  1. #1
    browolf's Avatar
    Join Date
    Jun 2005
    Location
    Mars
    Posts
    1,524
    Thank Post
    106
    Thanked 88 Times in 74 Posts
    Blog Entries
    46
    Rep Power
    40

    wpad/pac or transparent proxy

    What do you use with guest wireless?

    We had transparent proxy but it didn't work with SSL. So I've spent ALL day making wpad/proxy.pac work, only to discover that whilst it works great with Windows laptops if you tick the autodiscover box, it's not as useful with mobiles. iPhones need to put in the PAC URL; not sure about Android or BlackBerry.

    Transparent proxy worked better but no SSL was a problem..... /sigh

  2. #2
    DrCheese's Avatar
    Join Date
    Apr 2008
    Posts
    1,023
    Thank Post
    97
    Thanked 158 Times in 107 Posts
    Rep Power
    58
    Aye, I'm stuck with the same issue for our public network. You can't transparently proxy SSL URLs as it would defeat the point if anyone could sit in the middle of an SSL connection.

    They suggest that you allow SSL URLs to go straight out to the web, but that kinda defeats the point in setting up a captive portal & is impossible anyway for us as you have to go out via the main proxy anyway, so you're back to the problems of having a .pac file.
    >.< It's annoying!

  3. #3
    browolf's Avatar
    Quote: Originally Posted by DrCheese
    Aye, I'm stuck with the same issue for our public network. You can't transparently proxy SSL URLs as it would defeat the point if anyone could sit in the middle of an SSL connection.

    They suggest that you allow SSL URLs to go straight out to the web, but that kinda defeats the point in setting up a captive portal & is impossible anyway for us as you have to go out via the main proxy anyway, so you're back to the problems of having a .pac file.
    >.< It's annoying!

    I've read you can get SSL through transparency to work by using a man-in-the-middle procedure but I'm wary of that idea.
    How do public Wi-Fi hotspots work... do they give you an actual internet IP address?

  4. #4

    Join Date
    Oct 2007
    Location
    Northamptonshire
    Posts
    310
    Thank Post
    20
    Thanked 80 Times in 68 Posts
    Rep Power
    43
    We use Smoothwall for our Guest Wifi which does HTTPS filtering using transparent proxy. The only requirement is that the client is running Windows Vista and above, XP using Firefox/Chrome, newer iOS versions for iPhones/iPads etc. If the client isn't running that they can still access HTTP sites but not HTTPS sites.

  5. Thanks to Ashm from:

    tom_newton (28th February 2012)

  6. #5
    DrCheese's Avatar
    Aye, I was afraid of that :P, having read that on an older post on this forum. I wouldn't mind Smoothwall to replace my own custom Dansguardian/Squid system but it's a question of . I'd be interested as to how it gets around the man in the middle restriction tho.
    From what I remember, it's something to do with SNI? (Server Name Indication) I wonder how hard it would be to recreate that on other systems (i.e. I use pfSense for the captive portal at the moment)
    Last edited by DrCheese; 27th February 2012 at 08:14 PM.

  7. #6


  8. #7

    Join Date
    Jan 2007
    Location
    Nottinghamshire
    Posts
    530
    Thank Post
    1
    Thanked 84 Times in 58 Posts
    Rep Power
    38
    What are you trying to achieve? Filtering? Logging? Stopping usage without a password?

  9. #8
    browolf's Avatar
    I'm gonna stick with PAC. You can get around transparency with ssl_bump, i.e. "SQUID transparent SSL interception" (Dvas0004's Blog),
    but recompiling Squid is getting too crazy for my liking. PAC is fairly flexible~

    Works with XP/Win7 if the "Automatically detect settings" tickbox in IE is ticked
    Works with i-devices, setting autodiscover WITH the URL http://servername/proxy.pac
    Most likely to work with Android + Opera mobile app + proxy settings
    Only BlackBerry won't work. It only works with transparent proxy and doesn't support any other kind
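
A PAC file of the kind discussed in the post above, as an added example that is not part of the original thread. The proxy and portal host names are hypothetical; the point it shows is that https:// URLs are sent to the explicit proxy too, which is what removes the transparent-proxy SSL problem.

```javascript
// Added example PAC file; the same content can be served as proxy.pac and wpad.dat.
// Hypothetical names: proxy.guest.example:3128 and portal.guest.example.
// Written in old-style JavaScript because some PAC engines predate ES6.
var PROXY = "PROXY proxy.guest.example:3128";
var DIRECT_HOSTS = ["portal.guest.example", "proxy.guest.example"];

// True for dotted-quad literals in RFC 1918 or loopback space (no DNS lookup).
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and private literals are local: never send to the proxy.
  if (host.indexOf(".") === -1 || isPrivateLiteral(host)) return "DIRECT";
  // The captive portal and the server hosting this file must be reachable directly.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  // Everything else, http:// and https:// alike, goes to the explicit proxy.
  // For https:// the browser sends CONNECT host:443, so the proxy can filter
  // on host name without intercepting TLS. No "; DIRECT" fallback: if the
  // proxy is down, guests fail closed instead of bypassing the filter.
  return PROXY;
}
```

A PAC file is only advice to the client, so the guest network's firewall still has to block direct outbound ports 80 and 443 for the filter to be enforced. Serve the file with the MIME type `application/x-ns-proxy-autoconfig`.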

  10. #9


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,461
    Thank Post
    866
    Thanked 845 Times in 667 Posts
    Rep Power
    195
    Yes - we DO use SNI for non-MITM transparent filtering.
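
How a transparent filter can make a decision from SNI without decrypting anything, as an added example that is not part of the original posts and is not Smoothwall's code. It assumes the whole ClientHello arrives in one TLS record, runs under Node.js, and uses a constructed sample message; the "block when SNI is missing" policy is an assumption that mirrors the behaviour described earlier in the thread for older clients.

```javascript
function u16(n) { var b = Buffer.alloc(2); b.writeUInt16BE(n, 0); return b; }
// Returns the host name from the server_name extension, or null if absent/malformed.
function extractSni(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;   // record type 0x16 = handshake
  var p = 5, end = Math.min(buf.length, 5 + buf.readUInt16BE(3));
  if (p + 4 > end || buf[p] !== 0x01) return null;      // handshake type 0x01 = ClientHello
  p += 4 + 2 + 32;                                      // header, client_version, random
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                      // session_id
  if (p + 2 > end) return null;
  p += 2 + buf.readUInt16BE(p);                         // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                      // compression_methods
  if (p + 2 > end) return null;                         // no extensions block, so no SNI
  var extEnd = Math.min(end, p + 2 + buf.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    var type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
    p += 4;
    if (p + len > extEnd) return null;
    if (type === 0) {                                   // extension 0 = server_name
      if (len < 5 || buf[p + 2] !== 0) return null;     // name_type 0 = host_name
      var n = buf.readUInt16BE(p + 3);
      if (5 + n > len) return null;
      return buf.toString("ascii", p + 5, p + 5 + n).toLowerCase();
    }
    p += len;
  }
  return null;
}

// Policy assumed for this example: no SNI means the filter cannot classify, so block.
function decide(buf, blockedHosts) {
  var host = extractSni(buf);
  if (host === null) return "block-no-sni";
  return blockedHosts.indexOf(host) !== -1 ? "block" : "allow";
}

// Constructed sample ClientHello (not a capture); an empty host omits the extension.
function buildClientHello(host) {
  var name = Buffer.from(host, "ascii");
  var exts = host ? Buffer.concat([u16(0), u16(name.length + 5), u16(name.length + 3),
                                   Buffer.from([0]), u16(name.length), name]) : Buffer.alloc(0);
  var body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(32), Buffer.from([0]),
                            u16(2), Buffer.from([0x13, 0x01]), Buffer.from([1, 0]),
                            u16(exts.length), exts]);
  var hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}
```

The SNI value is supplied by the client and is not authenticated, so this is a filtering signal, not proof of which server the client reaches. Clients that encrypt the ClientHello do not expose the real name at all.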

  11. #10
    DrCheese's Avatar
    Aye :P I've arranged a trial of Smoothwall today to test this.
    I've been wanting to replace our proxy solution with Smoothwall for a while, we've just not had the money to do so until recently. Being able to scrap our custom solution that has its own issues and gaining the ability to do this will be a big bonus for us.

  12. #11
    browolf's Avatar
    Seems to work better to use wpad.dat with iOS. It's the same file as proxy.pac.

  13. #12


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    We use WPAD and PAC files.
    It works best in 99% of cases.
    Older Androids need transparent proxies though.
