Alternative to rdr games if you have your own squid and/or havp
-
I got squid 2.7 and havp running just fine on my FreeBSD 8 server. The only problem was: how to forward outbound HTTP requests to it. Due to limitations in pf, you can't redirect back out the same LAN interface, so I had to configure a separate subnet that pfSense and the gateway use for the proxy traffic.

Okay, that worked fine, only I then ran into a limitation in the current GUI where I was not able to add rules that are as fine-grained as I would like. The problem: you basically have this:

LAN-client => pfSense (LAN) => proxy-server (XXX) => pfSense (LAN) => Internet

The GUI only lets you define a simple rdr rule (as far as I can tell), so the attempt by the proxy server to send the traffic out to the real host won't work (it gets re-forwarded back to itself). Squid on the pfSense box avoids this with the 'no rdr' rules it adds, but you can't do this via the GUI. Alternatively, I could try to have squid talk to the Internet via the squid interface, but that would require some kind of policy-routing hack on the FreeBSD server - not very appealing.

So, after all that, I was googling around and found an easy way around all of this (that eliminates the need for pf rules, 2nd interfaces, etc.). Any new enough browser supports auto configuration of proxy settings (WPAD - Web Proxy Auto Detection). There are a couple of ways to do this, one with a special DHCP option, the other a simpler way involving DNS. Basically, a browser will look for the host 'wpad.xxx.com' (replacing 'xxx.com' with the real domain). If it gets a positive response, it tries to load the JavaScript from 'wpad.xxx.com/wpad.dat' and executes it.

This took me all of 5 minutes to get working. I ginned up a wpad.dat and put it in the document root of my web server and added a host alias in pfSense called wpad, which was the same as the LAN IP of the web server. Here is the script:
    function FindProxyForURL(url, host) {
        // Hosts inside the LAN (10.0.0.0/16 here) are reached directly.
        if (isInNet(host, "10.0.0.0", "255.255.0.0")) {
            return "DIRECT";
        } else {
            // Everything else over http or https goes through squid on port 3128.
            if (shExpMatch(url, "http:*"))
                return "PROXY sphinx.xxx.com:3128";
            if (shExpMatch(url, "https:*"))
                return "PROXY sphinx.xxx.com:3128";
            // Any other scheme (ftp etc.) bypasses the proxy.
            return "DIRECT";
        }
    }
Obviously, you want to change the subnet and the server name.
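Since the browser executes whatever wpad.dat it fetches, it pays to check the PAC logic before rolling it out. The following is an added example (not part of the original post or of pfSense) that evaluates the script above offline: it supplies stand-in implementations of the two PAC helpers the script uses, isInNet and shExpMatch, and runs FindProxyForURL over a handful of constructed URLs. The DNS table, the host names and the sample URLs are all assumptions made up for the example; a real browser resolves isInNet hosts through the system resolver.

```javascript
// Offline PAC evaluator for the wpad.dat shown above (added example, not from the original post).
// isInNet and shExpMatch are re-implemented here because they are normally provided by the browser.

// Constructed DNS table standing in for the resolver; unknown names fail to resolve.
const FAKE_DNS = {
  "intranet.xxx.com": "10.0.5.20",   // assumed internal host
  "sphinx.xxx.com": "10.0.1.2",      // assumed address of the squid box
};

// Convert dotted-quad text to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) | parseInt(octet, 10), 0) >>> 0;
}

// Return the IP for a host, or null if it does not resolve (literal IPs pass through).
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return FAKE_DNS[host] || null;
}

// PAC isInNet: true when host resolves to an address inside pattern/mask.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// PAC shExpMatch: shell-style glob where * matches any run and ? a single character
// (assumed to mirror the common browser behaviour; other metacharacters are literal).
function shExpMatch(str, shexp) {
  const re = "^" + shexp.split("").map((ch) => {
    if (ch === "*") return ".*";
    if (ch === "?") return ".";
    return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }).join("") + "$";
  return new RegExp(re).test(str);
}

// The PAC script from the post, unchanged in logic.
function FindProxyForURL(url, host) {
  if (isInNet(host, "10.0.0.0", "255.255.0.0")) return "DIRECT";
  if (shExpMatch(url, "http:*")) return "PROXY sphinx.xxx.com:3128";
  if (shExpMatch(url, "https:*")) return "PROXY sphinx.xxx.com:3128";
  return "DIRECT";
}

// Browsers pass the URL's host name (without port) as the second argument.
function evaluate(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs covering LAN, literal-IP, http, https and non-http cases.
const SAMPLE_URLS = [
  "http://intranet.xxx.com/",
  "http://10.0.3.7:8080/api",
  "http://www.example.com/",
  "https://www.example.com/login",
  "ftp://ftp.example.com/pub",
];

function evaluateAll(urls) {
  return urls.map((u) => [u, evaluate(u)]);
}

for (const [url, decision] of evaluateAll(SAMPLE_URLS)) {
  console.log(`${url} -> ${decision}`);
}
```

Run it with node to see which decision each URL gets. Because a browser will trust whatever the wpad host serves, the same care applies on the network side: only the intended internal web server should answer for the wpad name, and changes to wpad.dat should be reviewed with something like this before they reach clients.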
-
I have some instructions up for this already, though a little different than what you have for the function:
http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
-
Cool, I hadn't noticed that one :)