Automatic distribution of the proxy settings

Back to proxy main Page


There are basically two ways to include a Proxy server in the configuration of the clients. On one hand, you can enter it manually in the browser or the operating system specific option. On the other hand, it can be defined transparently.

Both options have advantages and disadvantages, however their in depth discussion is outside the scope of this document. We are going only to mention here that If the Proxy operates in transparent mode there is usually no need to make adjustments on the client side, as the HTTP traffic goes through the Proxy automatically.

However, there are two trade offs to transparent proxy that should be evaluated when choosing whether using the manual configuration or not. First, with transparent proxy, you cannot configure exceptions. Unfortunately, there are sites that don't work properly if accessed through a proxy. This is exactly why you sometimes need exceptions. Second, the HTTPS protocol cannot work in transparent mode in IPfire.

Therefore if we don't want the Proxy to operate transparently, we need to resort to a manual configuration. However, opening every client configuration to enter the manual entries for the proxy and their exceptions could be very tedious. A much better way would be to automatically distribute to the clients the configuration directives at a central point (the IPFire appliance). Here we explain how to achieve this goal in the most efficient way possible.

Browser Support

The distribution can be be done via DHCP or via DNS.

Browser / Configuration DHCP DNS
Internet Explorer Y ?
Chrome Y ?
Firefox Y Y

The generated file

There is a proxy configuration script provided by IPFire by default. It can be found under:


For a system to use this script, there is the need to distribute it.
To achieve this, there are two possibilities which we arrange in the course of this guidance.

Distribution via DHCP-option

The first possibility is the distribution by DHCP options. Therefore we define the following option under the"network" tab in the"DHCP Server" configuration.

wpad code 252=text
wpad "http://[IPFireIP]:81/proxy.pac"

The result should read

Next example adding the wpad.dat to be distributed via DHCP-option too:
wpad "http://[IPFireIP]:81/wpad.dat"

Distribution via DNS and HTTP

In some cases, the supplies of the DHCP server could be ignored. However, most browsers will be able to detect the proxy configuration automatically. In such a case, the Browser/Program will search the URL:




for the WPAD-File.

There are different ways to provide this file. You can apply another http-vhost on port 80, a firewall-redirect-rule, an haproxy-frontend/backend or similar, which only has the proxy.pac and wpad.dat in his Webroot.

vhost for Apache

To distribute the WPAD-file using Apache http-vhost, we initially create the directory

mkdir /srv/web/ipfire/wpad

and subsequently we create also the file /etc/httpd/conf/vhosts.d/wpad.conf using the touch command

touch /etc/httpd/conf/vhosts.d/wpad.conf

and we populate /etc/httpd/conf/vhosts.d/wpad.conf with the following directives:

Listen 80
<VirtualHost *:80>
DocumentRoot "/srv/web/ipfire/wpad"
ServerName wpad.localdomain
ServerAlias wpad
Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
Alias /proxy.pac /srv/web/ipfire/html/proxy.pac

To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.

ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac

ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat

Afterwards we restart the Apache2 with:

/etc/init.d/apache restart

HAProxy Frontend & Backend

HAProxy is a load balancer available as an IPFire add-on.
The following code-snippets are examples for adding a WPAD-Backend to a multi-domain-frontend on Port 80:

This is not a complete config file for haproxy!

filename = /etc/haproxy/haproxy.cfg

# main frontend which proxys to the backends
frontend http
      bind :80
      http-request add-header X-Forwarded-Proto http

      # Logging
      capture request header host len 40

      # wpad
      acl is_wpad_domain hdr_beg(host) -i wpad.[localdomain] wpad [IPFireIP_on_green] [IPFireIP_on_blue]
      acl is_wpad_path path_reg ^/wpad.dat$ ^/proxy.pac$
      acl is_local_ip src [localsubnet/localsubnetmask]
      use_backend wpad if is_local_ip is_wpad_domain is_wpad_path

      # default
      default_backend no_match

# Backend: WPAD
backend wpad
  mode http
  option httpchk
  http-check send meth HEAD uri /wpad.dat ver HTTP/1.1 hdr Host
  http-check expect status 200
  server wpad check

# Backend: No Match
backend no_match
      http-request deny deny_status 400

Firewall Rule

FIXME explain port-forwarding rule for 80 --> 81 on the firewall interface of the zone WPAD should be enabled for.

Add a DNS-Host

Now an additional entry under "Edit Hosts" (findable under the tab "network" -> "Edit Hosts") named wpad with the IPFire-IP still has to be created,

to get the script under:

http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat

Configuring exceptions

The exceptions can be entered into the corresponding fields in the WebGUI of IPFire (Network --> Proxy --> WPAD). Please note:

  • Subnets are expected in the format / and not /24
  • URL's need to be entered completely or using wildcards (*).


The IPFire team would like to say thanks for this Wiki to WhyTea!

Back to proxy main Page