SQUID proxy authentication

KOM

Of course they still have access.  Squid in Transparent mode just redirects the traffic from port 80 to 3128.  It doesn't block port 80, so anyone not using the proxy has full, direct access.  That's why it's usually a good idea to block ports 80/443 on LAN.  Then nobody get around the proxy.

BlazeStar

Yup that was stupid indeed.

I still can't make the WPAD to work.

But after blocking the port I tried manually configuring the proxy address in firefox.

It does ask for authentification right away!

But when I enter the credentials of a user I put in

Service > Proxy Server > Users

It will not work.

The proxy log shows TCP DENIED/407

Any idea?

marcelloc

Try to use squid3-dev on pfsense 2.1. Squid3 package is still on old 3.1.

And then check firewall rules on lan to deny direct access to 80,443,etc http ports.

And on client browers, check if detect proxy settings are checked.

BlazeStar

Okay I thought squid3-dev was beta or something.

Will try and report back, thanks !

BlazeStar

Now using squid3-dev / 3.3.10 pkg 2.2.8

Same problem :(

To sum it up:

I've been using SQUID proxy for a while now in transparent mode and it works fine.

My goal is to make it to non transparent mode.

Then toggle authentification.

Then install SquidGuard.

So first step to non transparent mode :

1. Services > Proxy Server
   I uncheck the Transparent HTTP proxy checkbox.

2. Firewall > Rules > LAN
   I block HTTP port (80) for TCP

3. To make auto-configuration I followed this:
   https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

After creating the files I added additional DHCP options like so:
http://cl.ly/image/430u022O3N3T

I also added a DNS host override like so:
http://cl.ly/image/3k382b461r3N

Then I fire up a browser (I used Firefox and Safari)
None will work.

If I input the WPAD file manually in Firefox, it WILL work perfectly !
(In the network settings, specify the auto-config address, I add: http://10.0.1.1/wpad.dat)

If I leave it to "auto-detect proxy settings" it will NOT work.

So proxy in non transparent mode WORKS.

Auto detection does NOT work.

Again, I followed each single steps in this document:
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

Any idea how to make it work please?

I've been stuck on this for so long I'm about to cry ;)

PS: Before you ask, I did reboot pfSense after all changes have been made.

marcelloc

Do you have a firewall rule allowing traffic to squid port on lan?

Try a tcpdump or a package capture to see what packages you get from your client to firewall.

BlazeStar

@marcelloc:

Do you have a firewall rule allowing traffic to squid port on lan?

Try a tcpdump or a package capture to see what packages you get from your client to firewall.

Like I said: squid WILL work in non transparent mode.

When I input manually the WPAD.DAT file address, Firefox will find it and connect to the proxy on port 3128, and will be able to access the Web.

So proxy is reachable on LAN.

The problem is browser auto-config.

I absolutely need this to work because we have road warrior laptops that come in and out of the network so I just want to tick "auto-detect proxy settings" and then all works well.

marcelloc

Google for: check dhcp received options

This way you will find if the problem is with dhcp config/options or Windows client.

BlazeStar

Thanks for the recommendation!

But I'm even more confused now!

ipconfig getpacket en0
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 186469971
secs = 1
ciaddr = 0.0.0.0
yiaddr = 10.0.1.10
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 10:9a:dd:50:62:63
sname = 
file = 
options:
Options count is 9
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.0.1.1
lease_time (uint32): 0x15180
subnet_mask (ip): 255.255.0.0
router (ip_mult): {10.0.1.1}
domain_name_server (ip_mult): {10.0.1.1}
proxy_auto_discovery_url (string): http://10.0.1.1/proxy.pac
end (none): 

So it DOES see it :S

What's up with that ?

BlazeStar

Did some more testing…

It appears that only Firefox does not work.

Safari and Chrome do auto-discover proxy settings :S

My computer is OS X 10.10.2 and both Safari and Chrome use the network settings in the system preferences.

I just set it to auto-discovery and both work fine.

Both Firefox will not work when on auto-detect.

marcelloc

So, SO and pfsense config are fine. Did you captured traffic while using firefox?

Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.

BlazeStar

@marcelloc:

So, SO and pfsense config are fine. Did you captured traffic while using firefox?

Most times, we need to close firefox and reopen to get proxy settings changes applied correctly.

To test, I rebooted the whole computer, so Firefox was restarted by design ;)

What do you mean by "capture traffic while using firefox" ?

How can I do that?

For now, on the desktops that are using firefox, I made the input manually for the WPAD file in the settings.

But I'd really like to make the auto-detect work.

Upon searching on the Google, I found out some old articles stating that Firefox does not support the DHCP way to get the WPAD file, it only supports the DNS way.

But following this article:
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

I did add a DNS host override like so:
http://cl.ly/image/3k382b461r3N

So it "works" but not like I wanted it to be.. that is, only setting needed on any computer is to make it auto-detect proxy settings.

I tested with IE, Safari and Chrome : all work.

Only Firefox is whimsical