How to block browsers from bypassing the proxy?
-
I don't understand why you would need to forward anything???
If the goal is to prevent users from bypassing the proxy, then what you have to add is a rule (not a forward!) denying access from LAN to "not LAN".
This will prevent any "outgoing" flow, which means that if you want to authorize other protocols, you need to take that into account and organize your rules accordingly.
-
There is no need to forward anything. Just block 80/443 on LAN and you're done.
-
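Added example, not from the original thread: the two rule sets discussed above (the narrow "block 80/443" rule and the broader "deny LAN to not LAN" rule), written in pf syntax, which is the form pfSense renders its GUI rules into in /tmp/rules.debug; in pfSense itself you would create the equivalent rules under Firewall > Rules on the LAN tab. The interface name, addresses and the assumption that Squid runs on the pfSense box (Squid package, port 3128) are constructed for the example.

```pf
# Constructed example. Assumed: LAN 192.168.1.0/24 on em1, pfSense LAN address
# 192.168.1.1 running Squid on 3128 and the DNS forwarder on 53.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
fw      = "192.168.1.1"

# Narrow variant ("just block 80/443"): stops direct web browsing only.
# Anything on other ports (SSH, VPN, alternate HTTP ports) still leaves the LAN.
# block in quick on $lan_if proto tcp from $lan_net to ! $lan_net port { 80 443 }

# Broad variant ("deny LAN to not LAN"): first pass exactly what must work,
# then deny everything else that is not destined for the LAN itself.
pass  in quick on $lan_if proto tcp          from $lan_net to $fw port 3128   # Squid
pass  in quick on $lan_if proto { tcp udp }  from $lan_net to $fw port 53     # DNS
block in quick on $lan_if from $lan_net to ! $lan_net                          # everything else
```

Because pf evaluates "quick" rules in order, every protocol you still want to allow out (for example NTP or a VPN) needs its own pass rule above the final block; that is the caveat the answer above is pointing at.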
I am no expert; maybe what I need is not called forwarding.
Anyway, let me try to explain by example what I want.
I have my network set up with proxy settings and everyone connects happily. (It is not a transparent proxy, by the way; it is Squid with FreeRADIUS authentication.) Then someone brings a personal laptop, connects it to the network and has no knowledge that it has to configure the proxy to get to the outside. This computer is a Windows computer that has a bug where it does not read WPAD, so it does not get the proxy configuration; it needs to be configured manually.
Now, let's say that I have a blocking rule for the HTTP(S) ports; then the user opens the browser to reach Google and gets an ugly browser error saying it does not have connectivity. (I already found how to create this rule.)
Instead of that browser error, I want the user to reach a welcome page from an internal web server describing the problem, even with instructions to set up the proxy manually.
I hope my need is more clear.
-
Clearer.
The answer is quite simple.
1 - Set up WPAD ;) then you should not need this page any more.
2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices that are not WPAD aware, this may help.
-
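Added example, not from the original thread: a wpad.dat (PAC file) of the kind step 1 refers to. Browsers that auto-detect the proxy fetch http://wpad.<your DNS domain>/wpad.dat over plain HTTP (serve it with MIME type application/x-ns-proxy-autoconfig) and call FindProxyForURL(url, host) for every request. The addresses, the internal domain and the Squid port are constructed values; the helper functions at the bottom (isPlainHostName, dnsDomainIs, isInNet) are minimal stand-ins so the logic can be exercised with node outside a browser, since a real browser supplies its own (and its isInNet also resolves host names, which these stubs do not).

```javascript
// Constructed example PAC file. Assumed values (not from the thread):
// LAN 192.168.1.0/24, Squid on the pfSense LAN address 192.168.1.1:3128,
// internal DNS domain "corp.example".
var PROXY = "PROXY 192.168.1.1:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".corp.example";

function FindProxyForURL(url, host) {
  // Single-label names ("intranet") are resolved locally: never go through the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // Anything in the internal DNS domain stays on the LAN.
  if (dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // Literal loopback or LAN addresses stay direct as well.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else is the Internet and must go through Squid. Deliberately no
  // "; DIRECT" fallback: a browser that cannot reach the proxy should fail,
  // not silently try to bypass it (the LAN block rule catches that anyway).
  return PROXY;
}

// --- Stand-ins for the PAC helpers a browser provides; only needed under node. ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Parse a dotted-quad IPv4 literal into an integer, or null if it is not one
// (PAC's real isInNet would resolve a host name here; this stub does not).
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  // Both sides are masked the same way, so signed 32-bit results compare correctly.
  return (h & m) === (n & m);
}
```

To serve it, drop the helper stubs (or leave them; the browser's own definitions take precedence only if yours are removed, so removing them is the safe choice), publish the file as wpad.dat on a plain-HTTP virtual host named wpad in your DNS domain, and keep the LAN block rule in place so that a machine which ignores WPAD is stopped at the firewall rather than quietly going direct.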
1 - Set up WPAD ;) then you should not need this page any more.
There is a problem using WPAD. Windows in fact has a design flaw in its proxy settings. It is designed to ignore the WPAD configuration after some time running in a network without a proxy, which is the case for almost every regular PC.
2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices that are not WPAD aware, this may help.
This is an idea that I could try. I will write down the outcome after trying.
-
2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices that are not WPAD aware, this may help.
This is an idea that I could try. I will write down the outcome after trying.
OK. It worked nicely. I did not use the default CP page, as it includes authentication fields; I loaded an nginx sample test page and it worked as expected.
Thank you for the idea.
I was trying CP with authentication before and it did not work. (But that is another thread.) Just one more question: with this, do I not need the block rules anymore?
-
There is a problem using WPAD. Windows in fact has a design flaw in its proxy settings. It is designed to ignore the WPAD configuration after some time running in a network without a proxy, which is the case for almost every regular PC.
:o :o :o
Who told you this??? Any source is more than welcome.
WPAD works smoothly with any Windows device, once configured. Trust me and give it a try.
-
There is a problem using WPAD. Windows in fact has a design flaw in its proxy settings. It is designed to ignore the WPAD configuration after some time running in a network without a proxy, which is the case for almost every regular PC.
:o :o :o
Who told you this??? Any source is more than welcome.
WPAD works smoothly with any Windows device, once configured. Trust me and give it a try.
Yes, WPAD works, but it sometimes has some issues that are really difficult to fix, at least for me. In fact, I could not.
See the following links for the problem and their solutions:
http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7
http://serverfault.com/questions/54567/internet-explorer-isnt-auto-discovering-http-wpad-wpad-dat-auto-config
https://infratalk.wordpress.com/2011/09/10/troubleshooting-windows-proxy-autodiscovery-wpad/
If you are willing to read the links, you will see the problem that I am talking about in this thread.
-
IIRC, WPAD will not work if you're serving it from an HTTPS web server. It must be HTTP. This means you can't use pfSense to host the file if you have the WebGUI running in HTTPS mode.
-
@KOM:
IIRC, WPAD will not work if you're serving it from an HTTPS web server. It must be HTTP. This means you can't use pfSense to host the file if you have the WebGUI running in HTTPS mode.
I am not serving the WPAD file from the pfSense server, but from another internal web server.
And the WPAD file is served all right; it is Windows that, even though it gets the file, does not use it.
It is a design flaw in Windows which is not so easy to overcome. Instead of banging my head, I decided to create a group policy to force the machines in the domain to use the proxy. But machines that are not in the domain won't get the policy and have to rely on the WPAD process, which is flawed. Some machines refuse to use the WPAD file even if they get it.
-
Some machines refuse to use the WPAD file even if they get it.
Based on the link you provided, the behaviour is slightly different: these machines do not "refuse" to use WPAD. The browser won't even search for WPAD.
E.g., did you check with another browser, just for your own knowledge?
-
I checked earlier with Chrome, but it uses the same proxy configuration as IE. Firefox, I think, did the job because it does not share the proxy settings in all options.
But I cannot force my clients to use a particular browser.
-
2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices that are not WPAD aware, this may help.
This is an idea that I could try. I will write down the outcome after trying.
OK. It worked nicely. I did not use the default CP page, as it includes authentication fields; I loaded an nginx sample test page and it worked as expected.
Thank you for the idea.
I was trying CP with authentication before and it did not work. (But that is another thread.) Just one more question: with this, do I not need the block rules anymore?
I'll answer my own question about the block rules: I removed them to test, and it works without them.