Accessing WPAD on /usr/local/www with port 80 (SOLVED)

exa_gon · May 31, 2016, 4:03 PM

Hi,
i'm not able to access on /usr/local/www on port 80 for take a proxy.pac or wpad.dat.

1. The rules on firewall ar all open
2. the Disable webConfigurator redirect rule is checked
3. the permission on files are correct :

/usr/local/www: ls -ltr wpad*
lrwxr-xr-x  1 www  www  14 May 30 15:34 wpad.dat -> wpad/proxy.pac
lrwxr-xr-x  1 www  www  14 May 30 15:34 wpad.da -> wpad/proxy.pac

wpad:
total 4
-rw-r--r--  1 www  www  1681 Mar  5  2015 proxy.pac

But when I wget the wpad :

Connecting to 10.x.x.x:80... failed: Connection timed out.
Retrying.

some ideas ?

exa_gon · May 31, 2016, 10:03 AM

I've solved with that guide :

https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration-guide/

Enjoy.

aGeekhere · May 31, 2016, 12:58 PM

NAT backup

To catch any PCs which aren’t configured with ‘auto configure’ in their settings, you could implement a port forward for any traffic directed at port 80 through to 3128.

Can I have an example of how you can do this?

KOM · May 31, 2016, 1:08 PM

some ideas ?

Are you running WebGUI in HTTP mode or HTTPS mode?

exa_gon · May 31, 2016, 1:49 PM

@aGeekHere:

NAT backup

To catch any PCs which aren’t configured with ‘auto configure’ in their settings, you could implement a port forward for any traffic directed at port 80 through to 3128.

Can I have an example of how you can do this?

Here in attach.

exa_gon · May 31, 2016, 1:50 PM

@KOM:

some ideas ?

Are you running WebGUI in HTTP mode or HTTPS mode?

HTTPS.
So I used another lighttpd for the wpad.

But I have another problem with sgerrro.php.. ( the last one problem )

KOM · May 31, 2016, 2:13 PM

To catch any PCs which aren’t configured with ‘auto configure’ in their settings, you could implement a port forward for any traffic directed at port 80 through to 3128.

That's what Transparent mode basically is. Don't do it this way or you lose the advantages of an explicit proxy in regard to client certificates with HTTPS sites.

aGeekhere · May 31, 2016, 10:21 PM

This is what I was trying hard to understand as the guide suggest you can have a wpad and create a Nat rule to redirect all remaing traffic from port 80 to 3128.

KOM · Jun 1, 2016, 1:15 PM

If you're running Transparent (boo!) then you don't need WPAD. If you're running explicit then you don't need manually-added NAT rules.

aGeekhere · Jun 1, 2016, 1:40 PM

And for programs that have no proxy setting and want to go direct you have to create a bypass on port 80 and 443 for each program. Google play and other apps on Android have too many servers to find and bypass (though chrome on Android uses the wpad). I am just thinking there has got to be a better way to handel programs that have no proxy settings and want to go direct with using a wpad.

KOM · Jun 1, 2016, 2:58 PM

I am just thinking there has got to be a better way to handel programs that have no proxy settings and want to go direct with using a wpad.

If these things aren't smart enough to handle a manual proxy, what makes you think they're WPAD-aware???

What you do is simple here:

Run your proxy in explicit mode
Create your wpad files and put them on an HTTP server
Edit DNS & DHCP to support wpad.YourDomain.blah and point it to pfSense LAN IP
Create firewall rule that blocks access to ports 80/443 on LAN for all
Create a rule just above that rule that allows the Roku and whatever other devices to access ports 80/443 on LAN

The only downside is that nothing the Roku accesses will be cached.

aGeekhere · Jun 1, 2016, 11:34 PM

That is exactly my set up