
Web Proxy Auto-Discovery Protocol (WPAD) support using Nginx

How to add WPAD support for a domain with both IPv4 and IPv6 addressing.

Prerequisites:

  • DNS infrastructure for the domain
  • A Squid web proxy
  • An Nginx web server to serve wpad.dat

Out of scope

DNS

Internal authoritative DNS is provided by NSD (split horizon DNS is implemented using two instances of NSD). This configuration will support DNS autoconfiguration with:

  • A records
  • Service records
  • Text service records

Add the following DNS records to the lucidsolutions.co.nz internal zone file:

wpad               IN A     10.20.7.2
wpad               IN AAAA  2001:4428:225:7::2
@                  IN       TXT     "service: wpad:http://wpad.lucidsolutions.co.nz:80/wpad.dat"
wpad.tcp           IN       SRV     0 0 80 wpad.lucidsolutions.co.nz.   ; trailing dot: target is fully qualified

Note: The Squid proxy is in the DNS with the name

Nginx

Nginx is used to serve the wpad.dat configuration file. This requires:

  • configuring nginx
  • creating the wpad.dat file

Warning: As clearly documented, the ability of WPAD clients to set the HTTP Host header correctly is marginal at best. Although I tried to use a 'wpad' virtual host to serve the content, it must also be available on:

  • the default host (i.e. the host header not set)
  • the 'wpad' host (but without a domain)
  • the full host name as specified by the DNS A, SRV, and TXT service records

Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, WinHTTP and WinINET in Internet Explorer 6 and earlier send a "Host: <IP address>" header and IE7+ and Firefox send a "Host: wpad" header. Therefore, it is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own.

Nginx Configuration

Create a configuration file for the Nginx server to serve files for the 'wpad.lucidsolutions.co.nz' virtual host. The main nginx.conf file will include this from within a 'server {}' block with the statement 'include /etc/nginx/conf.d/*.conf;'.  The configuration:

  • sets the content type
  • has the virtual host name 'wpad' as well as FQDN virtual host
  • listens on http only (no https)
  • has its own log file
  • has a content tree for the wpad.dat file ('/var/www/html/wpad.lucidsolutions.co.nz')

#
#  Web Proxy Auto-Discovery Protocol (WPAD)
#
#  see http://wiki.nginx.org/WSUSProxy
#  see http://en.wikipedia.org/wiki/Proxy_auto-config
#  see http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
#
types {
    application/x-ns-proxy-autoconfig     dat;
}

server {
    listen       [::]:80;
    server_name  wpad.lucidsolutions.co.nz wpad;

    access_log  /var/log/nginx/wpad.lucidsolutions.co.nz.access.log  main;

    location / {
        # The only content is wpad.dat
        root /var/www/html/wpad.lucidsolutions.co.nz;
    }
}

Within the Nginx 'default' server configuration add a location alias. Ideally this could be a permanent redirect, but I suspect clients that can't set the Host header correctly won't be able to follow a redirect (and set the Host header). Instead of directly serving the wpad.dat file with an alias directive, I proxied it to the 'wpad' server configuration so that all requests can be logged in one place. With Nginx v0.8.53 it was not possible to proxy_pass to the IPv6 localhost address (i.e. proxy_pass http://[::1]:80;), so I used localhost, which defaults to IPv4.

server {
    listen       [::]:80 default_server;
    server_name  _ "";

    access_log  /var/log/nginx/default.access.log  main;

    location /wpad.dat {
        proxy_pass        http://localhost:80;
        proxy_set_header  Host       wpad;
        proxy_set_header  X-Real-IP  $remote_addr;
    }

    location / {
        root /var/www/html/default;
        index index.html;
    }
}

WPAD.DAT

The Nginx configuration above expects the 'wpad.dat' file to be located on the filesystem as '/var/www/html/wpad.lucidsolutions.co.nz/wpad.dat'. Below is a trivial wpad.dat configuration file that will only work for hosts inside the firewall and doesn't have any IPv6 support.

function FindProxyForURL(url, host) {

    // Loopback destinations never go through the proxy
    if (host == "localhost" ||
        host == "localhost.localdomain" ||
        host == "127.0.0.1") {
        return "DIRECT";
    }

    // All other requests go through the local squid proxy
    return "PROXY proxy.lucidsolutions.co.nz:3128; DIRECT";
}

Todo: work out how to match the IPv6 localhost address (i.e. http://[::1]/...)
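
One way to resolve the Todo above, as an added example that is not part of the original page: normalise the host before comparing it, then recognise every spelling of the IPv6 loopback address. It goes beyond the original file by also matching the whole 127.0.0.0/8 block; isLoopbackHost and isIPv6Loopback are hypothetical helper names, and it is an assumption that a client may pass the IPv6 literal either as "::1" or as "[::1]".

```javascript
// Added example (not from the original page). isLoopbackHost and
// isIPv6Loopback are hypothetical helper names.
// Assumption: the PAC engine may pass an IPv6 literal as "::1" or "[::1]".
function isIPv6Loopback(h) {
    if (!/^[0-9a-f:]+$/.test(h)) { return false; }
    var halves = h.split("::");
    if (halves.length > 2) { return false; }
    var groups = halves[0] ? halves[0].split(":") : [];
    if (halves.length === 2) {
        // Expand "::" into the run of zero groups it stands for
        var tail = halves[1] ? halves[1].split(":") : [];
        var missing = 8 - groups.length - tail.length;
        if (missing < 1) { return false; }
        while (missing-- > 0) { groups.push("0"); }
        groups = groups.concat(tail);
    }
    if (groups.length !== 8) { return false; }
    // Loopback is seven zero groups followed by a final group equal to 1
    for (var i = 0; i < 8; i++) {
        if (!/^[0-9a-f]{1,4}$/.test(groups[i])) { return false; }
        if (parseInt(groups[i], 16) !== (i === 7 ? 1 : 0)) { return false; }
    }
    return true;
}

function isLoopbackHost(host) {
    var h = String(host).toLowerCase();
    // Strip URL brackets around an IPv6 literal: "[::1]" -> "::1"
    if (h.charAt(0) === "[" && h.charAt(h.length - 1) === "]") {
        h = h.substring(1, h.length - 1);
    }
    if (h === "localhost" || h === "localhost.localdomain") { return true; }
    // IPv4 loopback: the whole 127.0.0.0/8 block in dotted-quad form
    var v4 = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
    if (v4) { return v4[1] <= 255 && v4[2] <= 255 && v4[3] <= 255; }
    return isIPv6Loopback(h);
}

function FindProxyForURL(url, host) {
    if (isLoopbackHost(host)) {
        return "DIRECT";
    }
    // All other requests go through the local squid proxy (name from the page)
    return "PROXY proxy.lucidsolutions.co.nz:3128; DIRECT";
}
```

The "; DIRECT" fallback is kept from the page's file; with it, clients connect directly whenever the proxy cannot be reached.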

Links

Appendices

Sample http get of wpad.dat to verify mime type. Note that the mime type is listed as 'application/x-ns-proxy-autoconfig'.
$ wget --no-proxy wpad.lucidsolutions.co.nz/wpad.dat
--2011-06-02 14:19:38--  http://wpad.lucidsolutions.co.nz/wpad.dat
Resolving wpad.lucidsolutions.co.nz... 10.20.7.2, 2001:4428:225:7::2
Connecting to wpad.lucidsolutions.co.nz|10.20.7.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 498 [application/x-ns-proxy-autoconfig]
Saving to: `wpad.dat'

100%[=======================================>] 498         --.-K/s   in 0s

2011-06-02 14:19:38 (29.7 MB/s) - `wpad.dat' saved [498/498]

Using IPv6

$ wget -6 --no-proxy wpad.lucidsolutions.co.nz/wpad.dat
--2011-06-02 14:18:44--  http://wpad.lucidsolutions.co.nz/wpad.dat
Resolving wpad.lucidsolutions.co.nz... 2001:4428:225:7::2
Connecting to wpad.lucidsolutions.co.nz|2001:4428:225:7::2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 498 [application/x-ns-proxy-autoconfig]
Saving to: `wpad.dat'

100%[=======================================>] 498         --.-K/s   in 0s

2011-06-02 14:18:44 (29.7 MB/s) - `wpad.dat' saved [498/498]

 
