{"id":19051,"date":"2020-07-29T16:58:50","date_gmt":"2020-07-29T20:58:50","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19051"},"modified":"2021-08-06T11:21:43","modified_gmt":"2021-08-06T15:21:43","slug":"simple-pac-file-pilot-testing-including-wpad","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2020\/07\/29\/simple-pac-file-pilot-testing-including-wpad\/","title":{"rendered":"Simple PAC File Pilot Testing (including WPAD)"},"content":{"rendered":"\n

In a network that’s isolated from the public internet, such as many enterprise networks, proxy servers are typically used to broker internet access for client computers. Configuring the client computers to use these proxies is often done via a Proxy Auto-Config (PAC) file<\/a>, code that steers requests so traffic for internal sites stays internal, and public sites go through the proxies.<\/p>\n\n\n\n

Commonly these PAC files are made available via Web Proxy Auto-Discovery Protocol (WPAD)<\/a> as well, because some systems need to automatically discover them. Specifically, in a Windows 10 environment which uses proxies, WPAD is needed because many components of Windows (including the Microsoft Store and Azure Device Registration) will not use the browser’s PAC file settings; it’s dependent on WPAD to find a path to the internet.<\/p>\n\n\n\n

WPAD is typically configured via DNS, with a hostname of wpad.companydomain.com (or anything in the DNS Search Suffix List) resolving to the IP of a webserver [1]. This server must then answer an HTTP request for http:\/\/x.x.x.x\/wpad.dat<\/code> (where x.x.x.x is the server’s IP) or http:\/\/wpad.company.com\/wpad.dat<\/code> with a PAC file, with a Content-Type<\/code> of x-ns-proxy-autoconfig<\/code> [2].<\/p>\n\n\n\n

Because WPAD requires DNS, something which can’t easily be changed for a subset of users, putting together a mechanism to perform a pilot deployment of a new PAC file can be a bit complicated. When attempting to perform a pilot deployment engineers will often send out a test PAC file URL to be manually configured, but this misses WPAD and does not result in a complete system test.<\/p>\n\n\n\n

In order to satisfy WPAD, one can set up a simple webserver to host the new PAC file and a DNS server to answer the WPAD queries. This DNS server forwards all requests except for those for the PAC file to the enterprise DNS, so everything else works as normal. Testing users then only need to change their DNS to receive the pilot PAC file and everything else will work the same; a true pilot deployment.<\/p>\n\n\n\n

Below I’ll detail how I use simplified configurations of Unbound<\/a> and nginx<\/a> to pilot a PAC file deployment. This can be done from any Windows machine, or with very minor config changes from something as simple as a Raspberry Pi<\/a> running Linux.<\/p>\n\n\n\n

[1] WPAD can be configured via DHCP, but this is only supported by a handful of Microsoft applications. DNS-based WPAD works across all modern OS’.<\/p>\n\n\n\n

[2] Some WPAD clients put the server’s IP in the Host: field of the HTTP request.<\/p>\n\n\n\n

DNS via Unbound<\/strong><\/p>\n\n\n\n

Unbound<\/a> is a DNS server that’s straightforward to run and is available on all modern platforms. It’s perfect for our situation where we need to forward all DNS queries to the production infrastructure, modifying only the WPAD\/PAC related queries to point to our web server. While it’s quite robust and has a lot of DNSSEC validation options, we don’t need any of that.<\/p>\n\n\n\n

This simple configuration forwards all requests to corporate Active Directory-based DNS’ (10.0.1.2 and 10.0.2.2) for everything except the PAC file servers. For these, pacserver.example.com<\/code> and wpad.example.com<\/code>, it’ll intercept the request and return our webserver’s address of 10.0.3.25.<\/p>\n\n\n\n

\n
\n

server:
interface: 0.0.0.0
access-control: 0.0.0.0\/0 allow
module-config: \"iterator\"

local-zone: \"wpad.example.com.\" static
local-data: \"wpad.example.com. IN A 10.0.3.25\"

local-zone: \"pacserver.example.com.\" static
local-data: \"pacserver.example.com. IN A 10.0.3.25\"

stub-zone:
name: \".\"
stub-addr: 10.0.1.2
stub-addr: 10.0.2.2<\/code><\/p>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n

This configuration allows recursive queries from any hosts, but by specifying one or more subnets using access-control<\/code> clauses to you can restrict from where it is usable. The stub-zone<\/code> clause to send all requests up to two DNS’. If these upstream DNS’ handle recursion for the client, the forward-zone<\/code> clause can be used instead.<\/p>\n\n\n\n

PAC File via nginx<\/strong><\/p>\n\n\n\n

For serving up the PAC file, both for direct queries and those from WPAD, we’ll use nginx<\/a>, a powerful but easy to use web server to which we can give a minimal config.<\/p>\n\n\n\n

Put a copy of your PAC file at \u2026\/html\/wpad.dat<\/code> under nginx’s install directory so the server can find it. (There is great information on writing PAC files at FindProxyForUrl.com<\/a>.)<\/p>\n\n\n\n

This simple configuration will set up a web server which serves all files as MIME type application\/x-ns-proxy-autoconfig<\/code>, offering up the wpad.dat<\/code> file by default (eg: http:\/\/pacserver.example.com) <\/a>or when directly referenced (eg: http:\/\/10.0.3.25\/wpad.dat<\/a> or http:\/\/wpad.example.com\/wpad.dat<\/a>), satisfying both standard PAC file and WPAD requests.<\/p>\n\n\n\n

events {
worker_connections 1024;
}

http {
default_type application\/x-ns-proxy-autoconfig;
sendfile on;
keepalive_timeout 65;

server {
listen 80;
server_name localhost;

location \/ {
root html;
index wpad.dat;
}
}
}<\/code><\/p>\n\n\n\n

Putting It All Together<\/strong><\/p>\n\n\n\n

With all the files in place and unbound and nginx running, you’re ready to go. Instruct pilot users to manually configure the new DNS, or push this setting out via Group Policy, VPN settings, or some other means. These users will then get the special DNS response for your PAC and WPAD servers, get the pilot PAC file from your web server, and be able to test.<\/p>\n","protected":false},"excerpt":{"rendered":"

In a network that’s isolated from the public internet, such as many enterprise networks, proxy servers are typically used to broker internet access for client…<\/p>\n

Continue readingSimple PAC File Pilot Testing (including WPAD)<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-19051","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=19051"}],"version-history":[{"count":10,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19051\/revisions"}],"predecessor-version":[{"id":19411,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19051\/revisions\/19411"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=19051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=19051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=19051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}