WPAD not detected while pfSense on https in "webConfigurator"



  • Hello
    I've blocked some https sites like Facebook with a wpad file by configuring DHCP BOOTP/DNS Forwarder,
    and everything is working fine; client browsers can detect the wpad script.
    When I configured another pfSense with the same settings, they can't download the wpad.
    I discovered that when pfSense is on http they can get wpad from pfSense, and when pfSense is on https in webConfigurator
    the browser can't download the script.
    Is there any solution? I need to use pfSense with https but this is not working with the wpad method.



  • Configure another lighttpd daemon to listen on 80 and point it to a dir with the wpad script only.



  • Thanks for the reply.
    Can you point me to how to do it?



  • This is how I do it - using monit



  • Sorry for the late reply.

    This is the way I'm doing it, using the Filer and Cron packages.

    file /var/etc/lighty-proxy-js.conf

    #
    # lighttpd configuration file
    #
    # use it as a base for lighttpd 1.0.0 and above
    #
    ############ Options you really have to take care of ####################
    
    ## FreeBSD!
    server.event-handler	= "freebsd-kqueue"
    server.network-backend 	= "writev"
    
    ## modules to load
    server.modules              =   (
    
    									"mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect",
    									"mod_fastcgi", "mod_cgi"
    								)
    
    ## Unused modules
    #                               "mod_setenv",
    #                               "mod_rewrite",
    #                               "mod_ssi",
    #                               "mod_usertrack",
    #                               "mod_secdownload",
    #                               "mod_rrdtool",
    #                               "mod_auth",
    #                               "mod_status",
    #                               "mod_alias",
    #                               "mod_proxy",
    #                               "mod_simple_vhost",
    #                               "mod_evhost",
    #                               "mod_userdir",
    
    server.max-keep-alive-requests = 15
    server.max-keep-alive-idle = 30
    
    ## a static document-root, for virtual-hosting take look at the
    ## server.virtual-* options
    server.document-root        = "/usr/local/www/wpad/"
    
    # Maximum idle time with nothing being written (php downloading)
    server.max-write-idle = 999
    
    ## where to send error-messages to
    server.errorlog = "/var/log/lighttpd-prxy-js.error.log"
    accesslog.filename = "/var/log/lighttpd-prxy-js.access.log"
    
    # files to check for if .../ is requested
    server.indexfiles           = ( "index.php", "index.html",
                                    "index.htm", "default.htm" )
    
    # mimetype mapping
    mimetype.assign             = (
      ".pdf"          =>      "application/pdf",
      ".sig"          =>      "application/pgp-signature",
      ".spl"          =>      "application/futuresplash",
      ".class"        =>      "application/octet-stream",
      ".ps"           =>      "application/postscript",
      ".torrent"      =>      "application/x-bittorrent",
      ".dvi"          =>      "application/x-dvi",
      ".gz"           =>      "application/x-gzip",
      ".pac"          =>      "application/x-ns-proxy-autoconfig",
      # wpad.dat is a PAC script too; without this entry lighttpd sends no PAC Content-Type for it
      ".dat"          =>      "application/x-ns-proxy-autoconfig",
      ".swf"          =>      "application/x-shockwave-flash",
      ".tar.gz"       =>      "application/x-tgz",
      ".tgz"          =>      "application/x-tgz",
      ".tar"          =>      "application/x-tar",
      ".zip"          =>      "application/zip",
      ".mp3"          =>      "audio/mpeg",
      ".m3u"          =>      "audio/x-mpegurl",
      ".wma"          =>      "audio/x-ms-wma",
      ".wax"          =>      "audio/x-ms-wax",
      ".ogg"          =>      "audio/ogg",
      ".wav"          =>      "audio/x-wav",
      ".gif"          =>      "image/gif",
      ".jpg"          =>      "image/jpeg",
      ".jpeg"         =>      "image/jpeg",
      ".png"          =>      "image/png",
      ".xbm"          =>      "image/x-xbitmap",
      ".xpm"          =>      "image/x-xpixmap",
      ".xwd"          =>      "image/x-xwindowdump",
      ".css"          =>      "text/css",
      ".html"         =>      "text/html",
      ".htm"          =>      "text/html",
      ".js"           =>      "text/javascript",
      ".asc"          =>      "text/plain",
      ".c"            =>      "text/plain",
      ".conf"         =>      "text/plain",
      ".text"         =>      "text/plain",
      ".txt"          =>      "text/plain",
      ".dtd"          =>      "text/xml",
      ".xml"          =>      "text/xml",
      ".mpeg"         =>      "video/mpeg",
      ".mpg"          =>      "video/mpeg",
      ".mov"          =>      "video/quicktime",
      ".qt"           =>      "video/quicktime",
      ".avi"          =>      "video/x-msvideo",
      ".asf"          =>      "video/x-ms-asf",
      ".asx"          =>      "video/x-ms-asf",
      ".wmv"          =>      "video/x-ms-wmv",
      ".bz2"          =>      "application/x-bzip",
      ".tbz"          =>      "application/x-bzip-compressed-tar",
      ".tar.bz2"      =>      "application/x-bzip-compressed-tar"
     )
    
    # Use the "Content-Type" extended attribute to obtain mime type if possible
    #mimetypes.use-xattr        = "enable"
    
    #### accesslog module
    #accesslog.filename          = "/dev/null"
    
    ## deny access the file-extensions
    #
    # ~    is for backupfiles from vi, emacs, joe, ...
    # .inc is often used for code includes which should in general not be part
    #      of the document-root
    url.access-deny             = ( "~", ".inc" )
    
    ######### Options that are good to be but not neccesary to be changed #######
    
    ## bind to port (default: 80)
    server.port = 80
    ## bind to the LAN address only, so wpad.dat is not offered on WAN;
    ## replace the placeholder with that address (omit server.bind to listen on all interfaces)
    server.bind = "your_ip_address_here"
    
    ## error-handler for status 404
    #server.error-handler-404   = "/error-handler.html"
    #server.error-handler-404   = "/error-handler.php"
    
    ## to help the rc.scripts
    server.pid-file            = "/var/run/lighty-proxy-js.pid"
    
    ## virtual directory listings
    server.dir-listing         = "disable"
    
    ## enable debugging
    debug.log-request-header   = "disable"
    debug.log-response-header  = "disable"
    debug.log-request-handling = "disable"
    debug.log-file-not-found   = "disable"
    
    # gzip compression
    compress.cache-dir = "/tmp/lighttpdcompress/"
    compress.filetype  = ("text/plain","text/css", "text/xml", "text/javascript" )
    
    server.upload-dirs = ( "/root/", "/tmp/", "/var/" )
    
    server.max-request-size    = 2097152
    
    #### fastcgi module
    ## read fastcgi.txt for more info
    ## not needed to serve a static wpad.dat: this block, cgi.assign below and the
    ## mod_fastcgi/mod_cgi entries in server.modules can be dropped on a wpad-only server
    fastcgi.server = ( ".php" =>
    	( "localhost" =>
    		(
    			"socket" => "/tmp/php-fastcgi-proxy-js.socket",
    			"min-procs" => 0,
    			"max-procs" => 2,
    			"bin-environment" => (
    				"PHP_FCGI_CHILDREN" => "2",
    				"PHP_FCGI_MAX_REQUESTS" => "500"
    			),
    			"bin-path" => "/usr/local/bin/php"
    		)
    	)
    )
    
    #### CGI module
    cgi.assign                 = ( ".cgi" => "" )
    
    ## sets Expires on every URL, so clients cache wpad.dat for up to 50 hours;
    ## shorten this while you are still changing the script, or clients keep the old copy
    expire.url = (
    				"" => "access 50 hours",
            )
    
    ## ssl configuration
    #ssl.engine = "enable"
    #ssl.pemfile = "/var/etc/cert.pem"
    
    #ssl.use-sslv2 = "disable"
    #ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES #@STRENGTH"
    

    file /root/check_proxyjs.sh

    #!/bin/sh
    # Start the wpad lighttpd if no process is running with this config file.
    # The [l] in the pattern keeps grep from matching its own command line,
    # so "grep -v grep" is not needed.
    if /bin/ps ax | /usr/bin/grep -q '[l]ighty-proxy-js.conf'; then
      /bin/echo ok
    else
      /usr/local/sbin/lighttpd -f /var/etc/lighty-proxy-js.conf
    fi
    

    cron

            • root /root/check_proxyjs.sh
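The post above runs a second lighttpd on port 80 for nothing but wpad.dat. As an added example (my code, not the poster's and not part of pfSense), the POSIX shell script below lints such a config for the handful of settings that matter for that job: port 80, a bind to one LAN address rather than the unfilled placeholder or 0.0.0.0, a PAC Content-Type for .dat, no fastcgi/cgi on a static one-file server, and directory listing off. Which settings count as required is my choice; the two sample configs inside it are constructed (one abridged from the config above, one minimal), not taken from a real firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: lint a lighttpd config
# that is supposed to serve ONLY wpad.dat on port 80 next to the pfSense webConfigurator.
# The checks are plain grep/sed over lighttpd's own setting names; which settings
# count as required is my choice, not something the thread states.
# Usage: sh lint_wpad_conf.sh /var/etc/lighty-proxy-js.conf
#        sh lint_wpad_conf.sh                  (no argument: lint the built-in samples)

# Config lines with comments removed, so a commented-out "mod_cgi" does not count.
active_lines() { grep -Ev '^[[:space:]]*#' "$1"; }

# lint_wpad_conf FILE: print one finding per line (nothing when clean); always returns 0.
lint_wpad_conf() {
    conf=$1
    # WPAD clients fetch http://wpad/wpad.dat, so the listener has to be on port 80.
    active_lines "$conf" | grep -Eq '^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*80[[:space:]]*$' \
        || echo "server.port is not 80"
    # Bind to one LAN address: reject a missing value, the unfilled placeholder and 0.0.0.0.
    bind=$(active_lines "$conf" \
        | sed -n 's/^[[:space:]]*server\.bind[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    case $bind in
        ''|0.0.0.0|::) echo "server.bind is missing or binds every interface" ;;
        *[!0-9.]*)     echo "server.bind is not an IPv4 address: $bind" ;;
    esac
    # Some clients ignore a PAC file served with the wrong Content-Type.
    active_lines "$conf" | grep -Eq '"\.dat"[[:space:]]*=>[[:space:]]*"application/x-ns-proxy-autoconfig"' \
        || echo "mimetype.assign has no .dat => application/x-ns-proxy-autoconfig entry"
    # A one-file static server needs no script execution at all.
    active_lines "$conf" | grep -Eq 'mod_fastcgi|mod_cgi|fastcgi\.server|cgi\.assign' \
        && echo "fastcgi/cgi still enabled on a server that only needs to hand out wpad.dat"
    # Nobody needs to browse the document root.
    active_lines "$conf" | grep -Eq 'server\.dir-listing[[:space:]]*=[[:space:]]*"disable"' \
        || echo "server.dir-listing is not disabled"
    return 0
}

# count_wpad_findings FILE: number of findings, 0 when every check passes.
count_wpad_findings() { lint_wpad_conf "$1" | awk 'END { print NR }'; }

# Constructed sample, modeled on the config posted above (abridged), not copied from a real box.
sample_posted() {
cat <<'EOF'
server.modules = ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress",
                   "mod_redirect", "mod_fastcgi", "mod_cgi" )
#                               "mod_cgi",
server.document-root = "/usr/local/www/wpad/"
mimetype.assign = ( ".pac" => "application/x-ns-proxy-autoconfig", ".js" => "text/javascript" )
server.port = 80
server.bind = "your_ip_address_here"
server.dir-listing = "disable"
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/tmp/php.sock" ) ) )
EOF
}

# Constructed sample of the minimal wpad-only listener the thread recommends.
sample_hardened() {
cat <<'EOF'
server.modules       = ( "mod_access", "mod_accesslog" )
server.document-root = "/usr/local/www/wpad/"
server.port          = 80
server.bind          = "192.168.1.1"
server.dir-listing   = "disable"
url.access-deny      = ( "~", ".inc" )
mimetype.assign      = ( ".dat" => "application/x-ns-proxy-autoconfig",
                         ".pac" => "application/x-ns-proxy-autoconfig" )
server.errorlog      = "/var/log/lighttpd-wpad.error.log"
EOF
}

if [ $# -gt 0 ]; then
    lint_wpad_conf "$1"
    echo "findings: $(count_wpad_findings "$1")"
else
    tmp=$(mktemp) || exit 1
    sample_posted   > "$tmp"; echo "posted-style sample: $(count_wpad_findings "$tmp") finding(s)"
    sample_hardened > "$tmp"; echo "hardened sample:     $(count_wpad_findings "$tmp") finding(s)"
    rm -f "$tmp"
fi
```

Run against the posted-style sample it reports three findings (placeholder bind address, no .dat MIME mapping, fastcgi/cgi enabled); the minimal sample passes. Point it at /var/etc/lighty-proxy-js.conf after filling in the LAN address to check the real file.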


  • Thank you for your effort.
    I did your method once with "Filer" and once by creating the files manually, uploading them over sftp and adding the cron job,
    but I have no luck.
    I rebooted pfSense to execute the cron job and changed pfSense to https; cleared client browsers still can't download the script when pfSense is on https.
    Should I change the wpad config in DHCP Server BOOTP to https, like "https://wpad/wpad.dat"??



  • While using Filer, you do not need sftp to transfer config files or scripts.

    Do not forget to create a firewall rule to allow traffic on 80, and also check whether you have disabled the web GUI redirect rule under System > Advanced.



  • Thank you.
    The real working method for me I got from HERE http://forum.pfsense.org/index.php/topic,59073.msg317570.html#msg317570
    Look at my setup in the attachment.
    After I did your steps, enabled HTTPS and unchecked "Disable webConfigurator redirect rule", the client browser can't download the wpad script.



  • Is there no other help for this issue?



  • Can you download the script if you put it directly in your browser? E.g. http://wpad/wpad.dat for you or http://my_pfsense_ip/wpad.dat for me.



  • Yes,
    everything is working fine; browsers can download the script with Server_IP or wpad/wpad.dat.
    My problem is that when I change pfSense web access to HTTPS, the browsers can't read the wpad script.



  • Personally I found it easiest to just install the vhost package and then create a vhost for wpad.



  • Oh, duh, I know why. The only web server you have running is the one running the pfSense gui. So when you have your pfSense gui set up to serve via http, requests for wpad via http are also served. When you set your pfSense gui to https, you are reconfiguring your server to port 443 and clients on your network are requesting wpad via http but there is no server on port 80.

    This is why I have a dedicated lighttpd serving port 80 running just for wpad (as detailed in the thread I linked). marcelloc does too, he mentioned it earlier in this thread (and others). My pfSense gui is run on https, but not port 443, another port so that I can have special 443 rules that don't affect the gui.
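The post above pins the failure down to one missing link: clients ask for http://wpad/wpad.dat on port 80, and once the GUI is on https nothing answers there. As an added example (my code, not from the thread or from pfSense), the POSIX shell script below walks that chain from a client or from the firewall itself and names the broken link: curl's exit code separates a DNS failure from a closed port and a firewall timeout, the response headers show whether the webConfigurator redirect rule is answering with a 302 to https or whether the Content-Type is wrong, and the body is checked for a FindProxyForURL function. It assumes curl is installed and that the DHCP option / DNS Forwarder host override point at http://wpad/wpad.dat; the sample responses it runs against with no argument are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread: walk the WPAD chain the post above
# describes one link at a time and name the broken one:
#   DNS name -> TCP port 80 -> HTTP status (no redirect to https) -> Content-Type -> PAC body.
# Assumptions (mine): curl is installed, clients are pointed at http://wpad/wpad.dat
# by the DHCP option / DNS Forwarder host override, and wpad.dat defines FindProxyForURL.
# Usage: sh wpad_check.sh wpad        check a live host (name or pfSense LAN IP)
#        sh wpad_check.sh             no argument: run the built-in offline samples

# diagnose_connect RC HOST: map curl's exit code onto the thread's diagnosis.
diagnose_connect() {
    case $1 in
        0)  echo "ok: connected to $2:80" ;;
        6)  echo "FAIL dns: '$2' does not resolve; add a DNS Forwarder host override for it" ;;
        7)  echo "FAIL tcp: nothing listens on $2:80; with the webConfigurator on https only 443 is open, so run a separate port-80 server for wpad.dat" ;;
        28) echo "FAIL timeout: $2:80 did not answer; check the firewall rule allowing port 80 on that interface" ;;
        *)  echo "FAIL curl exit code $1 for $2" ;;
    esac
}

# check_pac_headers FILE: FILE holds the raw response headers (what curl -D writes).
# Prints one finding per problem and nothing when they are right; always returns 0.
check_pac_headers() {
    hdr=$(tr -d '\r' < "$1")
    status=$(printf '%s\n' "$hdr" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p')
    case $status in
        200) ;;
        301|302|307|308)
            loc=$(printf '%s\n' "$hdr" | grep -i '^location:' | sed 's/^[^:]*:[[:space:]]*//')
            echo "FAIL http: $status redirect to '$loc'; the webConfigurator redirect rule owns port 80 (tick 'Disable webConfigurator redirect rule' under System > Advanced)" ;;
        *)  echo "FAIL http: status '$status' instead of 200" ;;
    esac
    ctype=$(printf '%s\n' "$hdr" | grep -i '^content-type:' | sed 's/^[^:]*:[[:space:]]*//; s/;.*//')
    [ "$ctype" = "application/x-ns-proxy-autoconfig" ] \
        || echo "FAIL mime: Content-Type is '$ctype'; some clients ignore a PAC not served as application/x-ns-proxy-autoconfig"
    return 0
}

# check_pac_body FILE: the body must be a PAC script, not the GUI login or an error page.
check_pac_body() {
    if grep -q 'function[[:space:]]*FindProxyForURL' "$1"; then
        echo "ok: body defines FindProxyForURL"
    elif grep -qi '<html' "$1"; then
        echo "FAIL body: got an HTML page (GUI login or error page) instead of a PAC script"
    else
        echo "FAIL body: no FindProxyForURL function in the response"
    fi
}

# check_wpad HOST: live check; does not follow redirects, so a 302 to https shows up as such.
check_wpad() {
    h=$(mktemp) && b=$(mktemp) || return 1
    rc=0
    curl -s --max-time 5 -D "$h" -o "$b" "http://$1/wpad.dat" || rc=$?
    diagnose_connect "$rc" "$1"
    if [ "$rc" -eq 0 ]; then
        check_pac_headers "$h"
        check_pac_body "$b"
    fi
    rm -f "$h" "$b"
}

# Constructed sample responses for the offline run; not captured from a real firewall.
sample_good_headers()     { printf 'HTTP/1.1 200 OK\r\nContent-Type: application/x-ns-proxy-autoconfig\r\n\r\n'; }
sample_redirect_headers() { printf 'HTTP/1.1 302 Found\r\nLocation: https://192.168.1.1/wpad.dat\r\nContent-Type: text/html\r\n\r\n'; }
sample_good_body()        { printf 'function FindProxyForURL(url, host) {\n  return "PROXY 192.168.1.1:3128";\n}\n'; }

if [ $# -gt 0 ]; then
    check_wpad "$1"
else
    t=$(mktemp) || exit 1
    sample_good_headers > "$t";     echo "good headers: $(check_pac_headers "$t" | awk 'END { print NR }') finding(s)"
    sample_redirect_headers > "$t"; check_pac_headers "$t"
    sample_good_body > "$t";        check_pac_body "$t"
    rm -f "$t"
fi
```

With the GUI on https and no separate port-80 server, a live run ends at "FAIL tcp"; with the redirect rule still enabled it gets through TCP and ends at "FAIL http: 302 redirect to 'https://...'", which is exactly the state described two posts up where unchecking "Disable webConfigurator redirect rule" broke the download again.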



  • Thank you all for helping me.
    vHost is working for me.
    I created:
    Host: wpad.dat
    Port: 80
    Directory: /usr/local/www

    but the squidGuard error pages are not working; can you give me any idea how to configure this?

