  1. #1
    browolf

    wpad/pac or transparent proxy

    What do you use with guest wireless?

    We had transparent proxy but it didn't work with SSL. So I've spent ALL day making wpad/proxy.pac work only to discover whilst it works great with Windows laptops if you tick autodiscover box, it's not as useful with mobiles. iPhones need to put in the PAC URL, not sure about Android or BlackBerry.

    Transparent proxy worked better but no SSL was a problem..... /sigh

  2. #2
    DrCheese
    Aye, I'm stuck with the same issue for our public network. You can't transparently proxy SSL URLs as it would defeat the point if anyone could sit in the middle of an SSL connection.

    They suggest that you allow SSL URLs to go straight out to the web, but that kinda defeats the point in setting up a captive portal & is impossible anyway for us as you have to go out via the main proxy anyway, so you're back to the problems of having a .pac file.
    >.< It's annoying!

  3. #3
    browolf
    Quote, originally posted by DrCheese:
    Aye, I'm stuck with the same issue for our public network. You can't transparently proxy SSL URLs as it would defeat the point if anyone could sit in the middle of an SSL connection.

    They suggest that you allow SSL URLs to go straight out to the web, but that kinda defeats the point in setting up a captive portal & is impossible anyway for us as you have to go out via the main proxy anyway, so you're back to the problems of having a .pac file.
    >.< It's annoying!

    I've read you can get SSL through transparency to work by using a man-in-the-middle procedure but I'm wary of that idea.
    How do public Wi-Fi hotspots work... do they give you an actual internet IP address?

  4. #4

    We use Smoothwall for our Guest Wifi which does HTTPS filtering using transparent proxy. The only requirement is that the client is running Windows Vista and above, XP using Firefox/Chrome, newer iOS versions for iPhones/iPads etc. If the client isn't running that they can still access HTTP sites but not HTTPS sites.

  5. Thanks to Ashm from:

    tom_newton (28th February 2012)

  6. #5
    DrCheese
    Aye, I was afraid of that :P, having read that on an older post on this forum. I wouldn't mind Smoothwall to replace my own custom Dansguardian/Squid system but it's a question of £££. I'd be interested as to how it gets around the man-in-the-middle restriction tho.
    From what I remember, it's something to do with SNI (Server Name Indication)? I wonder how hard it would be to recreate that on other systems (i.e. I use pfSense for the captive portal at the moment).
    Last edited by DrCheese; 27th February 2012 at 09:14 PM.

  7. #6


  8. #7

    What are you trying to achieve? Filtering? Logging? Stopping usage without a password?

  9. #8
    browolf
    I'm gonna stick with pac. You can get around transparency with ssl_bump, i.e. "SQUID transparent SSL interception" (Dvas0004's Blog),
    but recompiling Squid is getting too crazy for my liking. pac is fairly flexible~

    Works with XP/Win7 if "Automatically detect settings" tickbox in IE is ticked
    Works with i-devices setting autodiscover WITH the URL http://servername/proxy.pac
    Most likely to work with Android + Opera mobile app + proxy settings
    Only BlackBerry won't work. Only works with transparent proxy. Doesn't support any other kind

  10. #9


    tom_newton
    Yes - we DO use SNI for non-MITM transparent filtering.

  11. #10
    DrCheese
    Aye :P I've arranged a trial of Smoothwall today to test this.
    I've been wanting to replace our proxy solution with Smoothwall for a while, we've just not had the money to do so until recently. Being able to scrap our custom solution that has its own issues and gaining the ability to do this will be a big bonus for us.

  12. #11
    browolf
    Seems to work better to use wpad.dat with iOS. It's the same file as proxy.pac.

  13. #12


    We use wpad and pac files.
    It works best in 99% of cases.
    Older Androids need transparent proxies though.


