Netgate Discussion Forum

    Web gui, ssl/https connectivity, squid, and wpad

    • High_Voltage

      First off, if this isn't the correct sub forum, please let me know where to move this to.

      Anyways, I'd like to know how to properly set up WPAD in pfsense to properly configure squid auto configuration in pfsense, for explicit proxy configuration, using squid as an explicit MITM proxy for my lan, while retaining ssl/https configuration for pfsense web gui.

      Can anyone point me to a way to set this up correctly? If it helps, I have dual pihole dns servers on my lan; pfsense uses them for inter lan dns, with cloudflare and quad9 upstream dns using unbound with forwarding mode enabled.

      • DaddyGo @High_Voltage

        @High_Voltage

        hi,

        Good configuration of Squid (Squid Guard) requires a lot of attention and time.
        https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html
        https://wiki.squid-cache.org/Technology/WPAD

        No external DNS server required (but everyone chooses this according to their own taste)
        -this is done very well by pfSense (Unbound)
        -specifically recommended for pfBlockerNG-devel

        -pfBlockerNG can do almost the same as pihole
        I think even better too....

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • High_Voltage

          I was trying to follow the guide in that first link, however I want to EXPLICITLY use ssl/https on the webgui of pfsense, and the guide specifically says you cannot do that. So that's kind of the stumbling block: I have been trying to figure out how to avoid being required to run the web gui on http without ssl. Given that my entire reason for using pfsense to begin with was to increase my inter network security, being forced to use unsecured http access JUST to run wpad is, in my opinion, a total deal breaker, so I'm insistent on finding out how to do both. Thoughts, @DaddyGo?

          • johnpoz LAYER 8 Global Moderator

            You're misreading it - what it says is you cannot use transparent mode. Which would be the whole point of setting up wpad: to explicitly point your browser to your proxy.

            If you want to use pfsense to serve up the wpad data via http, then yes you would need something on pfsense to do that. But wpad data can be served from dhcp or just any other server on your network that can run httpd.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • High_Voltage

              Okay, I just realized I was having an epic moment of DERP....so, I had been doing nslookups on my lan, to find out who has the wpad config, right? Right, and one of my rpis was replying to the nslookup for wpad on the lan. I JUST REALIZED WHY AND WHY THAT WAS CONFUSING ME....my derping brain forgot that that's how you get replies, FROM YOUR DNS SERVER, duh, derp moment 100. My pi was replying before feeding that my firewall IP had wpad as a response, and that was tripping me up till just now. Thank you everyone, it's indeed confirmed as working, and being fed over ssl connectivity!

              just took me a bit to realize I was having a moment of brain dead, THANK YOU ALL!

              Also, super thank you just now for that added info @johnpoz. For me, I'm not totally sure I grasp the differentiation between explicit squid mode and transparent, because of the fact that, although I am specifying exactly to use explicit squid connectivity, I'm also using it in transparent mode to intercept all traffic, including ssl traffic, given it's MY network, and I want to scan AND proxy/cache EVERYTHING I can that I use often enough to be worth caching. So I have it set up to intercept everything, and scan/read encrypted ssl traffic, so for me, I think that's partially what's tripping me up on knowing exactly if I'm using transparent or explicit squid mode, and having a hard time differentiating between them for the sake of understanding setups.

              I do have wpad set up as dhcp fed arguments by way of 252, and I'm also setting my pihole dns servers, both in HA mode, to also send wpad.home.lan as a domain pointing at my pfsense ip, so I have basically all of the things set up, 'cause I'm trying to get it as full coverage of a setup configuration as possible so that nothing can try and slip past squid. My goal, end game, is to force everything on the lan to be fed through squid, so nothing can get past it, and it's a long-term setup project of mine, but this is the spot I'm at right now honestly... chipping away a little bit more each day.

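A PAC file for the setup discussed in the posts above, as an added example (not code from any poster or from the pfSense documentation): it sends LAN destinations, including the firewall's HTTPS web GUI, direct and everything else to Squid. The firewall address 192.168.1.1 and port 3128 are constructed placeholders; home.lan is the local domain mentioned in the thread.

```javascript
// wpad.dat / proxy.pac. Plain ES5 only, so it runs in old PAC engines and
// under Node without the browser-supplied PAC helper functions.
// Constructed values, not from the thread: firewall/Squid at 192.168.1.1,
// Squid on its default port 3128. "home.lan" is the thread's local domain.
var PROXY = "PROXY 192.168.1.1:3128";
var LOCAL_DOMAIN = "home.lan";
// Loopback plus the RFC 1918 private ranges, as [network, prefix length].
var DIRECT_NETS = [["127.0.0.0", 8], ["10.0.0.0", 8],
                   ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Dotted-quad string -> unsigned integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;            // arithmetic, not <<, to stay unsigned
  }
  return n;
}

// True when integer address ip falls inside net/bits.
function inNet(ip, net, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(net) / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the local domain stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host === LOCAL_DOMAIN ||
      host.slice(-(LOCAL_DOMAIN.length + 1)) === "." + LOCAL_DOMAIN) return "DIRECT";
  // Private address literals go direct, which keeps https://<firewall IP>/
  // (the web GUI) out of the proxy.
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inNet(ip, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
    }
  }
  // No "; DIRECT" fallback: if Squid is unreachable the request fails
  // instead of quietly going around the proxy.
  return PROXY;
}
```

A PAC file only advises clients that perform proxy auto-discovery; on its own it does not stop a client from connecting directly.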
              • DaddyGo @High_Voltage

                @High_Voltage said in Web gui, ssl/https connectivity, squid, and wpad:

                just took me a bit to realize I was having a moment of brain dead, THANK YOU ALL! - THX 😉

                BTW:
                if you want to perform a serious Squid + Squid Guard installation,
                I have an acquaintance here on the forum and I can bring you together with him...☺

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.