Web gui, ssl/https connectivity, squid, and wpad



  • First off, if this isn't the correct sub forum, please let me know where to move this to.

    Anyways, I'd like to know how to properly set up WPAD in pfSense to properly configure Squid auto configuration in pfSense, for explicit proxy configuration, using Squid as an explicit MITM proxy for my LAN, while retaining SSL/HTTPS configuration for the pfSense web GUI.

    Can anyone point me to a way to set this up correctly? If it helps, I have dual Pi-hole DNS servers on my LAN; pfSense uses them for inter-LAN DNS, with Cloudflare and Quad9 upstream DNS using Unbound with forwarding mode enabled.



  • @High_Voltage

    hi,

    Good configuration of Squid (SquidGuard) requires a lot of attention and time.
    https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html
    https://wiki.squid-cache.org/Technology/WPAD

    No external DNS server required (but everyone chooses this according to their own taste):
    - this is done very well by pfSense (Unbound)
    - specifically recommended for pfBlockerNG-devel

    - pfBlockerNG does almost the same as Pi-hole
    I think even better too....



  • I was trying to follow the guide in that first link, however I want to EXPLICITLY use SSL/HTTPS on the web GUI of pfSense, and the guide specifically says you cannot do that, so that's kind of the stumbling block: I have been trying to figure out how to avoid being required to run the web GUI on HTTP without SSL, given my entire reason for using pfSense to begin with was to increase my inter-network security, and in my opinion, that goal, while being forced to use unsecured HTTP access JUST to run WPAD, is a total deal breaker, so I'm insistent on finding out how to do both. Thoughts @DaddyGo?


  • LAYER 8 Global Moderator

    You're misreading it - what it says is you can not use transparent mode.. Which would be the whole point of setting up WPAD: to explicitly point your browser to your proxy..

    If you want to use pfSense to serve up the WPAD data via HTTP, then yes you would need something on pfSense to do that.. But WPAD data can be served from DHCP or just any other server on your network that can run httpd.



  • Okay, I just realized I was having an epic moment of DERP.... So, I had been doing nslookups on my LAN, to find out who has the WPAD config, right? Right, and one of my RPis was replying to the nslookup for wpad on the LAN. I JUST REALIZED WHY AND WHY THAT WAS CONFUSING ME.... My derping brain forgot that that's how you get replies, FROM YOUR DNS SERVER, duh, derp moment 100. My Pi was replying, before feeding that, that my firewall IP had wpad as a response, and that was tripping me up till just now. Thank you everyone, it's indeed confirmed as working, and being fed over SSL connectivity!

    Just took me a bit to realize I was having a moment of brain dead, THANK YOU ALL!

    Also, super thank you just now for that added info @johnpoz for me. I'm not totally sure I grasp the differentiation between explicit Squid mode and transparent, because of the fact that, although I am specifying exactly to use explicit Squid connectivity, I'm also using it in transparent mode to intercept all traffic, including SSL traffic, given it's MY network, and I want to scan AND proxy/cache EVERYTHING I can that I use often enough to be worth caching. So I have it set up to intercept everything, and scan/read encrypted SSL traffic, so for me, I think that's partially what's tripping me up on knowing exactly if I'm using transparent or explicit Squid mode, and having a hard time differentiating between them for the sake of understanding setups.

    I do have WPAD set up as DHCP-fed arguments by way of option 252, and I'm also setting my Pi-hole DNS servers, both in HA mode, to also send wpad.home.lan as a domain pointing at my pfSense IP, so I have basically all of the things set up, 'cause I'm trying to get it as full coverage of a setup configuration as possible so that nothing can try and slip past Squid. My goal, end game, is to force everything on the LAN to be fed through Squid, so nothing can get past it, and it's a long-term setup project of mine, but this is the spot I'm at right now honestly... chipping away a little bit more each day.
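A wpad.dat that fits the setup described above (DHCP option 252 and the DNS name wpad.home.lan both pointing browsers at pfSense), added here as an example and not taken from the thread or from the pfSense WPAD guide. It sends the pfSense HTTPS GUI and other LAN hosts DIRECT, so the browser keeps its own TLS session to the firewall, and routes everything else to the explicit Squid listener; the addresses, the proxy port 3128 and the host name pfsense.home.lan are assumptions.

```javascript
// wpad.dat: proxy auto-config (PAC) for an explicit Squid proxy on pfSense.
// Assumed values (constructed for this example): pfSense at 192.168.1.1,
// Squid listening on 3128, LAN 192.168.1.0/24, local domain home.lan.
var PROXY = "PROXY 192.168.1.1:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".home.lan";
var PFSENSE_HOSTS = ["192.168.1.1", "pfsense.home.lan"];

// Minimal re-implementations of the PAC helper functions so this file can be
// exercised with node; browsers supply their own copies when loading wpad.dat.
// This isInNet only handles dotted-quad hosts (the real one also resolves names).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, net, mask) {
  var toInt = function (s) {
    var p = s.split(".");
    return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
  };
  var m = toInt(mask);
  return (toInt(ip) & m) === (toInt(net) & m);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The firewall's own HTTPS GUI must never be sent through the proxy that
  // runs on the same box: the browser talks TLS to pfSense directly.
  for (var i = 0; i < PFSENSE_HOSTS.length; i++) {
    if (host === PFSENSE_HOSTS[i]) { return "DIRECT"; }
  }
  // Bare names, the local domain and LAN addresses also bypass Squid.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) { return "DIRECT"; }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes to the explicit proxy with
  // no DIRECT fallback, so a proxy outage cannot silently bypass Squid.
  return PROXY;
}
```

Serve the file over plain HTTP at http://wpad.home.lan/wpad.dat with the MIME type application/x-ns-proxy-autoconfig; only the PAC download itself is HTTP, the GUI session stays HTTPS.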



  • @High_Voltage said in Web gui, ssl/https connectivity, squid, and wpad:

    just took me a bit to realize I was having a moment of brain dead, THANK YOU ALL!

    - THX 😉

    BTW:
    if you want to perform a serious Squid + SquidGuard installation,
    I have an acquaintance here on the forum and I can bring you together with him...☺