Netgate Discussion Forum

    Squid-reverse

      Sam0r

      Sorted it.

      I was trying to publish the root of the site.

      Turns out you have to put a * in there for that.

      So, my config looks like this:

      Peer Definitions:
      prometheushttp;192.1.22.6;80;HTTP

      URI Definitions:
      atlantisweb;*;http://www.atlantis.me.uk
      atlantisweb;*;http://atlantis.me.uk
      atlantiswi;*;http://wi.atlantis.me.uk

      ACL Definitions:
      prometheushttp;atlantisweb
      prometheushttp;atlantiswi

      I added my subnet into the top box in access control.

      Then I enabled logging in the general settings, SSH'd to the box and entered the shell.

      I ran tail -F /var/squid/logs/access.log so I could see all the incoming HTTP requests.

      Now to get OWA, Outlook anywhere and active sync working over HTTPS.

      Any ideas if this can do other HTTPS streaming things? I have a Citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to ActiveSync. At the moment it's running on 4430 but I'd like to run that through squid too.
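
One way to check publishing rules like the ones above against the access.log being tailed, as an added example that is not part of the original post or of the squid-reverse package. It assumes Squid's native access.log layout; the log lines, client addresses, the `unlisted.example` and `other.example` hosts and the `review` function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts published by the URI definitions in the post above.
PUBLISHED = {"www.atlantis.me.uk", "atlantis.me.uk", "wi.atlantis.me.uk"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1330000000.101 48 203.0.113.7 TCP_MISS/200 5120 GET http://www.atlantis.me.uk/ - FIRST_UP_PARENT/192.1.22.6 text/html
1330000001.250 2 203.0.113.7 TCP_DENIED/403 1450 GET http://unlisted.example/ - NONE/- text/html
1330000002.007 51 198.51.100.9 TCP_MISS/200 812 GET http://wi.atlantis.me.uk/login - FIRST_UP_PARENT/192.1.22.6 text/html
1330000003.300 40 198.51.100.9 TCP_MISS/200 300 GET http://other.example/ - FIRST_UP_PARENT/192.1.22.6 text/html
1330000004.010 1 203.0.113.20 TCP_DENIED/403 1450 GET http://atlantis.me.uk/ - NONE/- text/html
"""

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)

def review(log_text, published=PUBLISHED):
    """Return (per-host result counts, list of entries worth a second look)."""
    counts, findings = Counter(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the native format
        host = (urlsplit(m["url"]).hostname or "").lower()
        forwarded = m["peer"] != "-"  # "-" means no origin server was contacted
        counts[(host, m["code"])] += 1
        if forwarded and host not in published:
            # The proxy passed a request for a host nobody meant to publish.
            findings.append(("unpublished host reached a peer", host, m["client"]))
        elif not forwarded and host in published and m["code"] == "TCP_DENIED":
            # A published site is being refused, e.g. a URI pattern that does not match.
            findings.append(("published host was denied", host, m["client"]))
    return counts, findings

if __name__ == "__main__":
    counts, findings = review(SAMPLE_LOG)
    for (host, code), n in sorted(counts.items()):
        print(f"{host:24} {code:12} {n}")
    for reason, host, client in findings:
        print(f"CHECK: {reason}: {host} (client {client})")
```
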

        marcelloc

        @Sam0r:

        I have a citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to activesync.

        If it's not HTTP, you may need to use haproxy or the native pfSense load balancer to balance TCP connections.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

          Sam0r

          Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

          I just want a reverse proxy, like in forefront TMG/ISA Server!

            marcelloc

            @Sam0r:

            Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

            I just want a reverse proxy, like in forefront TMG/ISA Server!

            I have it working with varnish, haproxy and apache.

            To get balance with https without having certificate issues, you may need a wildcard certificate.

            Varnish does all http balance/cache
            Haproxy does the https balance
            Apache has the certificates and mod_security

              Sam0r

              I think I'll just go back to using Forefront TMG.

              As good as pfSense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

              No offence to the community, it's a great work in progress, but it's not for me.

              thanks for your time.

                jimp Rebel Alliance Developer Netgate

                @Sam0r:

                I think I'll just go back to using Forefront TMG.

                As good as pfSense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

                No offence to the community, it's a great work in progress, but it's not for me.

                thanks for your time.

                There are so many things wrong with that statement I don't know where to begin. But you are right, there is no one perfect solution for everyone, use whatever works best for you.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  marcelloc

                  @jimp:

                  There are so many things wrong with that statement I don't know where to begin. But you are right, there is no one perfect solution for everyone, use whatever works best for you.

                  I second that.

                  pfSense works great for me.

                    dhatz

                    I think a big difference has to do with the scale of such setups:

                    iirc marcelloc is overseeing a large-scale setup (Exchange 2010 with tens of thousands of mailboxes), so he can probably justify spending many hours to intimately learn those different packages in order to integrate and properly test them.

                    Someone with a much smaller installation, say 100-200 users, may just want a reverse-proxy solution that "simply works" and offers commercial support, because he's probably busy with a dozen other IT-related subjects.

                    So, as jimp noted, there is no one perfect solution for everyone.

                      marcelloc

                      @dhatz:

                      I think a big difference has to do with the scale of such setups:

                      iirc marcelloc is overseeing a large-scale setup (Exchange 2010 with tens of thousands of mailboxes), so he can probably justify spending many hours to intimately learn those different packages in order to integrate and properly test them.

                      Someone with a much smaller installation, say 100-200 users, may just want a reverse-proxy solution that "simply works" and offers commercial support, because he's probably busy with a dozen other IT-related subjects.

                      So, as jimp noted, there is no one perfect solution for everyone.

                      You are 100% right.
                      All the features that I needed in pfSense that were not part of it, I have published to help many others reach the same result with less effort.

                      Seeing Sam0r's difficulty in getting a simple web proxy solution, maybe I can improve the varnish package to require less configuration or fewer dependencies, for example.

                        jimp Rebel Alliance Developer Netgate

                        Maybe have a wizard to set up Exchange forwarding in Varnish. It steps through and asks for host name, IP, etc.

                        No need to dumb down the whole GUI just find a way to make some common tasks easier.

                          marcelloc

                          @jimp:

                          Maybe have a wizard to set up Exchange forwarding in Varnish. It steps through and asks for host name, IP, etc.

                          No need to dumb down the whole GUI just find a way to make some common tasks easier.

                          Great idea!  :)

                          I'll try it when I finish dansguardian.

                            Hobby-Student

                            Hey guys,

                            I'm very new to pfSense, but I like the box and packages :)

                            EDIT #2:
                            Sorry… My fault. I hadn't seen it... squid.inc... Now it works like a charm :) I really like this box

                            I also use squid as a reverse proxy to get access to OWA and ActiveSync. My main problem is that I had to manually edit the .conf, because I need more than one HTTPS port. Everything is working great, until I reboot pfSense…

                            What I found in the forum is that this seems to be a general problem. But how can I fix it?! I already added "-f /path/to/my/conf.conf" to the startup script in /usr/local/etc/rc.d/squid.sh, but this won't work. Squid starts up with the "empty" config in /usr/local/etc/squid.

                            Could someone please point me in the right direction, so the config will survive a reboot of pfSense?

                            Thanks in advance

                            EDIT:
                            pfSense 2.0.1 release and squid 2.7.9_2

                              Sam0r

                              It's just the lack of documentation that frustrates me.

                              If the documentation had said "To forward the root directory of a website, insert a * in the URI." That would've saved me weeks.

                              If I had weeks to spend on this I would, because I like what you guys do, we use untangle in some setups, because the OpenVPN works a treat. Others we use pfsense where we need a simple gateway, and in our enterprise setups we use TMG.

                              I desperately wanted to prove that I could use pfsense in an enterprise rig, but I don't have the time to do it myself, or the funding to pay someone else to do it.

                              Like I said, it's the documentation that always falls short when it comes to open source software. This isn't just a dig at pfSense; most open source software has this issue. It's easy to see why: documenting things is the boring bit. But to be successful it needs to be done.

                                jimp Rebel Alliance Developer Netgate

                                The base system is fairly well documented, but some packages lack it here and there. Squid-reverse (and varnish) are relatively new, and they are packages, so they tend to be less documented than the base system itself.

                                  Cino

                                  When I was testing varnish on my box.. I was confused and varnish's website was really no help but I posted questions on the forum. Marcelloc replied within hours to help me out.. Took a couple of days but he helped me out and made changes to the package as we found road blocks.

                                    marcelloc

                                    Something that helped me a lot during package development was "googling" for recommended setups and tutorials, as well as documentation.

                                    Varnish itself is difficult to set up; the GUI helps, but you still need to know about varnish.

                                    Sorry for the poor documentation. I always try to include hints and links to documentation. I'm not that good at tutorials.

                                    If you still want to try varnish, use forum to post questions. I'll do my best to help you.

                                      Hobby-Student

                                      Heyho,

                                      thanks for this great package!

                                      If needed, I could help extending the gui setup of squid-reverse to support more options of squid…?!

                                        meese7en

                                        Dear all,

                                        I have managed to set up squid-reverse properly. It works for two domains to 2 webservers.
                                        How can I get all other domains to go to one server without having to list all the domains in the settings?

                                          trendchiller

                                          @Sam0r:

                                          Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

                                          Publishing /EWS* does not help…
                                          Any hints?

                                            trendchiller

                                            @Hobby-Student:

                                            If needed, I could help extending the gui setup of squid-reverse to support more options of squid…?!

                                            You're welcome  ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.