Problem with WPAD excluded URLs

I am posting here, I hope that is OK: my Squid dies because of a domain added inside the section Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line):

Any idea why I get an error when I try to add an entire domain 'digicert.cn' in there?
For some reason the Chinese phones contact digicert.cn for the certificate validation process instead of digicert.com, and the URL Filter is set to block anything in the ccTLD .cn, so the proxy bypass seems the easiest way to avoid blocking CRL and OCSP validation for this certificate provider.

Creating Squid swap directories...    [ FAIL ]
Starting Squid Proxy Server...
2024/09/12 09:18:34| ERROR: aclIpParseIpData: Bad host/IP: 'digicert.cn' in 'digicert.cn', flags=0 : (-2) Name or service not known
2024/09/12 09:18:34| Not currently OK to rewrite swap log.
2024/09/12 09:18:34| storeDirWriteCleanLogs: Operation aborted.
2024/09/12 09:18:34| FATAL: Bungled /etc/squid/squid.conf line 87: acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
2024/09/12 09:18:34| Squid Cache (Version 6.9): Terminated abnormally.    [  OK  ]

Late edit: this UI section (Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line):) does nothing: the wpad.dat is not modified (its last-modified date is way back in time).

So I had to edit wpad.dat manually…

Did you press the Save and Restart button after adding the excluded URL into the box?

I just added digicert.cn into the excluded URLs section on my IPFire and it worked for me. It ended up in my wpad file.

Yes, I did - and the string “digicert.cn” was written inside /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl but not in wpad.dat.

I see that wpad.dat is a symlink to /srv/web/ipfire/html/proxy.pac.

So when I check the last-modified date of wpad.dat I see when the symlink was created, and that is when I installed CU186.

This is why I see a date way in the past for wpad.dat.

However, the content of proxy.pac does not change when I press Save and Reload in the UI…

Just tried it again and for me it is in that .acl file, but clicking on the wpad link also shows it present in that.

function FindProxyForURL(url, host)
{
    if (
        (isPlainHostName(host)) ||
        (isInNet(host, "127.0.0.1", "255.0.0.0")) ||
        (isInNet(host, "192.168.26.0", "255.255.255.0")) ||
        (isInNet(host, "192.168.27.0", "255.255.255.0")) ||
        (isInNet(host, "192.168.128.0", "255.255.255.0")) ||
        (shExpMatch(url, "digicert.cn")) ||
        (isInNet(host, "169.254.0.0", "255.255.0.0"))
    )
        return "DIRECT";

    else

    if (
        (isInNet(myIpAddress(), "192.168.26.0", "255.255.255.0")) ||
        (isInNet(myIpAddress(), "10.110.26.6", "255.255.255.252")) ||
        (isInNet(myIpAddress(), "10.110.26.2", "255.255.255.252"))
    )
        return "PROXY 192.168.26.254:800";
}

If the code is not doing that in your system then it must have got corrupted somehow.

Might be worth doing a hash comparison between the proxy.cgi code on your IPFire system and the same code in the git repo for CU187 (I am presuming you are on CU187).

The last official change to proxy.cgi code was done in January this year.

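Before relying on the generated PAC, it is worth evaluating it offline the way a browser would. The block below is an added example, not code from the thread or from IPFire: it re-implements the four PAC built-ins the FindProxyForURL() quoted above depends on (myIpAddress, isPlainHostName, isInNet, shExpMatch) with one simplification, namely that isInNet() only accepts literal dotted-quad hosts rather than resolving names, then runs the quoted function against a few constructed requests. The client addresses and URLs are assumptions chosen to exercise each branch.

```javascript
// Added example: a tiny PAC runtime for Node so the proxy.pac that IPFire
// writes can be exercised offline before clients pick it up. Not code from
// the thread or from IPFire; the helpers below re-implement PAC built-ins.

let clientAddress = "192.168.26.10";   // assumed client IP, swapped per call

function myIpAddress() { return clientAddress; }

function isPlainHostName(host) { return !host.includes("."); }

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// isInNet(host, net, mask): true when host (a dotted quad) lies in net/mask.
// Simplification: a browser would resolve a hostname first; here a
// non-literal host is simply "not in net".
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// shExpMatch(): shell-style glob with * and ? only, anchored at both ends,
// so the pattern must describe the WHOLE string it is compared with.
function shExpMatch(str, shexp) {
  const body = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

// The FindProxyForURL() posted in the thread, verbatim apart from quoting.
function FindProxyForURL(url, host)
{
  if (
    (isPlainHostName(host)) ||
    (isInNet(host, "127.0.0.1", "255.0.0.0")) ||
    (isInNet(host, "192.168.26.0", "255.255.255.0")) ||
    (isInNet(host, "192.168.27.0", "255.255.255.0")) ||
    (isInNet(host, "192.168.128.0", "255.255.255.0")) ||
    (shExpMatch(url, "digicert.cn")) ||
    (isInNet(host, "169.254.0.0", "255.255.0.0"))
  )
    return "DIRECT";
  else
    if (
      (isInNet(myIpAddress(), "192.168.26.0", "255.255.255.0")) ||
      (isInNet(myIpAddress(), "10.110.26.6", "255.255.255.252")) ||
      (isInNet(myIpAddress(), "10.110.26.2", "255.255.255.252"))
    )
      return "PROXY 192.168.26.254:800";
}

// Evaluate the PAC for one request as seen from a client at clientIp.
// Returns the PAC verdict, or "UNDEFINED" when the function falls off the
// end (there is no final return for clients outside the listed subnets).
function decide(url, host, clientIp) {
  clientAddress = clientIp;
  const verdict = FindProxyForURL(url, host);
  return verdict === undefined ? "UNDEFINED" : verdict;
}

// Constructed requests (assumed addresses). Note that shExpMatch(url,
// "digicert.cn") compares the bare domain against the full URL, so it can
// never match; a wildcard form such as "*digicert.cn*" is what matches.
const CASES = [
  ["http://crl.digicert.cn/x.crl", "crl.digicert.cn", "192.168.26.10"],
  ["http://intranet/",             "intranet",        "192.168.26.10"],
  ["http://192.168.27.5/",         "192.168.27.5",    "192.168.26.10"],
  ["http://example.com/",          "example.com",     "10.110.26.5"],
  ["http://example.com/",          "example.com",     "172.16.0.5"],
];

for (const [url, host, ip] of CASES) {
  console.log(`${ip} -> ${url}: ${decide(url, host, ip)}`);
}
```

Running this shows the first request still going to PROXY 192.168.26.254:800, because a bare domain is not a glob for a whole URL; the same function with the entry written as a wildcard pattern returns DIRECT. It also surfaces that a client outside the three listed subnets gets no verdict at all.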
One problem solved: the problem was the ownership of /srv/web/ipfire/html/proxy.pac.
I set the ownership of the above file to nobody:nobody and now the UI does write the content into it.

BUT!
Squid does not start if I add 'digicert.cn' in the Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line): section.

Second problem detected and solved by editing squid.conf: when the Save, Save and Reload or Save and Restart buttons are used from proxy.cgi, the script incorrectly assumes that what is inside the section Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC), Excluded URLs (one per line): are sources and tries to use them as a src ACL.

Copied from squid.conf after using any of the Save buttons from proxy.cgi:

#Proxy bypass for some IP and some URL
acl DST_NOPROXY_IP src "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"
acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
always_direct allow DST_NOPROXY_IP DST_NOPROXY_URL

Those lines in squid.conf must be using destinations (the names of the files suggest that inside them are destinations and not sources): dst_noproxy_ip.acl and dst_noproxy_url.acl.

So it makes sense to use acl dstdomain for dst_noproxy_url.acl and acl dst for dst_noproxy_ip.acl.

Like this, and now Squid starts!

#Proxy bypass for some IP and some URL
acl DST_NOPROXY_IP dst "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"
acl DST_NOPROXY_URL dstdomain "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"
always_direct allow DST_NOPROXY_IP DST_NOPROXY_URL

The buttons are working fine for me as they were designed to work and squid starts fine.

If the Proxy WUI buttons are not working for you then there is still something wrong somewhere in your code or in permissions or in ownerships.

As you had these lines in your squid.conf, you must have entered them, either directly or by putting them in /var/ipfire/proxy/advanced/acls/include.acl, in which case they are in squid.conf in the section that starts and ends with

#Start of custom includes

#End of custom includes

The proxy.cgi code takes the dst_noproxy_ip.acl and dst_noproxy_url.acl files and only places their content into the WPAD file. It does not enter those ACLs into the squid.conf file.

Your modification to the squid.conf file is a risky one because if you ever press any of the buttons in the Web Proxy WUI then the file will be overwritten. As it mentions in the wiki and at the top of the squid.conf file, you should place any additional ACLs you desire to use in the include.acl file, but for the No Proxy option you don't need to do that because it is built in to the wpad & pac files. I have it working like that for my system with the proxy bypassed for a certain URL and I don't have those dst_noproxy_url entries in my squid.conf at all.

https://www.ipfire.org/docs/configuration/network/proxy/extend/conf_edit

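Two things in this thread can be checked offline before Squid is restarted: the src versus dst/dstdomain question from the squid.conf edit a few posts up, and the custom-includes splice described in the post above. The block below is an added example, not code from IPFire's proxy.cgi or from the thread. It assumes constructed contents for the two list files, models Squid's ACL entry rules for just three ACL types (src, dst, dstdomain), and uses a naming heuristic (a dst_* file read by a src ACL) that is this example's own, not an IPFire rule.

```javascript
// Added example, not code from IPFire's proxy.cgi or from the thread.
//  1. lintAclLine(): does each entry of a file-backed ACL fit the ACL type
//     that reads it? Squid resolves a hostname given to a `src`/`dst` ACL
//     while parsing squid.conf and aborts startup when the lookup fails
//     (the "aclIpParseIpData: Bad host/IP" FATAL in the log), whereas
//     `dstdomain` takes domain names and never resolves them.
//  2. spliceCustomIncludes(): a model of include.acl being copied into
//     squid.conf between the "#Start of custom includes" and
//     "#End of custom includes" markers, to predict what a WUI Save writes.

const IPV4_OR_CIDR = /^\d{1,3}(\.\d{1,3}){3}(\/(\d{1,2}|\d{1,3}(\.\d{1,3}){3}))?$/;
const DOMAIN = /^\.?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/i;

// What each ACL type matches and which literal forms it accepts (subset of
// Squid's rules). "warn" marks a hostname in src/dst: legal, but resolved
// at parse time, and it compares the wrong thing for a destination list.
const ACL_TYPES = {
  src:       { matches: "client address", ip: true,  domain: "warn" },
  dst:       { matches: "server address", ip: true,  domain: "warn" },
  dstdomain: { matches: "requested host", ip: false, domain: "ok"   },
};

// Constructed contents standing in for the two IPFire list files.
const FILES = {
  "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl":  "192.168.26.5\n10.110.26.0/30\n",
  "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl": "digicert.cn\n",
};

// Parse one `acl NAME TYPE "file"` line and check every entry in the file.
// Returns { name, type, problems }; problems is [] when the line is clean.
function lintAclLine(line, files = FILES) {
  const m = /^acl\s+(\S+)\s+(\S+)\s+"([^"]+)"\s*$/.exec(line.trim());
  if (!m) throw new Error("not a file-backed acl line: " + line);
  const [, name, type, path] = m;
  const rules = ACL_TYPES[type];
  if (!rules) return { name, type, problems: [{ entry: type, level: "error", msg: "unsupported acl type" }] };

  const problems = [];
  const entries = (files[path] ?? "").split("\n")
    .map((e) => e.trim()).filter((e) => e && !e.startsWith("#"));
  for (const entry of entries) {
    if (IPV4_OR_CIDR.test(entry)) {
      if (!rules.ip) problems.push({ entry, level: "error", msg: `${type} takes domain names, not addresses` });
    } else if (DOMAIN.test(entry)) {
      if (rules.domain === "warn") problems.push({ entry, level: "warn",
        msg: `${type} resolves this name when squid.conf is parsed and aborts if that fails; use dstdomain` });
    } else {
      problems.push({ entry, level: "error", msg: "neither an IPv4 address/CIDR nor a domain name" });
    }
  }
  // Heuristic (this example's own): a dst_* list describes destinations, so
  // reading it through a src ACL compares it against the client address.
  if (/\/dst_[^\/]*$/.test(path) && type === "src") {
    problems.push({ entry: path, level: "warn", msg: "destination list read as a src (client) ACL" });
  }
  return { name, type, problems };
}

// Replace whatever sits between the two marker lines with include.acl.
// Throws if the markers are missing so a damaged squid.conf is not silently
// rewritten; running it twice with the same include is a no-op.
function spliceCustomIncludes(squidConf, includeAcl) {
  const lines = squidConf.split("\n");
  const s = lines.indexOf("#Start of custom includes");
  const e = lines.indexOf("#End of custom includes");
  if (s < 0 || e < 0 || e < s) throw new Error("custom include markers missing or out of order");
  const body = includeAcl.replace(/\n+$/, "");
  return [...lines.slice(0, s + 1), ...(body ? body.split("\n") : []), ...lines.slice(e)].join("\n");
}

// The two variants from the thread: as first found, and as fixed.
const AS_FOUND = [
  'acl DST_NOPROXY_IP src "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"',
  'acl DST_NOPROXY_URL src "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"',
];
const FIXED = [
  'acl DST_NOPROXY_IP dst "/var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl"',
  'acl DST_NOPROXY_URL dstdomain "/var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl"',
];

function formatProblems(problems) {
  return problems.length ? problems.map((p) => `${p.level}: ${p.entry}: ${p.msg}`).join("; ") : "ok";
}

for (const line of [...AS_FOUND, ...FIXED]) {
  const r = lintAclLine(line);
  console.log(`${r.name} (${r.type}): ${formatProblems(r.problems)}`);
}
```

The lint reproduces the failure from the log as a warning on the digicert.cn entry of the src line and reports both fixed lines as clean. Because the WUI regenerates squid.conf on every Save, anything hand-edited outside the custom-includes block is lost on the next click, which is why the splice models only that block.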
The WPAD does solve it for machines that use WPAD…
But for machines that are not using WPAD the problem still exists: the transparent proxy will capture their HTTP traffic.

So WPAD solves it only for a portion of the machines…

About those custom lines: why does the WUI change them?
Those are in the section you mentioned: between
#Start of custom includes

#End of custom includes

Still, WUI changes them…

That can’t be. The lines between

#Start of custom includes

#End of custom includes

are taken from the include.acl file.

Are you saying that the contents of include.acl do not match the lines between the Start and End of the custom includes?

The section you complained about being modified: is this in the custom includes section of your squid.conf file?

All the cgi code does is copy what is in include.acl to that section.

I have checked my custom include section in squid.conf and it matches exactly what I put in include.acl

You are right: the lines inside squid.conf are inserted by the WUI from that include.acl (which was last modified in 2022, so it comes from a backup-restore process I used on this new HW after installing Core 186 from scratch).

Problem solved: editing the very old content of /var/ipfire/proxy/advanced/acls/include.acl and after that pressing "Reload" in the WUI does refresh the squid.conf section you mentioned.

Thanks!

Glad you got it resolved.