How to Configure Proxy Settings via DHCP for Network-Wide Web Proxy Usage



Yes, you can configure proxy settings through DHCP using Option 252 (Proxy Auto-Configuration or WPAD). This method is particularly useful for network administrators who want to automatically deploy proxy settings across all DHCP clients.

For your Ubuntu-based dnsmasq DHCP server, add this to your /etc/dnsmasq.conf:

dhcp-option=252,"http://your-proxy-ip:port/proxy.pac"

On your proxy server (Ubuntu box), create a simple Proxy Auto-Config (proxy.pac) file:

function FindProxyForURL(url, host) {
    // Bypass proxy for local addresses
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0"))
        return "DIRECT";

    // Use proxy for all other traffic; the trailing "DIRECT" lets clients
    // connect directly whenever the proxy is unreachable
    return "PROXY your-proxy-ip:port; DIRECT";
}

Make the PAC file accessible via HTTP by configuring your web server (e.g., Apache or Nginx):

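# For Apache:
Alias /proxy.pac /path/to/proxy.pac
<Directory /path/to/>
    Require all granted
    # Serve the PAC file with the MIME type clients expect
    AddType application/x-ns-proxy-autoconfig .pac
</Directory>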

# For Nginx:
location /proxy.pac {
    alias /path/to/proxy.pac;
    default_type application/x-ns-proxy-autoconfig;
}

Most modern operating systems support DHCP-delivered proxy settings:

  • Windows: Automatically applies DHCP Option 252 settings
  • macOS: Supports WPAD via DHCP
  • Linux: Depends on network manager implementation

After implementation, verify proxy settings on clients:

# On Linux:
$ dhcpcd --dump
# Check for option 252

# On Windows:
> ipconfig /all
# Look for "WPAD Server" entry

If DHCP-based configuration proves unreliable, consider static configuration via dnsmasq:

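# Assign specific proxy settings to MAC addresses:
# tag the client by MAC (the tag name "proxyclient" is arbitrary),
# then send option 252 only to clients carrying that tag
dhcp-host=00:11:22:33:44:55,set:proxyclient
dhcp-option=tag:proxyclient,252,"http://your-proxy-ip:port/proxy.pac"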

1. PAC file not loading: Ensure HTTP server is accessible from clients
2. DHCP option ignored: Verify client OS support for WPAD
3. Proxy bypass not working: Double-check PAC file logic for local addresses
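
To double-check the PAC bypass logic from item 3 without a browser, the following added example (not part of the original page) runs the rules of the first proxy.pac under Node.js against sample hosts. The helper stand-ins, the DNS table, the host names and the proxy address 192.0.2.10:3128 are constructed assumptions.

```javascript
// Offline harness for the PAC bypass logic (added example, not the page's own code).
// Browsers supply these helpers; the versions below are minimal IPv4-only stand-ins.
const DNS = { "intranet.example.test": "10.1.2.3",      // constructed lookup table
              "www.example.com": "203.0.113.7" };
const PROXY = "PROXY 192.0.2.10:3128; DIRECT";           // placeholder proxy address

const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
const ipToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
function dnsResolve(host) { return isIPv4(host) ? host : DNS[host] || null; }
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isInNet(host, net, mask) {
  const ip = dnsResolve(host);            // host names are resolved before matching
  if (!ip) return false;                  // unresolvable hosts never match a network
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Same rules as the first proxy.pac on this page.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0"))
    return "DIRECT";
  return PROXY;
}

// [host, expected result]; 172.32.0.1 sits just outside 172.16.0.0/12.
const CASES = [
  ["printer", "DIRECT"], ["nas.local", "DIRECT"], ["192.168.1.20", "DIRECT"],
  ["172.31.255.1", "DIRECT"], ["172.32.0.1", PROXY],
  ["intranet.example.test", "DIRECT"], ["www.example.com", PROXY],
  ["unresolvable.example.test", PROXY],
];
// Returns the cases whose PAC decision differs from the expectation.
function failingCases() {
  return CASES.filter(([host, want]) => FindProxyForURL("http://" + host + "/", host) !== want);
}
console.log(failingCases().length === 0 ? "PAC logic OK" : failingCases());
```

Internal names that resolve to private addresses (the intranet.example.test row) bypass the proxy only because isInNet resolves them first, so a client that cannot resolve such a name sends the request to the proxy instead.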


Yes, DHCP can indeed distribute proxy settings to clients through Option 252 (WPAD) or custom options. This is particularly useful in managed networks where you want to enforce proxy usage without manual client configuration.

  • DHCP Server: dnsmasq on Ubuntu (your current setup)
  • Proxy Server: Squid or similar (your Ubuntu proxy box)
  • Client devices supporting DHCP proxy options

Edit your dnsmasq configuration file (/etc/dnsmasq.conf):


# Basic DHCP configuration
dhcp-range=192.168.1.100,192.168.1.200,12h

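# WPAD (Web Proxy Auto-Discovery) Method
# The URL must point at the web server hosting the file, not the proxy port (3128)
dhcp-option=252,"http://your-proxy-ip/wpad.dat"

# Alternative: PAC file location (use instead of the line above, not in addition)
#dhcp-option=252,"http://your-proxy-ip/proxy.pac"

# For direct proxy specification (less common)
# Option 121 is the classless static route option (RFC 3442), not a proxy
# setting, so this line is disabled
#dhcp-option=121,10.0.0.1,8080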

On your proxy server, create /var/www/html/proxy.pac:


function FindProxyForURL(url, host) {
    // Bypass proxy for local addresses
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(host, "192.168.1.0", "255.255.255.0")) {
        return "DIRECT";
    }
    // Use proxy for all other requests
    return "PROXY your-proxy-ip:3128";
}

Most modern operating systems support WPAD:

  • Windows: Enabled by default in Internet Options
  • macOS: Supports WPAD via System Preferences
  • Linux: May require additional packages like libproxy

After restarting dnsmasq (sudo systemctl restart dnsmasq), verify on clients:


# Linux: Check DHCP options
dhclient -v eth0

# Windows: Check with
ipconfig /all | find "WPAD"

For environments where WPAD isn't suitable, you can push explicit proxy settings through custom vendor options:


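# In dnsmasq.conf
# dnsmasq's example configuration documents vendor:MSFT option 2 as
# "release the DHCP lease on shutdown", so this line does not set a proxy
# and is disabled
#dhcp-option=vendor:MSFT,2,1B,http://your-proxy:8080

  • Ensure port 3128 (or your proxy port) is open on the firewall
  • Verify the PAC/WPAD file is accessible via HTTP
  • Check client DHCP logs for option 252 reception
  • Some Android/iOS devices may ignore proxy DHCP options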