Squid Proxy and Squidguard and WPAD



  • Hi,

    I'm trying to block Facebook, YouTube, and Dropbox in our network using Squid, SquidGuard, and WPAD.

    I've been successful in doing this in a basic network setup (WAN + LAN interfaces).

    Basically, Squid runs on the LAN, and I configured WPAD in the DHCP settings and the DNS resolver as well.

    With this config:

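    function FindProxyForURL(url, host)
    {
        // Plain hostnames, *.local names and hosts that resolve into the
        // 192.168.1.x LAN go direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "192.168.1.1",  "255.255.255.0"))
            return "DIRECT";

        // Everything else is sent to Squid.
        return "PROXY 192.168.1.1:3128";
    }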

    And in the DHCP settings it's configured:

    number: 252 type: string value: "http://192.168.1.1/wpad.dat"
    number: 252 type: string value: "http://192.168.1.1/wpad.da"
    number: 252 type: string value: "http://192.168.1.1/proxy.pac"

    And in the DNS resolver:

    Host: wpad
    Domain: mylocaldomain.local
    IP Address: 192.168.1.1
    Description: WPAD Autoconfigure Host

    In Google Chrome, they are all blocked successfully (Facebook, YouTube).

    But it fails to block in Firefox.

    Now my question is:

    If I uncheck "Check to enable the Squid proxy", my internet will be cut off (in the Google Chrome browser, it says that I don't have an internet connection, but I can ping 8.8.8.8 (Google)).

    If I use the Firefox browser, I can browse anywhere as well.

    What seems to be causing this problem?

    Plus, can WPAD be configured to cater to VLANs but only using the DNS resolver/forwarder as well? If so, how? (Is there a sample config?)

    TIA



  • Firefox has its own connection management settings. Most likely it's bypassing the proxy altogether; just block ports 80 - 443 to enforce usage of the proxy.

    Why doesn't Chrome work when you turn off Squid? That's because Chrome uses the Windows proxy settings, and WPAD is telling it to use a proxy that is no longer working. And as I said earlier, Firefox uses its own connection settings, therefore it'll work until you make it detect proxy settings automatically.
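
Added example (not part of the thread and not any poster's code): the PAC function from the first post run under Node.js, to show which hosts go DIRECT and that external hosts get a single proxy entry with no fallback, which is the behaviour described in the reply above. The PAC helper stand-ins, the DNS table, `proxyOnly` and `audit` are assumptions made for this example.

```javascript
// Minimal stand-ins for the helpers a browser provides to PAC scripts
// (assumption: simplified, IPv4 only). DNS is a constructed table; no real lookups.
const DNS = {
  "www.facebook.com": "203.0.113.10",        // constructed, documentation range
  "nas.mylocaldomain.local": "192.168.1.50", // constructed LAN host
  "printer.example.com": "192.168.1.60",     // public-looking name, LAN address
};
const toInt = ip => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isPlainHostName = host => !host.includes(".");
const dnsResolve = host => (/^\d+(\.\d+){3}$/.test(host) ? host : DNS[host] || null);
function shExpMatch(str, pat) {
  const re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isInNet(ip, pattern, mask) {
  if (!ip) return false; // unresolvable host: not treated as LAN, so it goes to the proxy
  return (toInt(ip) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// PAC function as posted in the thread.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.1.1", "255.255.255.0"))
    return "DIRECT";
  return "PROXY 192.168.1.1:3128";
}

// A PAC result is a ";"-separated list tried in order. With no DIRECT entry,
// a client that follows the PAC has no path out when the proxy is unreachable.
function proxyOnly(result) {
  const entries = result.split(";").map(s => s.trim()).filter(Boolean);
  return entries.length > 0 && entries.every(e => !/^DIRECT$/i.test(e));
}

// Hypothetical helper: report the routing decision for each host.
function audit(hosts) {
  return hosts.map(host => {
    const result = FindProxyForURL("http://" + host + "/", host);
    return { host, result, proxyOnly: proxyOnly(result) };
  });
}

console.table(audit(["intranet", "nas.mylocaldomain.local", "printer.example.com",
                     "www.facebook.com", "unknown.example.org"]));
```

The `printer.example.com` row shows that any name resolving into the LAN range is sent DIRECT by the `isInNet` rule, whatever the name looks like.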



  • Yes, you need to ensure that FF is set to Auto-detect proxy for this network. It's usually a good idea to block 80/443 TCP on LAN so that people can't just ignore the proxy.



  • Well, recently I've been noticing auto-detect is a tad bit slow. I found out that putting a GPO for the automatic proxy URL makes navigation quicker, as it finds it faster. Also, some sites do not like blocking port 80, so just block port 443 and let transparent Squid take care of port 80.



  • If you're running in transparent mode then there is no need to block anything on LAN.