Netgate Discussion Forum

    Squid3 Reverse Proxy | URIs

    pfSense Packages
    • canefield

      Dear all,

      I want to know how to use a single as well as multiple URIs. So the settings found on 'Services -> Reverse Proxy' in General, Web servers and Mapping.
      I want to make a difference by FQDN, what should I add/change to make it work?

      Let's say I have four servers:

      • 127.0.0.1 on 9443 => webGUI pfSense
      • 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
      • 192.168.150.7 on port 443 => MS SharePoint
      • 192.168.150.12 on port 80 => Corporate website

      I would say first add choose to the 'web server' by IP-address and Listening port. Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs. So for the first server (127.0.0.1) I have added the URI *; remote.domain.com (HTTPS), the second URI *; webmail.domain.com/owa, URI2 *; mail.domain.com/owa (HTTPS) and the third *; extranet.domain.com and the fourth URI *; www.domain.com (HTTP). But somehow the URI is not working as I thought it should be. I only want it to listen to the specified URI. Everything else should be bounced. Could someone give me several examples?

      Thanks a lot,
      Canefield

      • marcelloc

        @canefield:

        • 127.0.0.1 on 9443 => webGUI pfSense
        • 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
        • 192.168.150.7 on port 443 => MS SharePoint
        • 192.168.150.12 on port 80 => Corporate website

        The http host could be your second test before owa.

        Remember that the squid-reverse code uses specific options for owa, so configure it on the General tab instead of publishing it as a web host. Maybe in a future release I could merge it in a simpler way.

        @canefield:

        Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs.

        first mapping:
        peer 127.0.0.1
        uri *
        fqdn remote.domain.com

        second mapping
        peer 192.168.150.12
        uri *
        fqdn www.domain.com

        third mapping
        peer 192.168.150.7
        uri *
        fqdn extranet.domain.com

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        • canefield

          Marcello,

          First of all, thanks again.

          As you described above I had configured my Squid Reverse Proxy; in particular the part about the 'web servers' and 'mappings'. But when using more than one 'mapping', my configuration didn't work anymore. Despite having the correct servers configured in the 'web servers' and pointing to the right peers in the 'mappings'. Besides that I encounter additional problems regarding DNS. Meaning, when browsing to another DNS-name that is pointing to the same external IP-address, let's say server.domain.com, I get the same page in front of me. That is when I only use one 'mapping', otherwise nothing works. So my conclusion is that it ain't listening to the URI/host-header. Other than those configured should be ignored/rejected/bounced, right? How come?

          Regarding Microsoft Exchange I don't follow the overall picture. Squid has on the 'General' tab the possibility to configure just one internal IP-address pointing to the Microsoft Exchange server and a lot of features which can be enabled. Having NLB (Network Load Balancer) in place gives me no issues when pointing to that specific IP-address. But like on the 'mappings' tab I can/could enter URI/host-header it (only?) should listen on. Where is that in the 'General' tab? Is that the 'external FQDN'? Some say just to enter your preferred DNS-name, others with my ISP machine name (PTR), my external IP-address, etcetera.
          Then on the 'General' tab there is the option to fill in the 'reverse HTTP default site' and the 'reverse HTTPS default site'? As I understand it all requests will at first point to the 'reverse HTTP/HTTPS default website' and regarding the configured 'web servers' and 'mappings' it will do otherwise, correct?

          Thanks a lot,
          Canefield

          • marcelloc

            @canefield:

            As you described above I had configured my Squid Reverse Proxy; in particular the part about the 'web servers' and 'mappings'. But when using more than one 'mapping', my configuration didn't work anymore. Despite having the correct servers configured in the 'web servers' and pointing to the right peers in the 'mappings'. Besides that I encounter additional problems regarding DNS. Meaning, when browsing to another DNS-name that is pointing to the same external IP-address, let's say server.domain.com, I get the same page in front of me. That is when I only use one 'mapping', otherwise nothing works. So my conclusion is that it ain't listening to the URI/host-header. Other than those configured should be ignored/rejected/bounced, right? How come?

            Can you check in /usr/local/etc/squid/squid.conf whether your mappings were correctly applied to the config?

            @canefield:

            Regarding Microsoft Exchange I don't follow the overall picture. Squid has on the 'General' tab the possibility to configure just one internal IP-address pointing to the Microsoft Exchange server and a lot of features which can be enabled. Having NLB (Network Load Balancer) in place gives me no issues when pointing to that specific IP-address. But like on the 'mappings' tab I can/could enter URI/host-header it (only?) should listen on. Where is that in the 'General' tab? Is that the 'external FQDN'? Some say just to enter your preferred DNS-name, others with my ISP machine name (PTR), my external IP-address, etcetera.

            This is squid-reverse code that I have not had time to migrate/improve/test yet. I think owa will hit the default fqdn the same way you thought.

            @canefield:

            Then on the 'General' tab there is the option to fill in the 'reverse HTTP default site' and the 'reverse HTTPS default site'? As I understand it all requests will at first point to the 'reverse HTTP/HTTPS default website' and regarding the configured 'web servers' and 'mappings' it will do otherwise, correct?

            It will always match fqdn mappings first.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            • canefield

              Marcello, All,

              I saw a new update related to Squid? Some new parts/configs? What will happen with my configuration after updating this package or let's say in general to all other packages? I always first make a backup for security reasons, but what happens normally?

              In depth about URIs; what are other options I can configure? I see a lot of options above the config suggested, but what could be used?

              URI          [http://|https://]vhost fqdn(optional)

              So I used something like
              *            webmail.domain.com
              *            mail.domain.com

              But is underneath also a valid configuration:
              *            webmail.domain.com/*
                  OR
              *            https://webmail.domain.com/*
                  OR
              *            https://webmail.domain.com/owa
                  ETC.

              *; wildcard is in my understanding everything behind the FQDN. Saves a lot of typing different suffixes, only for MS Exchange: owa, ews, oab, autodiscover, etc.

              I have a related question in the 'Alternative for MS TMG 2010 = pfSense ???', but here more details about the URIs.

              Thanks a lot,
              Canefield

              • marcelloc

                @canefield:

                I saw a new update related to Squid? Some new parts/configs? What will happen with my configuration after updating this package or let's say in general to all other packages? I always first make a backup for security reasons, but what happens normally?

                Just in case, make a backup before updating.
                The changes are new options for captive portal, faster start-up during boot and dynamic cache options.

                @canefield:

                In depth about URIs; what are other options I can configure? I see a lot of options above the config suggested, but what could be used?

                *; wildcard is in my understanding everything behind the FQDN. Saves a lot of typing different suffixes, only for MS Exchange: owa, ews, oab, autodiscover, etc.

                I think the same way, fqdn suggests a hostname, not a URL with a wildcard. But I'm not sure whether squid3 supports this config or not.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                • canefield

                  Dear all,

                  Regarding the 'wildcard' symbol, if I take a look at the config I already see that all URIs automatically get a wildcard suffix just by entering the FQDN. So I suppose it is not needed at all. Isn't that strange? When I only want to host 'www.domain.com/test' it ain't possible?

                  Please help me out. I want to have my Exchange (and all features) working behind pfSense.

                  Thanks,
                  Canefield
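
As an added example (not code from the thread or from the pfSense Squid package), the sketch below evaluates a hand-written squid.conf fragment in the order Squid applies `http_access` and `cache_peer_access` rules, to check that only the published host and path reach a peer and that requests for any other host name are refused. The ACL and peer names (`rvm_*`, `rvp_*`) and the regex patterns are assumptions; it models only `url_regex` ACLs without `!` negation.

```python
import re
# Constructed squid.conf fragment (hand-written for this example, not package output).
SAMPLE_CONF = r"""
cache_peer 192.168.150.12 parent 80 0 no-query originserver name=rvp_www
cache_peer 192.168.150.7 parent 443 0 no-query originserver ssl name=rvp_extranet
acl rvm_www url_regex -i ^http://www\.domain\.com/test(/|$)
acl rvm_extranet url_regex -i ^https://extranet\.domain\.com/
cache_peer_access rvp_www allow rvm_www
cache_peer_access rvp_www deny all
cache_peer_access rvp_extranet allow rvm_extranet
cache_peer_access rvp_extranet deny all
http_access allow rvm_www
http_access allow rvm_extranet
http_access deny all
"""

def parse(conf):
    peers, acls, peer_rules, http_rules = {}, {}, {}, []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "cache_peer":
            name = next((t[5:] for t in tok if t.startswith("name=")), tok[1])
            peers[name] = f"{tok[1]}:{tok[3]}"          # origin server as ip:port
        elif tok[0] == "acl" and tok[2:3] == ["url_regex"]:  # only url_regex ACLs are modelled
            flags = re.I if "-i" in tok[3:] else 0
            acls.setdefault(tok[1], []).extend(re.compile(p, flags) for p in tok[3:] if p != "-i")
        elif tok[0] == "cache_peer_access":
            peer_rules.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok[0] == "http_access":
            http_rules.append((tok[1], tok[2:]))
    return peers, acls, peer_rules, http_rules

def decide(rules, acls, url, empty):
    # First rule whose ACLs all match wins; with no match Squid takes the opposite of the last rule.
    for action, names in rules:
        if all(n == "all" or any(rx.search(url) for rx in acls.get(n, [])) for n in names):
            return action == "allow"
    return rules[-1][0] == "deny" if rules else empty

def route(conf, url):
    """Return 'ip:port' of the origin server that would receive url, or None if it is refused."""
    peers, acls, peer_rules, http_rules = parse(conf)
    if not decide(http_rules, acls, url, empty=False):
        return None
    return next((t for n, t in peers.items() if decide(peer_rules.get(n, []), acls, url, empty=True)), None)
if __name__ == "__main__":
    for u in ("http://www.domain.com/test/", "http://www.domain.com/", "https://server.domain.com/"):
        print(u, "->", route(SAMPLE_CONF, u))
```

Because the patterns are anchored with `^` and end in `(/|$)` or `/`, a request for `server.domain.com` or for `www.domain.com/testing` falls through to `http_access deny all` instead of being served by the first peer.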
