Netgate Discussion Forum

    WPAD, HTTPs and an odd bug!

    pfSense Packages
    16 Posts 5 Posters 7.9k Views
    jonatas.baldin

      I have an issue here. I have an almost successful configuration with WPAD and HTTPS, but I ran into an odd bug.

      I've configured DHCP/DNS to offer the WPAD, created the files wpad.dat and proxy.pac in the right directory, configured the browsers for "Automatic detect configuration…", and blocked all traffic from the LAN to ports 80 and 443, letting only the proxy server do this.

      For now, I can filter HTTP(S) traffic very well, but the problem is that some HTTPS requests don't work the first time: some images or CSS/JS scripts don't load, and sometimes the page returns the error "This web page is not available"; then I have to refresh the page to receive the content properly.

      Can someone help me?

        mendilli

        Dear jonatas.baldin!

        Before getting deep into this problem,

        I suggest you check all your clients to see whether they can access blocked HTTPS sites or not. I believe you will see that in fact the WPAD/PAC configuration is useless when it comes to HTTPS.

        I used to get the same results as you once, but when I randomly checked some clients, I saw that most of them could access blocked HTTPS sites, and very few could not.

          jonatas.baldin

          Thanks for the reply!

          Well, I have some VMs and physical machines at home and all of them are working just fine.
          I tried Windows XP, Windows 7, Windows 8, Windows Server 2008 and Fedora 16 with Google Chrome, Firefox and IE, and every rule for blocking or allowing sites is working too!

          But as I said, sometimes it only works after refreshing the page…

          PS: I'm using Squid3 and squidGuard.

            mendilli

            In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid (2) package.

              jonatas.baldin

              @mendilli:

              In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid (2) package.

              Man, it just worked! I changed to squid2 and now everything is fine. Thank you so much!

                mendilli

                You are welcome, it was just an idea.

                Do you mind if I ask you to share your wpad file contents and DHCP/DNS settings? I would like to try it on my system.

                  jonatas.baldin

                  No problem man!

                  First, I created the files wpad.dat and proxy.pac (some OSes can read only one of them) in /usr/local/www with this content:

                      // Minimal PAC file: send every request to the proxy (replace the placeholder with your proxy IP and port)
                      function FindProxyForURL(url, host)
                      {
                          return "PROXY ip.addr.proxy.server:port";
                      }

                  DNS FORWARDER

                  • Enabled DNS
                  • Register DHCP static mappings in DNS forwarder
                  • Host Override
                    HOST    DOMAIN             IP                     DESCRIPTION
                    wpad    your.domain.com    ip.addr.proxy.server   wpad

                  DHCP SERVER
                  Domain name: your.domain.com
                  Domain search list: your.domain.com
                  Additional BOOTP/DHCP Options:
                  NUMBER    TYPE    VALUE
                  252       text    http://wpad/wpad.dat

                  FIREWALL
                  In the firewall I created one rule from LAN subnet -> LAN address allowing traffic to the Squid port.
                  Blocked all traffic from LAN -> WAN from ports 80/443 (let only the pfSense box (with Squid) do this).

                  SQUID
                  Disabled the Transparent Proxy options.
                  Using squidGuard for creating the rules. It's a lot more flexible.

                  CLIENTS
                  In the proxy clients, set the option like "Auto detect configuration for proxy server…"

                  Well, I guess this is it. Thanks one more time and I hope I could help too!

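The one-line PAC file above sends everything, including traffic to pfSense itself and to other LAN hosts, through Squid. The following is an added example, not code from the thread or from the pfSense packages: a fuller wpad.dat / proxy.pac in the same FindProxyForURL style that keeps local traffic direct and sends everything else (HTTP and HTTPS alike) to Squid. The proxy address 192.168.1.1:3128, the LAN 192.168.1.0/24 and the domain your.domain.com are assumed values; replace them with your own. It uses only plain ES3 JavaScript (no PAC helper functions such as isInNet), so it behaves identically in an old IE/Firefox PAC engine and under Node.

```javascript
// Added example (not from the thread). Assumed values: Squid on the pfSense
// LAN address 192.168.1.1 port 3128, LAN 192.168.1.0/24, domain your.domain.com.
// Written in ES3 (var, no arrow functions) because browser PAC engines are old.
var PROXY = "PROXY 192.168.1.1:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".your.domain.com";

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null if
// the string is not a valid address (so host names are never mistaken for IPs).
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var o = Number(parts[i]);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

// True if host is an IP address inside LAN_NET/LAN_MASK.
// ">>> 0" keeps the comparison unsigned after the 32-bit bitwise AND.
function inLan(host) {
  var h = ipToInt(host), net = ipToInt(LAN_NET), mask = ipToInt(LAN_MASK);
  if (h === null) return false;
  return ((h & mask) >>> 0) === ((net & mask) >>> 0);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Plain host names (no dot, e.g. "wpad"), the local domain and LAN
  //    addresses go direct: the LAN rule already allows that traffic and it is
  //    not what the proxy is meant to filter.
  if (host.indexOf(".") === -1 || endsWith(host, LOCAL_DOMAIN) || inLan(host)) {
    return "DIRECT";
  }
  // 2. Loopback never needs a proxy.
  if (host.indexOf("127.") === 0) return "DIRECT";
  // 3. Everything else goes to Squid. For https:// URLs the browser then sends
  //    "CONNECT host:443" to the proxy, which is what shows up in access.log.
  //    Deliberately no "; DIRECT" fallback: with 80/443 blocked at the firewall
  //    it would only fail again, and without that block it would let clients
  //    bypass filtering whenever Squid is unreachable.
  return PROXY;
}
```

Serve the file with the MIME type application/x-ns-proxy-autoconfig and name it wpad.dat (and proxy.pac, as above) so both WPAD-discovering and manually configured clients can fetch it; the request for http://wpad/wpad.dat itself is a plain host name and therefore goes DIRECT, which is required, since the browser cannot use the proxy before it has read the file.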
                    mendilli

                    Thank you jonatas.baldin,

                    I will try it and let you know.

                      jonatas.baldin

                      OK, if there is anything I can help with, just ask.

                        Nachtfalke

                        Did you try "Use IPv4 first" on the squid3 package?

                        I read some posts about problems if you are using IPv4 and did not check this option.

                          batocy

                          Hello jonatas,

                          I would like to ask about what you said here:
                          "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                          What do you mean by this?
                          Do you mean I should not configure it on the firewall?
                          Please help me, I really need this.

                          Thank you.

                            Nachtfalke

                            @batocy:

                            Hello jonatas,

                            I would like to ask about what you said here:
                            "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

                            What do you mean by this?
                            Do you mean I should not configure it on the firewall?
                            Please help me, I really need this.

                            Thank you.

                            This means that you should block all traffic for ports 80/443 which does not have your pfSense as destination IP.
                            This rule should block 80/443 traffic which goes directly to the internet, because you want that traffic to go through the Squid proxy. So you must allow traffic for 80/443 directly to Squid but deny it to the internet.

                              batocy

                              Thanks very much.
                              I have tried your instructions, but it seems I can only access pfSense and can't access the internet.
                              I have a question: is http://wpad/wpad.dat correct for all configurations?

                                thermo

                                Some clients might append the domain name to the request, e.g. wpad.yourdomain.tld/wpad.dat; check that this (and just http://wpad.dat) is resolvable/accessible from the client.

                                • Manually enter the proxy:port settings to check whether the problem is with the WPAD detection or with your firewall rules, and check the firewall logs.
                                  batocy

                                  How do I check whether the WPAD is correct and is being used by the client?
                                  Thanks

                                    thermo

                                    • Check the WPAD web server logs. Beware that IE caches the WPAD config and might not request a changed wpad.dat file again for some time.
                                    • Check the proxy logs, e.g. SSL sites appearing as CONNECT:www.site.kom:443.
                                    • Firefox has an add-on called 'Foxy Proxy'; it has an option to auto-detect and tells you whether the config was downloaded and parsed correctly.
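The second check above (are HTTPS sites showing up in the proxy log as CONNECT host:443?) is the one that settles mendilli's concern earlier in the thread about clients reaching blocked HTTPS sites around the proxy. As an added example, not from the thread or from the Squid packages, here is a small checker over Squid's native access.log format that tallies, per client address, how many CONNECT (HTTPS) requests it made, how many were denied, and which clients used the proxy for plain HTTP but never for HTTPS. The log lines embedded below are constructed for illustration; the path /var/squid/logs/access.log is an assumption about where the pfSense package writes its log.

```javascript
// Added example (not from the thread). Parses Squid's native access.log format:
//   time elapsed client code/status bytes method url ident hier/from type
// The sample lines are constructed, not taken from a real system.
var SAMPLE_LOG = [
  "1357000001.123    456 192.168.1.50 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
  "1357000002.456   3456 192.168.1.50 TCP_MISS/200 98765 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -",
  "1357000003.789    120 192.168.1.51 TCP_MISS/200 2048 GET http://www.example.org/style.css - DIRECT/93.184.216.34 text/css",
  "1357000004.012   2200 192.168.1.52 TCP_DENIED/403 3000 CONNECT blocked.example.net:443 - NONE/- text/html",
  "garbage line that should be skipped"
].join("\n");

// Split one native-format line into the fields we care about; null if malformed.
function parseLine(line) {
  var f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  var cs = f[3].split("/");
  return { client: f[2], code: cs[0], status: Number(cs[1]), method: f[5], url: f[6] };
}

// Per-client summary: CONNECT count (HTTPS through the proxy), denied count
// (squidGuard/ACL blocks), other methods, and the distinct host:port targets
// of the CONNECTs so you can see which SSL sites actually went through Squid.
function summarizeAccessLog(text) {
  var perClient = {};
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var r = parseLine(lines[i]);
    if (r === null) continue;
    var c = perClient[r.client];
    if (!c) {
      c = perClient[r.client] = { connect: 0, denied: 0, other: 0, tlsHosts: [] };
    }
    if (r.method === "CONNECT") {
      c.connect++;
      if (c.tlsHosts.indexOf(r.url) === -1) c.tlsHosts.push(r.url);
    } else {
      c.other++;
    }
    if (r.code.indexOf("DENIED") !== -1 || r.status === 403) c.denied++;
  }
  return perClient;
}

// Clients that used the proxy for HTTP but never issued a CONNECT are the ones
// to investigate: either they had no HTTPS traffic in this window, or their
// HTTPS is going around the proxy (cross-check the firewall log for blocked
// or, worse, passed port 443 traffic from that address).
function clientsWithoutConnect(summary) {
  var out = [];
  for (var ip in summary) {
    if (summary[ip].connect === 0) out.push(ip);
  }
  return out.sort();
}

// Stand-alone usage: node this_file.js  (reads the embedded sample; swap in
// require("fs").readFileSync("/var/squid/logs/access.log", "utf8") for real data)
var report = summarizeAccessLog(SAMPLE_LOG);
for (var ip in report) {
  console.log(ip, "CONNECT=" + report[ip].connect, "denied=" + report[ip].denied,
              "other=" + report[ip].other, "tls=" + report[ip].tlsHosts.join(","));
}
console.log("no CONNECT seen from:", clientsWithoutConnect(report).join(", "));
```

A client that appears only in the "no CONNECT seen" list while its users are visibly browsing HTTPS sites is the case mendilli described: WPAD was not applied for HTTPS on that machine, and only the firewall rule blocking direct 443 from the LAN stands between it and the blocked sites.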
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.