This is a better WPAD file server.modules = ( "mod_access", "mod_staticfile", "mod_expire", "mod_setenv" ) server.document-root = "/var/www/html" server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/run/lighttpd.pid" server.username = "www-data" server.groupname = "www-data" server.port = 80 server.bind = "192.168.1.6" server.tag = "" server.range-requests = "disable" server.max-connections = 10 connect-timeout = 2 server.max-keep-alive-idle = 2 server.max-keep-alive-requests = 1 server.max-read-idle = 2 server.max-write-idle = 2 dir-listing = "disable" $HTTP["request-method"] =~ "^(TRACE|TRACK)$" { url.access-deny = ( "" ) } # Cache WPAD and proxy PAC files for 1 day (good practice) expire.url = ( "/wpad.dat" => "access plus 1 day", "/proxy.pac" => "access plus 1 day" ) # Disable access logs to reduce SD card wear (optional) accesslog = "" $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" { setenv.add-response-header = ( "X-Content-Type-Options" => "nosniff", "X-Frame-Options" => "DENY", "Content-Security-Policy" => "default-src 'none';", "Cache-Control" => "public, max-age=86400", "Referrer-Policy" => "no-referrer", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none" ) # Allow only GET and HEAD methods $HTTP["request-method"] !~ "^(GET|HEAD)$" { url.access-deny = ( "" ) } # Restrict access by IP subnets $HTTP["remoteip"] == "192.168.1.0/27" { } else $HTTP["remoteip"] == "2001:470:8052:a::/64" { } else { url.access-deny = ( "" ) } } # Deny all other URL requests $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" { url.access-deny = ( "" ) } # Strict URL parsing for security and consistency server.http-parseopts = ( "header-strict" => "enable", "host-strict" => "enable", "host-normalize" => "enable", "url-normalize-unreserved"=> "enable", "url-normalize-required" => "enable", "url-ctrls-reject" => "enable", "url-path-2f-decode" => "disable", "url-path-2f-reject" => "enable", "url-path-dotseg-remove" => "disable", "url-path-dotseg-reject" => "enable", ) url.access-deny = ( "~", ".inc" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) # Add WPAD MIME type for correct browser handling mimetype.assign = ( ".dat" => "application/x-ns-proxy-autoconfig", ".pac" => "application/x-ns-proxy-autoconfig" )

@michmoor Yes, it works for them, unfortunately only there :(

@jdb67 You might also try to email the Squid users support email to get Squid help they are very helpful sometimes the original code writers chime in and help users. squid-users@lists.squid-cache.org FYI: You will have to register your email and wait for approval before you can send out a email to everyone on this however.

@karimhaydar31 said in connection is not private when using Chrome: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN The certificate is valid, but not co-signed by one of the major players, like Verisign etc. see here for a list. The thing is, your browser only accepts (and stays silent) certificates if they were co or toot signed by one of the authorities that are on 'the list' (in your device). You could actually empty this list, and your browser would not even trust https://www.micirostf.com any more. So, the easiest thing to do, is : export the certificate that is being used by the Webconfigurator, and import it into you browser / OS. Now, your browser / OS it trust it, and no more errors. That's all it takes ! You could also get your hands on a certificate that is trusted out of the box. A trusted certificate is free. Example : if these are your general settings : [image: 1681197872695-5f251b0a-5c89-4ab6-aec6-556829c21c72-image.png] and you actually own, or rent the some-domain.tld domain name, you could obtain certificate for *.some-domain.tld for free. The pfSense package "acme" is all about that functionality. Again : the certificate will be free, the domain name will cost some money.