acting as a man-in-the-middle, presenting their own certificate to Firefox. Firefox will warn you unless the proxy's root CA is installed in your certificate store. If you see unexpected certificate warnings after enabling a proxy, this is the likely cause.

WebRTC leaks: Firefox's WebRTC implementation can bypass proxy settings and expose your real IP address through STUN requests. To prevent this, set media.peerconnection.enabled to false in about:config if WebRTC is not needed, or use a browser extension that controls WebRTC behavior.

Proxy bypass via direct DNS: As noted earlier, always enable Proxy DNS when using SOCKS v5 to prevent DNS leaks. Combining a SOCKS5 proxy with a properly configured SSL Certificate on your origin server ensures end-to-end encryption even when traffic passes through intermediary infrastructure.

Credential exposure: HTTP proxy authentication sends credentials in Base64 encoding, which is trivially reversible. If your proxy requires authentication, ensure the connection to the proxy itself is encrypted (i.e., use an HTTPS or SOCKS5 proxy over TLS, or an SSH tunnel).

Setting Up Your Own Proxy Server

Using a third-party proxy service means trusting that provider with your traffic. Running your own proxy on a VPS gives you full control. A minimal SOCKS5 proxy using dante on a Debian/Ubuntu server:

apt update && apt install dante-server -y

Edit /etc/danted.conf:

logoutput: syslog
internal: 0.0.0.0 port = 1080
external: eth0
clientmethod: none
socksmethod: username
user.privileged: root
user.notprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    socksmethod: username
    log: connect disconnect
}

systemctl enable danted --now

Then in Firefox's SOCKS Host field, enter your VPS IP and port 1080, select SOCKS v5, and enable Proxy DNS when using SOCKS v5. This setup, running on a VPS with cPanel or a bare VPS, gives you a private, authenticated SOCKS5 proxy with full logging control.

For teams needing shared proxy infrastructure, Shared Web Hosting is not appropriate for running proxy daemons — you need a VPS or dedicated server with root access and the ability to open arbitrary ports.

Key Takeaways and Decision Matrix

Use this checklist before finalizing your Firefox proxy configuration:

Chosen SOCKS v5 over SOCKS v4 whenever the proxy server supports it — the UDP support, IPv6, and remote DNS capabilities are non-negotiable for modern use cases.
Enabled "Proxy DNS when using SOCKS v5" if privacy or leak prevention is a requirement.
Populated the "No Proxy for" field with localhost, 127.0.0.1, ::1, and any internal subnets or domain suffixes.
Verified the exit IP using ifconfig.me or equivalent after applying settings.
Disabled WebRTC via about:config if anonymity is the goal.
Avoided the WPAD auto-detect mode on untrusted networks.
Confirmed proxy authentication uses an encrypted channel if credentials are required.
Considered running your own proxy on a controlled VPS rather than relying on a third-party service for sensitive traffic.

If you need dynamic, rule-based routing across multiple exit nodes, invest the time to write a PAC file — it is far more maintainable than manually reconfiguring Firefox every time your proxy topology changes.

Frequently Asked Questions

Does configuring a proxy in Firefox affect other browsers or system applications?

No. Firefox stores its proxy settings independently of the operating system. Changes made in Firefox's Connection Settings have zero effect on Chrome, system curl, or any other application. Only traffic originating from Firefox is routed through the configured proxy.

Why is my HTTPS traffic still going through the proxy even though I left the SSL Proxy field blank?

This is expected behavior in modern Firefox. When an HTTP Proxy is configured, Firefox uses the HTTP CONNECT method to tunnel HTTPS connections through that same proxy. The SSL Proxy field is only relevant if you want HTTPS traffic to go through a different proxy endpoint than HTTP traffic.

How do I prevent DNS leaks when using a SOCKS5 proxy in Firefox?

Open Connection Settings, select your SOCKS v5 proxy, and check the Proxy DNS when using SOCKS v5 checkbox. Alternatively, set network.proxy.socks_remote_dns to true in about:config. This forces Firefox to send DNS queries through the SOCKS tunnel rather than resolving them locally.

Can I use Firefox's proxy settings with an SSH tunnel?

Yes. Create a local SOCKS5 tunnel with ssh -D 1080 -N user@your-server.com, then configure Firefox to use 127.0.0.1 on port 1080 as a SOCKS v5 proxy with remote DNS enabled. All Firefox traffic will be encrypted through the SSH tunnel to your remote server before exiting to the internet.

What is the difference between "Auto-detect proxy settings" and "Automatic proxy configuration URL"?

Auto-detect uses the WPAD protocol to discover a PAC file automatically via DHCP or DNS — you provide no URL. Automatic proxy configuration URL requires you to explicitly supply the PAC file URL. The latter is more predictable, more secure, and recommended whenever you know the PAC file location in advance.

Save 15% on All Hosting Services