Author Topic: HOWTO - Setup working wpad.dat with web gui on alternative port  (Read 20089 times)

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
HOWTO - Setup working wpad.dat with web gui on alternative port
« on: March 13, 2019, 10:47:09 am »
Problem

The default OPNsense auto proxy configuration is designed to work best with plain HTTP (port 80). As soon as you use a port redirect to HTTPS (443) you will run into problems, since
  • some auto proxy configuration mechanisms rely on HTTP
  • you may run into certificate issues (self-signed) with HTTPS
The best option is to provide wpad.dat via HTTP, so you can even restrict your web GUI port just to your admin PCs.

How to configure
  • redirect your web gui to https or other port
  • restrict this port to your admin pcs
  • install nginx web server
Configure nginx
  • Nginx: Configuration --> HTTP(S) --> Location
    • Description: WPAD
    • URL pattern: wpad.dat
    • Match type: Exact match ("=")
    • File system root: /usr/local/www

  • Nginx: Configuration --> HTTP(S) --> HTTP server

    • Listen port: 80
    • Server name: localhost
    • Location: WPAD
    • File system root: /usr/local/www

  • Nginx: Configuration --> General settings
    • Enable nginx: enabled
Now nginx will listen on port 80 and provide the original wpad.dat file created via gui.

DHCP and Unbound provide GUI options to enable WPAD support, but these options will (partially) create configuration entries that point to your (inaccessible) web GUI port. So we have to add those options manually instead.

Configure DHCP service
  • Services: DHCPv4: [Interface]

    • WPAD: unchecked
    • Additional Options:
      • Number: 252
      • Type: text
      • Value: http://[interface-ip]/wpad.dat

Configure Unbound
The A and AAAA records would already be right with the WPAD option, since these records cannot provide ports anyway, but there are also TXT records with port entries created that would be wrong. So we skip TXT records (not supported via gui) and just add A and AAAA records.

  • Services: Unbound DNS: General

    • Advanced: Show advanced options
    • WPAD Records: unchecked

  • Services: Unbound DNS: Overrides

    • Host: wpad
    • Domain: your [interface-domain]
    • Type: A or AAAA
    • IP: [interface ip]

Configure firewall
Add a rule that allows [interface net]:1024-65535 --> This firewall:80

With this configuration clients should be able to acquire a valid proxy configuration, either via DNS or via DHCP, over plain HTTP (port 80).
« Last Edit: March 14, 2019, 07:55:00 am by hbc »
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #1 on: March 13, 2019, 10:55:02 am »
You can move the file system root from the HTTP server to the location to make the rest of the web interface not available.
Logged

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #2 on: March 13, 2019, 05:08:11 pm »
You mean /usr/local/www/wpad.dat as root? One single file? That works? I thought the location match acts as the restriction. As you mentioned in one of my other posts, it should create 404s for other resources.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #3 on: March 13, 2019, 05:55:32 pm »
No, the normal www directory. The root is a directory from which the normalized path (the /wpad.dat) is relative. For example:

Root: /usr/local/www
URL: http://localhost/wpad.dat
Result: /usr/local/www/wpad.dat

The root can be set in locations and in HTTP servers in the plugin.
If it is set up for the location only, the main server is not affected and you can point it to an empty directory (or leave the default) so it won't deliver anything else. If your location does not set a root, it will use the one from the server. I hope this helps to understand the internals of nginx a bit.
Logged
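As an added illustration of the setup in the HOWTO and of fabian's point about setting the root on the location only, here is the plain nginx configuration equivalent to those GUI settings. This is example configuration, not the OPNsense nginx plugin's generated file; the empty server root (/var/empty) and the hostname wpad.example.lan are assumptions, /usr/local/www/wpad.dat is the file the GUI generates.

```nginx
# Added example: nginx equivalent of the HOWTO's GUI settings.
# Assumed values: /var/empty as the server-level root, wpad.example.lan as
# the WPAD hostname. /usr/local/www/wpad.dat is the GUI-generated file.

server {
    listen 80;
    listen [::]:80;
    server_name localhost wpad.example.lan;   # assumption: use your [interface-domain]

    # Server-level root points at an empty directory: a request for anything
    # other than /wpad.dat finds nothing here, so the rest of the web GUI
    # directory is never served on port 80.
    root /var/empty;

    # Exact match ("=") for /wpad.dat only. The root set in the location
    # overrides the server root; nginx appends the normalized URI to it, so
    # the file delivered is /usr/local/www/wpad.dat.
    location = /wpad.dat {
        root /usr/local/www;
        # .dat is not in nginx's default mime.types, so this type applies.
        default_type application/x-ns-proxy-autoconfig;
    }

    # Everything else is refused explicitly rather than falling through.
    location / {
        return 404;
    }
}
```

With the firewall rule from the HOWTO, only port 80 on this interface is reachable from the LAN, and only /wpad.dat is served on it.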

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #4 on: March 14, 2019, 07:56:59 am »
Ok, I see. There is another file system root option in the location. I added it and fixed the connection from server to location. When writing the HOWTO I missed that the WPAD location has to be chosen in the server settings.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #5 on: March 14, 2019, 08:15:48 am »
No problem, since the plugin is quite big, it is easy to overlook a config option.
Sometimes even I have to search for them.
Logged

ssbarnea

  • Newbie
  • *
  • Posts: 24
  • Karma: 0
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #6 on: April 14, 2019, 04:39:22 pm »
One related issue that I found is that if you disable redirection from 80->443 you lose the ability to load wpad from HTTP. See https://github.com/opnsense/core/issues/3416
Logged

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #7 on: April 14, 2019, 06:11:47 pm »
Quote from: ssbarnea on April 14, 2019, 04:39:22 pm
One related issue that I found is that if you disable redirection from 80->443 you lose the ability to load wpad from HTTP. See https://github.com/opnsense/core/issues/3416

For this reason, I wrote this HOWTO. No matter what port you use for webgui, WPAD will be provided via HTTP.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

rickygm

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #8 on: May 20, 2019, 10:52:42 pm »
Hi, the firewall rule does not apply, only 1 - 65535. What would be the correct rule?

Logged

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #9 on: May 21, 2019, 07:01:54 am »
Quote from: rickygm on May 20, 2019, 10:52:42 pm
Hi, the firewall rule does not apply, only 1 - 65535. What would be the correct rule?
The rule is correct. A range from 1024:65535 should work for source ports. But you can also just use "any"
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

rickygm

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #10 on: May 22, 2019, 01:04:01 am »
Quote from: hbc on May 21, 2019, 07:01:54 am
Quote from: rickygm on May 20, 2019, 10:52:42 pm
Hi, the firewall rule does not apply, only 1 - 65535. What would be the correct rule?
The rule is correct. A range from 1024:65535 should work for source ports. But you can also just use "any"

Hi, I made the change in the firewall rule, but I cannot test the wpad: nginx does not start. I see in the log that it says port 80 is in use, I think it's because of the GUI.

[emerg] 60602#100295: bind() to [::]:80 failed (48: Address already in use)
2019/05/21 17:02:51 [emerg] 60602#100295: still could not bind()

root     lighttpd   49720 5  tcp4   *:444                 *:*
root     lighttpd   49720 6  tcp6   *:444                 *:*
root     lighttpd   49720 7  tcp4   *:80                  *:*
root     lighttpd   49720 8  tcp6   *:80                  *:*

Is there some way to change port 80 of the GUI?

Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #11 on: May 22, 2019, 07:02:08 am »
In the administration page in the system section.
Logged

rickygm

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #12 on: May 23, 2019, 07:20:43 pm »
I already did, but still using port 80

Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #13 on: May 23, 2019, 11:36:33 pm »
You need to disable the web UI redirect rule.
Logged

rickygm

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
Re: HOWTO - Setup working wpad.dat with web gui on alternative port
« Reply #14 on: May 24, 2019, 12:41:15 am »
Excellent, later it needed a reboot of OPNsense, works great.
Logged
