WPAD not detected while pfSense on https in "webConfigurator"
-
Hello
I've done block some https site like facebook with wpad file by configure DHCP BOOTP/DNS Forwarder
and everything working fine , client browsers can detect wpad script
when I configure another pfSense with the same settings the can't downloading the wpad
I discover that when pfSense on http the the can get wpad from pfsense, and when pfSense on https in webConfigurator
the browser can't download the script
is there any solution ???? I need to use pfSense with https but this not working with wpad method -
Configure another lighthttpd daemon to listen on 80 and point to a dir with wpad script only.
-
thanks for replay
can you point me how to ? -
This is how I do it - using monit
-
Sorry for the late reply.
this is the way I'm doing using filer and cron package
file /var/etc/lighty-proxy-js.conf
# # lighttpd configuration file # # use a it as base for lighttpd 1.0.0 and above # ############ Options you really have to take care of #################### ## FreeBSD! server.event-handler = "freebsd-kqueue" server.network-backend = "writev" ## modules to load server.modules = ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect", "mod_fastcgi", "mod_cgi" ) ## Unused modules # "mod_setenv", # "mod_rewrite", # "mod_ssi", # "mod_usertrack", # "mod_expire", # "mod_secdownload", # "mod_rrdtool", # "mod_auth", # "mod_status", # "mod_alias", # "mod_proxy", # "mod_simple_vhost", # "mod_evhost", # "mod_userdir", # "mod_cgi", server.max-keep-alive-requests = 15 server.max-keep-alive-idle = 30 ## a static document-root, for virtual-hosting take look at the ## server.virtual-* options server.document-root = "/usr/local/www/wpad/" # Maximum idle time with nothing being written (php downloading) server.max-write-idle = 999 ## where to send error-messages to server.errorlog = "/var/log/lighttpd-prxy-js.error.log" accesslog.filename = "/var/log/lighttpd-prxy-js.access.log" # files to check for if .../ is requested server.indexfiles = ( "index.php", "index.html", "index.htm", "default.htm" ) # mimetype mapping mimetype.assign = ( ".pdf" => "application/pdf", ".sig" => "application/pgp-signature", ".spl" => "application/futuresplash", ".class" => "application/octet-stream", ".ps" => "application/postscript", ".torrent" => "application/x-bittorrent", ".dvi" => "application/x-dvi", ".gz" => "application/x-gzip", ".pac" => "application/x-ns-proxy-autoconfig", ".swf" => "application/x-shockwave-flash", ".tar.gz" => "application/x-tgz", ".tgz" => "application/x-tgz", ".tar" => "application/x-tar", ".zip" => "application/zip", ".mp3" => "audio/mpeg", ".m3u" => "audio/x-mpegurl", ".wma" => "audio/x-ms-wma", ".wax" => "audio/x-ms-wax", ".ogg" => "audio/x-wav", ".wav" => "audio/x-wav", ".gif" => "image/gif", ".jpg" => "image/jpeg", ".jpeg" => "image/jpeg", ".png" => "image/png", ".xbm" => "image/x-xbitmap", ".xpm" => "image/x-xpixmap", ".xwd" => "image/x-xwindowdump", ".css" => "text/css", ".html" => "text/html", ".htm" => "text/html", ".js" => "text/javascript", ".asc" => "text/plain", ".c" => "text/plain", ".conf" => "text/plain", ".text" => "text/plain", ".txt" => "text/plain", ".dtd" => "text/xml", ".xml" => "text/xml", ".mpeg" => "video/mpeg", ".mpg" => "video/mpeg", ".mov" => "video/quicktime", ".qt" => "video/quicktime", ".avi" => "video/x-msvideo", ".asf" => "video/x-ms-asf", ".asx" => "video/x-ms-asf", ".wmv" => "video/x-ms-wmv", ".bz2" => "application/x-bzip", ".tbz" => "application/x-bzip-compressed-tar", ".tar.bz2" => "application/x-bzip-compressed-tar" ) # Use the "Content-Type" extended attribute to obtain mime type if possible #mimetypes.use-xattr = "enable" #### accesslog module #accesslog.filename = "/dev/null" ## deny access the file-extensions # # ~ is for backupfiles from vi, emacs, joe, ... # .inc is often used for code includes which should in general not be part # of the document-root url.access-deny = ( "~", ".inc" ) ######### Options that are good to be but not neccesary to be changed ####### ## bind to port (default: 80) server.port = 80 server.bind = "your_ip_address_here" ## error-handler for status 404 #server.error-handler-404 = "/error-handler.html" #server.error-handler-404 = "/error-handler.php" ## to help the rc.scripts server.pid-file = "/var/run/lighty-proxy-js.pid" ## virtual directory listings server.dir-listing = "disable" ## enable debugging debug.log-request-header = "disable" debug.log-response-header = "disable" debug.log-request-handling = "disable" debug.log-file-not-found = "disable" # gzip compression compress.cache-dir = "/tmp/lighttpdcompress/" compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" ) server.upload-dirs = ( "/root/", "/tmp/", "/var/" ) server.max-request-size = 2097152 #### fastcgi module ## read fastcgi.txt for more info fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/tmp/php-fastcgi-proxy-js.socket", "min-procs" => 0, "max-procs" => 2, "bin-environment" => ( "PHP_FCGI_CHILDREN" => "2", "PHP_FCGI_MAX_REQUESTS" => "500" ), "bin-path" => "/usr/local/bin/php" ) ) ) #### CGI module cgi.assign = ( ".cgi" => "" ) expire.url = ( "" => "access 50 hours", ) ## ssl configuration #ssl.engine = "enable" #ssl.pemfile = "/var/etc/cert.pem" #ssl.use-sslv2 = "disable" #ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES #@STRENGTH"
file /root/check_proxyjs.sh
#!/bin/sh /bin/ps ax | /usr/bin/grep /var/etc/lighty-proxy-js.conf | /usr/bin/grep -v grep if [ $? -eq 0 ];then /bin/echo ok else /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-js.conf fi
cron
-
-
-
-
- root /root/check_proxyjs.sh
-
-
-
-
-
Thank you for your effort
I did your method ones with "Filer" and ones created manual file and upload them over sftp and did the Cron job
but I have no luck
I reboot the pfsense to execute cron job and change pfsense to https, clear client bowers still can't download the script when pfs on https
should I change wpad config in DHCP-Server BOOTP to https like "https://wpad/wpad.dat" ?? -
While using filer, you do not need sftp to transfer config files or or scripts.
Do not forget to create a firewall rule to allow traffic on 80 and also check if you have disabled web gui redirect rule on system advanced.
-
thank you
the real working method for me I got from HERE http://forum.pfsense.org/index.php/topic,59073.msg317570.html#msg317570
look for my setup in attachment
after I did your steps I enabled HTTPS and unchecked "Disable webConfigurator redirect rule" the client browser can't download wpad script
-
there is no other help for issue
-
Can you download the script if you put it directly in your browser? E.g. http://wpad/wpad.dat for you or http://my_pfsense_ip/wpad.dat for me.
-
yes
everythings working fine , Browsers can download script with Server_IP or wpad/wpad.dat
my problem when change pfSense Web Access to HTTPS, the browsers can't read the wpad script -
Personally I found it easiest to just install the package vhost and then create vhost for wpad.
-
Oh, duh, I know why. The only web server you have running is the one running the pfSense gui. So when you have your pfSense gui set up to serve via http, requests for wpad via http are also served. When you set your pfSense gui to https, you are reconfiguring your server to port 443 and clients on your network are requesting wpad via http but there is no server on port 80.
This is why I have a dedicated lighttpd serving port 80 running just for wpad (as detailed in the thread I linked). marcelloc does too, he mentioned it earlier in this thread (and others). My pfSense gui is run on https, but not port 443, another port so that I can have special 443 rules that don't affect the gui.
-
thank you all for helping me
vHost working for me
I create
Host: wpad.dat
Port : 80
Directory : /usr/local/wwwbut squidGuard error pages not working, can you u give any idea to configure this