Differences in Revisions: Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)

Older Revision
August 23 at 5:46 pm
»
Newer Revision
Monday at 10:12 pm
fixed code blocks (formatting)
# Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)
 
## Automatic distribution of the proxy settings
 
**[Back to proxy main Page](/configuration/network/proxy)**
 
 
## Introduction
There are basically two ways to make clients use a proxy server. You can enter the proxy manually in the browser or system, or you can run the proxy transparently. Both options have advantages and disadvantages, which are not listed here; only the main difference between them matters for this page. If the proxy operates in transparent mode, there is usually no need to make adjustments on the clients: HTTP traffic goes through the proxy automatically. This also means that you cannot configure any exceptions. Unfortunately, some sites don't work properly when accessed through a proxy, which is exactly why exceptions are sometimes needed. So we don't want the proxy to operate transparently, but we also don't want to touch every client to enter the proxy configuration and the exceptions manually. Everything should be configured at a central point (the IPFire appliance) and distributed automatically to all clients.
 
 
## Browser Support
The distribution can be done **via DHCP** or **via DNS**.
 
| Browser / Configuration | DHCP | DNS |
| --- | --- | --- |
| Internet Explorer | Y | ? |
| Chrome | Y | ? |
| Firefox | N | Y |
 
 
## The generated file
There is a proxy configuration script provided by IPFire by default. It can be found under:
```
http://[IPFireIP]:81/proxy.pac
```
 
### Distribution via DHCP-option
For a system to use this script, it needs to be distributed.
![](/configuration/network/proxy_config_automatic_distribution_dhcp_options_en.jpg)
 
To achieve this, there are two possibilities, both of which are covered in this guide. The first is distribution via DHCP options. To do so, we define the following option under the *"network"* tab in the *"DHCP Server"* configuration.
 
```text
wpad code 252=text
wpad "http://[IPFireIP]:81/proxy.pac"
```
 
### Distribution via DNS and HTTP
In some cases, the options supplied by the DHCP server may be ignored. However, most browsers are able to detect the proxy configuration automatically. In that case, the browser or program will search the URL:
 
```text
http://wpad.[localdomain]/wpad.dat
```
-or-
```text
http://wpad/wpad.dat
```
for the WPAD-File.
 
There are different ways to provide this file. You can set up another HTTP vhost on port 80, a firewall redirect rule, a haproxy frontend/backend or similar, which has only proxy.pac and wpad.dat in its webroot.
 
### vhost for Apache
To do this, we first create the directory */srv/web/ipfire/wpad*
 
```
mkdir /srv/web/ipfire/wpad
```
 
and subsequently the file */etc/httpd/conf/vhosts.d/wpad.conf*
 
```
touch /etc/httpd/conf/vhosts.d/wpad.conf
```
 
with the following content:
 
filename = /etc/httpd/conf/vhosts.d/wpad.conf
 
```text
Listen 80
<VirtualHost *:80>
DocumentRoot "/srv/web/ipfire/wpad"
ServerName wpad.[localdomain]
Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
Alias /proxy.pac /srv/web/ipfire/html/proxy.pac
</VirtualHost>
```
 
To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.
 
```text
ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac
 
ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat
```
 
Afterwards we restart Apache with:
```
/etc/init.d/apache restart
```
 
### haproxy Frontend & Backend
The following code-snippets are examples for adding a WPAD-Backend to a multi-domain-frontend on Port 80:
 
| Note! |
|---|
| This is not a complete config file for haproxy! |
 
 
filename = /etc/haproxy/haproxy.cfg
```text
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http
bind :80
reqadd X-Forwarded-Proto:\ http
 
# Logging
capture request header host len 40
 
# wpad
acl is_wpad_domain hdr_beg(host) -i wpad.[localdomain] wpad [IPFireIP_on_green] [IPFireIP_on_blue]
acl is_wpad_path path_reg ^/wpad.dat$ ^/proxy.pac$
acl is_local_ip src [localsubnet/localsubnetmask]
use_backend wpad if is_local_ip is_wpad_domain is_wpad_path
 
# default
default_backend no_match
 
 
#---------------------------------------------------------------------
# Backend: WPAD
#---------------------------------------------------------------------
backend wpad
option httpchk HEAD /wpad.dat HTTP/1.1\r\nHost:\ 127.0.0.1:81
server ipfire 127.0.0.1:81 check
 
 
#---------------------------------------------------------------------
# Backend: No Match
#---------------------------------------------------------------------
backend no_match
http-request deny deny_status 400
```
 
### Firewall Rule
 
FIXME
 
### Add a DNS-Host
Now an additional entry named **wpad** with the IPFire IP still has to be created under "Edit Hosts" (found under the tab *"network"* -> *"Edit Hosts"*),

![](/configuration/network/proxy_config_automatic_distribution_addhost_eng.jpg)

so that the script is available at:

http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat
 
 
## Configuring exceptions
The exceptions can be entered into the corresponding fields in the WebGUI of IPFire (Network --> Proxy --> WPAD). Please note:
 
* Subnets are expected in the format /255.255.255.0 and **not** /24
* URLs need to be entered completely or using wildcards (`*`).
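
A PAC file is JavaScript that exposes `FindProxyForURL(url, host)`. The following added example (not the proxy.pac that IPFire generates) shows how subnet and wildcard exceptions of this kind are evaluated on the client; PAC's `isInNet()` takes the mask in dotted form. The proxy address, subnet and URL patterns are constructed, and the `isInNet`/`shExpMatch` functions are simplified stand-ins for the browser built-ins so the file runs under Node.

```javascript
// Added illustration; this is not the proxy.pac that IPFire generates.
// Constructed values: proxy address, exception subnet, URL patterns.
var PROXY = "PROXY 192.168.1.1:800";
var DIRECT_SUBNETS = [["192.168.1.0", "255.255.255.0"]]; // dotted mask, not /24
var DIRECT_URLS = ["*.intranet.example/*", "http://printer.example/status"];

// Stand-ins for the isInNet() and shExpMatch() helpers that browsers supply
// to PAC scripts, so the example runs under Node. Omit them in a real PAC file.
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null; // rejects "/24", host names
  var parts = ip.split("."), value = 0;
  for (var i = 0; i < 4; i++) {
    if (Number(parts[i]) > 255) return null;
    value = ((value << 8) | Number(parts[i])) >>> 0;
  }
  return value;
}

function isInNet(host, net, mask) {
  // Simplification: the browser helper also resolves host names via DNS.
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function shExpMatch(str, glob) {
  // Shell-style match: "*" is any run of characters, "?" exactly one.
  var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
               .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var i;
  for (i = 0; i < DIRECT_SUBNETS.length; i++) {
    if (isInNet(host, DIRECT_SUBNETS[i][0], DIRECT_SUBNETS[i][1])) return "DIRECT";
  }
  for (i = 0; i < DIRECT_URLS.length; i++) {
    if (shExpMatch(url, DIRECT_URLS[i])) return "DIRECT";
  }
  return PROXY;
}
```

A URL entered without a wildcard only matches exactly, so `http://printer.example/status/other` still goes through the proxy.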
 
 
## Credits
The IPFire team would like to say thanks for this Wiki to [WhyTea](http://forum.ipfire.org/index.php?action=profile;u=3565)
 
**[Back to proxy main Page](/configuration/network/proxy)**