WPAD HAProxy Section in Wiki

wiki.ipfire.org - Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC) shows lines in the config which might need to be adjusted in order to get it working.

I’ve changed

reqadd X-Forwarded-Proto:\ http


http-request add-header X-Forwarded-Proto http

The other one throws the warning “option httpchk : hiding headers or body at the end of the version string is deprecated. Please, consider to use ‘http-check send’ directive instead.”

option httpchk HEAD /wpad.dat HTTP/1.1\r\nHost:\

Is the first change I googled correct and how could I circumvent the warning?

I think it would be really useful if you could open a bug report. I would use this bug report as a model.

1 Like

Would you please be so kind and have a look upon the configuration code segments of haproxy.cfg.

Could this element:

backend wpad
  option httpchk HEAD /wpad.dat HTTP/1.1\r\nHost:\
  server ipfire check

be replaced by this one:

 backend wpad
  mode http
  option httpchk
  http-check send meth HEAD uri /wpad.dat ver HTTP/1.1 hdr Host
  http-check expect status 200
  server wpad check

Thank you for clarification.

The haproxy.cfg has the lin

Example configuration for a possible web application. See the
full configuration options online.

So you can change it to whatever is appropriate for your situation. It is only an example.

The haproxy.cfg is included in the backup files so any changes you make to it are maintained during any Core Updates.

1 Like

Sorry, again I’m referring to the haproxy wpad configuration as shown in iPFire’s Wiki “Web Proxy Auto-Discovery Protocol (WPAD)”.

haproxy stopped working after the recent updates due to the option httpchk line to be not supported any more.

I just want the initial lines of code work again. It would be of great help if someone could have a look upon that.

1 Like

@firewire , I’ve just edited the wiki page.
Is it okay now?
You can edit it your own. The credentials are the same as for the community.


@bbitsch Bernhard, do you know what the section

Firewall Rule


was meant to be? Another way to distribute the proxy setting using the firewall? I was always a bit puzzled by that.

@cfusco , no.
I never thought about it, because the distribution with DHCP is functioning for me.

That section was in the wiki page when it was first created in 2019.

Maybe the creator of that page, @starkstromkonsument , can provide some input on what was intended with that section or if that section should now be removed.

1 Like

Possibly @starkstromkonsument wanted to explain how to change the firewall so that the wpad file was accessible also from the red interface. Just a guess.

EDIT: no, in the document it is expressly said that you could serve the wpad to browsers in 3 ways: 1) vhost in apache; 2) a reverse proxy using HAProxy and 3) with rule(s) in the firewall. I cannot imagine how is it possible. Forward the traffic from port 80 to port 81?

According to various documentation I found I understood so far that both DHCP and DNS based proxy.pac/wpad.dat need to be served in order to allow automatic proxy recognition under various circumstances. This is referenced in the wiki by

“In some cases, the supplies of the DHCP server could be ignored.”

My understanding is that e.g. in Windows there are various basic API technologies which need to be configured; that is, as eg. depicted in this link WinHTTP and WinINet (and so on).

According to the table here Firefox does not support DHCP based WPAD distribution …

… however, when activating proxy setting “Auto detect” rather than “Operating system”, both DNS and DHCP based wpad distributions seem to work (tested this by alternatively stopping DNS and DHCP based distribution services, finally stopping both of them which naturally disabled proxifying the client).

So the wiki shows two different versions of wpad distribution as I understood; the simpler one for one subdomain with Apache vhost and the more complex option with haproxy for multi domain.

So, in this discussion, the Wiki would make sense to me with all these options.

Off-Topic: However, the root cause for my digging is that my Microsoft Store, which uses WinHTTP, has (again) stopped working with automatic proxy detection enabled in Windows 11. When configuring the proxy manually, it works.

1 Like

Hello all together,

I’ll try to remember what my motivation was back in 2019. As I had to move away from IPFire, I’m not using / maintaining this anymore and my memories fade …

First off all: when you only distribute your WPAD-Config via DHCP, it works almost out of the box, because you can specify the port in the DHCP config option.

Using DNS-Distribution requires you to serve the files on port 80. As I had haproxy already up and running for my public services anyway, I chose this way to do it. Of course only for the internal interfaces, as you can see in the specified acl’s.

And for the section “Firewall Rule”: I simply never managed to write a text and provide a proper screenshot for it (Forward Port 80 → 81). And no, not for the red interface :wink:

This should do the trick:

  • Source: your internal network (you need one rule per zone!)
  • NAT: disabled
  • Destination: Firewall (choose the Interface for the Zone)
  • Protocol: TCP / Source: 80 / Destination: 81

I hope this helps you. WPAD is kind of poorly documented in general.


@starkstromkonsument Alexander, thank you so much for the time you spent writing your knowledge in the wiki (this applies to all the earlier contributors and builders as well). I read your words so many times when I was setting up IPFire. From my point of view, you made a difference.

Having said that, your post here clarify all my questions. I will try to implement a set of rules based to your explanation and if I succeed I will complete that wiki page.

Best of luck with your present projects.

@starkstromkonsument EDIT: here is the link to the missing section. I would appreciate anyone testing that this rule works as intended.