Squid troubles, http not working
-
This is my first post. I am unable to get http access working with a squid proxy. I've googled around, tried a few guides, and no luck.
setup description:
WAN -> Proxmox -> pfSense/squid(VM) -> | vm: server 1 | vm: server 2|
intent:
2 servers/VM on one IP address
server 1 would match to xyz.com and handle regular web traffic
server 2 would match to sub1.xyz.com and handle some other stuff.
It's most likely some misconfiguration somewhere, but I'm just not sure where. Right now, I'm just focused on getting server 1 accessible.
server 1:
Alma Linux 9
apache has mod_proxysite conf file
/etc/hosts file
one guide said to create a conf file with the following.
pfSense:
squid installed
squidGuard installed/disabled for now
squid conf:

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname voip-ly.com
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/24
forwarded_for on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache deny all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
http_port 69.16.214.157:80 accel defaultsite=voip-ly.com vhost
#alma9 server
cache_peer 192.168.1.15 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_www
#debian12.pbx
cache_peer 192.168.1.16 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pbx
acl rvm_public url_regex -i voip-ly.com
acl rvm_pbx url_regex -i voip-ly.com
cache_peer_access rvp_www allow rvm_public
cache_peer_access rvp_pbx allow rvm_pbx
cache_peer_access rvp_www deny !rvm_public
cache_peer_access rvp_pbx deny !rvm_pbx
never_direct allow rvm_public
never_direct allow rvm_pbx
http_access allow rvm_public
http_access allow rvm_pbx
deny_info TCP_RESET allsrc
# Custom options before auth
# Set YouTube safesearch restriction
acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_access YouTube-Restrict deny all
request_header_add YouTube-Restrict none youtubedst
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
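As an added illustration that is not part of the original post or of pfSense's generated config: a minimal Squid reverse-proxy fragment for the two-hostnames-on-one-IP layout described above, routing on the requested host with dstdomain ACLs (one per origin) and refusing every other Host value. Hostnames follow the post's xyz.com / sub1.xyz.com placeholders, the origin addresses are the two VMs from the posted config, and PUBLIC_IP is a placeholder.

```squid
# Added example (not from the original post): minimal Squid reverse-proxy
# fragment routing two hostnames on one public IP to two origin servers.
# PUBLIC_IP is a placeholder; hostnames use the post's xyz.com / sub1.xyz.com;
# origin addresses are the two VMs from the posted config.

# Listen on the public address in accelerator mode; vhost = route by Host header.
http_port PUBLIC_IP:80 accel vhost defaultsite=xyz.com

# One origin server per site. originserver + no-query: plain back-end, no ICP.
cache_peer 192.168.1.15 parent 80 0 no-query no-digest originserver name=origin_www
cache_peer 192.168.1.16 parent 80 0 no-query no-digest originserver name=origin_pbx

# Match on the requested host, not on a substring of the whole URL:
# a url_regex for the apex domain also matches any path or query that
# contains that text, and, being unanchored, matches the subdomain too,
# so both peers become candidates for every request.
acl site_www dstdomain xyz.com www.xyz.com
acl site_pbx dstdomain sub1.xyz.com

# Bind each peer to exactly one host ACL and never fall back to the other.
cache_peer_access origin_www allow site_www
cache_peer_access origin_www deny all
cache_peer_access origin_pbx allow site_pbx
cache_peer_access origin_pbx deny all

# Reverse-proxy traffic must only ever go to the configured origins.
never_direct allow all

# Only the two published hostnames are served; any other Host value is
# refused, so the listener cannot be used as a forwarder toward other sites.
http_access allow site_www
http_access allow site_pbx
http_access deny all
```

This fragment assumes a reverse-proxy-only instance; where the same Squid also serves the LAN on port 3128, as in the posted config, scope never_direct to the two site ACLs and keep the LAN's own http_access rules ahead of the final deny.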
-
Squid has a default gateway directive.
https://www.squid-cache.org/Doc/config/tls_outgoing_options/
https://www.squid-cache.org/Doc/config/tcp_outgoing_address/
Option Name: tcp_outgoing_address
Replaces:
Requires:
Default Value: Address selection is performed by the operating system.
Suggested Config:

Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request.

tcp_outgoing_address ipaddr [[!]aclname] ...

For example; Forwarding clients with dedicated IPs for certain subnets.

acl normal_service_net src 10.0.0.0/24
acl good_service_net src 10.0.2.0/24

tcp_outgoing_address 2001:db8::c001 good_service_net
tcp_outgoing_address 10.1.0.2 good_service_net
tcp_outgoing_address 2001:db8::beef normal_service_net
tcp_outgoing_address 10.1.0.1 normal_service_net
tcp_outgoing_address 2001:db8::1
tcp_outgoing_address 10.1.0.3

Processing proceeds in the order specified, and stops at first fully matching line. Squid will add an implicit IP version test to each line. Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.

NOTE: The use of this directive using client dependent ACLs is incompatible with the use of server side persistent connections. To ensure correct results it is best to set server_persistent_connections to off when using this directive in such configurations.

NOTE: The use of this directive to set a local IP on outgoing TCP links is incompatible with using TPROXY to set client IP out outbound TCP links. When needing to contact peers use the no-tproxy cache_peer option and the client_dst_passthru directive re-enable normal forwarding such as this.

This clause only supports fast acl types. See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.