WPAD
Implementing WPAD
This page explains how I implemented Web Proxy Auto-Discovery (WPAD) on my home network. The web browsers are set to auto-discover their web proxy. In the absence of DHCP options (which I neither describe nor attempt here), the browser relies on DNS and HTTP to discover what its proxy settings should be.
Specifically, the browser looks up wpad.example.com (replace example.com with YOUR domain name) and then makes an HTTP request to that IP address, asking for http://wpad/wpad.dat
Thus, with the proper DNS records (wpad and proxy CNAMEs) and a web-served configuration file (/wpad.dat) in place, we can determine how the browsers on the network behave.
Components and Ports
- sonar: FreeBSD Sparc64 server running 6.2-RELEASE
- dansguardian running on sonar, 8080/tcp
- tinyproxy running on sonar, 8888/tcp
- apache running on sonar, 80/tcp
- bind running on the resolvers (ns1/ns2), 53/udp
Software
I set up tinyproxy-1.7.0_1 as a WWW proxy cache and dansguardian-2.8.0.6_2 for web content filtering on my FreeBSD server named sonar. A web server was also necessary to serve up the PAC file, so I installed apache-2.0.59. These all came from the FreeBSD ports collection. Finally I made sure all three servers were running and that I could use the web proxy on port 8080 (dansguardian) with a manual proxy configuration in my browser.
Don't forget to put the relevant enable lines in /etc/rc.conf:
dansguardian_enable="YES"
tinyproxy_enable="YES"
apache2_enable="YES"
DNS Records
Next, I added a couple of DNS CNAMEs in my foster.dmz zone.
wpad    IN CNAME sonar
proxy   IN CNAME sonar
Creating a usable proxy auto-configuration (PAC) file
On to WPAD. I needed to serve up a proxy.pac (proxy auto-configuration file). I based it on the example from the Squid FAQ. These are the contents of /usr/local/www/data/proxy.pac on sonar:
function FindProxyForURL(url, host)
{
    // Send every request through dansguardian on sonar (proxy CNAME), port 8080
    return "PROXY proxy:8080";
}
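As an added example (not the proxy.pac above, nor the Squid FAQ's), here is a PAC that keeps unqualified names, hosts in the foster.dmz zone and LAN addresses DIRECT and sends everything else through dansguardian. The helper functions in the lower half are stand-ins for the ones a browser injects into PAC scripts, included only so the file can be exercised under Node; strip them before deploying, or they will shadow the browser's own (DNS-resolving) versions.

```javascript
// Added example PAC (not the page's proxy.pac). "proxy:8080" is the page's
// dansguardian listener and 192.168.1.0/24 its LAN; ".foster.dmz" is its zone.
function FindProxyForURL(url, host) {
  // Unqualified names ("sonar", "wpad") and hosts in our own zone go direct,
  // so intranet traffic never transits the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".foster.dmz")) {
    return "DIRECT";
  }
  // Literal RFC 1918 addresses on the LAN are also reached directly.
  if (isInNet(host, "192.168.1.0", "255.255.255.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else must pass through the content filter. Appending
  // "; DIRECT" would let browsers bypass it whenever dansguardian is down,
  // so no fallback is offered here.
  return "PROXY proxy:8080";
}

// Stand-ins for the helpers browsers inject into PAC scripts, so the file
// can be exercised under Node. Browsers resolve the host inside isInNet;
// this version only accepts dotted-quad literals (names are "not in net").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m); // int32 wraparound applies equally to both sides
}
```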
Next, create the mime-type directive in apache's /usr/local/etc/apache2/mime-types file like so:
application/x-javascript-config dat pac
It's well worth mentioning that the mime-type used above is NOT the same one described on the Squid FAQ page; this came to light thanks to the Firefox Hacks page.
An alternative way of doing this is to use the "AddType" directive.
I also use an Alias (not a Redirect), after seeing twice the necessary HTTP traffic with a Redirect (a 302 followed by a 200 on browser startup).
Alias /wpad.dat /usr/local/www/data/proxy.pac
Restart apache after these changes.
/usr/local/etc/rc.d/apache2 restart
Make sure that both http://proxy/proxy.pac and http://wpad/wpad.dat are accessible. The latter will be asked for by the browser for auto-configuration.
Verification
Now we want to make sure the browser will succeed in finding and using the PAC file on startup, so use wget for a quick check.
horton:/tmp# wget http://wpad.foster.dmz/wpad.dat
--23:23:26--  http://wpad.foster.dmz/wpad.dat
           => `wpad.dat'
Resolving wpad.foster.dmz... 192.168.1.2
Connecting to wpad.foster.dmz[192.168.1.2]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,545 [application/x-javascript-config]

100%[====================================>] 2,545         --.--K/s

23:23:26 (24.27 MB/s) - `wpad.dat' saved [2545/2545]
The important things to note are that the mime-type (application/x-javascript-config) and the 200 response code look correct. An examination of the wpad.dat file also shows the correct contents.
It all comes together
After configuring my browser to Auto-detect proxy settings for this network and restarting it, I see DNS queries like so:
09-Dec-2006 21:42:16.134 queries: info: client 192.168.1.9#33083: query: wpad.foster.dmz IN AAAA +
09-Dec-2006 21:42:16.136 queries: info: client 192.168.1.9#33083: query: wpad.foster.dmz IN A +
09-Dec-2006 21:42:16.758 queries: info: client 192.168.1.9#33083: query: proxy.foster.dmz IN AAAA +
09-Dec-2006 21:42:16.759 queries: info: client 192.168.1.9#33083: query: proxy.foster.dmz IN A +
Here is a dump of the HTTP conversation that ensues.
Deleted, sorry
Gotcha!
Uh-oh! Upon rebooting, I discovered that dansguardian did not come up correctly: it wants tinyproxy (port 8888) to be running when it starts. Renaming the boot scripts in /usr/local/etc/rc.d/ so that tinyproxy starts first solved the problem.
cd /usr/local/etc/rc.d/
mv tinyproxy.sh 00_tinyproxy.sh
mv dansguardian.sh 01_dansguardian.sh
References
Finally, some references to information that helped make this all possible.
- IETF draft for WPAD
- Configuring Browsers for WPAD from the Squid Proxy FAQ
- Firefox Hacks
- Automatic proxy HTTP server configuration in web browsers
- Web Proxy Auto-Discovery (WPAD) Information Disclosure: some details about an MS vulnerability in searching for WPAD DNS records
- WLUG's WPAD information page
- DansGuardian with Tinyproxy