Netgate Discussion Forum

    Squid3 - Reverse Proxy Help

    pfSense Packages
    16 Posts 6 Posters 18.1k Views
    nutt318

      I've been trying to figure out the Reverse Proxy with squid and I am not having any luck. I found this post (http://forum.pfsense.org/index.php/topic,51128.0.html) but it wasn't much help and, from what I saw, I think everything is set up properly. So, correct me if I'm wrong, but the reverse proxy will look at the http header and will redirect you to the proper private address in cases where you only have 1 public IP and are trying to host multiple websites.

      Below is my setup. Hopefully someone can tell me what I have wrong.

      Thanks!

      Version
      2.0.1-RELEASE (i386)
      built on Mon Dec 12 18:24:17 EST 2011
      FreeBSD 8.1-RELEASE-p6
      You are on the latest version.

      Squid3 Version
      3.1.20 pkg 2.0.5_3

      My domain is registered through DreamHost, so I've set up test1.mydomain.com to point to MyPublicIP and I set up test2.mydomain.com to point to the same MyPublicIP.

      Now for the Reverse Proxy setup in pfSense.

      [EDIT: removed unfetchable links causing password prompt -jimp]

      nutt318

        So I've got it working, sort of, by doing a reboot; however, I'm still having a few problems. At first I just had 2 dummy webservers running to test, which worked great over http:, but now the ones I really want to get working are over https:. I created the same settings in the reverse proxy and also added our *.mydomain.com wildcard cert for the reverse SSL certificate.

        Anyway, our servers have self-signed certificates which throw security errors because the cert isn't signed by a trusted authority. No big deal, but I would like to use our wildcard cert to override this warning, and from the settings it looks like this is possible. However, it's still showing the original self-signed one.

        Also now the https sites are not wanting to resolve properly from the outside.

        Any ideas?

        nutt318

          I'm still needing some help on this. Any reason for https reverse proxy not to work?

          nutt318

            I guess I'll just try to beat this thread to death, at this point I'm not sure if HTTPS works using the Reverse Proxy.

            I'm getting this error when trying to access the 2 sites over HTTPS from outside the firewall. However 2 different sites work great using HTTP.

            Under the Real Time monitor tab in the Reverse Proxy section I'm seeing these errors.

            I would greatly appreciate any help/recommendations

            Here is my squid.conf file. The sites I'm having problems with are called Jira and Confluence.

            
            # This file is automatically generated by pfSense
            # Do not edit manually !
            http_port 10.10.0.1:3128
            http_port 127.0.0.1:3128 intercept
            icp_port 7
            
            pid_filename /var/run/squid.pid
            cache_effective_user proxy
            cache_effective_group proxy
            error_default_language English
            icon_directory /usr/local/etc/squid/icons
            visible_hostname localhost
            cache_mgr myemail@mydomain.com
            access_log /var/squid/logs/access.log
            cache_log /var/squid/logs/cache.log
            cache_store_log none
            sslcrtd_children 0
            logfile_rotate 30
            shutdown_lifetime 3 seconds
            # Allow local network(s) on interface(s)
            acl localnet src  10.10.0.0/16
            uri_whitespace strip
            
            acl dynamic urlpath_regex cgi-bin \?
            cache deny dynamic
            cache_mem 512 MB
            maximum_object_size_in_memory 32 KB
            memory_replacement_policy heap GDSF
            cache_replacement_policy heap LFUDA
            cache_dir ufs /var/squid/cache 5000 16 256
            minimum_object_size 0 KB
            maximum_object_size 4 KB
            offline_mode off
            cache_swap_low 90
            cache_swap_high 95
            acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
            cache deny donotcache
            # No redirector configured
            
            #Remote proxies
            
            # Setup some default acls
            acl allsrc src all
            acl localhost src 127.0.0.1/32
            acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
            acl sslports port 443 563
            acl manager proto cache_object
            acl purge method PURGE
            acl connect method CONNECT
            
            acl allowed_subnets src 10.10.0.0/16 192.168.33.0/24
            acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
            http_access allow manager localhost
            
            # Allow external cache managers
            acl ext_manager src 127.0.0.1
            acl ext_manager src 10.10.0.1
            acl ext_manager src
            http_access allow manager ext_manager
            
            http_access deny manager
            http_access allow purge localhost
            http_access deny purge
            http_access deny !safeports
            http_access deny CONNECT !sslports
            
            # Always allow localhost connections
            http_access allow localhost
            
            request_body_max_size 0 KB
            delay_pools 1
            delay_class 1 2
            delay_parameters 1 -1/-1 -1/-1
            delay_initial_bucket_level 100
            delay_access 1 allow allsrc
            
            # Reverse Proxy settings
            http_port 75.151.74.9:80 accel defaultsite=mydomain.com vhost
            https_port 75.151.74.9:443 accel cert=/usr/local/etc/squid/5016c29e69a10.crt key=/usr/local/etc/squid/5016c29e69a10.key defaultsite=mydomain.com
            #test1
            cache_peer 10.10.0.39 parent 80 0 proxy-only no-query no-digest originserver login=PASS name=rvp_test1
            
            #test2
            cache_peer 10.10.30.5 parent 80 0 proxy-only no-query no-digest originserver login=PASS name=rvp_test2
            
            #jira
            cache_peer 10.10.0.17 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_jira
            
            #confluence
            cache_peer 10.10.0.21 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_confluence
            
            acl rvm_test1 url_regex -i test1.mydomain.com
            acl rvm_test2 url_regex -i test2.mydomain.com
            acl rvm_jira url_regex -i jira.mydomain.com
            acl rvm_confluence url_regex -i confluence.mydomain.com
            cache_peer_access rvp_test1 allow rvm_test1
            cache_peer_access rvp_test2 allow rvm_test2
            cache_peer_access rvp_jira allow rvm_jira
            cache_peer_access rvp_confluence allow rvm_confluence
            cache_peer_access rvp_test1 deny allsrc
            cache_peer_access rvp_test2 deny allsrc
            cache_peer_access rvp_jira deny allsrc
            cache_peer_access rvp_confluence deny allsrc
            never_direct allow rvm_test1
            never_direct allow rvm_test2
            never_direct allow rvm_jira
            never_direct allow rvm_confluence
            http_access allow rvm_test1
            http_access allow rvm_test2
            http_access allow rvm_jira
            http_access allow rvm_confluence
            
            # Package Integration
            redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
            redirector_bypass on
            redirect_children 3
            
            # Custom options
            
            # Always allow access to whitelist domains
            http_access allow whitelist
            # Setup allowed acls
            # Allow local network(s) on interface(s)
            http_access allow allowed_subnets
            http_access allow localnet
            # Default block all to be sure
            http_access deny allsrc
            
            

            [EDIT: removed unfetchable links causing password prompt -jimp]
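            The reverse-proxy section of a squid.conf like the one above can be checked mechanically. The script below is an added example, not code from this thread or from the pfSense squid package: it parses the accel ports, cache_peer, url_regex acl and cache_peer_access lines of the kind posted above, reports which origin server a given request URL would be handed to, and flags three things a reviewer would look at: an accel https_port without the vhost option (without it Squid does not use the Host header to choose a backend), url_regex patterns that are unanchored and have unescaped dots (so they also match URLs for other hosts), and TLS origins reached with sslflags=DONT_VERIFY_PEER. The function names, the PUBLIC_IP placeholder and the certificate paths are made up for the example; the sample config is constructed from the lines posted above.

```python
# Added example: a review script for the reverse-proxy section of a
# pfSense-generated squid.conf. Not part of the thread or the pfSense package;
# the function names, PUBLIC_IP and the certificate paths are made up here.
import re

# Constructed sample based on the lines posted in the thread.
SAMPLE_CONF = """\
acl allsrc src all
http_port PUBLIC_IP:80 accel defaultsite=mydomain.com vhost
https_port PUBLIC_IP:443 accel cert=/path/to/wildcard.crt key=/path/to/wildcard.key defaultsite=mydomain.com
cache_peer 10.10.0.39 parent 80 0 proxy-only no-query no-digest originserver login=PASS name=rvp_test1
cache_peer 10.10.0.17 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_jira
acl rvm_test1 url_regex -i test1.mydomain.com
acl rvm_jira url_regex -i jira.mydomain.com
cache_peer_access rvp_test1 allow rvm_test1
cache_peer_access rvp_jira allow rvm_jira
cache_peer_access rvp_test1 deny allsrc
cache_peer_access rvp_jira deny allsrc
"""

# The same config with the url_regex acls anchored and their dots escaped, so
# each one matches only the intended hostname on either listening port.
HARDENED_CONF = (
    SAMPLE_CONF
    .replace("url_regex -i test1.mydomain.com", r"url_regex -i ^https?://test1\.mydomain\.com/")
    .replace("url_regex -i jira.mydomain.com", r"url_regex -i ^https?://jira\.mydomain\.com/")
)


def parse_reverse_proxy(conf_text):
    """Collect accel ports, origin peers, url_regex/src-all acls and cache_peer_access rules."""
    ports, peers, acls, access = [], {}, {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (sample has no '#' inside a regex)
        if not line:
            continue
        directive, *args = line.split()  # squid.conf tokens are whitespace-separated, no shell escaping
        if directive in ("http_port", "https_port") and "accel" in args:
            ports.append({"directive": directive, "listen": args[0], "options": set(args[1:])})
        elif directive == "cache_peer":
            host, _kind, port, _icp_port, *opts = args
            name = next((o[len("name="):] for o in opts if o.startswith("name=")), host)
            peers[name] = {
                "host": host, "port": int(port), "ssl": "ssl" in opts,
                "verify_peer": not any(o.startswith("sslflags=") and "DONT_VERIFY_PEER" in o for o in opts),
            }
        elif directive == "acl" and len(args) >= 3:
            name, kind, *values = args
            if kind == "url_regex":
                flags = re.IGNORECASE if "-i" in values else 0
                acls[name] = [re.compile(v, flags) for v in values if v != "-i"]
            elif kind == "src" and values == ["all"]:
                acls[name] = None  # sentinel: matches every request
        elif directive == "cache_peer_access":
            peer, action, *acl_names = args
            access.append((peer, action, acl_names))
    return ports, peers, acls, access


def acl_matches(acls, name, url):
    """True if the named acl matches the request URL (acl types not modelled never match)."""
    if name not in acls:
        return False
    patterns = acls[name]
    return True if patterns is None else any(p.search(url) for p in patterns)


def eligible_peers(conf, url):
    """Peers whose cache_peer_access rules (first match wins) allow the URL.

    Squid then picks among eligible parents by its own selection rules; this
    model only lists which peers are still in the running.
    """
    _ports, peers, acls, access = conf
    eligible = []
    for peer in peers:
        rules = [(action, names) for p, action, names in access if p == peer]
        verdict = "allow" if not rules else "deny"  # no rules at all: Squid allows the peer
        for action, names in rules:
            if all(acl_matches(acls, n, url) for n in names):
                verdict = action
                break
        if verdict == "allow":
            eligible.append(peer)
    return eligible


def review(conf):
    """Findings a reviewer would raise about the parsed reverse-proxy section."""
    ports, peers, acls, _access = conf
    findings = []
    for port in ports:
        if "vhost" not in port["options"]:
            findings.append(f"{port['directive']} {port['listen']}: no vhost option, so the Host header "
                            "is not used to choose a backend and every request is treated as defaultsite")
    for name, patterns in acls.items():
        for p in patterns or []:
            if not (p.pattern.startswith("^") and r"\." in p.pattern):
                findings.append(f"acl {name}: url_regex {p.pattern!r} is unanchored or has unescaped "
                                "dots, so it can route URLs for other hosts to this peer")
    for name, peer in peers.items():
        if peer["ssl"] and not peer["verify_peer"]:
            findings.append(f"cache_peer {name}: TLS to {peer['host']}:{peer['port']} with "
                            "DONT_VERIFY_PEER, so the origin certificate is never checked")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONF), ("hardened acls", HARDENED_CONF)):
        conf = parse_reverse_proxy(text)
        print(f"== {label} ==")
        for finding in review(conf):
            print("finding:", finding)
        for url in ("https://jira.mydomain.com/browse/ABC-1", "http://other.example/?ref=jira.mydomain.com"):
            print(url, "->", eligible_peers(conf, url))
```

            Run it directly to see the findings for the posted acls and for the anchored ones. The acl check matters because Squid applies url_regex to the whole request URL: with vhost, that URL is rebuilt from whatever Host header the client sent, so an unanchored pattern such as jira.mydomain.com also matches a request for a different host that merely carries that string in its path or query, and such a request would be considered for the Jira peer. The peer-selection model is deliberately simplified: it lists every peer whose cache_peer_access rules still allow the URL and does not reproduce how Squid chooses among several eligible parents.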

            louis-m

              I'm having the same issue here with the latest squid on 2.1_x64
              I can access my sites no problem using http. However, trying to use https is a different matter.
              Server A (windows 2k8r2) & Server B (centos_6.3_x64) can both be reached internally on http & https.
              However, they can only be reached on http externally. Any idea?

              marcelloc

                Are you on the latest package version?

                Are the firewall rules for https also OK?

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                louis-m

                  Your hands are as quick as your avatar!!
                  Firewall rules are OK. I can test this by setting up NAT and it goes straight to SERVER A or B, so that part is working.

                  firewall logs show pfsense passing 80 to the wan and the realtime on the reverse proxy shows the internal sites getting hit with http.

                  firewall logs show pfsense passing 443 to the wan but the realtime on the reverse proxy shows nothing with regards to https.

                  louis-m

                    SOLVED...

                    for some reason it didn't work until I specified 443 in the port settings. Then boom! off it went! Strange that you can leave the http port blank but not the https port.

                    marcelloc

                      @louis-m:

                      Strange that you can leave the http port blank but not the https port.

                      I'll check this field when I have time, thanks for the feedback. :)


                      farrukhndm

                        Hi,
                        Thanks for your post. My reverse proxy works well without any problem. But the problem is that my mail server is running on https://mail.mydomain.com. I want the mail server to also be available if a user types http://mail.mydomain.com, with the reverse proxy redirecting to https://mail.mydomain.com ???

                        http://mail.mydomain.com -> how to redirect to https://mail.mydomain.com

                        Please, how can it be established?
                        Currently using Squid 3 Reverse proxy.

                        @nutt318:

                        I've been trying to figure out the Reverse Proxy with squid and I am not having any luck. I found this post (http://forum.pfsense.org/index.php/topic,51128.0.html) but it wasnt much help and from what I saw I think everything is setup properly. So, correct me if I'm wrong but the reverse proxy will look at the http header and will redirect you to the proper private address in cases where you only have 1 public IP and trying to host multiple websites.


                        marcelloc

                          Create an index.html on your internal http server redirecting http requests to https.

                          For example:
                          http://yourdomain.com -> http://192.168.1.1/ (index.html redirection to https://yourdomain.com)
                          https://yourdomain.com -> https://your_internal_mail_server


                          farrukhndm

                            I think if we are hitting our server directly on the public IP, like mail.mydomain.com:80 -> 102.11.1.93, then it's the responsibility of Apache to switch http -> https.

                            As for the reverse proxy, what I think we need is some rule so that when an http request comes to pfSense it redirects to https://mail.mydomain.com, as mail.mydomain.com is already configured on https.

                            I think the squid reverse proxy doesn't support http -> https redirection. As I tested, I made a rule.

                            I created a rule which doesn't work for http -> https redirection but only works when I open https://mail.mydomain.com

                            Reverse proxy -> webserver:
                            on mail 10.10.10.110 443 HTTPS
                            MAPPING:
                            on https mail https
                            URI:
                            https://mail.mydomain.com
                            http://mail.mydomain.com        ( meaning simple http traffic goes to 443!! but it doesn't change http to https ?? )

                            geijt

                              Squid supports redirecting traffic from HTTP to HTTPS, also for reverse-proxy.
                              I modified the squid-reverse package to support this configuration and requested a merge with the pfsense package.

                              With my modification you can enter hostname(s) to listen on, enter a regex for the path and the destination where you want the request to be redirected to.
                              HTTP/HTTPS protocols are both supported.

                              You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com (like farrukhndm wants).
                              In case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
                              You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function

                              I think you can expect the updated package soon.

                              marcelloc

                                geijt,

                                Thanks for the contribution!

                                Can Mappings and Redirects be done on one single config page?

                                Isn't it a bit confusing to configure?


                                geijt

                                  Marcelloc,

                                  Probably it will be possible to merge the mappings and redirects to one page but because of the differences in the required values for both I think it will be more confusing then and it also will result in loss of flexibility/power.
                                  A redirect technically doesn't need a mapping (or web server), they can redirect to anything (e.g. pfsense.org)

                                  daehnomel

                                    I need help with a different aspect of squid 2.  FYI - running latest pf build 2.02 (i386), with latest squid reverse pkg.  I have my reverse proxy configured to serve multiple backend web servers to a single (home) IP.  Both HTTP and HTTPS configured and working... with one exception, Java.  Anything running a Java applet, http or https, either times out or fails.  I'm guessing this is not a URL issue.  JIC here is an example of my standard URL REGEX (I use a sub-domain for each backend server):  subdomain.domain.tld(.*)?

                                    Any suggestions would be appreciated.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.