WPAD, HTTPs and an odd bug!

jonatas.baldin

I have an issue here. I have an almost successful configuration with WPAD and HTTPs, but I came with an odd bug.

I've configured DHCP/DNS for offering the WPAD, created the files wpad.dat and proxy.pac under the right directory, and configured the browsers for "Automatic detect configuration…" and I blocked all traffic from LAN to 80 and 443, letting just the proxy server doing this.

For now, I can filter the traffic in HTTP(s) very well, but the problem is that some HTTPs requests can't work at first time, some figures or CSS/JS scripts don't load and sometimes the page returns an error "This web page is not available" then I have to refresh the page to recive the content properly.

Can someone help me?

mendilli

dear jonatas.baldin!

Before getting into deep in this problem

I suggest you to check all your clients if they can access blocked https sites or not, I believe you will see that in fact wpad/pac configuration is useless when it comes to https

I used to get same results like you once, but when I checked randomly some clients, I saw that most of them can access blocked https sites, and very few can not

jonatas.baldin

Thanks for the reply!

Well, I have some VMs and physical machines at home and all of them are working just fine.
I tried with Windows XP, Windows 7, Windows 8, Windows Server 2008, Fedora 16 in Google Chrome, Firefox and IE and every rule for blocking or allowing sites are working too!

But as I said, sometimes it just work by refreshing the page…

PS: I'm using Squid3 and squidGuard.

mendilli

in squid3 ı found some bugs and quit using it if it is not mondatory for you try squid(2) package

jonatas.baldin

@mendilli:

in squid3 ı found some bugs and quit using it i it is not mondatory for you try squid(2) package

Man, it just worked! I changed to squid2 and now everything is fine. Thank you so much!

mendilli

you are welcome, it was just an idea,

do you mind if a ask you to share your wpad file contents and dhcp/dns settings, ı would like to try on my system

jonatas.baldin

No problem man!

First, I create the files wpad.dat and proxy.pac (some OS can read just one file) in /usr/local/www with this content:
function FindProxyForURL(url,host)
{
return "PROXY ip.addr.proxy.server:port";
}

DNS Forwarded

• Enabled DNS
• Register DHCP static mappings in DNS forwarder
• Host Override
  HOST                            DOMAIN                        IP                            DESCRIPTION
  wpad                            your.domain.com            ip.addr.proxy.server  wpad

DHCP SERVER
Domain name: your.domain.com
Domain search list: your.domain.com
Additional BOOTP/DHCP Options:
NUMBER                      TYPE                            VALUE
252                                text                                http://wpad/wpad.dat

FIREWALL
In the firewall I create one rule from LAN SUB -> LAN ADDRESS allowing traffic for the squid port.
Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this).

SQUID
Disabled the Transparent Proxy options.
Using squidGuard for creating the rules. It's a lot more flexible.

CLIENTS
In the proxy clients, set the option like "Auto detect configuration for proxy server…"

Well, I guess this is it. Thanks one more time and I hope I could help too!

mendilli

thank you jonatas.baldin,

I will try and let you know

jonatas.baldin

Ok, anything I can help just ask.

Nachtfalke

Did you try with "Use IPv4 first" on squid3 package ?

I read some posts about problems if you are using IPv4 and did not check this option.

batocy

helo jonatas

I would like to  ask about what you say about this:
"Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

What do you mean by this?
Do you mean I will not configure it on the fireWALL??
Please help me I really need this.

Thank you.

Nachtfalke

@batocy:

helo jonatas

I would like to  ask about what you say about this:
"Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."

What do you mean by this?
Do you mean I will not configure it on the fireWALL??
Please help me I really need this.

Thank you.

This means that you should block all traffic for port 80/443 which hast not your pfsense as destination IP.
This rule schould block 80/443 traffic which goes directly to the internet because you want that this traffic must go through squid proxy. So you must allow traffic for 80/443 directly to squid but deny it to the internet.

batocy

Thanks very much
I have tried your instruction but it seems I can only access the pfsense but I canh access the internet.
I have a question, is    http://wpad/wpad.dat  is correct for all configurations?

thermo

some clients might append the domain name to the request, eg: wpad.yourdomain.tld/wpad.dat check that this (and just http://wpad.dat) is resolvable/accessible from the client.

• manually enter the proxy:port settings to check whether the  problem is with the wpad detection, or with your firewall rules, and check the firewall logs.

batocy

How to check if the wpad is correct is being used by the client?
Thanks

thermo

• Check the wpad web server logs. Beware that IE caches the wpad config and might not request a changed wpad.dat file again for some time.
• Check the proxy logs, eg, SSL sites are appearing with CONNECT:www.site.kom:443
• Firefox has an addon called 'Foxy Proxy', it has an option to auto detect and tells you whether the config was downloaded & parsed correctly.