Setting up proxy auto-configuration on pfSense has a handy documentation page, but sadly the first thing they say is that you have to run the webConfigurator GUI in HTTP mode, which is kind of annoying.
Given the auto-config of nginx (which runs the pfSense GUI) will likely blat any changes I make, I decided to use lighttpd instead.
In short, we’re going to:
- install a web server
- make a pac file
- make it available at a couple of different URLs via that web server
- have cake
Here’s how I did it…
Install lighttpd by running the following: sudo pkg install lighttpd
Enable lighttpd by editing rc.conf (sudo vi /etc/rc.conf) and adding lighttpd_enable=YES to make sure it starts.
To find the lighttpd document root, where it serves files from - in case it’s been changed in future:
sudo grep server.document-root /usr/local/etc/lighttpd/lighttpd.conf | egrep -v "^#"
On my 2.4.1 pfSense box it was server.document-root = "/usr/local/www/data/"
If you want to change the web server location, edit /usr/local/etc/lighttpd/lighttpd.conf and look for server.document-root.
Create the data directory, to keep it separate from the GUI. Also create a default index.html because we like avoiding directory listings…
sudo mkdir -p /usr/local/www/data/
sudo touch /usr/local/www/data/index.html
Create the PAC file (sudo vi /usr/local/www/data/proxy.pac) and put the following in - make sure to change the IP to match your squid box:
function FindProxyForURL(url,host)
{
return "PROXY 192.168.1.1:3128";
}
Create the wpad.dat file as a link because some clients need it. This means you only have to edit one file:
sudo ln -s /usr/local/www/data/proxy.pac /usr/local/www/data/wpad.dat
Update the MIME type for wpad.dat to send the right type to the browser, by editing mime.conf. Add this line near the others:
"wpad.dat" => "application/x-ns-proxy-autoconfig",
Restart lighttpd to apply the changes
sudo service lighttpd restart
To make sure lighttpd will start on boot, install the Shellcmd package in the UI, and add the following command (type: shellcmd):
/usr/sbin/service lighttpd start
Check your work
$ curl -vvv http://10.0.0.1/proxy.pac
* Trying 10.0.0.1...
* TCP_NODELAY set
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)
> GET /proxy.pac HTTP/1.1
> Host: 10.0.0.1
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/x-ns-proxy-autoconfig
< Accept-Ranges: bytes
< ETag: "3644651125"
< Last-Modified: Wed, 07 Mar 2018 00:14:40 GMT
< Content-Length: 74
< Date: Wed, 07 Mar 2018 05:11:27 GMT
< Server: lighttpd/1.4.47
<
function FindProxyForURL(url,host)
{
return "PROXY 10.0.0.1:3128";
}
* Connection #0 to host 10.0.0.1 left intact
The key things you’re looking for are the Content-Type headers and making sure your file comes back. :)
Update (2018-04-03) - added shellcmd note for on-boot lighttpd.
Update (2018-06-02) - Just a note - if you’re using the letsencrypt package, use /usr/local/www/data/.well-known/acme-challenge/ as the location for letsencrypt’s webroot, and allow the traffic through on the firewall. :)