Netgate Discussion Forum
How to block browsers to bypass proxy?

19 Posts 3 Posters 7.5k Views
    jetberrocal
    last edited by Jul 25, 2016, 5:00 PM

    This is probably answered somewhere, but I could not find the correct search terms to find the answer.

    I have squid installed in normal mode (non-transparent) on the pfsense box on port 3128. I also have E2guardian installed on a separate box (CentOS) on port 8080 that connects to squid.

    Browsers are configured to use port 8080 for proxy access, but I need to make rules or port forwards to block access to http/https from browsers with no proxy configuration or a hacked proxy configuration.

    For information:
    pfsense LAN IP: 192.168.56.1
    Centos LAN IP: 192.168.56.15

    Subnet 192.168.56.0 255.255.255.0

      chris4916
      last edited by Aug 1, 2016, 9:06 AM

      This is as simple as adding a rule (at the right place, of course, depending on other existing rules) on the LAN interface to drop requests from LAN to the internet on ports 80 and 443  8)

      Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

        jetberrocal
        last edited by Aug 1, 2016, 10:04 PM

        @chris4916:

        This is as simple as adding a rule (at the right place, of course, depending on other existing rules) on the LAN interface to drop requests from LAN to the internet on ports 80 and 443  8)

        That I tried, but I need help with it.

        I created an Alias named Firewall which includes two hosts that I want to let use HTTP(s) directly without proxy.

        I have included a screenshot of the Rules that I added to try to block access to all other computers.

        [Attachment: FirewallRules.png]

          chris4916
          last edited by Aug 2, 2016, 5:00 AM

          Indeed this doesn't work.

          Why?
          Because your rules do not apply and are followed by rules allowing everything to pass through.

          These rules do not apply because the destination is wrong.
          When you access the internet directly, your destination is not "WAN Net" (which is the subnet including your WAN IP, thus potentially very small) but "*".

          1 - change "WAN Net" to "*" (this alone is enough to solve the problem)
          2 - remove or at least disable these rules allowing everything: with such a rule, bypassing the proxy is very easy, e.g. configure your browser to access an external proxy on port 8080 or 3128 or whatever.

          You can do it the way you want, but as long as efficiency is targeted, control at the FW is easier if you only authorize allowed flows rather than blocking denied flows… before allowing everything  8)

            jetberrocal
            last edited by Aug 2, 2016, 10:26 PM

            I thought * meant everything, including the internal network, and WAN net the outside network.

            With your info I removed the block rules and made Port Forward rules to move all !Firewall requests to an internal web page with a notice that they must use the proxy to access Internet web pages.

              jetberrocal
              last edited by Aug 21, 2016, 1:28 AM

              After creating the Port Forward rules it worked for some time, but now it has stopped working. Also, the Port Forward lines that I created generated a virtual block for the internal network; I had to create another Port Forward to work around the problem. Still, it does not do what I want.

              I need help.

              What I want is for the internal computers with no proxy configuration (except pfsense and LAMP) to be forwarded to a Welcome web page on one internal web server when they try to reach an Internet (external) site, but to reach the requested internal site when requesting an internal site.

              The internal Web Server (LAMP) IP is 192.168.1.20, listening on port 80
              The Alias "Firewall" is the internal servers with special roles (pfsense and LAMP)
              The Alias "Internal" is the internal network (including pfsense and LAMP)

              I hope I am clear enough on my goal.

              [Attachment: FirewallNAT.png]

                chris4916
                last edited by Aug 22, 2016, 3:00 AM

                I don't understand why you would need to forward anything  ???
                If the goal is to prevent users bypassing the proxy, then what you have to add is a rule (not a forward!) denying access from LAN to "not LAN".
                This will prevent any "outgoing" flow, which means that in case you want to authorize other protocols, you need to take that into account and organize your rules accordingly.

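As an added illustration of the first-match point chris4916 makes here and in the earlier reply about "WAN Net" versus "*" (this is not code from the thread or from pfSense), here is a small Python model of LAN-interface rule evaluation using the thread's addresses and the "Firewall" alias; the WAN subnet 203.0.113.0/29, the client 192.168.56.50, the internal web server 192.168.56.20 and the internet host 198.51.100.10 are constructed values.

```python
import ipaddress

# Addresses from the thread: LAN 192.168.56.0/24, pfSense LAN IP 192.168.56.1,
# the CentOS/E2guardian box 192.168.56.15 (proxy on 8080). The WAN subnet, the
# client 192.168.56.50 and the internal web server 192.168.56.20 are constructed.
ALIASES = {
    "LAN net": [ipaddress.ip_network("192.168.56.0/24")],
    "WAN net": [ipaddress.ip_network("203.0.113.0/29")],
    "Firewall": [ipaddress.ip_network("192.168.56.1/32"),
                 ipaddress.ip_network("192.168.56.15/32")],
}

def matches(spec, addr):
    """'*' matches anything; a leading '!' negates an alias, as in the pfSense GUI."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], addr)
    return any(addr in net for net in ALIASES[spec])

def evaluate(rules, src, dst, port):
    """First-match evaluation of LAN rules; no matching rule means the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, ports in rules:
        if matches(s, src) and matches(d, dst) and (ports is None or port in ports):
            return action
    return "block"

# Rules as described in the thread: block !Firewall -> "WAN net" on 80/443,
# followed by the rule that allows everything. Only traffic aimed at the
# firewall's own WAN subnet ever hits the block; internet hosts fall through.
ORIGINAL = [
    ("block", "!Firewall", "WAN net", {80, 443}),
    ("pass", "LAN net", "*", None),
]

# Allow-list ordering: reach the proxy/exempt hosts, let the exempt hosts out,
# then deny direct web access to anything outside the LAN before the catch-all
# pass that keeps other protocols working.
FIXED = [
    ("pass", "LAN net", "Firewall", None),
    ("pass", "Firewall", "*", {80, 443}),
    ("block", "LAN net", "!LAN net", {80, 443}),
    ("pass", "LAN net", "*", None),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "client -> internet:443 =",
              evaluate(rules, "192.168.56.50", "198.51.100.10", 443))
```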
                  KOM
                  last edited by Aug 22, 2016, 4:00 PM

                  There is no need to forward anything. Just block 80/443 on LAN and you're done.

                    jetberrocal
                    last edited by Aug 22, 2016, 4:41 PM

                    I am no expert; maybe what I need is not called Forwarding.

                    Anyway, let's try to explain by example what I want.

                    I have my network set up with proxy settings and everyone connects happily. (It is not a transparent proxy, by the way; it is squid with freeradius authentication.) Then someone brings a personal laptop, connects to the network and has no knowledge that it has to configure the proxy to get to the outside. This computer is a Windows computer that has a bug which does not read wpad, so it does not get the proxy configuration; it needs to be configured manually.

                    Now, let's say that I have a blocking rule for the http(s) port; then the user opens the browser to reach google and gets an ugly browser error saying it does not have connectivity. (This rule I already found how to create.)

                    Instead of that browser error, I want the user to reach a Welcome page from one internal web server describing the problem, even with instructions to set up the proxy manually.

                    I hope my need is clearer.

                      chris4916
                      last edited by Aug 22, 2016, 7:10 PM

                      Clearer.

                      The answer is quite simple.

                      1 - set up WPAD  ;) then you should not need this page any more.
                      2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices not WPAD aware, this may help

                        jetberrocal
                        last edited by Aug 22, 2016, 7:47 PM

                        @chris4916:

                        1 - set up WPAD  ;) then you should not need this page any more.

                        There is a problem using WPAD. Windows in fact has a flawed design for proxy settings. It is designed to ignore WPAD configurations after some time running in a network without a proxy, which is mostly every regular PC.

                        @chris4916:

                        2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices not WPAD aware, this may help

                        This is an idea that I could try. I will write down the outcome after trying.

                          jetberrocal
                          last edited by Aug 22, 2016, 10:38 PM

                          @jetberrocal:

                          @chris4916:

                          2 - As I previously wrote, configure a captive portal (without authentication) and display a page explaining that the proxy needs to be manually configured. This page will not be reached, but in any case, for devices not WPAD aware, this may help

                          This is an idea that I could try. I will write down the outcome after trying.

                          OK. It worked nicely. I did not use the default CP page as it includes authentication fields; I loaded an nginx sample test page and it worked as expected.

                          Thank you for the idea.
                          I was trying CP with authentication before and it did not work. (But that is another thread.)

                          Just one more question. With this I do not need the block rules anymore?

                            chris4916
                            last edited by Aug 23, 2016, 3:32 AM

                            @jetberrocal:

                            There is a problem using WPAD. Windows in fact has a flawed design for proxy settings. It is designed to ignore WPAD configurations after some time running in a network without a proxy, which is mostly every regular PC.

                            :o :o :o
                            Who told you this ???

                            Any source is more than welcome.

                            WPAD works smoothly with any Windows device, once configured. Trust me and give it a try.

                              jetberrocal
                              last edited by Aug 23, 2016, 4:41 PM

                              @chris4916:

                              @jetberrocal:

                              There is a problem using WPAD. Windows in fact has a flawed design for proxy settings. It is designed to ignore WPAD configurations after some time running in a network without a proxy, which is mostly every regular PC.

                              :o :o :o
                              Who told you this ???

                              Any source is more than welcome.

                              WPAD works smoothly with any Windows device, once configured. Trust me and give it a try.

                              Yes. WPAD works but sometimes has some issues that are really difficult to fix, at least for me. In fact I could not.

                              See the following links for the problem and their solutions:
                              http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7
                              http://serverfault.com/questions/54567/internet-explorer-isnt-auto-discovering-http-wpad-wpad-dat-auto-config
                              https://infratalk.wordpress.com/2011/09/10/troubleshooting-windows-proxy-autodiscovery-wpad/

                              If you are willing to read the links, you will see the problem that I am talking about in this thread.

                                KOM
                                last edited by Aug 23, 2016, 4:54 PM

                                IIRC, WPAD will not work if you're serving it from an HTTPS web server.  It must be HTTP.  This means you can't use pfSense to host the file if you have WebGUI running in HTTPS mode.

                                  jetberrocal
                                  last edited by Aug 23, 2016, 5:04 PM

                                  @KOM:

                                  IIRC, WPAD will not work if you're serving it from an HTTPS web server.  It must be HTTP.  This means you can't use pfSense to host the file if you have WebGUI running in HTTPS mode.

                                  I am not serving the WPAD file from the pfsense server, but from another internal Web server.

                                  And the wpad file is served all right; it is Windows that, even though it gets the file, does not use it.
                                  It is a design flaw in Windows which is not so easy to overcome.

                                  Instead of banging my head, I decided to create a group policy to force the machines in the domain to use the proxy. But machines that are not in the domain won't get the policy and have to rely on the wpad process, which is flawed. Some machines refuse to use the wpad file even if they get it.

                                    chris4916
                                    last edited by Aug 24, 2016, 4:40 AM

                                    @jetberrocal:

                                    Some machines refuse to use the wpad file even if they get it.

                                    Based on the link you provided, the behaviour is slightly different: these machines do not "refuse" to use WPAD. The browser won't even search for WPAD.

                                    e.g. did you check with another browser, just for your knowledge?

                                      jetberrocal
                                      last edited by Sep 12, 2016, 7:25 PM

                                      I checked earlier with Chrome, but it uses the same proxy configuration as IE. Firefox I think did the job because it does not share the proxy settings in all options.

                                      But I cannot force my clients to use a particular browser.

                                        jetberrocal
                                        last edited by Sep 12, 2016, 7:25 PM

                                        @jetberrocal:


                                        Just one more question.  With this I do not need the block rules anymore?

                                        I answered the block rule question myself. I removed them to test and it worked without them.
