WPAD, HTTPs and an odd bug!
-
No problem man!
First, I create the files wpad.dat and proxy.pac (some OS can read just one file) in /usr/local/www with this content:

    // Minimal PAC: send every request to the squid proxy on pfSense.
    // Replace ip.addr.proxy.server:port with the proxy's IP address and port.
    function FindProxyForURL(url, host)
    {
        return "PROXY ip.addr.proxy.server:port";
    }

DNS FORWARDER
- Enabled DNS
- Register DHCP static mappings in DNS forwarder
- Host Override
HOST    DOMAIN            IP                     DESCRIPTION
wpad    your.domain.com   ip.addr.proxy.server   wpad

DHCP SERVER
Domain name: your.domain.com
Domain search list: your.domain.com
Additional BOOTP/DHCP Options:
NUMBER   TYPE   VALUE
252      text   http://wpad/wpad.dat

FIREWALL
In the firewall I create one rule from LAN SUB -> LAN ADDRESS allowing traffic for the squid port.
Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this).

SQUID
Disabled the Transparent Proxy options.
Using squidGuard for creating the rules. It's a lot more flexible.

CLIENTS
In the proxy clients, set the option like "Auto detect configuration for proxy server…"

Well, I guess this is it. Thanks one more time and I hope I could help too!
-
Thank you jonatas.baldin,
I will try and let you know.
-
Ok, anything I can help just ask.
-
Did you try with "Use IPv4 first" on the squid3 package?
I read some posts about problems if you are using IPv4 and did not check this option.
-
Hello jonatas,
I would like to ask about what you say about this:
"Blocked all traffic from LAN -> WAN from ports 80/443 (let just the pfSense box (with squid) do this)."
What do you mean by this?
Do you mean I will not configure it on the firewall??
Please help me, I really need this. Thank you.
-
This means that you should block all traffic for port 80/443 which does not have your pfSense as destination IP.
This rule should block 80/443 traffic which goes directly to the internet, because you want this traffic to go through the squid proxy. So you must allow traffic for 80/443 directly to squid but deny it to the internet.
-
Thanks very much.
I have tried your instructions but it seems I can only access the pfSense, but I can't access the internet.
I have a question: is http://wpad/wpad.dat correct for all configurations?
-
- Some clients might append the domain name to the request, e.g. wpad.yourdomain.tld/wpad.dat; check that this (and just http://wpad/wpad.dat) is resolvable/accessible from the client.
- Manually enter the proxy:port settings to check whether the problem is with the WPAD detection or with your firewall rules, and check the firewall logs.
-
How do I check if the wpad is correct and is being used by the client?
Thanks
-
- Check the wpad web server logs. Beware that IE caches the wpad config and might not request a changed wpad.dat file again for some time.
- Check the proxy logs, e.g. SSL sites are appearing with CONNECT:www.site.kom:443
- Firefox has an addon called 'Foxy Proxy'; it has an option to auto detect and tells you whether the config was downloaded and parsed correctly.
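Building on the one-line wpad.dat from the first post and the "how do I check" question above, here is an added example (not from any poster in this thread): a slightly fuller PAC file together with a small local harness that shows what decision a client would reach for a given URL before the file is handed out via DHCP option 252. It keeps the thread's placeholders ip.addr.proxy.server:port and your.domain.com; the 10.0.0.0/255.0.0.0 LAN range and the stand-in helper functions are assumptions for offline testing.

```javascript
// Added example, not from any poster in this thread. A fuller wpad.dat than
// the one-liner above, plus a local harness that answers "what would a client
// do for this URL?" before the file is handed out via DHCP option 252.
// "ip.addr.proxy.server:port" and "your.domain.com" are the thread's own
// placeholders; the 10.0.0.0/255.0.0.0 LAN range is an assumption.

// PAC helper functions are normally provided by the browser. These are
// minimal stand-ins so the file can be exercised with node; they are not
// the browser's implementations.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  // Handles dotted-quad hosts only; a real browser would resolve names first.
  var h = host.split("."), p = pattern.split("."), m = mask.split(".");
  if (h.length !== 4 || h.some(function (o) { return isNaN(o); })) return false;
  for (var i = 0; i < 4; i++) {
    if ((h[i] & m[i]) !== (p[i] & m[i])) return false;
  }
  return true;
}

// --- wpad.dat / proxy.pac body starts here ---
function FindProxyForURL(url, host) {
  // Bare hostnames (e.g. "wpad") and anything in the local domain: no proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".your.domain.com")) {
    return "DIRECT";
  }
  // Hosts on the LAN subnet: no proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to squid on pfSense. No "; DIRECT" fallback is
  // appended: the firewall blocks LAN -> WAN on 80/443, so a fallback would
  // only hide a broken proxy behind a timeout.
  return "PROXY ip.addr.proxy.server:port";
}
// --- end of PAC body ---

// Local check: run each URL through the PAC and collect the decisions.
function checkPac(urls) {
  var results = {};
  for (var i = 0; i < urls.length; i++) {
    var host = urls[i].split("/")[2].split(":")[0];   // scheme://host[:port]/...
    results[urls[i]] = FindProxyForURL(urls[i], host);
  }
  return results;
}
```

Run it with node after pasting the PAC body between the marker comments into wpad.dat; the decision for the wpad URL itself does not matter to the browser, which fetches the PAC before applying it.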