Alternative to rdr games if you have your own squid and/or havp



  • I got squid 2.7 and havp running just fine on my freebsd8 server.  Only problem was: how to forward outbound http requests to it.  Due to limitations in pf, you can't redirect back out the same LAN interface, so I had to configure a separate subnet that pfsense and the gateway use for the proxy traffic.  Okay, that worked fine, only I then ran into a limitation in the current GUI where I was not able to add rules that are as fine-grained as I would like.  The problem: you basically have this: LAN-client => pfsense (LAN) => proxy-server (XXX) => pfsense (LAN) => internet.  The problem here is that the GUI only lets you define a simple rdr rule (as far as I can tell), so the attempt by the proxy server to send the traffic out to the real host won't work (it gets re-forwarded back to itself.)  Squid on the pfsense avoids this by having 'no rdr' rules it adds, but you can't do this via the GUI.  Alternatively, I could try to have squid talk to the internet via the squid interface, but that would require some kind of policy routing hack on the freebsd server - not very appealing.  So, after all that, I was googling around and found an easy way around all of this (that eliminates the need for pf rules, 2nd interfaces, etc…)  Any new enough browser supports auto configuration of proxy settings (WPAD - Web Proxy Auto Detection).  There are a couple of ways to do this, one with a special DHCP option - the other a simpler way involving DNS.  Basically, a browser will look for the host 'wpad.xxx.com' (replacing 'xxx.com with the real domain).  If it gets a positive response, it tries to load the javascript 'wpad.xxx.com/wpad.dat' and executes it.  This took me all of 5 minutes to get working.  I ginned up a wpad.dat and put it in the document root of my web server and added a host alias in pfsense called wpad, which was the same as the LAN IP of the web server.  Here is the script:

    
    function FindProxyForURL(url, host)
    {
       if (isInNet(host, "10.0.0.0", "255.255.0.0")) {
          return "DIRECT";
       } else {
          if (shExpMatch(url, "http:*")) 
             return "PROXY sphinx.xxx.com:3128" ;
          if (shExpMatch(url, "https:*"))
             return "PROXY sphinx.xxx.com:3128" ;
          return "DIRECT";
       }
    }
    
    

    Obviously, you want to change the subnet and the server name.


  • Rebel Alliance Developer Netgate

    I have some instructions up for this already, though a little different than what you have for the function:

    http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid



  • Cool, I hadn't noticed that one :)


Log in to reply