WPAD, HTTPS and an odd bug!



  • I have an issue here. I have an almost successful configuration with WPAD and HTTPS, but I came across an odd bug.

    I've configured DHCP/DNS for offering the WPAD, created the files wpad.dat and proxy.pac under the right directory, configured the browsers for "Automatic detect configuration…" and blocked all traffic from LAN to 80 and 443, letting just the proxy server do this.

    For now, I can filter the HTTP(S) traffic very well, but the problem is that some HTTPS requests don't work the first time: some images or CSS/JS scripts don't load and sometimes the page returns an error "This web page is not available", then I have to refresh the page to receive the content properly.

    Can someone help me?



  • Dear jonatas.baldin!

    Before getting deep into this problem,

    I suggest you check on all your clients whether they can access blocked https sites or not. I believe you will see that in fact the wpad/pac configuration is useless when it comes to https.

    I used to get the same results as you once, but when I checked some clients randomly, I saw that most of them could access blocked https sites, and very few could not.



  • Thanks for the reply!

    Well, I have some VMs and physical machines at home and all of them are working just fine.
    I tried with Windows XP, Windows 7, Windows 8, Windows Server 2008 and Fedora 16 in Google Chrome, Firefox and IE, and every rule for blocking or allowing sites is working too!

    But as I said, sometimes it just works by refreshing the page…

    PS: I'm using Squid3 and squidGuard.



  • In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid(2) package.



  • @mendilli:

    In squid3 I found some bugs and quit using it. If it is not mandatory for you, try the squid(2) package.

    Man, it just worked! I changed to squid2 and now everything is fine. Thank you so much!



  • You are welcome, it was just an idea.

    Do you mind if I ask you to share your wpad file contents and DHCP/DNS settings? I would like to try it on my system.



  • No problem man!

    First, I created the files wpad.dat and proxy.pac (some OSes can read just one of the two) in /usr/local/www with this content:

      // Send every request through the Squid proxy; replace the host and port with your own
      function FindProxyForURL(url, host)
      {
          return "PROXY ip.addr.proxy.server:port";
      }

    DNS FORWARDER

    • Enabled DNS
    • Register DHCP static mappings in DNS forwarder
    • Host Override
      HOST    DOMAIN            IP                    DESCRIPTION
      wpad    your.domain.com   ip.addr.proxy.server  wpad

    DHCP SERVER
    Domain name: your.domain.com
    Domain search list: your.domain.com
    Additional BOOTP/DHCP Options:
    NUMBER   TYPE   VALUE
    252      text   http://wpad/wpad.dat

    FIREWALL
    In the firewall I created one rule from LAN SUB -> LAN ADDRESS allowing traffic to the Squid port.
    Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this).

    SQUID
    Disabled the Transparent Proxy options.
    Using squidGuard for creating the rules. It's a lot more flexible.

    CLIENTS
    In the proxy clients, set the option like "Auto detect configuration for proxy server…"

    Well, I guess this is it. Thanks one more time and I hope I could help too!
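    As an added example (not the poster's own wpad.dat, and not part of the original thread), here is the same PAC idea extended so that only Internet traffic is sent to Squid while plain host names, hosts in the DHCP-supplied domain and LAN addresses go DIRECT. The proxy address and domain are the placeholders used in the post; the Squid port 3128, the 192.168.1.0/24 LAN range and the helper functions at the bottom are assumptions (the helpers only emulate the browser's PAC built-ins so the file can be run under Node).

```javascript
// Added example wpad.dat / proxy.pac: Internet traffic goes through Squid,
// local destinations go DIRECT. Values marked "assumed" are placeholders.
var PROXY_HOST   = "ip.addr.proxy.server";  // the pfSense/Squid box (placeholder from the post)
var PROXY_PORT   = "3128";                  // assumed: default Squid port
var LOCAL_DOMAIN = ".your.domain.com";      // domain handed out by DHCP (placeholder from the post)
var LAN_NET      = "192.168.1.0";           // assumed LAN range
var LAN_MASK     = "255.255.255.0";
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Names without a dot ("wpad", "pfsense") are local: no proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // Anything inside our own DNS domain is local too.
  if (dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // The proxy itself is never reached through the proxy.
  if (host === PROXY_HOST) return "DIRECT";
  // Only call isInNet on IPv4 literals; on a name it would force a DNS lookup.
  if (IPV4_LITERAL.test(host) && isInNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Everything else, HTTP and HTTPS alike, goes through Squid.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}

// ---- Test shims: stand-ins for the PAC built-ins the browser normally provides,
// so this file can be exercised under Node. Delete this section from the deployed
// wpad.dat so the browser's real implementations are used instead.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + parseInt(octet, 10); }, 0);
}
function isInNet(ipaddr, pattern, mask) {
  // Both sides are coerced to int32 by "&", so the comparison stays consistent.
  return (ipToInt(ipaddr) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}
```

    Keeping LAN traffic off the proxy means internal requests are neither logged nor filtered by Squid, and the literal-IP guard in front of isInNet avoids a DNS lookup for every external host name the browser resolves while evaluating the PAC.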



  • Thank you jonatas.baldin,

    I will try and let you know



  • Ok, anything I can help just ask.



  • Did you try "Use IPv4 first" on the squid3 package?

    I read some posts about problems if you are using IPv4 and did not check this option.



  • Hello jonatas

    I would like to ask about what you said here:
    "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

    What do you mean by this?
    Do you mean I will not configure it on the firewall?
    Please help me, I really need this.

    Thank you.



  • @batocy:

    Hello jonatas

    I would like to ask about what you said here:
    "Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

    What do you mean by this?
    Do you mean I will not configure it on the firewall?
    Please help me, I really need this.

    Thank you.

    This means that you should block all traffic for ports 80/443 which does not have your pfSense as destination IP.
    This rule should block 80/443 traffic which goes directly to the internet, because you want this traffic to go through the Squid proxy. So you must allow traffic for 80/443 directly to Squid but deny it to the internet.



  • Thanks very much.
    I have tried your instruction but it seems I can only access the pfSense but I can't access the internet.
    I have a question: is http://wpad/wpad.dat correct for all configurations?



  • Some clients might append the domain name to the request, e.g. wpad.yourdomain.tld/wpad.dat; check that this (and just http://wpad.dat) is resolvable/accessible from the client.

    • Manually enter the proxy:port settings to check whether the problem is with the WPAD detection or with your firewall rules, and check the firewall logs.


  • How to check if the WPAD is correct and is being used by the client?
    Thanks



    • Check the WPAD web server logs. Beware that IE caches the WPAD config and might not request a changed wpad.dat file again for some time.
    • Check the proxy logs, e.g. SSL sites are appearing with CONNECT:www.site.kom:443
    • Firefox has an add-on called 'Foxy Proxy'; it has an option to auto-detect and tells you whether the config was downloaded and parsed correctly.
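    As an added example (not part of the thread and not a Squid or pfSense tool), the proxy-log check from the answer above, turned into a small script: it parses Squid's native access.log format, summarises each client IP, counts the CONNECT tunnels that HTTPS produces, and lists clients that appear in your DHCP leases but never in the proxy log, which is the sign that WPAD is not being picked up. The log lines are constructed, not captured from a real system; the field layout follows Squid's default native format.

```javascript
// Added example: is each client really sending its web traffic through Squid?
// Squid native access.log format (one request per line):
//   time elapsed client action/code size method url ident hierarchy/from type
// The lines below are constructed sample data, not a real capture.
var SAMPLE_LOG = [
  "1360000000.123    245 192.168.1.20 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
  "1360000001.456   1034 192.168.1.20 TCP_MISS/200 9876 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -",
  "1360000002.789     12 192.168.1.21 TCP_DENIED/403 1550 GET http://blocked.example.net/ - NONE/- text/html",
  "1360000003.012    876 192.168.1.21 TCP_MISS/200 2210 CONNECT mail.example.org:443 - DIRECT/198.51.100.7 -",
  "1360000004.345    301 192.168.1.22 TCP_HIT/200 800 GET http://www.example.com/style.css - NONE/- text/css"
].join("\n");

// Parse one native-format line; returns null for malformed or truncated lines.
function parseSquidLine(line) {
  var f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  var actionCode = f[3].split("/");
  return {
    time: parseFloat(f[0]),
    client: f[2],
    action: actionCode[0],
    status: parseInt(actionCode[1], 10),
    method: f[5],
    url: f[6],
    hierarchy: f[8]
  };
}

// Per-client summary: total requests, CONNECT tunnels (HTTPS) and denied requests.
function summarizeClients(logText) {
  var summary = {};
  logText.split("\n").forEach(function (line) {
    var e = parseSquidLine(line);
    if (!e) return;
    var s = summary[e.client] || (summary[e.client] = { requests: 0, tunnels: 0, denied: 0 });
    s.requests += 1;
    if (e.method === "CONNECT") s.tunnels += 1;
    if (e.action === "TCP_DENIED" || e.status === 403) s.denied += 1;
  });
  return summary;
}

// Clients you expect (e.g. from the DHCP lease list) that never reached the
// proxy at all: these are the ones to check for WPAD or firewall problems.
function clientsNotUsingProxy(expectedClients, logText) {
  var seen = summarizeClients(logText);
  return expectedClients.filter(function (ip) { return !seen[ip]; });
}

// Clients that fetched plain HTTP but never opened a CONNECT tunnel: they may
// be proxying HTTP only, which matches the "HTTPS sometimes fails" symptom.
function clientsWithoutHttps(logText) {
  var seen = summarizeClients(logText);
  return Object.keys(seen).filter(function (ip) { return seen[ip].tunnels === 0; }).sort();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarizeClients(SAMPLE_LOG));
  console.log("never seen on the proxy:",
    clientsNotUsingProxy(["192.168.1.20", "192.168.1.21", "192.168.1.23"], SAMPLE_LOG));
  console.log("no HTTPS tunnels:", clientsWithoutHttps(SAMPLE_LOG));
}
```

    To run it against a real box, replace SAMPLE_LOG with the contents of Squid's access.log and the expected-client list with the addresses from the DHCP leases page; a client that shows GET lines but no CONNECT lines is a good candidate for the manual proxy:port test suggested above.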
