Netgate Discussion Forum

    Pfsense Squid wpad https mitm

    28 Posts 6 Posters 8.0k Views
    srk3461

      @Chris.

      If you:
      1 - serve proxy.pac from pfSense
      2 - prevent users accessing pfSense web server that is exposing proxy.pac

      then I don't see how this could work.

      You read my mind; this is exactly why I hijacked this thread from @alxbob, because everybody (most of them) on this forum seems to have got it working in a similar way. @aGeekHere has even made a step-by-step guide which mentions the same thing.

      But it looks like I'm doing something wrong here; however, I don't have any rules on top of that except the anti-lockout rule. Please find the attached screenshot.

      As I mentioned, it's difficult to do it manually for so many, and I don't have an option of pushing it out dynamically for all of them. This (WPAD) seemed to be a better option in my environment.

      [attached screenshot: Capture.JPG]

      chris4916

        @aGeekHere:

        to chris4916
        I would add a bypass proxy rule for the external webserver to pfsense if that is where the wpad is coming from.

        I'm not sure you get my point (or I don't get yours :D)

        When deploying a proxy, there is an obvious point, which is to prevent users accessing the internet directly without using this proxy. This is usually done by adding a FW rule that prevents direct internet access from LAN to internet, at least on ports 80 & 443.
        So far so good  8)

        When deploying WPAD, the browser will have to download the proxy.pac file in order to launch the proxy settings configuration.

        If the server exposing this file is the pfSense web server and you don't set a specific FW rule that authorizes access to at least pfSense on its internal interface on port 80, there is no way the proxy.pac file can ever be downloaded.

        Adding a rule to bypass the proxy doesn't apply here ;)

        Am I correct?

        Jah Olela Wembo: Words turn into ills when they upset, assault or wound.

        aGeekhere

          I'm not sure you get my point (or I don't get yours :D)

          We will get there :)

          When deploying a proxy, there is an obvious point, which is to prevent users accessing the internet directly without using this proxy. This is usually done by adding a FW rule that prevents direct internet access from LAN to internet, at least on ports 80 & 443.
          So far so good  8)

          That is correct, port 80 and 443 need to be blocked or else users can bypass the proxy.

          When deploying WPAD, the browser will have to download the proxy.pac file in order to launch the proxy settings configuration.

          That is correct, it can also get that information from the system settings.

          If the server exposing this file is the pfSense web server and you don't set a specific FW rule that authorizes access to at least pfSense on its internal interface on port 80, there is no way the proxy.pac file can ever be downloaded.

          This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

          So try the system setting way and see how you go.

          Never Fear, A Geek is Here!

          chris4916

            @aGeekHere:

            This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

            That's exactly where I'm not in line, at least with your statement.
            The point is that we have, with this screen copy, only a partial view of the FW rules.

            However, the problem is not whether it goes through or not.

            With FW rules, you define source, destination and port. It doesn't matter if you go through. If the destination is "*", then it also covers the pfSense LAN interface.
            What can be done, if not already applied, is to ensure that the "Anti-Lockout Rule" (on the LAN interface) already contains port 80 ;)

            So try the system setting way and see how you go.

            I'm not using pfSense either as HTTP proxy or as WPAD web server ;) furthermore my anti-lockout rule already includes ports 80 and 22 ;D
            On top of that, if it doesn't work like I describe, then I will have to spend a lot of time reading documentation to better understand how iptables and netfilter work 8)

            Jah Olela Wembo: Words turn into ills when they upset, assault or wound.

            srk3461

              @chris4916:

              @aGeekHere:

              This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

              That's exactly where I'm not in line, at least with your statement.
              The point is that we have, with this screen copy, only a partial view of the FW rules.

              However, the problem is not whether it goes through or not.

              With FW rules, you define source, destination and port. It doesn't matter if you go through. If the destination is "*", then it also covers the pfSense LAN interface.
              What can be done, if not already applied, is to ensure that the "Anti-Lockout Rule" (on the LAN interface) already contains port 80 ;)

              So try the system setting way and see how you go.

              I'm not using pfSense either as HTTP proxy or as WPAD web server ;) furthermore my anti-lockout rule already includes ports 80 and 22 ;D
              On top of that, if it doesn't work like I describe, then I will have to spend a lot of time reading documentation to better understand how iptables and netfilter work 8)

              I think… this is how the firewall rules are supposed to look based on the explanation by chris4916! :) (If I'm reading it properly!!! :P) which makes sense.

              I'm yet to try it out and I don't know whether this will work or not... will update later.

              [attached screenshot: Capture1.JPG]

              chris4916

                Better but not yet perfect  ;D
                I would suggest that the source is set to "this LAN" instead of "*" so that you only authorize access to pfSense on port 80 from YOUR LAN.

                What do you think?

                Jah Olela Wembo: Words turn into ills when they upset, assault or wound.

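As an added illustration of the rule-ordering point chris4916 makes in the posts above (example code written for this page, not anything from the thread or from pfSense itself): a small first-match model of a LAN rule tab. The LAN 192.168.1.0/24, the pfSense LAN address 192.168.1.1 and the client and destination addresses are constructed values.

```javascript
// Added example: first-match model of a pfSense LAN rule tab, to show why a block
// rule with destination "*" also covers the pfSense LAN address and so must sit
// below the rule that lets clients fetch proxy.pac. All addresses are constructed.
const LAN_NET = "192.168.1.0/24";
const PF_LAN_IP = "192.168.1.1";

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// Does address `ip` match `spec`? spec is "*", a single address or a CIDR block.
function matches(spec, ip) {
  if (spec === "*") return true;
  if (!spec.includes("/")) return spec === ip;
  const [net, bits] = spec.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// pfSense evaluates interface rules top to bottom and the first match wins;
// no match at all means the implicit default deny.
function evaluate(rules, pkt) {
  for (const r of rules) {
    if (matches(r.src, pkt.src) && matches(r.dst, pkt.dst) &&
        (r.port === "*" || r.port.includes(pkt.port))) {
      return r.action;
    }
  }
  return "block";
}

// Block direct web first: the "*" destination swallows pfSense's own address too.
const blockFirst = [
  { action: "block", src: LAN_NET, dst: "*",       port: [80, 443] },
  { action: "pass",  src: LAN_NET, dst: PF_LAN_IP, port: [80] },
];
// Pass to pfSense:80 above the block, with source limited to the LAN rather than "*".
const passFirst = [
  { action: "pass",  src: LAN_NET, dst: PF_LAN_IP, port: [80] },
  { action: "block", src: LAN_NET, dst: "*",       port: [80, 443] },
];

// Constructed packets: the proxy.pac download and a direct HTTPS attempt.
const pacFetch = { src: "192.168.1.50", dst: PF_LAN_IP, port: 80 };
const directWeb = { src: "192.168.1.50", dst: "203.0.113.10", port: 443 };

console.log(evaluate(blockFirst, pacFetch)); // block: proxy.pac never arrives
console.log(evaluate(passFirst, pacFetch));  // pass
console.log(evaluate(passFirst, directWeb)); // block: users cannot bypass Squid
```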
                srk3461

                  @chris4916:

                  Better but not yet perfect  ;D
                  I would suggest that the source is set to "this LAN" instead of "*" so that you only authorize access to pfSense on port 80 from YOUR LAN.

                  What do you think?

                  I already made that change, Chris… 8) 8) 8). Will let you guys know how this works out.
                  Thanks for your help guys!

                  srk3461

                    Guys, I got WPAD working… but can anyone help me with this?

                    If I set an IP on a machine manually, WPAD doesn't seem to work; it works only through DHCP!!!

                    And can anyone give me info about the NAT rule that needs to be configured?

                    Thanks!

                    KOM

                      If I set an IP on a machine manually, WPAD doesn't seem to work; it works only through DHCP!!!

                      If you set the IP address manually, you will either have to manually set the proxy too, or at least ensure "Automatically detect proxy" is set in your client browser.

                      chris4916

                        @srk3461:

                        If I set an IP on a machine manually, WPAD doesn't seem to work; it works only through DHCP!!!

                        This is most likely because you are discovering the proxy using the "well known alias", which will (DNS) search for "wpad.your_domain".
                        "your_domain" is pushed by your DHCP configuration, while I suspect you do not set it up, or set it with different settings, when configuring your client manually. This could also be due to the use of a different (or no) DNS when done manually.

                        WPAD can rely on different mechanisms.
                        The "well known alias" is the one mainly used, but you could also use a DHCP option or a DNS service definition.
                        Notice that nothing prevents you from using all of them ;-) because, depending on the clients, some will work better (or not :-[)

                        I wrote something in a previous life (https://wiki.zentyal.org/wiki/Select_Right_HTTP_Proxy_Design) that may help you make the right decision in terms of design.

                        Jah Olela Wembo: Words turn into ills when they upset, assault or wound.

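The proxy.pac the thread keeps referring to is a JavaScript file the browser evaluates; as an added example (not the thread's own file and not a pfSense artefact), here is a minimal one for a pfSense-plus-Squid setup that keeps pfSense itself, plain host names, the local domain and RFC 1918 ranges DIRECT so that the wpad download and local services are never sent to the proxy. The pfSense address 192.168.1.1, Squid port 3128 and domain example.lan are assumed; the three helpers at the top are normally supplied by the browser and are defined here only so the file can be run under Node.

```javascript
// Added example: a PAC file for a pfSense/Squid deployment. Assumed values:
// pfSense LAN IP 192.168.1.1, Squid on port 3128, internal domain example.lan.
// Browsers provide isPlainHostName/dnsDomainIs/isInNet; minimal versions follow
// so the function can be exercised outside a browser (literal IPs only).
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(host, net, mask) {
  const toInt = (s) => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  if (!/^\d+(\.\d+){3}$/.test(host)) return false; // a browser would resolve the name
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function FindProxyForURL(url, host) {
  // pfSense itself stays DIRECT: the client must reach the host that serves
  // proxy.pac / wpad.dat without asking the proxy it has not configured yet.
  if (host === "192.168.1.1" || host === "wpad.example.lan") return "DIRECT";
  // Plain host names and the internal domain (e.g. an on-LAN gateway) bypass Squid;
  // this is the "bypass proxy for local addresses" case.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan")) return "DIRECT";
  // RFC 1918 ranges are local as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through Squid. No "; DIRECT" fallback: direct 80/443
  // is blocked by the firewall in this thread's design, so it would only hang.
  return "PROXY 192.168.1.1:3128";
}
```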
                        srk3461

                          Guys… thank you all for your help... I got it running perfectly.

                          One small issue: has anyone come across this? When using Citrix Receiver to connect to RDP I get the following error only through the proxy: "There is no Citrix SSL Server configured on the specified address". I tried the usual troubleshooting, like using "proxy server options" and "bypass proxy for local address" in IE, using newer clients and all.

                          Thank you for your time.
