Netgate Discussion Forum

    WPAD, HTTPs and an odd bug!

      mendilli

      In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid(2) package.

        jonatas.baldin

        @mendilli:

        In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid(2) package.

        Man, it just worked! I changed to squid2 and now everything is fine. Thank you so much!

          mendilli

          You are welcome, it was just an idea.

          Do you mind if I ask you to share your wpad file contents and dhcp/dns settings? I would like to try on my system.

            jonatas.baldin

            No problem man!

            First, I created the files wpad.dat and proxy.pac (some OSes can read just one file) in /usr/local/www with this content:
            // Send every request to the proxy; fill in your proxy server's address and port.
            function FindProxyForURL(url, host)
            {
                return "PROXY ip.addr.proxy.server:port";
            }

            DNS Forwarder

            • Enabled DNS
            • Register DHCP static mappings in DNS forwarder
            • Host Override
              HOST    DOMAIN             IP                      DESCRIPTION
              wpad    your.domain.com    ip.addr.proxy.server    wpad

            DHCP SERVER
            Domain name: your.domain.com
            Domain search list: your.domain.com
            Additional BOOTP/DHCP Options:
            NUMBER    TYPE    VALUE
            252       text    http://wpad/wpad.dat

            FIREWALL
            In the firewall I create one rule from LAN SUB -> LAN ADDRESS allowing traffic for the squid port.
            Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this).

            SQUID
            Disabled the Transparent Proxy options.
            Using squidGuard for creating the rules. It's a lot more flexible.

            CLIENTS
            In the proxy clients, set the option like "Auto detect configuration for proxy server…"

            Well, I guess this is it. Thanks one more time and I hope I could help too!
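
A fuller PAC file along the lines of the one posted above, as an added example that is not part of the original post: bare names such as wpad, the local DNS domain and LAN addresses go DIRECT so that fetching wpad.dat and reaching the pfSense box never loop through Squid, and everything else goes to the proxy. The proxy address 192.168.1.1:3128, the 192.168.1.0/24 LAN and your.domain.com are assumptions, and the shims at the top only stand in for helpers the browser already provides so the logic can be exercised under Node.

```javascript
// --- Shims for PAC helpers that browsers provide (test harness only). ---
// Do not ship these in wpad.dat / proxy.pac.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(host, net, mask) {
  // A real browser resolves host via DNS first; this shim takes IP literals.
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// --- Contents of wpad.dat / proxy.pac (all values below are assumptions). ---
var PROXY = "PROXY 192.168.1.1:3128"; // assumed pfSense LAN IP and Squid port
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bare names ("wpad", "pfsense") are local by definition.
  if (isPlainHostName(host)) return "DIRECT";
  // Hosts in the local DNS domain, including wpad.your.domain.com.
  if (dnsDomainIs(host, ".your.domain.com")) return "DIRECT";
  // Only test IP literals against the LAN, so isInNet never triggers
  // a DNS lookup for every external host name.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "192.168.1.0", "255.255.255.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: the firewall rule blocks direct 80/443 anyway,
  // so a proxy outage shows up as a clear error instead of a timeout.
  return PROXY;
}
```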

              mendilli

              thank you jonatas.baldin,

              I will try and let you know

                jonatas.baldin

                Ok, anything I can help just ask.

                  Nachtfalke

                  Did you try with "Use IPv4 first" on the squid3 package?

                  I read some posts about problems if you are using IPv4 and did not check this option.

                    batocy

                    Hello jonatas

                    I would like to ask about what you say about this:
                    "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                    What do you mean by this?
                    Do you mean I will not configure it on the firewall??
                    Please help me I really need this.

                    Thank you.

                      Nachtfalke

                      @batocy:

                      Hello jonatas

                      I would like to ask about what you say about this:
                      "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                      What do you mean by this?
                      Do you mean I will not configure it on the firewall??
                      Please help me I really need this.

                      Thank you.

                      This means that you should block all traffic for port 80/443 which does not have your pfSense as destination IP.
                      This rule should block 80/443 traffic which goes directly to the internet, because you want this traffic to go through the squid proxy. So you must allow traffic for 80/443 directly to squid but deny it to the internet.

                        batocy

                        Thanks very much.
                        I have tried your instruction but it seems I can only access the pfSense but I can't access the internet.
                        I have a question: is http://wpad/wpad.dat correct for all configurations?

                          thermo

                          Some clients might append the domain name to the request, e.g. wpad.yourdomain.tld/wpad.dat. Check that this (and just http://wpad.dat) is resolvable/accessible from the client.

                          • Manually enter the proxy:port settings to check whether the problem is with the wpad detection or with your firewall rules, and check the firewall logs.
                            batocy

                            How to check if the wpad is correct is being used by the client?
                            Thanks

                              thermo

                              • Check the wpad web server logs. Beware that IE caches the wpad config and might not request a changed wpad.dat file again for some time.
                              • Check the proxy logs, eg, SSL sites are appearing with CONNECT:www.site.kom:443
                              • Firefox has an addon called 'Foxy Proxy', it has an option to auto detect and tells you whether the config was downloaded & parsed correctly.
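
One way to do the proxy-log check described above, as an added example that is not part of the original post: it summarises Squid access.log entries per client, counting CONNECT (HTTPS) tunnels and denied requests, and lists clients you expected to see that never reached the proxy. It assumes Squid's default native access.log format; the log lines and IP addresses are constructed samples.

```javascript
// Constructed sample lines in Squid's native access.log format:
// time elapsed client result/status bytes method URL user hierarchy/peer type
var SAMPLE_LOG = [
  "1361870001.101    212 192.168.1.50 TCP_MISS/200 4521 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -",
  "1361870002.440     35 192.168.1.50 TCP_MISS/200 1830 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html",
  "1361870003.007      1 192.168.1.51 TCP_DENIED/403 1402 GET http://blocked.example.net/ - NONE/- text/html",
  "this line is truncated"
].join("\n");

// Parse one log line; returns null for damaged or truncated lines.
function parseLine(line) {
  var f = line.trim().split(/\s+/);
  if (f.length < 10 || !/^\d+\.\d+$/.test(f[0])) return null;
  var rs = f[3].split("/");
  return { client: f[2], result: rs[0], status: Number(rs[1]),
           method: f[5], url: f[6] };
}

// Per-client totals: requests seen, CONNECT tunnels, denied requests.
function summarize(logText) {
  var byClient = Object.create(null);
  logText.split("\n").forEach(function (line) {
    var e = parseLine(line);
    if (!e) return;
    var c = byClient[e.client] ||
            (byClient[e.client] = { requests: 0, connects: 0, denied: 0 });
    c.requests++;
    if (e.method === "CONNECT") c.connects++;
    if (e.result === "TCP_DENIED") c.denied++;
  });
  return byClient;
}

// Clients expected to use the proxy that never appear in the log:
// WPAD detection or the firewall rules are the first things to check.
function missingClients(expected, byClient) {
  return expected.filter(function (ip) { return !byClient[ip]; });
}
```

A client with requests but no CONNECT entries is browsing plain HTTP only through the proxy, which is worth comparing against the firewall log for blocked port 443 traffic.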
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.