iOS's Safari and iPFire Proxy

Hello, is it normal that an iOS device such as an iPhone circumvents the non transparent proxy, as seen by example with blacklisted sites?

I suspect that iOS tries to connect via proxy, and then, if not successful, it does somehow connect directly via 443/tcp to the target web site sucessfully anyway.

If I create a firewall rule which blocks 80/tcp and 443/tcp from blue to red, the proxie’s blacklists seems to work; anyhow, some http/s based applications other than browsers don’t work anymore, both on mobille devices and workstations, so this doesn’t seem to be an option.

Help very appreciated, thank you!

In case you did not do it, set up the WPAD and in ios settings for the wifi network, you can set the device in autodiscovery mode. When I had an ios device it worked well for me both for safari and for any app. If this does not solve the problem, I think maybe using apple configurator is the best way to go. You can also consider the possibility to put the device in supervised mode (in this case, backup the data) which introduces a global setting for proxy.

Regardless, you should block any connection in the firewall for port 80/443 and then one by one, identify the software that malfunctions and either try to convince it to use the proxy, or if impossible introduce an exception only for that machine in the firewall. Security is a gigantic headache, there is no way around it, but is much less expensive than the alternative.

Hi, thanks for clarifying. I’ve set up wpad and it seems to work as iPFire logs blacklisted site access in “URL filter logs” when surfing these with Safari on iOS, however, the page loads anyway with WPAD configured.

In case of “hard configuring” the proxy via IP and port (setting “manual” in iOS WLAN settings), Safari blocks blacklisted web sites correctly but some web related apps, e.g. Instagram, stop working as they can’t load content any more.

I’ve googled around the past days but wasn’t successful.

How about setting up an OpenVPN server and make your clients connect to it? Even in the blue zone of your lan you can have a OpenVPN tunnel. Maybe instagram app will then behave?

I did this to see if I could block the blue network from doing anything, including going to the red zone and connecting to the the DNS, the proxy and the IPFire machine, and it works. With a rule in the firewall I allow only the OpenVPN ip range to reach the proxy. In case you want to try, here some pointer.

In the configuration file for the clients (.ovpn) you identify the server with the local lan ip address of the IPFire machine (you can put in there the dns name pointning to the public IP too, if you want it reachable from internet ). Then you set up /var/ipfire/ovpn/scripts/server.conf.local with something like this (from my own setting):

#### Viscosity proxy setting for macbook ####
push "dhcp-option HTTPPROXY 10.1.1.1:800"
push "dhcp-option HTTPSPROXY 10.1.1.1:800"

### iOS proxy setting for the browser ###
push "dhcp-option PROXY_HTTP 10.1.1.1 800"
push "dhcp-option PROXY_HTTPS 10.1.1.1 800"

### iOS setting for internal network connection, see manpage --float ###
push "dhcp-option float"

To clarify my setting, you can push any string in there. It happens that I use as a client for my macbook Viscosity that accepts the DHCP option in a slightly different syntax compared to iOS.

Aside from your suggestion regarding OVPN I played around with iOS a bit and I wonder why when setting up eg. 192.168.1.1:800 for the green proxy on my iOS’s wirelesss network (on BLUE) everything works in contrast to using 192.168.2.1:800 for the blue proxy.

I’d really like to know what I need to configure to get the proxy working fine on BLUE. It seems to me it doesn’t have to do with wpad settings anyway.

A good hint would greatly be appreciated.

I need to ask, did you enable the blue network on the proxy settings?

1 Like

Yes, I did. Per accident I discovered some other problems I seem to have not just on iOS but also on Windows 11.

It appears that my proxy auto config file may not work with Windows Store and it’s apps, though it works with the browsers (e.g. Edge, Crome) as well as with Windows Update. Setting the proxy manually by

netsh winhttp set proxy 192.168.1.1:800

lets Windows Store work, too. Also, disabling Proxy Autoconfig in Windows 11 and adding the proxy manually leads to a working environment.

So I assume there is something with the WinHTTP Proxy Autodiscovery Service and my iPFire config for wpad.dat / proxy.pac.

I really have no clue what that could be as I did it just as described in the howtos. This is not satisfying, especially on BLUE, where the problem resides, too, as e.g. the laptop should be able to be flexible on different WLANs.

Okay. I redid some configs on the iPFire and the Windows 11 workstations (both on green and blue) work nicely now with proxy. So, sorry for breaking in with that topic.

What remains is that setting the BLUE proxy IP on iOS in the WLAN settings does not work, neither per wpad nor manually. Setting the GREEN proxy IP manually works well.

I think I will try the OpenVPN solution now you’ve suggested.

Used a different iPhone with iOS 14 and the proxy worked so far; well Youtube wasn’t working, but … the proxy worked with it’s blacklist as well as everything else.

Then found this: Safari 15 iOS Bypasses proxy.pac P… | Apple Developer Forums

[Edit]

According to here Apple Developer Documentation, Section “Depreciations”, iOS 15 doesn’t support HTTP URL schemes for PAC any more, just HTTPS.

Is this possible with iPFire?