Netgate Discussion Forum
    HTTP and HTTPs redirect to Dansguardian IP Address and Port

    Cache/Proxy
    18 Posts 3 Posters 7.3k Views
    • D
      dodong
      last edited by

      Hi Guys,

      Can anyone help me to configure on PFSense 2.2.4 how to redirect HTTP and HTTPS to Dansguardian IP Address and Port.

      Thanks in advance.

      Best,
      Dodong

      1 Reply Last reply Reply Quote 0
      • A
        agixdota
        last edited by

        @dodong:

        Hi Guys,

        Can anyone help me to configure on PFSense 2.2.4 how to redirect HTTP and HTTPS to Dansguardian IP Address and Port.

        Thanks in advance.

        Best,
        Dodong

        Hey buddy, why use dansguardian?  ;D

        1 Reply Last reply Reply Quote 0
        • D
          dodong
          last edited by

          My test environment :

          On PFSense 2.2.4 Box, I've installed services such as Squid3 and Dansguardian. I don't want to configure transparent (HTTP and HTTPS) mode on Squid3 nor configure client web browsers.

          HTTP and HTTPS > Dansguardian 3128 > Web Sites.

          I will appreciate any and every suggestion.

          Thanks,
          Dodong

          1 Reply Last reply Reply Quote 0
          • D
            dodong
            last edited by

            Guys,

            Any updates?

            Thanks,
            Dodong

            1 Reply Last reply Reply Quote 0
            • D
              dodong
              last edited by

              For HTTP setup is quite good. All HTTP requests are redirected to Dansguardian's Port 8080. However, adding HTTPS on NAT Port Forward it seems not working.

              Any suggestions?

              Thanks in advance!

              Best,
              Dodong

              ![NAT Port Forward.png](/public/imported_attachments/1/NAT Port Forward.png)
              ![Firewall Rule.png](/public/imported_attachments/1/Firewall Rule.png)

              1 Reply Last reply Reply Quote 0
              • C
                chris4916
                last edited by

                As discussed elsewhere, WPAD will nicely answer most of the questions you have because, by default, most browsers are configured to automatically search for the proxy.pac file.

                I realized that this WPAD concept is sometimes not well understood so I'll try to explain it again.

                • Once you understand why explicit proxy is far better than transparent proxy, configuring proxy setting on each browser or application is painful.

                • The answer is to use a proxy.pac file which describes where your proxy is and how to use it.

                • proxy.pac file location can be configured manually in most browsers. It requires a web server to host and serve this file.

                • Instead of manually configuring the browser to tell it where the proxy.pac file is, there is a mechanism implemented by almost all browsers and web based applications known as WPAD aiming at discovering this location relying on DHCP or DNS: this is WPAD

                This means that implementation can be achieved step by step with easy control stages:

                • learn how to write proxy.pac file: this is easy and you will find plenty of examples here and there

                • host this file on your preferred web server (within your LAN, not hosted outside !!!). not mandatory here but useful for the next steps: pay attention to the various aliases this proxy.pac may need

                • test this file by manually configuring your browser so that it loads it. Once this works, you can focus on the WPAD specific aspects

                • configure DHCP option 252

                • configure DNS using the "well known alias" method as well as "service" method. more on this here, e.g. but you will find other example easily if needed

                • configure your browser to automatically discover proxy.pac file…. et voila

                Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

                1 Reply Last reply Reply Quote 0
                • C
                  chris4916
                  last edited by

                  Reading your PM (and suggesting to discuss this here as it may help other members  ;)):

                  • you may use different names for proxy.pac file but not wpad.pac  ;)  proxy.pac, proxy.dat, proxy.dat  some aliases depending on browsers and platform but as far as I know, wpad.pac doesn't work
                  • your proxy.pac file should redirect to Squid which will handle connection to Dansguardian. IMHO, you should not redirect HTTP requests directly to Dansguardian.


                  1 Reply Last reply Reply Quote 0
                  • D
                    dodong
                    last edited by

                    Hi Chris,

                    Doing WPAD Configuration as you suggest. Here's my setup :

                    Active Directory, DHCP Server, DNS Server, Web Server : 172.16.0.1 (OS - Windows Server 2012 R2)
                    PFSense 2.2.4 ( I installed squid3(port 3128) and dansguardian(port 8080)) : 172.16.255.254

                    Client : Windows 8.1 and using web browsers such as IE11, FF 41.0.1, and Chrome 45.0.2454

                    My pac code is

                    function FindProxyURL(url, host)
                    { return "PROXY 172.16.255.254:8080; DIRECT"}

                    And save this code as wpad.pac in wwwroot folder of my Web Server.

                    For testing, using IE11 browser, Internet Option > Connections > LAN Settings > Use automatic configuration script.

                    Address : http://172.16.0.1/wpad.pac

                    Uncheck the boxes Automatically detect settings and Use proxy server for your LAN…

                    The test was FAILED.

                    Any suggestions?

                    Thanks in advance!

                    Best,
                    Dodong

                    1 Reply Last reply Reply Quote 0
                    • C
                      chris4916
                      last edited by

                      I suggest that:

                      • your web server serves proxy.pac file instead of wpad.pac file. it doesn't really matter at this stage but will help later  ;)
                      • your pac file redirect to Squid port instead of Dansguardian port. (i.e. 3128 instead of 8080)

                      The idea here is that browser relies on proxy which uses Dansguardian rather than having browser accessing directly Dansguardian, leaving Squid proxy unused.


                      1 Reply Last reply Reply Quote 0
                      • D
                        dodong
                        last edited by

                        Chris - I revised the pac code and saved it as proxy.pac

                        function FindProxyURL(url, host)
                        { return "PROXY 172.16.255.254:3128; DIRECT"}

                        Same result. Not working..  :'( (No logs on /var/squid/log/access.log)

                        For IIS Web Server, I followed this instruction: http://findproxyforurl.com/deploying-pac/

                        1 Reply Last reply Reply Quote 0
                        • C
                          chris4916
                          last edited by

                          @dodong:

                          Same result. Not working..  :'( (No logs on /var/squid/log/access.log)

                          Aside lack of log, what is the behaviour client side ?

                          what if you access directly http://172.16.0.1/proxy.pac from your browser ? can you read file content ?


                          1 Reply Last reply Reply Quote 0
                          • D
                            dodong
                            last edited by

                            I corrected my code :

                            function FindProxyForURL(url, host)
                            { return "PROXY 172.16.255.254:3128; DIRECT"}

                            On FF is working. However on IE no success..

                            1 Reply Last reply Reply Quote 0
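Two PAC details from this thread, the `FindProxyForURL` function name and the `; DIRECT` fallback (which lets clients skip the filtering proxy whenever it is unreachable), can be checked before the file is published. This is an added example, not part of any post in the thread; `auditPac`, the stub helpers, the sample URLs and the 172.16.0.0/16 LAN range are assumptions.

```javascript
// Added example: lint a PAC file before it is published through WPAD.
// auditPac, PAC_STUBS, SAMPLE_URLS and the /16 LAN range are assumptions.

// Stand-ins for helpers a browser provides to PAC scripts (no DNS lookups;
// isInNet only understands dotted-quad literals).
const ip4 = (s) => s.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const PAC_STUBS = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => /^\d+(\.\d+){3}$/.test(host) &&
    ((ip4(host) & ip4(mask)) >>> 0) === ((ip4(net) & ip4(mask)) >>> 0),
};

const MISNAMED_PAC = 'function FindProxyURL(url, host)\n{ return "PROXY 172.16.255.254:3128; DIRECT"}';
const THREAD_PAC = 'function FindProxyForURL(url, host)\n{ return "PROXY 172.16.255.254:3128; DIRECT"}';
const HARDENED_PAC = `function FindProxyForURL(url, host) {
  // LAN names and addresses go direct; everything else has no DIRECT fallback.
  if (isPlainHostName(host) || isInNet(host, "172.16.0.0", "255.255.0.0")) return "DIRECT";
  return "PROXY 172.16.255.254:3128";
}`;
const SAMPLE_URLS = ["http://172.16.0.1/proxy.pac", "https://www.example.com/"]; // constructed

function auditPac(pacText, urls) {
  const names = Object.keys(PAC_STUBS);
  let find;
  try {
    // The PAC text is the administrator's own file: new Function is not a sandbox.
    find = new Function(...names, pacText +
      "\n;return typeof FindProxyForURL === 'function' ? FindProxyForURL : null;")(
      ...names.map((n) => PAC_STUBS[n]));
  } catch (e) {
    return { ok: false, problems: ["PAC does not parse or load: " + e.message], routes: {} };
  }
  if (!find) {
    return { ok: false, problems: ["FindProxyForURL is not defined"], routes: {} };
  }
  const problems = [], routes = {};
  for (const url of urls) {
    const entries = String(find(url, new URL(url).hostname))
      .split(";").map((s) => s.trim()).filter(Boolean);
    routes[url] = entries;
    if (entries[0] !== "DIRECT" && entries.includes("DIRECT")) {
      problems.push(url + ": falls back to DIRECT when the proxy is unreachable");
    }
  }
  return { ok: problems.length === 0, problems, routes };
}

for (const pac of [MISNAMED_PAC, THREAD_PAC, HARDENED_PAC]) console.log(auditPac(pac, SAMPLE_URLS));
```

Dropping `DIRECT` from the proxied branch means web access stops when the proxy is down, which is the trade-off for not letting traffic bypass the filter.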
                            • D
                              dodong
                              last edited by

                              Finally, I've successfully configured on both IE11 and FF40. You just need to change the file extension from proxy.pac into proxy.dat

                              function FindProxyForURL(url, host)
                              { return "PROXY 172.16.255.254:3128; DIRECT"}

                              Chris, instead of using squid's port 3128, I've used dansguardian's port 8080.. In dansguardian config file you can set parent proxy to squid..

                              Thanks to all!!

                              Best,
                              Dodong

                              1 Reply Last reply Reply Quote 0
                              • C
                                chris4916
                                last edited by

                                @dodong:

                                Finally, I've successfully configured on both IE11 and FF40. You just need to change the file extension from proxy.pac into proxy.dat

                                in the automatic discovery mode only, if I'm not wrong. When you hardcode URL, does it matter?

                                Chris, instead of using squid's port 3128, I've used dansguardian's port 8080.. In dansguardian config file you can set parent proxy to squid..

                                What's the purpose then ?


                                1 Reply Last reply Reply Quote 0
                                • D
                                  dodong
                                  last edited by

                                  @chris4916:

                                  @dodong:

                                  Finally, I've successfully configured on both IE11 and FF40. You just need to change the file extension from proxy.pac into proxy.dat

                                  in the automatic discovery mode only, if I'm not wrong. When you hardcode URL, does it matter?

                                  Chris, instead of using squid's port 3128, I've used dansguardian's port 8080.. In dansguardian config file you can set parent proxy to squid..

                                  What's the purpose then ?

                                  Both, Chris: automatic discovery mode and hardcode URL (http://findproxyforurl.com/deploying-pac/). My plan is to implement this on DHCP/DNS Server.

                                  The purpose of setting up Dansguardian Port is to have content filtering..

                                  By the way, many thanks Chris!!

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    chris4916
                                    last edited by

                                    BTW you're right: Dansguardian does act like Squidguard, as Squid redirector but Dansguardian is an additional layer between browser and Squid  :-[

                                    Pay attention to your file name:
                                    some browsers and applications will need proxy.pac while others will need .dat or even .da
                                    The easiest way to achieve it while still maintaining only one file is to create logical links (aliases)


                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      dodong
                                      last edited by

                                      @chris4916:

                                      BTW you're right: Dansguardian does act like Squidguard, as Squid redirector but Dansguardian is an additional layer between browser and Squid  :-[

                                      Pay attention to your file name:
                                      some browsers and applications will need proxy.pac while others will need .dat or even .da
                                      The easiest way to achieve it while still maintaining only one file is to create logical links (aliases)

                                      Thanks for the reminder Chris! Do you have any "how-to" to do this?

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        chris4916
                                        last edited by

                                        As your operating system supporting proxy.pac file is Windows, you will have to create such symbolic links using mklink command and create as many logical links as needed.

                                        e.g.

                                        mklink wpad.dat proxy.pac
                                        

                                        will create a new (logical) file wpad.dat linked to proxy.pac
                                        If you modify proxy.pac content, it will modify wpad.dat too.


                                        1 Reply Last reply Reply Quote 0
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.