Netgate Discussion Forum
    Squid3 transparent proxy - commodo cert?

    Cache/Proxy
    21 Posts 6 Posters 4.1k Views
    • KOM

      So with the DNS entry and different sites, etc., there is no one spot I can put a web server that can be hit on all corporate networks AND all guest networks from each site. Any clue on how to set that DNS piece up?

      If these networks can't talk then DNS won't save you.  You will need to spin up a web server reachable by everyone if you want to implement WPAD.

      A better question is - how important is the "wpad.somedomain.com" entry in this functioning?

      It is critical.  The way WPAD works is the client will do a DNS lookup on wpad.domain, and then go to the IP address it gets back and ask for wpad.dat|proxy.pac (depending on the browser or OS).  I don't know if you could get away with doing it only via DHCP because I've never tried, but it might work.  You will still need HTTP servers that everyone can reach.  Doesn't need to be the same server.  If you have 4 LANs that can't talk to each other, you will need 4 HTTP servers, one on each LAN, to handle WPAD requests.

      • chris4916

        @KOM:

        That's it.  You need DNS and DHCP to fully cover it, but you can get away with just DNS.  You also need an HTTP web server to serve the wpad.dat, wpad.da and proxy.pac files.  You can use your pfSense box for this if you have WebGUI set to HTTP mode.

        I'm 100% in line with your comments regarding the use of WPAD  :)
        I really don't understand why one would ever use a transparent proxy, nor, even worse, implement MITM SSL  :o ::)

        This said, in terms of implementation, when relying on DNS, at least using the "Well Known Aliases" mechanism, I thought it requires an A record for "wpad.domain", at least according to RFC3040.
        As you're not supposed to have multiple DNS "A records" for the same IP, the only way you can achieve it is to set an additional IP on your LAN interface so that your http://wpad.domain URL points to it.

        Am I correct?  ???

        (WPAD is also described here)

        Jah Olela Wembo: Words turn into wounds when they irritate, assault or hurt.

          • KOM

          I'm not sure.  I have my alias as an A record and it seems to work fine.  I don't know if it makes a functional difference if it's an A or a CNAME.

            • chris4916

            @KOM:

            I'm not sure.  I have my alias as an A record and it seems to work fine.  I don't know if it makes a functional difference if it's an A or a CNAME.

            I don't understand why it would make any difference either. This is strange to me, and from a functional standpoint I don't see any difference.
            However, if on the client side the DNS request expects RR type 1 and does not accept type 5, it may fail.

            As I'm curious, I decided to look further at this, because if the client implements what the RFC describes, then only A records should be supported.

            This is what I found: (here) (yes, this is only the draft, but it may explain my previous comment; also, I still don't understand the reason behind this)

            4.4.3.    DNS A/CNAME "Well Known Aliases"

              Client implementations MUST support this mechanism. This should be
              straightforward since only basic DNS lookup of A records is
              required. See RFC 2219 [5] for a description of using "well known"
              DNS aliases for resource discovery. We propose the "well known
              alias" of "wpad" for web proxy auto-discovery.

              The client performs the following DNS lookup:
              QNAME=wpad.TGTDOM., QCLASS=IN, QTYPE=A

              Each A RR, which is returned, contains an IP address which is used
              to replace the <host> default in the CURL.

              Each candidate CURL so created should be pursued as specified in
              section 4.5 and beyond.

            One step further, reading RFC 2219, I'm lost  :-[  because this RFC explains the rationale using CNAME…
            So no real progress here, but this may explain why it doesn't always work.

            Anyone having a better understanding?  ???

            Jah Olela Wembo: Words turn into wounds when they irritate, assault or hurt.

              • KOM
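An added example (not from this thread) that shows the point being circled above: when an A-only client sends the draft's QNAME=wpad.TGTDOM., QTYPE=A query and the name is a CNAME, a normal resolver returns the CNAME RR followed by the A RR of its target, so the alias works as long as the chain ends in an A record. The domain, host and addresses are constructed, and the reply builder is a minimal stand-in for a real resolver.

```python
import struct

WPAD_QNAME = "wpad.example.com."   # constructed TGTDOM; the draft's QNAME=wpad.TGTDOM., QTYPE=A

def encode_name(name):
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, answers):
    # Constructed reply to an A query: header, question, then (owner, type, rdata) RRs.
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def wpad_addresses(msg):
    # Resolve wpad.TGTDOM as an A-only client: chase CNAME (type 5) RRs to the target's A RRs.
    qd, an = struct.unpack("!HH", msg[4:8])
    off, cnames, addrs = 12, {}, {}
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 5:
            cnames[owner.lower()] = read_name(msg, off + 10)[0].lower()
        elif rtype == 1 and rdlen == 4:
            addrs.setdefault(owner.lower(), []).append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    name = WPAD_QNAME.lower()
    for _ in range(len(cnames)):            # chase the CNAME chain, bounded by its length
        name = cnames.get(name, name)
    return addrs.get(name, [])              # [] means the client has no proxy address to try

# Constructed replies: a plain A record, and a CNAME whose target A record the resolver appended.
RESP_A = build_response(WPAD_QNAME, [(WPAD_QNAME, 1, bytes([192, 168, 1, 1]))])
RESP_CNAME = build_response(WPAD_QNAME, [(WPAD_QNAME, 5, encode_name("proxy.example.com.")),
                                          ("proxy.example.com.", 1, bytes([192, 168, 1, 1]))])
```

A CNAME whose target has no A record in the answer yields an empty list, which is the case where auto-detection silently fails and the client falls back to a direct connection.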

              So no real progress here but this may explain why it doesn't always work.

              Oh?  You have clients that can't find the proxy on their own?  I had a few Windows boxes like that and I had to set them to manual.

                • chris4916

                Not currently, but I remember I had a few some years ago, and it pushed me to implement DHCP option 252 and SRV/TXT records.

                Jah Olela Wembo: Words turn into wounds when they irritate, assault or hurt.

                  • marcelloc

                  @KOM:

                  For those few users who can't properly detect the proxy, they will have to manually configure it.

                  KOM,
                  How do you get WPAD working on mobile devices? Most of mine ignore the DNS and DHCP config and try to access the internet directly. The SSL cert for a guest network is also really hard to handle.

                  Elite Training: http://sys-squad.com

                  Help a community developer! ;D

                    • KOM

                    How do you get wpad working on mobile devices?

                    I'm not a mobile guy, but it seems to work for me here with Android (5.0) but it is still dumb.  While it supports auto-detection, you still must manually give it the URL to the proxy.pac|wpad.dat file.  So stupid.  Apparently they've never heard of WPAD.  I don't have any experience with Apple or Microsoft.

                      • marcelloc

                      @KOM:

                      Apparently they've never heard of WPAD.  I don't have any experience with Apple or Microsoft.

                      Or don't care about it; the thread has been open for years…
                      https://code.google.com/p/android/issues/detail?id=42696

                      Elite Training: http://sys-squad.com

                      Help a community developer! ;D

                        • azmodeuz

                        Try this

                        https://datalogus.blogspot.com/2016/06/pfsense-231-security-explicit-squid.html

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.