
WPAD Autoconfigure for Squid

From PFSenseDocs

This article is part of the HOWTO series.

WPAD Proxy Auto-Configure with squid

Summary

You can configure pfSense to serve automatic proxy configuration data to your clients, assuming their system settings are configured for this behavior. The same file can also be served from another local web server to point users to squid running either on pfSense or on another local system.

This process is known as WPAD, short for Web Proxy AutoDiscovery Protocol. If a web browser is configured for autodiscovery, it will try a few methods to figure out a proxy's location.

You can supply a WPAD host via DHCP, but in pfSense 1.2.x that would require hand editing the PHP file which generates the DHCP configuration, with lots of room for error. WPAD also uses DNS, which is easy to set up with the built-in DNS forwarder.

Why would I want to do this?

If you want to use squid authentication, you cannot use squid in transparent mode. If you use squid in normal mode, you must configure a proxy IP and port on each machine, which can be tedious. This can also cause problems on road warrior laptops that come in and out of your network. Rather than resetting their proxy configuration each time they enter and leave, autoconfigure will let them come and go without much trouble.

Most, if not all, modern browsers ship with the autoconfigure setting turned off, so you may still need to push or enter this setting on your client PCs. Even so, another advantage of using autoconfigure is that should you decide to move squid to another IP, you only have to change one file to inform the clients of the updated IP. (This may be easy to pull off in a Windows domain with AD, but not for many others!)

Prerequisites

This howto assumes you already have squid operating in a non-transparent configuration. If you need help with that, look elsewhere on the Wiki and Forums.

Create wpad.dat

Before starting, you will need to craft a wpad.dat file. This is just a single file containing a JavaScript function which tells the browser how to find a proxy hostname and port. The function can be as simple or as complex as you like; there are many examples on the web. In this example, we will direct all clients to our squid instance.

The contents of my test wpad.dat file look like this:

 // Send every request through the squid instance on the pfSense LAN address
 function FindProxyForURL(url, host)
 {
   return "PROXY 192.168.1.1:3128";
 }

The function in that file tells the browser to look for a proxy on 192.168.1.1 at port 3128.
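As an added example (not the wiki's wpad.dat), here is a fuller PAC file that goes beyond the one-line version above: it sends unqualified intranet names, the example.com domain and the assumed 192.168.1.0/24 LAN direct, and everything else through squid. A browser supplies isPlainHostName, dnsDomainIs and isInNet itself; the stand-ins in the block are assumptions so the function can be exercised outside a browser.

```javascript
// Added example PAC file, not the wiki's own. Assumes the LAN is
// 192.168.1.0/24 and squid listens on the pfSense LAN address 192.168.1.1:3128.
var SQUID = "PROXY 192.168.1.1:3128";

// Stand-ins for the browser's built-in PAC helpers (assumption: in a real
// browser these exist already; isInNet there resolves hostnames via DNS
// first, while this version only understands dotted-quad hosts).
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length > domain.length &&
    host.substr(host.length - domain.length) === domain;
}

function isInNet(host, pattern, mask) {
  var h = host.split("."), p = pattern.split("."), m = mask.split(".");
  if (h.length !== 4) return false;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(h[i], 10), n = parseInt(p[i], 10), k = parseInt(m[i], 10);
    if (isNaN(o) || (o & k) !== (n & k)) return false;
  }
  return true;
}

function FindProxyForURL(url, host) {
  // Unqualified intranet names, the local domain and the local subnet
  // (including the pfSense box that serves wpad.dat) go direct, so local
  // traffic never loops through squid.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.com") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through squid. Deliberately no "; DIRECT" fallback:
  // with the page's port-80 block rule in place a fallback would only fail,
  // and with an authenticating squid it would let clients silently bypass it.
  return SQUID;
}
```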

Now you need to upload this file to pfSense (or another locally accessible web server) with scp, or create it using the built-in file editor. The file needs to go under /usr/local/www/.

Due to the different ways that various browser versions try to access the file, you should put this same code in at least three different places:

/usr/local/www/wpad.dat
/usr/local/www/wpad.da
/usr/local/www/proxy.pac

(More advanced users might do this from the shell and use ln to link the files.)

To make this work with pfSense serving the file, local IPs will need to be able to reach the local interface IP of your pfSense router. They do not need to access the webgui with a password; this file is served without authentication.

If this is not acceptable in your environment, which is quite common, then point wpad.<yourdomain> to another internal web server which can answer requests for the wpad.dat and associated files. It can be any web server, but typically must be served from both the default VirtualHost as well as one named "wpad", due to differences in how browsers request the file.

Configure DNS

Now set up the DNS portion. WPAD takes the domain name given to the machine, likely assigned by DHCP, and prepends "wpad." to it. If your domain is example.com, it will look for wpad.example.com. You can do this with the DNS forwarder in pfSense or with another internal DNS server used by your client PCs.

A client browser will ultimately try to access http://wpad.example.com/wpad.dat - among others. More details on just what hostnames will be tried by WPAD are available in the WPAD article on Wikipedia.

To add the entry using the DNS forwarder on pfSense, navigate to Services -> DNS Forwarder. Click the + to add a new host override.

Enter the following (replace the domain with your own, and the IP address with that of your web server):

  • Host: wpad
  • Domain: example.com
  • IP Address: 192.168.1.1
  • Description: WPAD Autoconfigure Host

Click Save, and that's it.

Block Port 80 Out from LAN

Create a firewall rule at the TOP of the LAN tab (or appropriate interface) that blocks anything from <internal subnet> to * on port 80.

NOTE: If you have disabled the webgui anti-lockout rule, you will also need to allow web traffic to the pfSense box itself. If this is not acceptable in your environment, which is quite possible, then point wpad.<yourdomain> to another internal web server which can answer requests for the wpad.dat and associated files.

Test Clients

Fire up a browser on a client behind pfSense, and see what happens. If you have squid set up for authentication, you should be greeted with a login prompt. Otherwise, you'll need to check squid's logs to ensure you are going through the proxy.

If nothing happened, check your browser settings. Many modern browsers ship with the autoconfigure settings off.

Internet Explorer

  • Open Internet Options
  • Connections tab
  • LAN Settings button
  • Check "Automatically Detect Settings"
  • Click OK, and OK again.

Firefox

  • Click Tools
  • Click Options
  • Click Advanced
  • Click the Network tab
  • Click the Settings button
  • Check "Auto-detect proxy settings for this network"
  • Click OK