    WPAD, HTTPs and an odd bug!

      jonatas.baldin

      @mendilli:

      In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid(2) package.

      Man, it just worked! I changed to squid2 and now everything is fine. Thank you so much!

        mendilli

        You are welcome, it was just an idea.

        Do you mind if I ask you to share your wpad file contents and dhcp/dns settings? I would like to try on my system.

          jonatas.baldin

          No problem man!

          First, I create the files wpad.dat and proxy.pac (some OS can read just one file) in /usr/local/www with this content:
          function FindProxyForURL(url,host)
          {
          return "PROXY ip.addr.proxy.server:port";
          }

          DNS Forwarder

          • Enabled DNS
          • Register DHCP static mappings in DNS forwarder
          • Host Override
            HOST   DOMAIN            IP                     DESCRIPTION
            wpad   your.domain.com   ip.addr.proxy.server   wpad

          DHCP SERVER
          Domain name: your.domain.com
          Domain search list: your.domain.com
          Additional BOOTP/DHCP Options:
          NUMBER   TYPE   VALUE
          252      text   http://wpad/wpad.dat

          FIREWALL
          In the firewall I create one rule from LAN SUB -> LAN ADDRESS allowing traffic for the squid port.
          Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this).

          SQUID
          Disabled the Transparent Proxy options.
          Using squidGuard for creating the rules. It's a lot more flexible.

          CLIENTS
          In the proxy clients, set the option like "Auto detect configuration for proxy server…"

          Well, I guess this is it. Thanks one more time and I hope I could help too!

            mendilli

            Thank you jonatas.baldin,

            I will try and let you know.

              jonatas.baldin

              Ok, anything I can help just ask.

                Nachtfalke

                Did you try with "Use IPv4 first" on the squid3 package?

                I read some posts about problems if you are using IPv4 and did not check this option.

                  batocy

                  Hello jonatas

                  I would like to ask about what you say about this:
                  "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                  What do you mean by this?
                  Do you mean I will not configure it on the firewall??
                  Please help me I really need this.

                  Thank you.

                    Nachtfalke

                    @batocy:

                    Hello jonatas

                    I would like to ask about what you say about this:
                    "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                    What do you mean by this?
                    Do you mean I will not configure it on the firewall??
                    Please help me I really need this.

                    Thank you.

                    This means that you should block all traffic for port 80/443 which does not have your pfSense as destination IP.
                    This rule should block 80/443 traffic which goes directly to the internet, because you want this traffic to go through the squid proxy. So you must allow traffic for 80/443 directly to squid but deny it to the internet.

                      batocy

                      Thanks very much.
                      I have tried your instruction but it seems I can only access the pfsense but I can't access the internet.
                      I have a question: is http://wpad/wpad.dat correct for all configurations?

                        thermo

                        Some clients might append the domain name to the request, e.g. wpad.yourdomain.tld/wpad.dat. Check that this (and just http://wpad.dat) is resolvable/accessible from the client.

                        • Manually enter the proxy:port settings to check whether the problem is with the wpad detection or with your firewall rules, and check the firewall logs.
                          batocy

                          How to check if the wpad is correctly being used by the client?
                          Thanks

                            thermo

                            • Check the wpad web server logs. Beware that IE caches the wpad config and might not request a changed wpad.dat file again for some time.
                            • Check the proxy logs, eg, SSL sites are appearing with CONNECT:www.site.kom:443
                            • Firefox has an addon called 'Foxy Proxy', it has an option to auto detect and tells you whether the config was downloaded & parsed correctly.
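The "downloaded & parsed correctly" check from the last post can also be run offline against the wpad.dat from jonatas.baldin's setup post. The following is an added example, not code from the thread: it evaluates the file's text in Node.js and checks that every value FindProxyForURL returns is a well-formed directive. The name lintPac, the helper stand-ins and the proxy address 192.0.2.1:3128 are assumptions made for the example.

```javascript
// Added example (not from the thread): offline lint of a wpad.dat / proxy.pac body.
// new Function() is not a sandbox, so only feed it a file you wrote yourself.
// Minimal stand-ins for helpers that a browser's PAC runtime provides.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) =>
    new RegExp('^' + glob.replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
};

// One directive: DIRECT, or a proxy keyword followed by host:port with a numeric port.
const DIRECTIVE = /^(?:DIRECT|(?:PROXY|SOCKS|SOCKS4|SOCKS5|HTTP|HTTPS)\s+[A-Za-z0-9.-]+:(\d{1,5}))$/;

function lintPac(pacText, sampleUrls) {
  let find;
  try {
    const names = Object.keys(pacHelpers);
    const tail = '\nreturn typeof FindProxyForURL === "function" ? FindProxyForURL : null;';
    find = new Function(...names, pacText + tail)(...Object.values(pacHelpers));
  } catch (err) {
    return { ok: false, problems: ['syntax error: ' + err.message] };
  }
  if (!find) return { ok: false, problems: ['FindProxyForURL is not defined'] };

  const problems = [];
  for (const url of sampleUrls) {
    let answer;
    try {
      answer = String(find(url, new URL(url).hostname));
    } catch (err) {
      problems.push(`${url}: FindProxyForURL threw: ${err.message}`);
      continue;
    }
    // A PAC answer is a ';'-separated fallback list; every entry must be well formed.
    for (const part of answer.split(';').map((s) => s.trim()).filter(Boolean)) {
      const m = DIRECTIVE.exec(part);
      if (!m || (m[1] && Number(m[1]) > 65535)) problems.push(`${url}: bad directive "${part}"`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed inputs: the file as posted in the thread (placeholders untouched) and a
// filled-in copy. 192.0.2.1:3128 is an assumed proxy address, not taken from the thread.
const asPosted = 'function FindProxyForURL(url,host)\n{\nreturn "PROXY ip.addr.proxy.server:port";\n}';
const filledIn = asPosted.replace('ip.addr.proxy.server:port', '192.0.2.1:3128');
const sampleUrls = ['http://example.org/', 'https://example.org/login'];
console.log(lintPac(asPosted, sampleUrls), lintPac(filledIn, sampleUrls));
```

The copy with the placeholders left in is flagged because `port` is not numeric, which is the kind of mistake that otherwise only shows up as clients silently failing to use the proxy.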