spinsurf.net
The place to be
explorer internet proxy
Web Proxy Autodiscovery Protocol
From Wikipedia, the free encyclopedia
The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. The WPAD protocol only outlines the mechanism for discovering the location of this file, but the most commonly deployed configuration file format is the Proxy auto-config format originally designed by Netscape in 1996 for Netscape Navigator 2.0. The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. WPAD is documented in an INTERNET-DRAFT which expired in December 1999. However, WPAD is still supported by all major browsers. WPAD was first included with Internet Explorer 5.0.
Context
In order for all browsers in an organization to be supplied the same proxy policy without configuring each browser manually, both of the technologies below are required:
- Proxy auto-config (PAC) standard: create and publish one central proxy configuration file. Details are discussed in a separate article.
- Web Proxy Autodiscovery Protocol (WPAD) standard: ensure that an organization's browsers will find this file without manual configuration. This is the topic of this article.
The WPAD standard defines two alternative methods the system administrator can use to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS):
Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used. If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:
- http://wpad.department.branch.example.com/wpad.dat
- http://wpad.branch.example.com/wpad.dat
- http://wpad.example.com/wpad.dat
- http://wpad.com/wpad.dat (in incorrect implementations, see note in Security below)
(Note: These are examples and may not be live URLs.)
Notes
- DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed. Note that Firefox and Chrome do not support DHCP, only DNS.
- DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.
- The browser guesses where the organisation boundaries are. The guess is often right for domains like 'company.com' or 'university.edu', but wrong for 'company.co.uk' (see security below).
- For DNS lookups, the path of the configuration file is always wpad.dat. For the DHCP protocol, any URL is usable. For traditional reasons, PAC files are often called proxy.pac (of course, files with this name will be ignored by the WPAD DNS search).
- The MIME type of the configuration file must be "application/x-ns-proxy-autoconfig". Please read Proxy auto-config for more details.
- Internet Explorer and Konqueror are currently the only browsers offering support for both the DHCP and DNS methods; the DNS method is supported by most major browsers.
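The DNS search order described above can be reproduced to audit which names a client will ask for and which of them lie outside the organisation. The following Python sketch is an added example, not code from the WPAD draft or from any browser; the small `PUBLIC_SUFFIXES` set is a constructed stand-in for a real public suffix list, and the function names are hypothetical.

```python
# Added example: WPAD DNS devolution, naive vs. boundary-aware.
# PUBLIC_SUFFIXES is a constructed, tiny stand-in for a real public suffix list.
PUBLIC_SUFFIXES = {"com", "edu", "uk", "co.uk"}


def public_suffix_len(labels):
    """Number of trailing labels forming the longest known public suffix."""
    for n in range(len(labels), 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return n
    return 1  # unknown TLD: treat the last label as the suffix


def wpad_candidates(fqdn, boundary_aware=True):
    """Return the wpad.dat URLs a client would try for its own host name.

    boundary_aware=False models the incorrect implementations noted above:
    the search keeps moving up until only the top-level label is left.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    # Stop while the registrable domain (suffix + one label) is still intact.
    keep = public_suffix_len(labels) + 1 if boundary_aware else 1
    urls = []
    parents = labels[1:]  # drop the client identifier
    while len(parents) >= keep:
        urls.append("http://wpad." + ".".join(parents) + "/wpad.dat")
        parents = parents[1:]  # move one level up the hierarchy
    return urls


def outside_organisation(fqdn):
    """URLs only the naive walk requests: names the organisation does not own."""
    safe = set(wpad_candidates(fqdn, boundary_aware=True))
    return [u for u in wpad_candidates(fqdn, boundary_aware=False)
            if u not in safe]


if __name__ == "__main__":
    # Constructed host names for illustration.
    for host in ("pc.department.branch.example.com", "pc.office.company.co.uk"):
        print(host)
        for url in wpad_candidates(host, boundary_aware=False):
            flag = "  <-- outside" if url in outside_organisation(host) else ""
            print("   ", url + flag)
```

Running the audit against the organisation's real host names shows which `wpad.*` names must resolve only to servers it controls, and which lookups should never leave the network at all.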
Requirements
In order for WPAD to work, a few requirements have to be met:
- In order to use DHCP, the server must be configured to serve up the "site-local" option 252 ("auto-proxy-config") with a string value of "http://xxx.yyy.zzz.qqq/wpad.dat" (without the quotes) where xxx.yyy.zzz.qqq is the address of a web server (either IP or DNS).
- In order to use DNS, a DNS entry is needed for a host named WPAD.
- The host WPAD must be able to serve a web page.
- In both cases, the web server must be configured to serve dat files with a MIME type of "application/x-ns-proxy-autoconfig".
- The file named wpad.dat must be located in the WPAD web site's root directory.
- Examples for PAC files are shown in Proxy auto-config.
- Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, WinHTTP and WinINET in Internet Explorer 6 and earlier send a "Host: <IP address>" header and IE7+ and Firefox send a "Host: wpad" header. Therefore, it is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own.
- Internet Explorer version 6.0.2900.2180.xpsp_sp2_rtm requests "wpad.da" instead of "wpad.dat" from the web server.
Security
While greatly simplifying configuration of one organisation's web browsers, the WPAD protocol has to be used with care: simple mistakes can open doors for attackers to change what appears on a user's browser:
- An attacke







