Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)
Automatic distribution of the proxy settings
Introduction
There are basically two ways to include a Proxy server in the configuration of the clients. On one hand, you can enter it manually in the browser or the operating system specific option. On the other hand, it can be defined transparently.
Both options have advantages and disadvantages, however their in depth discussion is outside the scope of this document. We are going only to mention here that If the Proxy operates in transparent mode there is usually no need to make adjustments on the client side, as the HTTP traffic goes through the Proxy automatically.
However, there are two trade offs to transparent proxy that should be evaluated when choosing whether using the manual configuration or not. First, with transparent proxy, you cannot configure exceptions. Unfortunately, there are sites that don't work properly if accessed through a proxy. This is exactly why you sometimes need exceptions. Second, the HTTPS protocol cannot work in transparent mode in IPfire.
Therefore if we don't want the Proxy to operate transparently, we need to resort to a manual configuration. However, opening every client configuration to enter the manual entries for the proxy and their exceptions could be very tedious. A much better way would be to automatically distribute to the clients the configuration directives at a central point (the IPFire appliance). Here we explain how to achieve this goal in the most efficient way possible.
Browser Support
The distribution can be be done via DHCP or via DNS.
| Browser / Configuration | DHCP | DNS |
|---|---|---|
| Internet Explorer | Y | ? |
| Chrome | Y | ? |
| Firefox | N | Y |
The generated file
There is a proxy configuration script provided by IPFire by default. It can be found under:
http://[IPFireIP]:81/proxy.pac
For a system to use this script, there is the need to distribute it.
To achieve this, there are two possibilities which we arrange in the course of this guidance.
Distribution via DHCP-option
The first possibility is the distribution by DHCP options. Therefore we define the following option under the"network" tab in the"DHCP Server" configuration.
wpad code 252=text
wpad "http://[IPFireIP]:81/proxy.pac"
The result should read
Distribution via DNS and HTTP
In some cases, the supplies of the DHCP server could be ignored. However, most browsers will be able to detect the proxy configuration automatically. In such a case, the Browser/Program will search the URL:
http://wpad.[localdomain]/wpad.dat
-or-
http://wpad/wpad.dat
for the WPAD-File.
There are different ways to provide this file. You can apply another http-vhost on port 80, a firewall-redirect-rule, a haparoxy-frontend/backend or similar, which only has the proxy.pac and wpad.dat in his Webroot.
vhost for Apache
To distribute the WPAD-file using Apache http-vhost, we initially create the directory
/srv/web/ipfire/wpad
mkdir /srv/web/ipfire/wpad
and subsequently we create also the file /etc/httpd/conf/vhosts.d/wpad.conf using the touch command
touch /etc/httpd/conf/vhosts.d/wpad.conf
and we populate /etc/httpd/conf/vhosts.d/wpad.conf with the following directives:
Listen 80
<VirtualHost *:80>
DocumentRoot "/srv/web/ipfire/wpad"
ServerName wpad.localdomain
ServerAlias wpad
Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
Alias /proxy.pac /srv/web/ipfire/html/proxy.pac
</VirtualHost>
To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.
ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac
ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat
Afterwards we restart the Apache2 with:
/etc/init.d/apache restart
HAProxy Frontend & Backend
HAProxy is a load balancer available as an IPFire add-on.
The following code-snippets are examples for adding a WPAD-Backend to a multi-domain-frontend on Port 80:
| Note! |
|---|
| This is not a complete config file for haproxy! |
filename = /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http
bind :80
http-request add-header X-Forwarded-Proto http
# Logging
capture request header host len 40
# wpad
acl is_wpad_domain hdr_beg(host) -i wpad.[localdomain] wpad [IPFireIP_on_green] [IPFireIP_on_blue]
acl is_wpad_path path_reg ^/wpad.dat$ ^/proxy.pac$
acl is_local_ip src [localsubnet/localsubnetmask]
use_backend wpad if is_local_ip is_wpad_domain is_wpad_path
# default
default_backend no_match
#---------------------------------------------------------------------
# Backend: WPAD
#---------------------------------------------------------------------
backend wpad
mode http
option httpchk
http-check send meth HEAD uri /wpad.dat ver HTTP/1.1 hdr Host 127.0.0.1:81
http-check expect status 200
server wpad 127.0.0.1:81 check
#---------------------------------------------------------------------
# Backend: No Match
#---------------------------------------------------------------------
backend no_match
http-request deny deny_status 400
Firewall Rule
FIXME explain port-forwarding rule for 80 --> 81 on the firewall interface of the zone WPAD should be enabled for.
Add a DNS-Host
Now an additional entry under "Edit Hosts" (findable under the tab "network" -> "Edit Hosts") named wpad with the IPFire-IP still has to be created,
to get the script under:
http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat
Configuring exceptions
The exceptions can be entered into the corresponding fields in the WebGUI of IPFire (Network --> Proxy --> WPAD). Please note:
- Subnets are expected in the format /255.255.255.0 and not /24
- URL's need to be entered completely or using wildcards (
*).
Credits
The IPFire team would like to say thanks for this Wiki to WhyTea!
Older Revisions • March 6 at 6:30 pm • Martin Koller