new fun and odd issue with squid/wpad on pfsense with android!
-
okay, so I finally got wpad working PROPERLY AFTER MONTHS OF FIGHTING IT
(spoiler alert, if you use pfsense on a DIFFERENT PORT for the webconfigurator, YOU MUST SPECIFY THAT PORT FOR THE WPAD DISCOVERY URL.....that was what was making things NOT work for me for this entire time, I figured that out by accident!)
anywho, so in my efforts to try and figure out what the hell ain't working now, I found an oddity!
say, for example, I go to reddit.com
reddit.com loads 100% fine, exactly as expected, IN A BROWSER on android, but the same phone, same setup, if I use the reddit application itself, fails to load anything other than my profile picture before throwing "oops, something went wrong"
yes, I am using ssl for pfsense webconfig, yes I have installed the certificate on all my machines including my phone, and yes as far as android goes, I installed it twice, once for wifi, another for apps/vpn, and I installed the root ca for pfsense, I'm going to double check that the webconfig cert is also the same, but I believe it is...anybody got any ideas here?
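As an added example (not from this thread or from pfSense/Squid themselves), here is a minimal wpad.dat / proxy.pac of the kind pfSense serves to clients, with the Squid proxy address written out as host:port so nothing depends on a default port. The pfSense LAN IP 192.168.1.1, the Squid port 3128 and the LAN range 192.168.1.0/24 are constructed placeholders. The helper functions (isPlainHostName, dnsDomainIs, isInNet, shExpMatch) are normally supplied by the browser's PAC engine; they are shimmed here so the file can be exercised with Node outside a browser, and a real wpad.dat only needs FindProxyForURL.

```javascript
// Shims for the PAC built-ins, so FindProxyForURL can be run under Node.
// A browser provides these itself; do not ship them in wpad.dat.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  // Offline we can only evaluate dotted-quad hosts; anything else is "not in net".
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

function shExpMatch(str, shexp) {
  // Shell-style glob: escape regex metacharacters, then map * and ? onto regex.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*")
                         .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed placeholder: pfSense LAN address and the Squid listening port.
// Always give host AND port; the client will not guess the port for you.
const PROXY = "PROXY 192.168.1.1:3128";

function FindProxyForURL(url, host) {
  // Single-label names (nas, printer) never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // The firewall itself, including its webConfigurator on a non-default port,
  // must be reached directly or the client cannot even fetch this file.
  if (shExpMatch(host, "192.168.1.1")) return "DIRECT";
  // Anything else on the local subnet (constructed range).
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Constructed example of a domain excluded from the proxy entirely.
  if (dnsDomainIs(host, ".example.internal")) return "DIRECT";
  // Everything else goes through Squid; fall back to DIRECT if Squid is down.
  return PROXY + "; DIRECT";
}
```

Two things follow from the thread itself: the URL that DHCP or DNS hands out for this file must include the webConfigurator's port when it is not the default, exactly as the original poster found; and a PAC file only governs clients that honour the system proxy setting, so an app that opens its own sockets (the Reddit app problem above) is not affected by anything in it. The trailing "; DIRECT" is a deliberate trade-off: it keeps the LAN online if Squid dies, at the cost of traffic silently bypassing the proxy when it does.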
-
@High_Voltage said in new fun and odd issue with squid/wpad on pfsense with android!:
if I use the reddit application itself
A browser uses a port. Before, port 80 was popular, and these days it's port 443 all over the place. You also know that browsers don't actually show the port used. A proxy often uses another port, like 8080, which should be part of the proxy URL/IP. See http://findproxyforurl.com/pac-code-snippets-examples/ for examples.
What about this one: applications don't use port 80 or port 443. An app could 'emulate' browser http/https requests, but why should they? Apps permit highly optimizing the data traffic, without sending over page layout etc.
Quite easy to find out what is used: you have pfSense. Go to Diagnostics => Packet Capture
Good luck proxying that one ...
-
okay then....this is odd...I found a video on youtube, and this guy had the same issue as me, apparently for whatever reason, squid, when set to whitelist/bump other, is not actually doing what it should be??
set it to custom, and specifically listing splice_it for .reddit.com loads the site through the app now, but media won't load, so apparently I also had the issue this guy describes in this video, not sure if that's normal or abnormal, but figure it's worth pointing out that CUSTOM set the thing in motion to work more than it was a moment ago!
https://www.youtube.com/watch?reload=9&v=2hVZ5sZ-nNw&feature=youtu.be
custom MITM additions
# My custom options in the SSL/MITM text box:
# Windows Update domains that should be spliced, not bumped
acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
# <--- THAT being what got it to load in the app, vs not before hand.
acl splice_it ssl::server_name .reddit.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_it
ssl_bump bump all
-
@High_Voltage said in new fun and odd issue with squid/wpad on pfsense with android!:
These
.microsoft.com .windowsupdate.com .akamaitechnologies.com .akadns.net
should not (never) be cached.
Example: if the windows update isn't guaranteed to come from "the source" then every windows install is at risk. Microsoft couldn't tolerate that situation, it could kill the company overnight. So this
acl splice_it ssl::server_name .reddit.com
handles everything going to / coming from it the same way.
( no need to read a manual to understand that ^^ )