new fun and odd issue with squid/wpad on pfsense with android!



  • okay, so I finally got wpad working PROPERLY AFTER MONTHS OF FIGHTING IT

    (spoiler alert, if you use pfsense on a DIFFERENT PORT for the webconfigurator, YOU MUST SPECIFY THAT PORT FOR THE WPAD DISCOVERY URL.....that was what was making things NOT work for me for this entire time, I figured that out by accident!)

    anywho, so in my efforts to try and figure out what the hell ain't working now, I found an oddity!

    say, for example, I go to reddit.com

    reddit.com loads 100% fine, exactly as expected, IN A BROWSER on android, but the same phone, same setup, if I use the reddit application itself, fails to load anything other than my profile picture before throwing "oops, something went wrong"

    yes, I am using ssl for pfsense webconfig, yes I have installed the certificate on all my machines including my phone, and yes as far as android goes, I installed it twice, once for wifi, another for apps/vpn, and I installed the root ca for pfsense, I'm going to double check that the webconfig cert is also the same, but I believe it is...anybody got any ideas here?



  • @High_Voltage said in new fun and odd issue with squid/wpad on pfsense with android!:

    if I use the reddit application itself

    A browser uses a port. Before, port 80 was popular, and these days it's port 443 all over the place. You also know that browsers don't actually show the port used. A proxy often uses another port, like 8080, which should be part of the proxy URL/IP. See http://findproxyforurl.com/pac-code-snippets-examples/ for examples.

    What about this one: applications don't use port 80 or port 443. An app could 'emulate' browser http/https requests, but why should they? Apps allow highly optimizing the data traffic, without sending over page layout etc.

    Quite easy to find out what is used: you have pfSense. Go to Diagnostics => Packet Capture

    Good luck proxying that one ...



  • okay then....this is odd...I found a video on youtube, and this guy had the same issue as me, apparently for whatever reason, squid, when set to whitelist/bump other, is not actually doing what it should be??

    set it to custom, and specifically listing splice_it for .reddit.com loads the site through the app now, but media won't load, so apparently I also had the issue this guy describes in this video, not sure if that's normal, or abnormal, but figure it's worth pointing out that CUSTOM set the thing in motion to work more than it was a moment ago!


    custom MITM additions

    ```
    # My custom options in the SSL/MITM text box:
    # Windows Update domains that should be spliced, not bumped
    acl splice_it ssl::server_name .microsoft.com
    acl splice_it ssl::server_name .windowsupdate.com
    acl splice_it ssl::server_name .akamaitechnologies.com
    acl splice_it ssl::server_name .akadns.net
    # <--- THAT (the next line) being what got it to load in the app, vs not before hand.
    acl splice_it ssl::server_name .reddit.com
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump splice splice_it
    ssl_bump bump all
    ```
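An added example, not code from this thread or from squid/pfSense: it evaluates the peek/splice/bump rules in the post above using the dstdomain-style matching squid applies to `ssl::server_name` (a leading dot matches the domain and all subdomains, no dot means exact match), over a constructed list of SNIs that are assumptions, not a capture of the app's traffic. It shows why `.reddit.com` covers `www.reddit.com` but not `notreddit.com`, and that any host outside the listed domains still gets bumped with the proxy CA.

```python
"""Replay squid's 'ssl_bump peek step1 / ssl_bump splice splice_it /
ssl_bump bump all' decision for a given TLS SNI.

The domain list mirrors the thread's splice_it ACL; the sample SNIs
are constructed for illustration and are an assumption, not real traffic.
"""

SPLICE_ACL = [
    ".microsoft.com", ".windowsupdate.com", ".akamaitechnologies.com",
    ".akadns.net", ".reddit.com",
]


def server_name_matches(pattern: str, sni: str) -> bool:
    """dstdomain semantics (also used by ssl::server_name):
    '.example.com' matches example.com and every subdomain;
    'example.com' matches only that exact name. Case-insensitive."""
    sni = sni.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return sni == pattern[1:] or sni.endswith(pattern)
    return sni == pattern


def decide(sni: str, splice_acl=SPLICE_ACL) -> str:
    """After peeking at step 1 to learn the SNI: splice (pass TLS through
    untouched) when any splice_it entry matches, otherwise bump
    (terminate TLS with the proxy's own CA, which a pinned app rejects)."""
    if any(server_name_matches(p, sni) for p in splice_acl):
        return "splice"
    return "bump"


def report(snis, splice_acl=SPLICE_ACL) -> dict:
    """Map each SNI to the action squid would take."""
    return {sni: decide(sni, splice_acl) for sni in snis}


if __name__ == "__main__":
    # Constructed SNIs (assumption): some under .reddit.com, some not.
    sample = ["www.reddit.com", "oauth.reddit.com", "notreddit.com",
              "download.windowsupdate.com", "example.org"]
    for sni, action in report(sample).items():
        print(f"{sni:30} -> {action}")
```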


  • @High_Voltage said in new fun and odd issue with squid/wpad on pfsense with android!:
    These
    .microsoft.com .windowsupdate.com .akamaitechnologies.com .akadns.net
    should not (never) be cached.
    Example: if the windows update isn't guaranteed to come from "the source" then every windows install is at risk. Microsoft couldn't tolerate that situation, it could kill the company overnight.

    So this

    acl splice_it ssl::server_name .reddit.com

    means everything going to / coming from it is handled the same way.
    ( no need to read a manual to understand that ^^ )

