Wpad, squid3 not working
-
wpad via https server will not work, Your firewall rules show pfsense on 443 with automatic redirect from 80 to 443.
Install package filer to edit your wpad files, you can edit it via gui and save on backup files.
On my setups, I configure pfsense gui using only https and another lighthttpd daemon only for wpad.
-
That makes sense!
I'm curious which rules show pfsense is on 443? Or is it implied by some of the rules that are only present with that config?
You're right, of course. I set the gui to use 443 and ssh in as well for all my editing/config/management. But I looked over this thread again and can't see any signs obvious to my noob eye that I'm on 443.
I'll try it again tonight with your suggestions and see how it goes. Otherwise I had almost resigned myself to just configuring all my devices to manually set the proxy ip/port.
-
On my setups, I configure pfsense gui using only https and another lighthttpd daemon only for wpad.
Any more information you care to provide on this subject would be much appreciated. I've just done a bunch of reading on lighttpd and there isn't much out there on multiple running instances. There's internet discussion of lighttpd listening on multiple ports, which would involve editing system.inc. There's discussion of redirection as config options, where I could specifically redirect https://my_lan/wpad_or_proxy to http://… But not much of an instance of lighttpd running just to serve wpad as well as the default that serves the rest of pfsense.
-
I'm curious which rules show pfsense is on 443? Or is it implied by some of the rules that are only present with that config?
Anti lock rule on lan ;)
-
Any more information you care to provide on this subject would be much appreciated.
basic steps:
-
disable on system->advanced redirect option form http to https
-
copy web configurator file to a new one (cp /var/etc/lighty-webConfigurator.conf /var/etc/lighty-proxy-wpad.conf for example)
-
edit new file to listen it on port 80 and change http dir to for example /usr/local/www/wpad
-
copy your wpad/pac files to /usr/local/www/wpad
-
start it with /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-wpad.conf
-
check/create a firewall rule that allow access to lighthttp listening ip:port
optional/additional steps
-
create a script to check if wpad lighthttp daemon is up and start it if it's down
-
install package filer to edit files via gui and keep it on pfsense xml backup
-
-
Thanks so much for your help marcelloc.
- disable on system->advanced redirect option form http to https
Done.
- copy web configurator file to a new one (cp /var/etc/lighty-webConfigurator.conf /var/etc/lighty-proxy-wpad.conf for example)
Done, cp'd to /usr/local/www/wpad/lighty-proxy-wpad.conf because I noticed a pfsense reboot wiped /var/etc/lighty-proxy-wpad.conf
- edit new file to listen it on port 80 and change http dir to for example /usr/local/www/wpad
Done, and commented out all the ssl stuff. Pointed to my bridged LAN ip:80.
-
copy your wpad/pac files to /usr/local/www/wpad
-
start it with /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-wpad.conf
-
check/create a firewall rule that allow access to lighthttp listening ip:port
Yep. Although as it turns out I don't need the LAN rule. I just disabled it and traffic continues to pass. Maybe one of my other rules is allowing it? I'm not sure which one though.
- create a script to check if wpad lighthttp daemon is up and start it if it's down
Like a cron job?
- install package filer to edit files via gui and keep it on pfsense xml backup
I did it all with vi over putty while I mess around, but the backup idea is good.
Some good news and some bad. The good is - it works!
The bad news:
-
Opera sort-of works. You have to check a box for auto-detect proxy but then fill in a pac file location anyway. Might as well just point it towards the proxy manually.
-
Firefox has two settings - use system proxy settings (doesn't work if "system" is set to auto-detect), or auto-detect proxy settings (works)
-
IE9 works (or it did initially but then stopped - can't be bothered working out why).
-
Chrome works
Chrome's my browser of choice so that's OK. But the problems with other browsers worries me that some of the other devices going on my network might not work.
-
The bad news:
-
Opera sort-of works. You have to check a box for auto-detect proxy but then fill in a pac file location anyway. Might as well just point it towards the proxy manually.
-
Firefox has two settings - use system proxy settings (doesn't work if "system" is set to auto-detect), or auto-detect proxy settings (works)
-
IE9 works (or it did initially but then stopped - can't be bothered working out why).
-
Chrome works
Chrome's my browser of choice so that's OK. But the problems with other browsers worries me that some of the other devices going on my network might not work.
Are you using dhcp or dns auto detect proxy configuration?
-
-
Both.
-
Both.
Try only dns. I did some tests only with dns instead of both and the result was better.
-
I might try this weekend but I've moved onto a new challenge now - pfsense -> dansguardian -> squid with wpad.
First attempts failed (wpad pointing to DG port, Squid as parent, NAT rdr http to DG (I think wpad should do this anyway?), NAT rdr Squid to DG, LAN passing DG, few other rules. I can see http traffic hitting DG but it doesn't seem to then pass on to Squid.
If I get that working I'd like to add on pfBlocker and then CaptivePortal/FreeRADIUS2.
-
pfSense -> DG -> Squid3 now working via DHCP/wpad and assorted rules (NAT rdr squid port to DG, LAN pass to lighttpd serving wpad, LAN pass any to DG, LAN block http and https), with a few issues to resolve.
My main hurdle was thinking to make Squid listen on pfSense's box's IP and localhost (previously just pfSense's IP), and make DG's parent proxy IP localhost instead of pfSense box IP.
My main issues with DG I'll ask about in the appropriate thread.
