Push certain URL to a specific proxy server



  • I have pfSense 1.2.3-RELEASE running on a pretty basic network.  Currently there is a DMZ, WAN, and LAN interface.

    I have a need to have a specific website go through an external proxy server.  I would like all other traffic to access the internet normally without the proxy.  How would I set this up in pfSense? Is this something that I can set up in pfSense stock, or is there an add-on that will allow this?


  • Rebel Alliance Developer Netgate

    It's not something that can easily be done, but it may be possible.

    If the IP of the site never changes, you could manually add a redirect to force traffic going to that IP through the proxy.

    Failing that, you might set your clients for auto proxy detection and read up on WPAD (see the doc wiki link in my sig for some info on how to set that up). With WPAD you can use a little bit of JavaScript to teach the browser to choose a proxy based on the URL, which is exactly what you want to do.



  • Thanks for the help.  Is this something that would be easier to implement as a local solution on the client PC that is going to primarily be doing this than it would be to implement on pfSense for the whole network?


  • Rebel Alliance Developer Netgate

    I'm not sure that the proxy settings on a PC are flexible/smart enough to handle that. You'd have to read up on the individual application proxy settings.



  • I am trying to revisit this "issue" I am having.  This seems to be a more common problem now and it is getting worse.  It seems that many sites are Geo-Blocking sites (abc, nbc, bbc, cbs, hulu, sporting events, jumptv, etc) so they either can't be viewed if in the US or can't be viewed from outside the US or other country.

    I am looking for a way to specify the site, and then forward the request to a proxy server outside of the US (this would all need to be able to be set in the GUI so I can modify the proxy servers as needed) so that the site thinks I am in Mexico or something and allows me to view the video.  This way I can access the content that is being blocked.

    Is this something that can be set up with something like Squid?  Or is there anyone that is willing to write an add-on that would do this?  I am not loaded but willing to pay a little for someone willing to do it.

    Sadly I am willing to pay these sites to watch the specific channels, but unfortunately that is not possible because of the GEO-Blocking.

    Ideally I would like to implement this on pfSense so that all computers on the network can watch the channels, but if that is not feasible, more ideas on what can be done client side would be great.



  • You would do it with a proxy.pac file, you tell the browser where to find it, which tells the browser when to use a proxy. You could also do it with Squid (and I've done that before) though a proxy.pac file is probably simpler.

    For example:
    function FindProxyForURL(url, host)
    {
        // Send the listed domains through the proxy
        if (dnsDomainIs(host, ".bbc.co.uk") || dnsDomainIs(host, ".abc.com"))
        {
            return "PROXY proxy.example.com:3128;";
        }
        else
        {
            // Everything else goes out directly
            return "DIRECT";
        }
    }

    Would route requests for anything ending in bbc.co.uk or abc.com through the proxy at proxy.example.com. A quick Google will find you lots of documentation on the options and how to use it.
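
A fuller version of the proxy.pac rule above, as an added example that is not part of the original post: it also matches the bare domain (abc.com as well as www.abc.com), compares on a dot boundary so look-alike hosts such as notabc.com stay direct, and returns no DIRECT fallback for the proxied sites. The proxy host and domains are the ones from the post; `hostInDomain` and `demoRoutes` are names made up for this example.

```javascript
// Added example. PROXIED_DOMAINS and PROXY reuse the values from the post above.
var PROXIED_DOMAINS = ["bbc.co.uk", "abc.com"];
var PROXY = "PROXY proxy.example.com:3128";

// True when host is the domain itself or a subdomain of it.
// The comparison is made on a label boundary, so "notabc.com" and
// "abc.com.example.net" do not match "abc.com".
function hostInDomain(host, domain) {
  // Ignore case and a trailing root dot ("www.abc.com.")
  host = host.toLowerCase().replace(/\.$/, "");
  if (host === domain) {
    return true;
  }
  // slice() instead of endsWith() so older PAC engines can run it
  return host.slice(-(domain.length + 1)) === "." + domain;
}

function FindProxyForURL(url, host) {
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      // No "; DIRECT" fallback: if the proxy is unreachable the request
      // fails instead of quietly leaving over the normal route.
      return PROXY;
    }
  }
  return "DIRECT";
}

// Constructed sample requests showing which route each host gets.
function demoRoutes() {
  var samples = [
    ["https://www.bbc.co.uk/iplayer", "www.bbc.co.uk"],
    ["https://abc.com/", "abc.com"],
    ["https://notabc.com/", "notabc.com"],
    ["https://abc.com.example.net/", "abc.com.example.net"],
    ["https://example.org/", "example.org"]
  ];
  return samples.map(function (s) {
    return s[1] + " -> " + FindProxyForURL(s[0], s[1]);
  });
}
```
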



  • @Cry:

    You would do it with a proxy.pac file, you tell the browser where to find it, which tells the browser when to use a proxy. You could also do it with Squid (and I've done that before) though a proxy.pac file is probably simpler.

    For example:
    function FindProxyForURL(url, host)
    {
        // Send the listed domains through the proxy
        if (dnsDomainIs(host, ".bbc.co.uk") || dnsDomainIs(host, ".abc.com"))
        {
            return "PROXY proxy.example.com:3128;";
        }
        else
        {
            // Everything else goes out directly
            return "DIRECT";
        }
    }

    Would route requests for anything ending in bbc.co.uk or abc.com through the proxy at proxy.example.com. A quick Google will find you lots of documentation on the options and how to use it.

    Thanks, I will look into this, I appreciate the help.  It sounds like I need to install Squid.  Will I need all the clients to manually be set up to look for the proxy server or can everything be managed from pfSense in this configuration?



  • proxy.pac is a client configuration, nothing to do with pfSense.

    You can use it to push the use of an external proxy, such as you referred to in your post:

    @cooter:

    I am looking for a way to specify the site, and then forward the request to a proxy server outside of the US (this would all need to be able to be set in the GUI so I can modify the proxy servers as needed)

    To do it only in pfSense you'd have to install Squid and use Squid's configuration to place connections through a remote proxy for certain domains.



  • @Cry:

    proxy.pac is a client configuration, nothing to do with pfSense.

    You can use it to push the use of an external proxy, such as you referred to in your post:

    @cooter:

    I am looking for a way to specify the site, and then forward the request to a proxy server outside of the US (this would all need to be able to be set in the GUI so I can modify the proxy servers as needed)

    To do it only in pfSense you'd have to install Squid and use Squid's configuration to place connections through a remote proxy for certain domains.

    I googled it and see what you mean.  Thanks, I am going to take a crack at it.



  • I was able to set up the proxy.pac file on the client.  This setup worked for previewing the channel, however I am having trouble logging into a specific site (which I need to do for normal viewing) when I have the proxy.pac being used.  But I think I am headed in the right direction.  Thanks for the help.



  • So after some testing I have not been able to get around the geoblock.  I was able to get the proxy.pac file up, it worked for browsing (Google showed the country I was proxying through), but the geoblock for the site still got me.

    Any other ideas?



  • VPN - possibly to a server you own since the common VPN providers will almost certainly be blocked.

    I've taken that approach in the past and it's worked well for me.

