wpad.dat is served only on https when redirection is not enabled #3416

Closed
ssbarnea opened this issue Apr 14, 2019 · 5 comments
Labels
incomplete Issue template missing info

Comments

@ssbarnea

Documentation states that using automatic redirection from HTTP to HTTPS port can negatively impact the ability to load the wpad.dat file.

If the user disables the redirection, mainly allowing access to the web interface on both 80 and 443, something weird is happening regarding the wpad file: it seems to be returned only on the HTTPS port.

This works against the idea of making the wpad file available without HTTP in order to avoid errors related to self-signed certificates.

@AdSchellevis AdSchellevis added the incomplete Issue template missing info label Apr 14, 2019
@Kimotu

Kimotu commented Apr 26, 2019

I do not think it is weird behaviour, but works as configured. If you disabled the redirect from port 80 to 443, then port 80 is closed and the user is expected to connect directly to port 443.

But you are right that this prevents serving wpad.dat via HTTP as expected when using DNS for wpad (DHCP allows adding a port to option 252).
The same happens if you define an alternate port for the web gui or restrict access to the web gui to admin users.

For this reason I wrote this guide: HOWTO - Setup working wpad.dat with web gui on alternative port

The best would be to separate the web servers for wpad and web gui, as realized in my guide with a 2nd web server just for wpad. So the solution would be an alternate default port for the web gui while wpad will be served via port 80/http.

@AdSchellevis
Member

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

@glasid

glasid commented Jan 5, 2020

We would like to have the WebGUI redirected to port 443 and the wpad.dat file accessible via port 80 and port 443 simultaneously.

This can be achieved by omitting HTTPS redirects for the wpad.dat file in the webgui configuration script /usr/local/etc/inc/plugins.inc.d/webgui.inc.

According to the lighttpd mod_redirect documentation, short-circuiting the redirect rules without triggering a redirect is possible by specifying a blank target.

Hence, the redirect expression in the webgui configuration script /usr/local/etc/inc/plugins.inc.d/webgui.inc should be amended as follows:

    /* add HTTP to HTTPS redirect */
    if (
        $config['system']['webgui']['protocol'] == 'https' &&
        !isset($config['system']['webgui']['disablehttpredirect'])
    ) {
        $redirectport = $lighty_port != "443" ? ":{$lighty_port}" : '';
        foreach ($listeners as $listener) {
            if (is_ipaddrv6($listener)) {
                $listener = "[{$listener}]";
            }
            /* blank target: no redirect for wpad.dat, everything else goes to HTTPS */
            $lighty_config .= <<<EOD

    \$SERVER["socket"] == "{$listener}:80" {
        \$HTTP["host"] =~ "(.*)" {
            url.redirect = ( "^/wpad.dat" => "" ,
                             "^/(.*)" => "https://%1{$redirectport}/$1" )
        }
    }

    EOD;
        }
    }

I would be more than happy if this issue can be reopened.

Many thanks.
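
Added example, not part of the thread or the OPNsense code base: a small Python model of the first-match rule order described in the comment above, reporting which request paths stay on plain HTTP under the posted rule list. The host name, the sample paths and the stricter pattern `^/wpad\.dat$` are assumptions introduced here for comparison.

```python
import re

# Model of the mod_redirect behaviour described in the comment: rules are tried
# in order, the first matching pattern wins, and a blank target stops rule
# processing without sending a redirect. "$1" refers to the URL pattern,
# "%1" to the enclosing $HTTP["host"] =~ "(.*)" condition.
HOST_RE = re.compile(r"(.*)")

# Rule list as posted in the comment, with an empty $redirectport (GUI on 443).
POSTED_RULES = [(r"^/wpad.dat", ""), (r"^/(.*)", "https://%1/$1")]

# Assumption (not from the thread): escaped dot and end anchor, for comparison.
STRICT_RULES = [(r"^/wpad\.dat$", ""), (r"^/(.*)", "https://%1/$1")]


def redirect_target(rules, host, path):
    """Return the Location value, or None if the request is answered over HTTP."""
    host_match = HOST_RE.search(host)
    for pattern, target in rules:
        url_match = re.search(pattern, path)
        if url_match is None:
            continue
        if target == "":
            return None  # blank target: short-circuit, no redirect

        def substitute(ref):
            source = url_match if ref.group(1) == "$" else host_match
            return source.group(int(ref.group(2)))

        return re.sub(r"([$%])(\d)", substitute, target)
    return None


def served_over_http(rules, host, paths):
    """List the paths that are NOT redirected to HTTPS under the given rules."""
    return [p for p in paths if redirect_target(rules, host, p) is None]


# Constructed sample requests (not taken from any real log).
SAMPLE_HOST = "fw.example.test"
SAMPLE_PATHS = ["/wpad.dat", "/index.php", "/wpad.dat.bak", "/wpadXdat/page"]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("strict", STRICT_RULES)):
        print(name, served_over_http(rules, SAMPLE_HOST, SAMPLE_PATHS))
```

With the posted pattern, every path that begins with `/wpad`, any one character, then `dat` is exempted from the redirect, not only `/wpad.dat`; the anchored pattern limits the exemption to that one file.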

@johannesfranken

Hi @AdSchellevis, I would appreciate you reopening this issue and accepting the patch provided by @glasid

@AdSchellevis
Member

@johannesfranken best open a PR if you want to merge some feature, although I'm not sure if this specific change will make it into the release.
