A proxy server can be useful to reduce the number of requests and the amount of data when browsing the internet, especially when the same content is downloaded repeatedly, like opening Facebook multiple times a day or downloading the same file frequently (updating multiple VMs).
Since I have a Synology NAS I wanted to experiment with a squid proxy and a zero-touch configuration for my clients using WPAD.
Step 1 – Squid proxy
First we need to install the squid proxy package on the Synology NAS. For that we need ipkg. If you haven’t installed ipkg yet, please install it first (link).
You can install the squid package with the command: ipkg install squid
Optionally you can change the size of the disk cache. By default the size of the cache is 100MB, which is not much, so I increased it to 4GB. The size of the cache is set by the cache_dir parameter in the file /opt/etc/squid/squid.conf. The third parameter (4096) is the size in megabytes.
Then we validate the configuration with squid -k parse and create the temp (or swap) directory with the command squid -z.
By default the startup script is not placed in the startup directory of Synology DSM, therefore we create a symbolic link: ln -s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/
And then we’re ready to start the squid daemon: /opt/etc/init.d/S80squid start
Congratulations! You now have an operational proxy server. All you have to do is configure your client to use the proxy server <fqdn-or-ip-address-of-your-nas>:3128
Step 2 – WPAD
If you don’t want to configure the FQDN or IP address and port number on each client you can use the Web Proxy Autodiscovery Protocol (WPAD). This is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Source: Wikipedia
WPAD uses a JavaScript file (named WPAD.DAT) that directs browsers to the correct proxy server. Since this is a JavaScript file some intelligence can be used, like excluding certain websites. In this case I’ll use a simple wpad configuration file which always directs the users to my freshly installed proxy server.
function FindProxyForURL(url, host) { return "PROXY 10.0.1.23:3128; DIRECT"; }
This file is stored in the root of the Apache server (installed by default): /volume1/web/wpad.dat
Next we need to add a MIME type to the Apache configuration to enable automatic proxy configuration. This is done by adding the following line to the file /usr/syno/apache/conf/mime.types
application/x-ns-proxy-autoconfig dat
Now you can configure your browser to use the automatic configuration script.
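The "some intelligence" mentioned above, as an added example that is not the article's own file: a wpad.dat that keeps requests for LAN hosts off the proxy and sends everything else to it. The proxy address 10.0.1.23:3128 is the one used above; the ".home.lan" suffix is a hypothetical internal domain. The decision is made on the text of the host name only, so the script runs in any PAC engine and needs no DNS lookup.

```javascript
// wpad.dat: added example, not the article's own file.
// From the article: proxy 10.0.1.23:3128. Assumption: ".home.lan" is a
// hypothetical internal DNS suffix; replace it with your own.
var PROXY = "PROXY 10.0.1.23:3128; DIRECT";
var INTERNAL_SUFFIXES = [".home.lan", ".local"];

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var octets = [];
  for (var i = 1; i <= 4; i++) {
    var n = parseInt(m[i], 10);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// True for loopback, RFC 1918 and link-local IPv4 literals.
function isLocalIPv4(host) {
  var o = parseIPv4(host);
  if (!o) return false;
  return o[0] === 127 || o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// True when host ends in one of the internal suffixes. The suffix starts
// with a dot, so "evilhome.lan" does not match ".home.lan".
function hasInternalSuffix(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host.length > s.length && host.slice(-s.length) === s) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  // Drop the trailing dot of a fully qualified name.
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);
  // Names without a dot ("diskstation", "localhost") stay on the LAN.
  // IPv6 literals contain no dot either and also go direct.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (hasInternalSuffix(host) || isLocalIPv4(host)) return "DIRECT";
  return PROXY;
}
```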
Step 3 – DHCP
Now if you’re really lazy and don’t want to configure the location of the wpad configuration file on every client, you can configure WPAD via DHCP or DNS. The most reliable method is providing the location of the wpad configuration file via a DHCP option.
Since we have a Synology NAS, and because we can use this device, we’re using the NAS as a DHCP server. For that we need to install a DHCP package which is an optional package provided by Synology.
- Select ‘Package Center’
- Click on the tab ‘Available’
- Locate the package ‘DHCP Server’ and click ‘Install’
First we need to set up a basic configuration so DHCP leases can be offered.
- Click on the ‘Start’ button on the top left
- Click on the icon ‘DHCP Server’
- Click on the button ‘DHCP Server’
- Specify your Synology NAS as the DNS server and add a list of addresses the DHCP server is allowed to lease
- Click Apply
In case the DHCP server doesn’t work you should check the /var/log/message file. If this contains the message ‘Can not open DHCP lease file’ you should issue the following commands:
touch /var/packages/DHCPServer/target/etc/dhcp.conf.leases
touch /var/packages/DHCPServer/target/etc/dhcp-leases.log
Now we need to add the DHCP option 252 (auto-proxy-config) with the location of the wpad configuration file. The configuration file is stored in the /etc/dhcpd/ directory. Note that the /etc/rc.network script regenerates the /etc/dhcpd.conf when the DHCP server is started. The content of every /etc/dhcpd/dhcpd-*.conf file that has a corresponding /etc/dhcpd/dhcpd-*.info file stating it is enabled will be merged into the applied configuration.
Updated on 11-01-2013 with correct filename
Add the following two files:
/etc/dhcpd/dhcpd-server-options.conf
dhcp-option=252,"https://<location-of-your-synology-nas>/wpad.dat"
Very important: add a line feed after the first line (press Enter), otherwise lines will be merged in dhcpd.conf, with this as a result.
/etc/dhcpd/dhcpd-server-options.info
enable="yes"
You have to log on as the user root; the user admin has insufficient privileges.
(Re)start the DHCP server to apply the settings.
Now you can configure your browser to detect the automatic configuration.
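The missing line feed and the quote characters are the two ways this step goes wrong, and a wrong option 252 value sends every auto-detecting client to fetch its proxy settings from the wrong place. The following is an added example (not part of the original article) that lints the generated configuration before the DHCP server is restarted; checkOption252 is a hypothetical helper, and the sample inputs and the 192.168.1.252 address are constructed.

```javascript
// Added example: lint a dnsmasq-style DHCP config for a broken option 252.
const DIRECTIVE = /(?:dhcp-[a-z-]+|interface)=/g;
const OPT252 = /^dhcp-option=(?:tag:[^,]+,)*252,(.*)$/;
const CURLY = /[\u2018\u2019\u201C\u201D]/g;

// Returns a list of findings; an empty list means option 252 looks sane.
// expectedHost is the host that is supposed to serve wpad.dat.
function checkOption252(configText, expectedHost) {
  const findings = [];
  let seen = 0;
  configText.split(/\r?\n/).forEach((rawLine, idx) => {
    const line = rawLine.trim();
    const m = OPT252.exec(line);
    if (!m) return;
    seen++;
    const where = "line " + (idx + 1);
    // A second directive on the line means a fragment without a trailing
    // line feed was concatenated with the next one.
    if ((line.match(DIRECTIVE) || []).length > 1) {
      findings.push(where + ": another directive is merged onto this line");
    }
    // Typographic quotes (pasted from a web page) are not string delimiters.
    const straight = m[1].replace(CURLY, '"');
    if (straight !== m[1]) {
      findings.push(where + ": typographic quotes around the value");
    }
    const quoted = /^"([^"]*)"$/.exec(straight);
    let url;
    try {
      url = new URL(quoted ? quoted[1] : straight);
    } catch (e) {
      findings.push(where + ": value is not a URL");
      return;
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      findings.push(where + ": scheme is not http or https");
    }
    // Clients fetch and execute whatever this URL serves, so the host
    // must be the one you intend.
    if (url.hostname !== expectedHost) {
      findings.push(where + ": host " + url.hostname + " is not " + expectedHost);
    }
  });
  if (seen === 0) findings.push("no dhcp-option=252 line found");
  return findings;
}

// Constructed samples (not taken from a real system).
const GOOD = 'interface=bond0\ndhcp-option=252,"http://192.168.1.252/wpad.dat"\n';
const MERGED = 'dhcp-option=252,"http://192.168.1.252/wpad.dat"' +
  'dhcp-option=tag:static,option:router,127.0.0.1\n';
const FANCY = 'dhcp-option=252,\u201Chttp://192.168.1.252/wpad.dat\u201D\n';

console.log(checkOption252(GOOD, "192.168.1.252"));
console.log(checkOption252(MERGED, "192.168.1.252"));
console.log(checkOption252(FANCY, "192.168.1.252"));
```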
Step 4 – Is it working?
You can verify that you’re using a proxy server by visiting https://www.whatismyip.com/. Not only will it show you your IP address but also if and what proxy server you’re using.
Reference
- According to the FAQ of dnsmasq configuring option 252 is required for Windows 7.
- If WPAD is not working on your Windows machine, please read the Microsoft Technet article: https://technet.microsoft.com/en-us/library/cc302643.aspx
Hello. Excellent article. Two questions: 1) I can use the proxy server either by using step one or step two. However, step 3 does not work. Any troubleshooting tips? 2) Any tips for easily configuring the squid proxy server?
I confirmed at first that the dhcpd.conf file was not updating. I got it configured now. Here are the contents of the file.
interface=bond0
dhcp-range=set:bond00,192.168.1.175,192.168.1.250,255.255.255.0,43200
dhcp-option=tag:bond00,option:router,192.168.1.10
dhcp-option=tag:bond00,option:dns-server,192.168.1.50
dhcp-option=252,”http://192.168.1.50/wpad.dat”
dhcp-option=tag:static,option:dns-server,127.0.0.1
dhcp-option=tag:static,option:router,127.0.0.1
interface=static
dhcp-option=252,”http://192.168.1.50/wpad.dat”
dhcp-range=set:static,127.0.0.1,127.0.0.1,255.255.255.0,86400
dhcp-leasefile=/etc/dhcpd/dhcpd.conf.leases
dhcp-script=/var/packages/DHCPServer/target/scripts/dhcpd-script.sh
You’ll notice the dhcp option is there and my browser is configured to automatically detect. Still no luck.
Hi Aaron,
The dhcp-option 252 should be added in the “/etc/dhcpd/dhcpd-server-options.conf” file instead of the dhcpd.conf, otherwise you’ll lose the configuration.
For the “automatically detect” feature to work using DHCP you need this DHCP option, no configuration is required on squid.
Troubleshooting tips:
– First try the WPAD file manually to see if this is working
– Completely release the DHCP lease (ipconfig /release) and then renew the lease (ipconfig /renew)
– Monitor with Wireshark (use capture filter: ‘port 67 or port 68’) to see if DHCP option 252 is working
http://wiki.wireshark.org/DHCP
Hi,
you wrote .. “Now we need to add the DHCP option 252 (auto-proxy-config) with the location of the wpad configuration file. The configuration file is stored in the /etc/dhcp/ directory” ….
.. but I don’t have any file there with the name WPAD.DAT
Why? Do I have to create it?
I personally had to create the file. But it’s really not a big deal. Just create the file and edit it in a text editor. He gives you the code above.
Hi LC,
I didn’t write that very clearly, my bad. As Aaron wrote you need to create the file manually, a basic wpad.dat file should at least contain the following:
function FindProxyForURL(url, host)
{
return "PROXY <fqdn-or-ip-address-of-your-nas>:3128; DIRECT";
}
You are correct. But the other .conf files feed the dhcpd.conf file when the server starts. I was merely showing that those files are feeding the main .conf file correctly.
When I do steps 1 and 2, whatismyip.com registers that I have a proxy server. When I move on to step 3, no more proxy. I tried release/renew. My network configuration shows that I’m coming through the Synology DHCP server.
I ran wireshark and I could see a reference to auto proxy config and referencing GET /wpad.get. So I THINK that means it is working, but I have no clue what I’m looking at or how to really use wireshark.
Aaron,
Not sure if you fixed this already, but it could be that you have the same issue as Daeroth. Can you check if you added a line feed in the file /etc/dhcpd/dhcpd-server-options.conf?
Hy,
Thanks for the post. Steps 1-2 are working, but I have some problems with Step 3. If I do what you wrote, then I get an error in Chrome: Cannot resolve DNS address…
But if I use Step 2 then it is working. Do I need to set up something in DNS?
Thanks in advance.
DNS is not required if you specify the IP of your Synology in DHCP option 252.
Can you post the content of the /etc/dhcpd/dhcpd-server-options.conf file?
Hy,
it only contains:
dhcp-option=252,”http://<192.168.1.252/wpad.dat”
—
Sorry, in my post above I made a mistake.
dhcp-option=252,”http://192.168.1.252/wpad.dat”
This is only line in the file.
The configuration file seems to be correct. Are you sure the Synology can resolve DNS?
Because the Synology now has to resolve the hostname to IP (aka DNS) and download the content of the webpages it needs to have full internet access.
Can you try to ping http://www.ingmarverheij.com from a terminal session on your Synology?
http://www.ingmarverheij.com/how-to-enable-terminal-access-to-synology-nas/
— http://www.ingmarverheij.com ping statistics —
73 packets transmitted, 72 packets received, 1 duplicates, 1% packet loss
round-trip min/avg/max = 66.098/282.976/3142.334 ms
Now I’am getting: ERROR: 118 (net::ERR_CONNECTION_TIMED_OUT) when I try the auto detection.
Based on the result of your ping command we can conclude two things: 1) DNS is working (www.ingmarverheij.com is resolved to an IP) and 2) the Synology has internet access.
Just to be sure, can you confirm that if you manually add “http://192.168.1.252/wpad.dat” in your browser it does work?
If so, can you copy the content of your wpad.dat?
Yes, if I manually add “http://192.168.1.252/wpad.dat” to the browser settings then it is working.
The content of my wpad.dat file is:
function FindProxyURL(url,host)
{
return “PROXY 192.168.1.252:3128; DIRECT”;
}
The function should be “FindProxyForURL” not “FindProxyURL”, you’ve missed the ‘For’ in the function name.
Checked again.
It contains: fuction FindProxyForURL(url,host)
In the post above I made a mistake… sorry.
Can you verify the following three things:
1) Is your proxy detected (http://www.whatismyip.com/) when you specify the wpad.dat manually?
2) Are the quotes in the wpad.dat file actual quotes? In the comment they are “fancy” quotes, can you try to replace them and save the file again?
3) Is the file /etc/dhcpd/dhcpd-server-options.info created (and filled)?
If all of this applies, it’s time to create a trace with WireShark (of 1) the DHCP request and 2) opening a webpage).
1) I get: Your IP Address is:
Proxy Detected:
1.1 DiskStation (squid/3.1.8)
2) Checked the quotes. They were quotes, but I have replaced them for safety.
3) /etc/dhcpd/dhcpd-server-options.info it is created and filled. It contains:
enable=”yes”
But! Now I see that there are 2 new files: dhcp-server-static.conf
dhcp-server-static.inf
Could it be that these 2 files are causing the trouble?
Now I try to create a trace with WireShark.
In case step 3 (DHCP) is not working this might be caused by a missing “line feed” at the end of the file /etc/dhcpd/dhcpd-server-options.conf.
MAKE SURE YOU DO
If no linefeed is added (as was the case with Daeroth) the wrong lines get merged. As a result the DHCPOFFER contains the wrong location of the wpad.dat file.
See screenshot
http://www.ingmarverheij.com/wp-content/uploads/2013/04/Wireshark.png
Thank you for this excellent article. I have configured my DS413 according to your Step 1 and it works perfectly from my local network computers, but I want to be able to access it remotely as well. But the DS413 only has a local IP (192.168.etc). I do know my router’s IP (which is dynamic, but it changes very rarely). What am I missing? Is there a way to do this? Thank you for any assistance you can provide.
Thanks a lot for the dutch IT guy! 🙂
The proxy is working on my DS1512+ since months without any errors!
Alan! It doesn’t matter. Just make a DDNS for your Synology and forward the IP and ports of it on your router.
Daeroth, thank you–I have configured the port forwarding on the router according to your suggestion, but am unsure about DDNS–do I need to subscribe to a service or is that also within the router’s settings somewhere? I’m new to this aspect of networking. Thank you!
1. Register to one of DDNS services, for example dyndns.org or noip.com.
2. After registering add a domain. (example.no-ip.org)
3. Go to Synology ->Control Panel ->DDNS
4. Add the registered data to your Synology.
5. Save and now it will work.
This is very helpful, Daeroth–I followed your instructions and I think I have all the pieces right but I have not yet been able to test it from outside my network; it doesn’t work from inside it (access denied). I have configured my router to forward port 3128 to the local address of the Synology. I confirmed that Squid is started and working. Am I supposed to do something with the Synology Router Configuration control panel? I created a setting with port 3128. Thank you again for your assistance.
Hmm.
You need to check which port the Synology is using. Normally it is :5000. You need to forward the SynologyIP:5000 on your router. I do not know if the Squid is blocking it, but you can add these ports to the Safe_ports in the squid_config file.
I think I understand my problem–the tutorial here says to use port 3128. You have suggested port 5000. I have now changed my router’s port forwarding to the Synology’s local IP:5000. But how do I get to 3128?
I should also mention that after I went into the Synology Router Configuration area, Ports 5000 and 5001 are already being used by the Management UI, File Station, etc. Can it also be used for the proxy? I notice that 3128 is not listed anywhere. Perhaps I need to check my squid.conf file for the port that is expected? Note that I have a DS413, which might be different from whatever was used in the tutorial.
Hi Alan, Daeroth,
Good to see you’re solving this together. In my environment I haven’t enabled external access so unfortunately I can’t give you practical tips.
Do keep in mind that if you enable your proxy server from outside without authentication everyone can use your proxy server (using your bandwidth, exposing your network and performing illegal actions). So I would definitely recommend enabling some sort of authentication 😉
Cheers
Ingmar
Thank you, Ingmar, I agree that authentication is essential and will make sure once I get this working to have that in place.
Hi Ingmar
I’ve installed it and it works fine. My idea is to set up the proxy to capture all internal traffic as a parental control (OpenDNS and other commercial solutions I consider flawed).
Is this possible? Can I define rules? Thanks (I’m a newby to proxies…so forgive stupid questions on the matter 🙂 )
Hi Lex,
I don’t have any experience with parental controls.
You might want to check out DansGuardian – http://dansguardian.org/- they integrate in the Squid proxy.
Unfortunately I can’t help you with an easy howto guide but I noticed there are some guides available on the internet.
Cheers,
Ingmar
Thanks Ingmar, will do
Regards, Lex
Hi.
I have a problem creating a symbolic link with the command
ln –s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/
I get this message:
Petsi_NAS> ln –s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/
ln: –s: No such file or directory
ln: /usr/syno/etc/rc.d/S80squid: Invalid cross-device link
Thanks in advance.
Hy Peeter!
The same happened to me. If you have DSM version 4.x, then when you install ipkg you need to comment out the following in the /root/.profile file:
#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
#export PATH
Check this file. Because I forget it, and I got the same like you.
Hope I could help.
Daeroth
Ingmar, did you ever consider setting up Squid as a transparent proxy so that you wouldn’t even have to set the proxy configuration at the client end?
Actually I haven’t, but sounds like a nice project. Once I got time (…) I might update the article (but if you have the info, I’ll happily update it with your content).
That would be very nice; better than having a proxy is being able to use it with zero configuration on the client side.
All our places are full of devices, and configuring all of them is a big hassle.
I’m going to try and set it up in the next few weeks. I’ve been wanting a good proxy server and now I don’t have to dedicate an entire machine (or VM) to it.
The last one I ran was as a transparent proxy, so it was easy to ensure that all traffic went through it via DHCP.
Once I get to it, I will post you the info.
Regards,
Hi Ingmar,
this is a very good site about the dhcp on synology.
I perform this dhcp server on ds207+ and this works.
I only have problem with step 3.
My dhcpd.conf ist here /opt/etc/
So I put the files dhcp-server-options.conf and dhcp-server-options.info also in this directory /opt/etc/
I also try the directory /opt/etc/dhcpd and /etc/dhcpd/
It seems that the dhcp server do not recognize this files.
The content of the dhcpd-server-options.* files is correct, and there is a linefeed at the end. I also verify the configurations of the wpad.dat file in the browser. Now I have no more ideas….
Perhaps you can help?
Thanx.
Thomas.
Hi Thomas,
The dhcp-server-options.conf and dhcp-server-options.info should be in /etc/dhcpd. Did you restart the dhcp daemon for the changes to take effect?
You could try to add a simple dhcp option and verify if your client receives the options. I wrote a PowerShell script that shows you all received dhcp options:
http://www.ingmarverheij.com/read-dhcp-options-received-by-the-client/
Cheers,
Ingmar
Hi Ingmar,
now I put those dhcp-server-options.* files into both directories. /etc/dhcpd and /opt/etc/dhcpd.
I restart the whole Synology Box, and I capture this dhcp request from (virtual linux) with wireshark:
In the Bootstrap Protocol I can See:
…
Option: (t=55,l=17) Parameter Request List
…
252 = Private/Proxy autodiscovery
…
Is this the option I search for?
Is it right, that i have problem with the client,
not with the dhcp server?
Thanx in advance.
Thomas.
If the parameter is sent then the configuration is probably right 😉 What does the PowerShell script show on the client?
OK, I tried this PS script on a virtual Win7 (64) and there is NO 252 option. I didn’t try it on my Linux client because I’m not sure that the PS script works on Linux. I verified the configuration of the DHCP server with Wireshark one more time and I always see the 252 option. The problem is on the client. What can I do?
Did your Win 7 machine get an IP address from the DHCP server (see ipconfig /all)? The PowerShell script won’t work on Linux 😉
There’s nothing you can (or should) configure on a Windows client for DHCP to work, except for configuring the NIC for a dynamic address.
no chance….
This is now the third evening I have tried, and I find no solution for this problem. I verified that there is only one DHCP server in the local network, I restarted the DHCP server, I cleaned all leases for all IP addresses and I’m not able to get the 252 option on my Windows client or on my Linux client. In the Wireshark output I can see the 252 option from the server, but the client does not recognize it….
now i have no more ideas….
Can you email me the complete wireshark trace starting from the DHCPREQUEST and the configuration files (e-mail is on the about tab).
I’ll see what I can do.
I have sent the log and the config files to your mail account. Thanks!
See your mailbox 🙂
Hi, do you know how can I get the Squid proxy run on port 80 on the Synology ? I configured it to use port 80 but it seems that also Synology does some redirect from port 80 to the default 5000 when accessing his web interface
By default the webserver runs on port 80 which prevents the proxy server to run on this port.
There’s a thread on the synology forum how to remove this redirection:
http://forum.synology.com/enu/viewtopic.php?f=39&t=21242
Thanks Ingmar !
Ingmar, thanks for your post. I use a 213j and I don’t have bootstrap. So I’ve installed SquidManager from SynCommunity, as it has the squid package. But when I try to access it, it gives me access denied. How can I configure it to use user/pass to access the squid and use my NAS as a proxy?
Thanks
Sadly, when I install Squid on my DS214 I always get this error message
FATAL: Bungled Default Configuration line 11: cache_mem 8 MB
( even with the default configuration file )
and wont do anything at all 🙁
Hi,
How can I bypass all the local IP from using Proxy?
I had my domain example xxx.domain.com
I cannot access the url above if I had my transparent proxy.
But I do can access if I disable the proxy.
Hi,
And I had 1 more issue.
My IE work on the DHCP for the proxy.
But, my firefox did not work.
When I test manually using the http://192.x.x.x/wpad.dat
it work..
Dear Ingmar, nice article!
Carried out Step 1, opened port 3128 on the router,
http://192.168.178.11:5000/webman/3rdparty/squidguard/squidguardmgr.cgi says “Please login as admin first, before using this webpage.” when using the proxy. I am logged in as admin in DSM.. what do I do next?
Have you by any chance tried this with DSM5?
DHCP is built into network settings now, There is an official beta proxy server now too (using squid)
I’m still having an issue getting the DHCP option set up with DSM5
Hi ingmar, I have setup the proxy server on DS. I have also configured the settings on chrome to use proxy server. Proxy server is working some times other times It seems the proxy is not able to resolve the hostname. I have not enabled DHCP or DNS server on DS. I am getting the following message:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www……..com/
Unable to determine IP address from host name http://www……..com
The DNS server returned:
DNS Domain/IP ‘www…….com’ exists without any FQDN/IPs: Name or service not known.
This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
Your cache administrator is ………@gmail.com.
Generated Wed, 01 Apr 2015 11:39:51 GMT by DiskStation (squid/3.4.3)
Kindly help.
Sukhvir
I have the same error. @Sukhvir do you already have a solution perhaps?
I too have the
ERROR
The requested URL could not be retrieved
any suggestions please