Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Guide to configure squid, squidguard, https?

    Scheduled Pinned Locked Moved pfSense Packages
    38 Posts 10 Posters 9.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Jambro1964
      last edited by

      I used GPO to push the cert to all domain computers, the pain was all the BYODs and had to manually import the cert. I just stuck it on the internal webserver and gave all instructions to get to it and import it. Wasn't that bad.

      My problem now is that Squid has problems with https sites that are using TLS 1.2.  Any one know how to fix that in the Squid-dev so I can continue to use MitM?

      Thanks,

      Jim

      1 Reply Last reply Reply Quote 0
      • T
        thecableguy
        last edited by

        @KOM:

        The guide I linked to was much easier for me to understand (I just did this whole exercise two weeks ago!) than the one you provided.  Really, it's a lot easier than you think:

        1.  Login to pfSense via SSH and go to /usr/local/www
        2.  Create wpad.dat and stuff it with:

        function FindProxyForURL(url,host)
        {
        return "PROXY Your.Proxy.IP.Address:3128";
        }

        3.  Copy wpad.dat to wpad.da and proxy.pac to support other auto-discovery methods
        4.  Create a DNS entry for wpad and point it to your pfSense LAN IP
        5.  Create a DHCP Option 252 entry and point it to your pfSense WPAD URL: http://Your_pfSense_LAN_IP:Port/wpad.dat
        6.  Add LAN rules that block port 80 and port 43

        Done.

        I understand this however, is there a step by step guide? I am still learning BSD and Linux and don't want to make any mistakes..

        Thanks

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          KOM steps are a step by step guide.  The dhcp stuff you can configure on your active directory (Windows)  but you will also find good guides looking for wpad + dhcp configuration on forum, Google and/or youtube.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • cwagzC
            cwagz
            last edited by

            @marcelloc:

            While using transparent proxy,  create a host alias with  hosts/ips (not domains)  you want to bypass the transparent proxy  and then put this alias on squid general tab(bypass proxy to these Destination ips).

            I tried this again and realized I was missing a required host.  It works!  Minecraft needs the following bypassed:
            s3.amazonaws.com
            authserver.mojang.com

            Thanks again

            Netgate 6100 MAX

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              The real time tab is really useful for these diagnostics  :)

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • cwagzC
                cwagz
                last edited by

                Maybe this will help some for thecableguy.  From KOM guide which I followed:

                I put my wpad.dat on a virtual machine running ubuntu but the same stuff works in pfsense i believe.  There are a lot of blogs and posts that show how to use this stuff as well.

                1.  Login to pfSense via SSH and go to /usr/local/www
                I use Putty on windows to do this.  You have to turn SSH access on in pfsense

                2.  Create wpad.dat and stuff it with:
                you can also do this from inside pfsense using the "edit file" page
                or cd to the directory above and then use nano to create the file (hopefully nano is included in pfsense otherwise google how to use vi)

                #nano wpad.dat

                function FindProxyForURL(url,host)
                {
                return "PROXY Your.Proxy.IP.Address:3128";
                }

                3.  Copy wpad.dat to wpad.da and proxy.pac to support other auto-discovery methods
                #cp wpad.dat wpad.da
                #cp wpad.dat proxy.pac

                4.  Create a DNS entry for wpad and point it to your pfSense LAN IP

                5.  Create a DHCP Option 252 entry and point it to your pfSense WPAD URL: http://Your_pfSense_LAN_IP:Port/wpad.dat

                6.  Add LAN rules that block port 80 and port 43

                Done.

                Netgate 6100 MAX

                1 Reply Last reply Reply Quote 0
                • M
                  MrGlasspoole
                  last edited by

                  I can't get WPAD to work.

                  What i did is installing vHosts and there i made this setting:

                  Host: wpad.mydomain.net
                  IP Address: 192.168.0.1
                  Port: 80
                  

                  I uploaded .dat, .da and .pac to /usr/local/vhosts/wpad.mydomain.net
                  I checked lighty-webConfigurator.conf and the mimetypes are there.

                  webConfigurator is set to HTTPS and "Disable webConfigurator redirect rule"

                  DNS Resolver Host Overrides has:

                  Host: wpad
                  Domain: mydomain.net
                  IP: 192.168.0.1
                  

                  DHCP Server LAN Additional BOOTP/DHCP Options has:

                  255 TEXT http://192.168.0.1:80/wpad.dat
                  255 TEXT http://192.168.0.1:80/wpad.da
                  255 TEXT http://192.168.0.1:80/proxy.pac
                  

                  I can download the files in the browser with wpad.mydomain.net/wpad.dat
                  It also works if i add the path to the wpad.dat into the browser proxy settings
                  but Auto-Proxy does not work.

                  I also wonder about blocking port 80. If i do that no side is reachable anymore.

                  And just as i wrote that i had the idea to check if 192.168.0.1:80/wpad.dat downloads
                  the file in the browser - it doesn't. Maybe thats the problem?

                  1 Reply Last reply Reply Quote 0
                  • W
                    wiz561
                    last edited by

                    A question about the wpad configuration and squid in standard mode with HTTPS.  Can you cache HTTPS pages?  Do you have to do the MitM and install the self signed certificate on the client workstations in order for you to cache HTTPS?

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      Yes and yes.  :)

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • V
                        vbentley
                        last edited by

                        @Cino:

                        WPAD is the way to go..  There are ways around it but its the easiest to block pages HTTP/HTTPS without setting up MILM and dealing with certs.

                        However, WPAD has some security vulnerabilities that will run Javascript. It doesn't matter if Javascript is blocked in the browser or switched off. You should prevent WPAD from executing someone else's code should the client fail to find wpad.dat at your intended location.

                        For example…
                        Your Squid proxy is on 192.168.1.1
                        Your client device has a hostname of 'pc7'
                        DHCP puts it into the domain 'pfsense.co.uk' so that it's FQDN is pc7.pfsense.co.uk

                        Then you need these in your DNS forwarder before using WPAD

                        wpad.pfsense.co.uk resolve to your proxy, 192.168.1.1
                        wpad.co.uk  resolve to your proxy, 192.168.1.1
                        wpad.uk resolve to your proxy, 192.168.1.1

                        If you have additional search domains pushed by DHCP, say pfsense.org.uk, you will also need these...

                        wpad.pfsense.org.uk resolve to your proxy, 192.168.1.1
                        wpad.org.uk resolve to your proxy, 192.168.1.1

                        Now that we have many new TLDs, we probably should also have...

                        wapd resolve to your proxy, 192.168.1.1

                        ...If a client device DHCP's outside of your cosy secure network into someone else's, WPAD will go looking for a wpad.dat anywhere down that domain's hierarchy.

                        Trademark Attribution and Credit
                        pfSense® and pfSense Certified® are registered trademarks of Electric Sheep Fencing, LLC in the United States and other countries.

                        1 Reply Last reply Reply Quote 0
                        • M
                          MrGlasspoole
                          last edited by

                          Some help please :)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.