Clients do not recognize wpad.dat

thorsten · September 1, 2018, 7:24am

NethServer Version: 7.5
Module: dhcp, proxy, proxy-filter

Hi,

currently I try to make my network to collect proxy information by autoconfig. In short word: I do not manage got get if operative.

However, neither, IE, firefox, system or any other seems to recognize wpad.dat.

Facts:

wpad.dat is available from http://wpad.myname.tld/wpad.dat
wpad.dat is available from http://wpad/wpad.dat
wpad.dat is available from http://FQDN/wpad.dat
option 252 is set up correctly within dnsmasq.conf

Conclusion:

Nethserver side seems to be correct

Firefox Config seems to be correct:

Strange:

I would expect that the mime type is handled differently according to:

application/x-ns-proxy-autoconfig

Questions:
I am used to /etc/apache2/httpd.conf, where is the corresponding file in nethserver to check if the mime type is set correctly. Does anybody by change know how to set up the mime type handling correctly for firefox manually?

Edit:
Is there any option / command to test which proxy a system uses effectively instead of try a web request presumably blocked?

TIA
Thorsten

mrmarkuz · September 1, 2018, 8:15pm

It seems like firefox doesn’t support DHCP WPAD, it uses DNS WPAD.
nslookup wpad.domain.com on the client should give back your proxy server.
In my case the clients don’t use the Nethserver proxy as DNS server so I had to add an entry (wpad.domain.com pointing to the proxy) to my DNS server.

https://findproxyforurl.com/browser-support

It should work in any case if you enter the wpad url in “automatic proxy config” in firefox.

thorsten · September 1, 2018, 9:05pm

Hi Markus,

I set up a serveralias within DNS module for wpad.myname.tld. Additionally, I changed DNS server provided by DHCP from

172.17.0.13 (the IP of Nethserver AD, but not the proxy IP)
to
172.17.0.12 (the IP of Nethserver itself).

but it does not work. Here is the output of nslookup:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\System32>nslookup wpad
Server:  nethserver.myname.tld
Address:  172.17.0.12

Name:    wpad.myname.tld
Address:  172.17.0.12


C:\Windows\System32>nslookup wpad.myname.tld
Server:  nethserver.myname.tld
Address:  172.17.0.12

Nicht autorisierende Antwort:
Name:    wpad.myname.tld.myname.tld
Address:  mystaticIP

http://wpad.myname.tld/wpad.dat downloads the correct file.

mrmarkuz · September 1, 2018, 11:12pm

Firefox tries wpad.myname.tld so maybe firefox needs internal 172.17.0.12 instead of (external) mystaticIP?

Yes but I think you are downloading it via proxy. Firefox has to get the wpad file without proxy and access to wpad.dat from external is forbidden.

thorsten · September 2, 2018, 8:32pm

Following this, it should work for Windows System / for IE, but it does not.

I hope I do understand correctly: In my case clients do use Nethserver as proxy and DNS server (same IP).

This does not work either: I works simply if I assign proxy manually to each client - something I do not want to do

This is what I said: Direct, “aka green internal” contact seems to be possible, mostly evident by the initial part of nslookup and the fact that the file is downloaded and displayed:

> C:\Windows\System32>nslookup wpad
Server:  nethserver.myname.tld
Address:  172.17.0.12

> C:\Windows\System32>ping wpad.myname.tld
Ping wird ausgeführt für wpad.myname.tld [172.17.0.12] mit 32 Bytes Daten:

Antwort von 172.17.0.12: Bytes=32 Zeit=2ms TTL=64
Antwort von 172.17.0.12: Bytes=32 Zeit=1ms TTL=64

Ping-Statistik für 172.17.0.12:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 1ms, Maximum = 2ms, Mittelwert = 1ms

> C:\Windows\System32>tracert wpad.mydomain.tld
Routenverfolgung zu wpad.mydomain.tld [172.17.0.12] über maximal 30 Abschnit
te:

  1     1 ms     1 ms     1 ms  nethserver.mydomain.tld [172.17.0.12]

Ablaufverfolgung beendet.

mrmarkuz · September 2, 2018, 8:52pm

Did you try the squid testing package?

yum --enablerepo=nethserver-testing update nethserver-squid

If the autoconfig wpad url does not work it’s maybe a firefox problem, you may try to start in safe mode or with a fresh profile.

thorsten · September 2, 2018, 9:14pm

None of that works:

started firefox in safe mode
installed update (checked: wpad.dat provides IP instead of FQDN)
IE / Windows 7 do not recognize proxy autoconfig.

-> Checked a different LInux / Ubuntu client:
same result for firefox and system…

thorsten · September 2, 2018, 9:28pm

By the way (maybe a question for another thread):

I run the proxy in transparent / SSL mode. When filters are active, the respective website responds of course a security beach (“Connection is not safe”).

In some cases strikt HTTPS is applied, aka: firefox refuses to install a security exception. Would be nice to have this for vhost, too
In some cases, where an https page is blocked, firefox allwos to install a security exception based on “blocked.nethserver.org”. As the page should be blocked, not certificate exception is required at al - just the “blocked page” needs to be displayed.
In other cases I do not understand how it works at all: pages such as https://www.test.de are displayed with the correct certificate. How does nethserver check such pages transparently?
In o

thorsten · September 3, 2018, 6:59am

By the way: how do I get back to the normal repro for this (any other) package?
Would I miss the "regular update package if not returned / removed the test installation?

TIA
Thorsten

giacomo · September 3, 2018, 12:11pm

Using the command above, the testing repository is enabled only one-shot.

No, you do not need any further modification.

Please bear in mind that wpad is useful only when using authenticated or manual proxy.