• 0 Votes
    18 Posts
    2k Views

    This is a better WPAD file

    server.modules = (
        "mod_access",
        "mod_staticfile",
        "mod_expire",
        "mod_setenv"
    )

    server.document-root = "/var/www/html"
    server.errorlog = "/var/log/lighttpd/error.log"
    server.pid-file = "/run/lighttpd.pid"
    server.username = "www-data"
    server.groupname = "www-data"
    server.port = 80
    server.bind = "192.168.1.6"
    server.tag = ""
    server.range-requests = "disable"
    server.max-connections = 10
    connect-timeout = 2
    server.max-keep-alive-idle = 2
    server.max-keep-alive-requests = 1
    server.max-read-idle = 2
    server.max-write-idle = 2
    dir-listing = "disable"

    $HTTP["request-method"] =~ "^(TRACE|TRACK)$" {
        url.access-deny = ( "" )
    }

    # Cache WPAD and proxy PAC files for 1 day (good practice)
    expire.url = (
        "/wpad.dat" => "access plus 1 day",
        "/proxy.pac" => "access plus 1 day"
    )

    # Disable access logs to reduce SD card wear (optional)
    accesslog = ""

    $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" {
        setenv.add-response-header = (
            "X-Content-Type-Options" => "nosniff",
            "X-Frame-Options" => "DENY",
            "Content-Security-Policy" => "default-src 'none';",
            "Cache-Control" => "public, max-age=86400",
            "Referrer-Policy" => "no-referrer",
            "X-Download-Options" => "noopen",
            "X-Permitted-Cross-Domain-Policies" => "none"
        )

        # Allow only GET and HEAD methods
        $HTTP["request-method"] !~ "^(GET|HEAD)$" {
            url.access-deny = ( "" )
        }

        # Restrict access by IP subnets
        $HTTP["remoteip"] == "192.168.1.0/27" {
        }
        else $HTTP["remoteip"] == "2001:470:8052:a::/64" {
        }
        else {
            url.access-deny = ( "" )
        }
    }

    # Deny all other URL requests
    $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" {
        url.access-deny = ( "" )
    }

    # Strict URL parsing for security and consistency
    server.http-parseopts = (
        "header-strict" => "enable",
        "host-strict" => "enable",
        "host-normalize" => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required" => "enable",
        "url-ctrls-reject" => "enable",
        "url-path-2f-decode" => "disable",
        "url-path-2f-reject" => "enable",
        "url-path-dotseg-remove" => "disable",
        "url-path-dotseg-reject" => "enable",
    )

    url.access-deny = ( "~", ".inc" )
    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

    # Add WPAD MIME type for correct browser handling
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )

  • 1 Votes
    32 Posts
    5k Views

    @michmoor
    Yes, it works for them, unfortunately only there :(

  • 0 Votes
    16 Posts
    4k Views

    @jdb67 You might also try to email the Squid users support email to get Squid help. They are very helpful; sometimes the original code writers chime in and help users.

    squid-users@lists.squid-cache.org

    FYI: You will have to register your email and wait for approval before you can send out an email to everyone on this, however.

  • 0 Votes
    3 Posts
    1k Views

    @karimhaydar31 said in connection is not private when using Chrome:

    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

    The certificate is valid, but not co-signed by one of the major players, like Verisign etc. See here for a list.

    The thing is, your browser only accepts certificates (and stays silent) if they were co- or root-signed by one of the authorities that are on 'the list' (in your device).
    You could actually empty this list, and your browser would not even trust https://www.micirostf.com any more.

    So, the easiest thing to do is: export the certificate that is being used by the Webconfigurator, and import it into your browser / OS.
    Now your browser / OS will trust it, and no more errors. That's all it takes!

    You could also get your hands on a certificate that is trusted out of the box.
    A trusted certificate is free.
    Example : if these are your general settings :

    [image: screenshot of the general settings]

    and you actually own, or rent, the some-domain.tld domain name, you could obtain a certificate for *.some-domain.tld for free.
    The pfSense package "acme" is all about that functionality.
    Again : the certificate will be free, the domain name will cost some money.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.