Squid 3 - Reverse Proxy

marcelloc

"The connection is reseted" is the squid3 message for no rule match.

The default fqdn is the full dns name instead of domain name.

Take a screenshot with a sample config. Maybe it will be easier to help.

qwaven

Thanks for your help.

I've added some photo's (4 of them) with sample entries.

Where domain.com is my primary domain, and mysite.domain.com would be the address I am trying to use and point to a specific internal server.

I do have another NAT rule on a different external port which works fine when by-passing the proxy.

Thanks for your help!

Cheers.

reserse_proxy_general.JPG_thumb

reserse_proxy_mappings.JPG_thumb

reserse_proxy_web_servers.JPG_thumb

reverse_proxy_firewall_rule.JPG_thumb

qwaven

So after looking at my own screenshots I tried one more thing.

I unchecked "reset unauthorized connections" and I now see more info. I believe it is something with Squid blocking the connection?


The following error was encountered while trying to retrieve the URL: http://mysite.domain.com/

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is admin@domain.com.

Would you happen to know what option would effect "access"?

Thanks!

marcelloc

Change external fqdn to mysite.domain.com and check squid realtime tab / error logs.

qwaven

Thanks for your response.

I had already tried setting FQDM to mysite.domain.com ; tried it again and its still not working.

I'm not sure where to see the live logs, under SARG I see this:

2012-07-04 13:57 xxx.xxx.xxx.xxx - GET mysite.domain.com

I'm wondering if I use mysite.domain.com does that mean I cannot have more than one domain (website) behind the proxy?

Thanks!

qwaven

Hi again,

Thanks for your help.

I've stumbled upon Mod Security package which I think will better meet my needs. It seems to be working with my setup.

Thanks again. If you have any comments (should I not use this?) or something please let me know.

Cheers

marcelloc

@qwaven:

I've stumbled upon Mod Security package which I think will better meet my needs. It seems to be working with my setup.

I'm doind new package gui for modsecurity :D

It's almost done, maybe this week.

qwaven

Cool I'd be happy to try the new one out.

Thanks for your help.

Cheers. :)

yon

Hi, I am new use the Squid 3. I want to do like www.facebook.com.sixxs.org Reverse Proxy service. How I do it? Could you help me?!

qwaven

Hey marcelloc,

Been using your mod_security package and its still working great! Curious about the functionality. My understanding is that Mod_Security is supposed to be an "application firewall/IPS" for web servers… is this still the case or is this solely running in proxy only mode?

If its able to do the firewall bit, will the new package you're working on including customizations for this? (or how does one customize rules)

Thoughts or input?

Thanks for all your hard work! Very much appreciated. :)

Update: Figure I'm supposed to edit / add code to the bottom "custom mod security rules" and when I put one from the mod security site to change what my web server is reported as it does not seem to apply or nmap is able to still figure it out 100% correctly?

Thanks

marcelloc

@qwaven:

Been using your mod_security package and its still working great!

This is not my package, I'm just improving an existing package :)

@qwaven:

Curious about the functionality. My understanding is that Mod_Security is supposed to be an "application firewall/IPS" for web servers… is this still the case or is this solely running in proxy only mode?

If I'm not wrong modsecurity rules on current package are too old, so just some features are working

@qwaven:

If its able to do the firewall bit, will the new package you're working on including customizations for this? (or how does one customize rules)

New version will have a lot of new modsecurity_options, updated rules and rules customization

qwaven

haha whoops… well thanks to the creator then! ;)

I'll hold off playing with this older package and eagerly wait for your new one. Sounds like it will be quite nice! :)

Will it be seen as an update or a totally new package?

Thanks again.

Cheers!

marcelloc

@qwaven:

Will it be seen as an update or a totally new package?

Maybe as an update, but config will change a lot, save your config on a txt and/or backup file

qwaven

awesome thanks I'll look forward to it.

Cheers!