SquidGuard: Is there a way to for a PC to automatically detect proxy settings

mendilli

@jerk_shop:

alright I'll give that a try. Do I only need to upload the .dat file? I'm reading this link https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid but seems like it does not include the proxy.pac script.

create three files named wpad.dat, wpad.da and proxy.pac and use the same script in theese three files

jerk_shop

I'm looking for instructions in the interwebs on how to upload it using scp but I dunno how to change the permission if you do have a step by step guide then I would be thankful. :)

I'm trying using vi see if how it works. Reading vi commands :D this is giving me a challenge. - this works reading through how it works turned me into a child. <i'm on="" my="" 20's="" lol="">I tried to locate the usr/local/www under shell but it does not list that folder. Do I have to create that? - I found it :D silly me…</i'm>

Legion

It's not quite as simple as you think.

Permissions can probably be read-only, I would think. But from reading an old thread I saw I did set mine to 755.

In order for your client machines behind pfSense to find the wpad file(s), it needs to be served by a web server. If your pfSense gui is on http, then no problem. Otherwise, if you've changed it (like I have) to use https or even specified a custom port, then you need to set up a web server specifically to serve the wpad files.

Rather than type all the same stuff again, I went through the process you want to go through and used:

• wpad (like what you're doing now)
• lighttpd, using a second dedicated daemon specifically to serve http requests
• monit, to make sure my lighttpd is running and restart it if it stops
• Filer, maybe I used this in setting up files instead of winscp

If you search "site:forum.pfsense.org keyword" using any of those first three keywords and look for some recent threads I've participated in, you might see what I went through. Conceptually it's simple but it's kind of frustrating when you hit a brick wall. FWIW I did a lot of logging in to pfSense's shell and vi (and I installed vim because I'm more comfortable with it) and command line stuff while troubleshooting. vi's probably super hard to learn just for this, I would imagine.

You also have to maybe specify firewall rules and/or port forwarding to make sure things are allowed/blocked properly. I don't remember what my current rule state is but I tried both methods.

There are alternative approaches to what I did, but essentially it's the same thing - make sure you have a wpad setup that is being served via http.

It's (much) easier to just make sure all devices on the network have the proxy configured. I can do this because I control all the devices on my network but wpad still works and I can see it when I e.g. set up a new OS or add a new device - often I'll see the browser looking for and finding wpad before I remember to set up the proxy settings. I'm glad I've got it set up but it was a PITA.

Legion

Like this thread, where marcelloc helped me get set up. At the time I was using Dansguardian and Squid. Now it's SquidGuard and Squid3.

Or this thread, with some info about my rules.

And this thread discussing how I set up monit. You could probably use cron or other task managers like some package that I was reading about a few months ago that someone had set up.

And here's someone else who went through what you're doing and had problems with the gui on https.

Etc.

jerk_shop

yeah I 101% agree that it isn't simple, :(

But I'm kinda happy when I find out how to get to one point :) and it's a long way to go.

I'll read through the threads you had given me.

BTW I changed the port of the webgui so I won't be lockout when port 80 is blocked or something.

https://forum.pfsense.org/index.php/topic,62412.15.html[[WPAD] How to configure it?] oh I'm looking towards this thread since the beginning

An update right now I was able to save the .dat, .da, and .pac using vi

following the wpad autoconfig link did till DNS forwarder settings and blocking port 80 problem is it doesn't go to a website anymore when the rule is enable. So I'm pretty sure I'm doing something wrong here.

Legion

Can you download the wpad file directly from your browser? E.g. can you type in http://wpad.yourdomain.com/wpad.dat and does it load up your file?

If no, do you have firewall rules blocking it?

If yes, is your wpad file configured correctly, i.e. pointing to the correct proxy IP and port that you have Squid listening on? If so, Squid has a nice real time gui page that shows traffic it is intercepting. Anything happening there?

Also look at the pfSense gui system logs page, the firewall tab. It will show you if things are being blocked and which firewall rules are doing the blocking. I only have a home router so I generally make sure all rules have logging enabled. But the default ipv4 rule logs by default I think, so you normally always see that one when you haven't configured your Pass rules correctly.

Also see this. I use both DNS and DHCP but some browsers/OS combinations will ignore DHCP.

Legion

@jerk_shop:

BTW I changed the port of the webgui so I won't be lockout when port 80 is blocked or something.

Oh, then this is what is happening. Your browser(s) is looking for wpad via http (port 80) and your only pfSense web server is an instance of lighttpd running on the pfSense box and serving port whatever-your-gui-is-on. So your browser won't ever get served the wpad/proxy files. Read some of the links and see how to get around that. You need a dedicated web server for wpad. lighttpd or nginx or whatever. lighttpd is already on pfSense so that's easiest.

You need a lighttpd .conf file in the right spot. Copy my or marcelloc's or anyone else's ideas for that. It needs to be serving port 80 and you can restrict the settings a bit since all it will serve is that one file. You need to have a way to start lighttpd when pfSense starts and keep it running. Otherwise you could do it manually every time you reboot, but that would suck.

jerk_shop

I see… I get through the threads you recommended. BTW I'm using bridge mode coz we have a router and Pfsense is getting dhcp(just for testing I'm not deploying it until I get this filter right) on that router.

I will get back to you after trying some. :) thanks for your assistance. Please bear with me. :)

Legion

Read what marcelloc says halfway down this thread.

In there, the post with the code, you can see his .conf file. If you read it you can see that he has created a subdirectory on pfSense at /usr/local/www/wpad/ and put his wpad.dat, wpad.da and proxy.pac files in there. I did the same and put my lighttpd-proxy-wpad.conf file in there too (whereas he puts his file at /var/etc/lighty-proxy-js.conf). I just wanted all my wpad files in the one place.

One other thing he doesn't do in his .conf file is you need to add mimetypes for .dat and .da. Copy and paste the line:

".pac"          =>      "application/x-ns-proxy-autoconfig",

twice and change the .pac to .dat and .da so it reads:

".pac"          =>      "application/x-ns-proxy-autoconfig",
".dat"          =>      "application/x-ns-proxy-autoconfig",
".da"          =>      "application/x-ns-proxy-autoconfig",

and I guess just follow his instructions for the rest.

Or as I mentioned, I use monit (and an rc.d script) instead of cron. Your choice. Same result.

Legion

One important bonus point mentioned by marcelloc is:

"While using filer, you do not need sftp to transfer config files or or scripts."

The good thing about using Filer is that files are saved in configuration backups. So, if you reinstall pfSense and use a config backup, all your framework files are also restored. Whereas using vi and file transfer manually you have to remember to do all that again manually to restore your settings. If it's not written down you can be sure you'll miss things.

I've reinstalled the complete OS a few times and had to remember to do the manual thing, e.g. reinstalling monit (not a pfSense package) and some other stuff.

jerk_shop

Can you download the wpad file directly from your browser? E.g. can you type in http://wpad.yourdomain.com/wpad.dat and does it load up your file?

I can't download it via wpad coz my wrong is not creating a wpad inside usr/local/www but I was able to download via LAN_IP/wpad.dat
but when mydomain.com/wpad.dat it says ooopppsss google can't find that stuff.

wait quick question can I access the webgui using my inputted domain under general setup like for example under domain icantmakethisstuffwork.com. Can I put that at my browser to directly access the webgui?

Legion

Don't think so. In fact, I highly doubt it.

It doesn't matter where you put your files, as long as they are being served. All the /usr/local/www stuff is just stuff that the out-of-the-box webgui uses. It would be the directory where the pfSense lighttpd .conf points. So if you put wpad.dat in there and your gui is configured to use port 80, your browser will find it and use wpad how you want.

But as soon as you start to do custom stuff, like move pfSense gui to another port and use wpad, you need to have the second dedicated server and you can configure it however you want, e.g. put your files in /foo/bar/wpad/ and configure your second server to use that file location. Reading marcelloc's .conf file from that link a couple of posts ago, it points to:

server.document-root        = "/usr/local/www/wpad/"

That can be anything you want, like /foo/bar/wpad/.

From reading there are a few other lines you will also want to modify. Where it sends logs to, where it puts the pid file, comment out the SSL stuff, etc. It's fairly self-explanatory.

If you decide to use nginx or something else instead of lighttpd, I can't help you but there will be lots of resources.

mendilli

@jerk_shop:

Can you download the wpad file directly from your browser? E.g. can you type in http://wpad.yourdomain.com/wpad.dat and does it load up your file?

I can't download it via wpad coz my wrong is not creating a wpad inside usr/local/www but I was able to download via LAN_IP/wpad.dat
but when mydomain.com/wpad.dat it says ooopppsss google can't find that stuff.

wait quick question can I access the webgui using my inputted domain under general setup like for example under domain icantmakethisstuffwork.com. Can I put that at my browser to directly access the webgui?

if you are using firefox, you have to change the proxy dedection option to the second one from top(by default the third one is selected), in browser proxy settings
and be sure that your dns host override is correct

host=wpad (not the host name you give in pfsense general settings)
domain=domain name you have given in pfsense general settings
ip=your lan ip
description=anything you like