1. The Web Interface
  2. Network
  3. Web Proxy
  4. Proxy extensions
  5. Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)

Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)

Automatic distribution of the proxy settings

Back to proxy main Page

Introduction

There are basically two ways to include a Proxy server in the configuration of the clients. On the one hand, you can enter it manually in the browser or system, and on the other hand it can be defined transparently. Both options have advantages and disadvantages which should not be listed in here. However the main difference of the two versions concerns to me in here. If the Proxy operates in transparent mode there is usually no need to make adjustments on the clients, the HTTP traffic goes through the Proxy automatically. This also means, that you are not able to configure any exceptions. Unfortunately, there are some sites that don't work properly, if accessed through a proxy. This is exactly why you sometimes need exceptions. So we don't want the Proxy to operate transparently, but we also do not want to touch every client to make the manual entries for the proxy configuration, and the exceptions. Everything should be configured at a central point ( the IPFire appliance ) with automatic distribution to all clients.

Browser Support

The distribution can be be done via DHCP or via DNS.

Browser / Configuration DHCP DNS
Internet Explorer Y ?
Chrome Y ?
Firefox N Y

The generated file

There is a proxy configuration script provided by IPFire by default. It can be found under:

http://[IPFireIP]:81/proxy.pac

For a system to use this script, there is the need to distribute it.
To achieve this, there are two possibilities which we arrange in the course of this guidance.

Distribution via DHCP-option

The first possibility is the distribution by DHCP options. Therefore we define the following option under the"network" tab in the"DHCP Server" configuration.

wpad code 252=text
wpad "http://[IPFireIP]:81/proxy.pac"

The result should read

Distribution via DNS and HTTP

In some cases, the supplies of the DHCP server could be ignored. However, most browsers will be able to detect the proxy configuration automatically. In such a case, the Browser/Program will search the URL:

http://wpad.[localdomain]/wpad.dat

-or-

http://wpad/wpad.dat

for the WPAD-File.

There are different ways to provide this file. You can apply another http-vhost on port 80, a firewall-redirect-rule, a haparoxy-frontend/backend or similar, which only has the proxy.pac and wpad.dat in his Webroot.

vhost for Apache

Therefor we initially create the directory /srv/web/ipfire/wpad

mkdir /srv/web/ipfire/wpad

and subsequently the file /etc/httpd/conf/vhosts.d/wpad.conf

touch /etc/httpd/conf/vhosts.d/wpad.conf

with the following content:

filename = /etc/httpd/conf/vhosts.d/wpad.conf

Listen 80
<VirtualHost *:80>
DocumentRoot "/srv/web/ipfire/wpad"
ServerName wpad.[localdomain]
Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
Alias /proxy.pac /srv/web/ipfire/html/proxy.pac
</VirtualHost>

To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.

ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac

ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat

Afterwards we restart the Apache2 with:

/etc/init.d/apache restart

haproxy Frontend & Backend

The following code-snippets are examples for adding a WPAD-Backend to a multi-domain-frontend on Port 80:

Note!
This is not a complete config file for haproxy!

filename = /etc/haproxy/haproxy.cfg

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http
      bind :80
      reqadd X-Forwarded-Proto:\ http

      # Logging
      capture request header host len 40

      # wpad
      acl is_wpad_domain hdr_beg(host) -i wpad.[localdomain] wpad [IPFireIP_on_green] [IPFireIP_on_blue]
      acl is_wpad_path path_reg ^/wpad.dat$ ^/proxy.pac$
      acl is_local_ip src [localsubnet/localsubnetmask]
      use_backend wpad if is_local_ip is_wpad_domain is_wpad_path

      # default
      default_backend no_match


#---------------------------------------------------------------------
# Backend: WPAD
#---------------------------------------------------------------------
backend wpad
      option httpchk HEAD /wpad.dat HTTP/1.1\r\nHost:\ 127.0.0.1:81
      server ipfire 127.0.0.1:81 check


#---------------------------------------------------------------------
# Backend: No Match
#---------------------------------------------------------------------
backend no_match
      http-request deny deny_status 400

Firewall Rule

FIXME

Add a DNS-Host

Now an additional entry under "Edit Hosts" (findable under the tab "network" -> "Edit Hosts") named wpad with the IPFire-IP still has to be created,

to get the script under:

http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat

Configuring exceptions

The exceptions can be entered into the corresponding fields in the WebGUI of IPFire (Network --> Proxy --> WPAD). Please note:

  • Subnets are expected in the format /255.255.255.0 and not /24
  • URL's need to be entered completely or using wildcards (*).

Credits

The IPFire team would like to say thanks for this Wiki to WhyTea!

Back to proxy main Page

Edit Page ‐ Yes, you can edit!

Older Revisions • May 31 at 9:40 am • Bernhard Bitsch