Netgate Discussion Forum
    Wpad, squid3 not working

    pfSense Packages

    • marcelloc

      wpad via https server will not work, Your firewall rules show pfsense on 443 with automatic redirect from 80 to 443.

      Install package filer to edit your wpad files, you can edit it via gui and save on backup files.

      On my setups, I configure pfsense gui using only https and another lighthttpd daemon only for wpad.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • Legion

        That makes sense!

        I'm curious which rules show pfsense is on 443? Or is it implied by some of the rules that are only present with that config?

        You're right, of course. I set the gui to use 443 and ssh in as well for all my editing/config/management. But I looked over this thread again and can't see any signs obvious to my noob eye that I'm on 443.

        I'll try it again tonight with your suggestions and see how it goes. Otherwise I had almost resigned myself to just configuring all my devices to manually set the proxy ip/port.

        • Legion

          @marcelloc:

          On my setups, I configure pfsense gui using only https and another lighthttpd daemon only for wpad.

          Any more information you care to provide on this subject would be much appreciated. I've just done a bunch of reading on lighttpd and there isn't much out there on multiple running instances. There's internet discussion of lighttpd listening on multiple ports, which would involve editing system.inc. There's discussion of redirection as config options, where I could specifically redirect https://my_lan/wpad_or_proxy to http://… But not much of an instance of lighttpd running just to serve wpad as well as the default that serves the rest of pfsense.

          • marcelloc

            @Legion:

            I'm curious which rules show pfsense is on 443? Or is it implied by some of the rules that are only present with that config?

            Anti-lockout rule on LAN ;)

            • marcelloc

              @Legion:

              Any more information you care to provide on this subject would be much appreciated.

              Basic steps:

              • disable the redirect option from http to https under System -> Advanced

              • copy the web configurator file to a new one (cp /var/etc/lighty-webConfigurator.conf /var/etc/lighty-proxy-wpad.conf for example)

              • edit the new file to listen on port 80 and change the http dir to, for example, /usr/local/www/wpad

              • copy your wpad/pac files to /usr/local/www/wpad

              • start it with /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-wpad.conf

              • check/create a firewall rule that allows access to the lighttpd listening ip:port

              Optional/additional steps:

              • create a script to check if the wpad lighttpd daemon is up and start it if it's down

              • install the package filer to edit files via the gui and keep them in the pfSense xml backup

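An added example (not from the thread or the pfSense project) of the two shell pieces marcelloc's steps call for: a generator for the second lighttpd instance's minimal config and a watchdog function a cron job can call. Paths follow the post; keeping the config under /usr/local/etc is an assumption, chosen so it survives a reboot and is not itself served out of the wpad docroot.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumed defaults: the config lives
# under /usr/local/etc (hypothetical path), the docroot and lighttpd binary are
# the ones named in the post. All three can be overridden via the environment.
WPAD_CONF="${WPAD_CONF:-/usr/local/etc/lighty-proxy-wpad.conf}"
WPAD_DOCROOT="${WPAD_DOCROOT:-/usr/local/www/wpad}"
LIGHTTPD="${LIGHTTPD:-/usr/local/sbin/lighttpd}"

# Emit a minimal lighttpd config for the wpad instance: plain HTTP, bound to
# the LAN address only (so the firewall rule stays narrow), no SSL section,
# directory listing off, and the PAC MIME type browsers expect.
# $1 = LAN IP to bind, $2 = document root holding wpad.dat / proxy.pac
wpad_config() {
    cat <<EOF
server.bind = "$1"
server.port = 80
server.document-root = "$2"
server.pid-file = "/var/run/lighty-proxy-wpad.pid"
dir-listing.activate = "disable"
mimetype.assign = ( ".dat" => "application/x-ns-proxy-autoconfig",
                    ".pac" => "application/x-ns-proxy-autoconfig" )
EOF
}

# Return 0 if a lighttpd started with the given config file is alive.
# $1 = path of the config file the instance was started with
wpad_running() {
    pgrep -f "lighttpd -f $1" >/dev/null 2>&1
}

# Start the wpad instance only if it is down; safe to call from cron
# (e.g. every 5 minutes) since a running instance is left untouched.
wpad_ensure() {
    if wpad_running "$WPAD_CONF"; then
        return 0
    fi
    "$LIGHTTPD" -f "$WPAD_CONF"
}

# Usage: script.sh config <lan-ip> > conf ; script.sh ensure (from cron)
case "${1:-}" in
    config) wpad_config "$2" "$WPAD_DOCROOT" ;;
    ensure) wpad_ensure ;;
esac
```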
              • Legion

                Thanks so much for your help marcelloc.

                @marcelloc:

                • disable the redirect option from http to https under System -> Advanced

                Done.

                @marcelloc:

                • copy the web configurator file to a new one (cp /var/etc/lighty-webConfigurator.conf /var/etc/lighty-proxy-wpad.conf for example)

                Done, cp'd to /usr/local/www/wpad/lighty-proxy-wpad.conf because I noticed a pfsense reboot wiped /var/etc/lighty-proxy-wpad.conf

                @marcelloc:

                • edit the new file to listen on port 80 and change the http dir to, for example, /usr/local/www/wpad

                Done, and commented out all the ssl stuff. Pointed to my bridged LAN ip:80.

                @marcelloc:

                • copy your wpad/pac files to /usr/local/www/wpad

                • start it with /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-wpad.conf

                • check/create a firewall rule that allows access to the lighttpd listening ip:port

                Yep. Although as it turns out I don't need the LAN rule. I just disabled it and traffic continues to pass. Maybe one of my other rules is allowing it? I'm not sure which one though.

                @marcelloc:

                • create a script to check if the wpad lighttpd daemon is up and start it if it's down

                Like a cron job?

                @marcelloc:

                • install the package filer to edit files via the gui and keep them in the pfSense xml backup

                I did it all with vi over putty while I mess around, but the backup idea is good.

                Some good news and some bad. The good is - it works!

                The bad news:

                • Opera sort-of works. You have to check a box for auto-detect proxy but then fill in a pac file location anyway. Might as well just point it towards the proxy manually.

                • Firefox has two settings - use system proxy settings (doesn't work if "system" is set to auto-detect), or auto-detect proxy settings (works)

                • IE9 works (or it did initially but then stopped - can't be bothered working out why).

                • Chrome works

                Chrome's my browser of choice so that's OK. But the problems with other browsers worry me that some of the other devices going on my network might not work.

                • marcelloc

                  @Legion:

                  The bad news:

                  • Opera sort-of works. You have to check a box for auto-detect proxy but then fill in a pac file location anyway. Might as well just point it towards the proxy manually.

                  • Firefox has two settings - use system proxy settings (doesn't work if "system" is set to auto-detect), or auto-detect proxy settings (works)

                  • IE9 works (or it did initially but then stopped - can't be bothered working out why).

                  • Chrome works

                  Chrome's my browser of choice so that's OK. But the problems with other browsers worry me that some of the other devices going on my network might not work.

                  Are you using dhcp or dns auto detect proxy configuration?

                  • Legion

                    Both.

                    • marcelloc

                      @Legion:

                      Both.

                      Try only dns. I did some tests only with dns instead of both and the result was better.

                      • Legion

                        I might try this weekend but I've moved on to a new challenge now - pfsense -> dansguardian -> squid with wpad.

                        First attempts failed (wpad pointing to DG port, Squid as parent, NAT rdr http to DG (I think wpad should do this anyway?), NAT rdr Squid to DG, LAN passing DG, few other rules). I can see http traffic hitting DG but it doesn't seem to then pass on to Squid.

                        If I get that working I'd like to add on pfBlocker and then CaptivePortal/FreeRADIUS2.

                        • Legion

                          pfSense -> DG -> Squid3 now working via DHCP/wpad and assorted rules (NAT rdr squid port to DG, LAN pass to lighttpd serving wpad, LAN pass any to DG, LAN block http and https), with a few issues to resolve.

                          My main hurdle was thinking to make Squid listen on the pfSense box's IP and localhost (previously just pfSense's IP), and make DG's parent proxy IP localhost instead of the pfSense box IP.

                          My main issues with DG I'll ask about in the appropriate thread.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.