Squid3 - Reverse Proxy Help

nutt318

So I've got it working sorta by doing a reboot however I'm still having a few problems. So at first I just had 2 dummy webservers running to test which worked great over http: but now the ones I really want to get working are over https: I create the same settings in the reverse proxy and also added our *.mydomain.com wildcart cert for the reverse SSL certificate.

Anyways our servers have self signed certificates which throw security errors because the cert isnt signed by a trusted authority. No big deal buy I would like to use our wildcard cert to override this warning and from the settings it looks like this is possible. However it still showing the original self signed one.

Also now the https sites are not wanting to resolve properly from the outside.

Any ideas?

nutt318

I'm still needing some help on this. Any reason for https reverse proxy not to work?

nutt318

I guess I'll just try to beat this thread to death, at this point I'm not sure if HTTPS works using the Reverse Proxy.

I'm getting this error when trying to access the 2 sites over HTTPS from outside the firewall. However 2 different sites work great using HTTP.

Under the Real Time monitor tab in the Reverse Proxy section I'm seeing these errors.

I would greatly appreciate any help/recommendations

Here is my squid.conf file. The sites I'm having problems with are called Jira and Confluence.

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 10.10.0.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 7

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr myemail@mydomain.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 30
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  10.10.0.0/16
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 512 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 5000 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode offcache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
# No redirector configured

#Remote proxies

# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

acl allowed_subnets src 10.10.0.0/16 192.168.33.0/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 127.0.0.1
acl ext_manager src 10.10.0.1
acl ext_manager src
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings
http_port 75.151.74.9:80 accel defaultsite=mydomain.com vhost
https_port 75.151.74.9:443 accel cert=/usr/local/etc/squid/5016c29e69a10.crt key=/usr/local/etc/squid/5016c29e69a10.key defaultsite=mydomain.com
#test1
cache_peer 10.10.0.39 parent 80 0 proxy-only no-query no-digest originserver login=PASS name=rvp_test1

#test2
cache_peer 10.10.30.5 parent 80 0 proxy-only no-query no-digest originserver login=PASS name=rvp_test2

#jira
cache_peer 10.10.0.17 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_jira

#confluence
cache_peer 10.10.0.21 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_confluence

acl rvm_test1 url_regex -i test1.mydomain.com
acl rvm_test2 url_regex -i test2.mydomain.com
acl rvm_jira url_regex -i jira.mydomain.com
acl rvm_confluence url_regex -i confluence.mydomain.com
cache_peer_access rvp_test1 allow rvm_test1
cache_peer_access rvp_test2 allow rvm_test2
cache_peer_access rvp_jira allow rvm_jira
cache_peer_access rvp_confluence allow rvm_confluence
cache_peer_access rvp_test1 deny allsrc
cache_peer_access rvp_test2 deny allsrc
cache_peer_access rvp_jira deny allsrc
cache_peer_access rvp_confluence deny allsrc
never_direct allow rvm_test1
never_direct allow rvm_test2
never_direct allow rvm_jira
never_direct allow rvm_confluence
http_access allow rvm_test1
http_access allow rvm_test2
http_access allow rvm_jira
http_access allow rvm_confluence

# Package Integration
redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
redirector_bypass on
redirect_children 3

# Custom options

# Always allow access to whitelist domains
http_access allow whitelist
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

[EDIT: removed unfetchable links causing password prompt -jimp]

louis-m

I'm having the same issue here with the latest squid on 2.1_x64
I can access my sites no problem using http. However, trying to use https is a different matter.
Server A (windows 2k8r2) & Server B (centos_6.3_x64) can both be reached internally on http & https.
However, they can only be reached on http externally. Any idea?

marcelloc

are you on latest package version?

firewall rules for https are also ok?

louis-m

your hands are are quick as your avatar!!
firewall rules are ok. i can test this by setting up nat and it goes straight to the SERVER A or B so that part is working.

firewall logs show pfsense passing 80 to the wan and the realtime on the reverse proxy shows the internal sites getting hit with http.

firewall logs show pfsense passing 443 to the wan but the realtime on the reverse proxy shows nothing with regards to https.

louis-m

SOLVED…..

for some reason it didn't work until I specified 443 in the port settings. Then boom! off it went! Strange that you can leave the http port blank but not the https port.

marcelloc

@louis-m:

Strange that you can leave the http port blank but not the https port.

I'll check this field when I have time, thanks for the feedback. :)

farrukhndm

Hi,
Thanks for your post , My reverse proxy goes good without any problem . But the porblem is my mail server is running on https://mail.mydomain.com .i want that mail server should also available if user type http://mail.mydomain.com and reverse proxy redirect to https://mail.mydomian.com ???

http://mail.mydomian.com -> how to Redirect https://mail.mydomain.com

Please how it can be established.
Currently using Squid 3 Reverse proxy.

@nutt318:

I've been trying to figure out the Reverse Proxy with squid and I am not having any luck. I found this post (http://forum.pfsense.org/index.php/topic,51128.0.html) but it wasnt much help and from what I saw I think everything is setup properly. So, correct me if I'm wrong but the reverse proxy will look at the http header and will redirect you to the proper private address in cases where you only have 1 public IP and trying to host multiple websites.

Below is my setup, Hopefully someone can tell me what I have wrong.

Thanks!

Version
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6
You are on the latest version.

Squid3 Version
3.1.20 pkg 2.0.5_3

My domain is Registered through DreamHost, so I've setup a test1.mydomain.com to point to MyPublicIP and I setup test2.mydomain.com to point to the same MyPublicIP.

Now for the Reverse Proxy setup in pfSense.

[EDIT: removed unfetchable links causing password prompt -jimp]

marcelloc

Create an index.html on your internal http server redirecting http requests to https.

for example:
http://yourdomain.com -> http://192.168.1.1/ (index.html redirection to https://youdomain.com)
https://yourdomain.com -> https://your_internal_mail_server

farrukhndm

I think If we hitting our server directly on Public IP like mail.mydomain.com:80: 102.11.1.93 then its the responsibility of apache to switch http->https.

As per reverse proxy what i think we need some rule when http request come to pfsense it redirects to https://mail.mydomain.com .As mail.mydomain.com is already configured on https.

I think squid reverse proxy dosn't support http -> https redirection .As i tested i made rule

i create rule which dons't work for http ->https redirection but only work when i open https://mail.mydomain.com

Reverse proxy-> webserver:
on mail 10.10.10.110 443 HTTPS
MAPING:
on https mail https
URI:
https://mail.mydomain.com
http://mail.mydomain.com        ( mean simple http traffic goes to 443!! but it dosn't change http to https ?? )

geijt

Squid support redirecting traffic from HTTP to HTTPS, also for reverse-proxy.
I modified the squid-reverse package to support this configuration and requested a merge with the pfsense package.

With my modification you can enter hostname(s) to listen on, enter a regex for the path and the destination where you want the request to be redirected to.
HTTP/HTTPS protocols are both supported.

You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com (like farrukhndm want)
In case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function

I think you can expect the updated package soon.

marcelloc

geijt,

Thanks for the contribution!

Does Mappings and Redirects can be done one one single config page?

Isn't it a bit confusing to config?

geijt

Marcelloc,

Probably it will be possible to merge the mappings and redirects to one page but because of the differences in the required values for both I think it will be more confusing then and it also will result in loss of flexibility/power.
A redirect technically doesn't need a mapping (or web server), they can redirect to anything (e.g. pfsense.org)

daehnomel

I need help with a different aspect of suid 2.  FYI- running latest pf build 2.02 (i386), with latest squid reverse pkg.  I have my reverse prxy configured to serve multiple backend web servers to a single (home) ip.  Both HTTP and HTTPS configured and working…with one exception, java.  Anyhting running a java applet, http or https either times out or fails.  I'm guessing this is not a URL issue.  JIC here is an example of my standard url REGEX (I use a sub-domain for each backend server) :  subdomain.domain.tld(.*)?

Any suggestions would be appreciated.