Squid3 - Reverse Proxy Help

louis-m

I'm having the same issue here with the latest squid on 2.1_x64
I can access my sites no problem using http. However, trying to use https is a different matter.
Server A (windows 2k8r2) & Server B (centos_6.3_x64) can both be reached internally on http & https.
However, they can only be reached on http externally. Any idea?

marcelloc

are you on latest package version?

firewall rules for https are also ok?

louis-m

your hands are are quick as your avatar!!
firewall rules are ok. i can test this by setting up nat and it goes straight to the SERVER A or B so that part is working.

firewall logs show pfsense passing 80 to the wan and the realtime on the reverse proxy shows the internal sites getting hit with http.

firewall logs show pfsense passing 443 to the wan but the realtime on the reverse proxy shows nothing with regards to https.

louis-m

SOLVED…..

for some reason it didn't work until I specified 443 in the port settings. Then boom! off it went! Strange that you can leave the http port blank but not the https port.

marcelloc

@louis-m:

Strange that you can leave the http port blank but not the https port.

I'll check this field when I have time, thanks for the feedback. :)

farrukhndm

Hi,
Thanks for your post , My reverse proxy goes good without any problem . But the porblem is my mail server is running on https://mail.mydomain.com .i want that mail server should also available if user type http://mail.mydomain.com and reverse proxy redirect to https://mail.mydomian.com ???

http://mail.mydomian.com -> how to Redirect https://mail.mydomain.com

Please how it can be established.
Currently using Squid 3 Reverse proxy.

@nutt318:

I've been trying to figure out the Reverse Proxy with squid and I am not having any luck. I found this post (http://forum.pfsense.org/index.php/topic,51128.0.html) but it wasnt much help and from what I saw I think everything is setup properly. So, correct me if I'm wrong but the reverse proxy will look at the http header and will redirect you to the proper private address in cases where you only have 1 public IP and trying to host multiple websites.

Below is my setup, Hopefully someone can tell me what I have wrong.

Thanks!

Version
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6
You are on the latest version.

Squid3 Version
3.1.20 pkg 2.0.5_3

My domain is Registered through DreamHost, so I've setup a test1.mydomain.com to point to MyPublicIP and I setup test2.mydomain.com to point to the same MyPublicIP.

Now for the Reverse Proxy setup in pfSense.

[EDIT: removed unfetchable links causing password prompt -jimp]

marcelloc

Create an index.html on your internal http server redirecting http requests to https.

for example:
http://yourdomain.com -> http://192.168.1.1/ (index.html redirection to https://youdomain.com)
https://yourdomain.com -> https://your_internal_mail_server

farrukhndm

I think If we hitting our server directly on Public IP like mail.mydomain.com:80: 102.11.1.93 then its the responsibility of apache to switch http->https.

As per reverse proxy what i think we need some rule when http request come to pfsense it redirects to https://mail.mydomain.com .As mail.mydomain.com is already configured on https.

I think squid reverse proxy dosn't support http -> https redirection .As i tested i made rule

i create rule which dons't work for http ->https redirection but only work when i open https://mail.mydomain.com

Reverse proxy-> webserver:
on mail 10.10.10.110 443 HTTPS
MAPING:
on https mail https
URI:
https://mail.mydomain.com
http://mail.mydomain.com        ( mean simple http traffic goes to 443!! but it dosn't change http to https ?? )

geijt

Squid support redirecting traffic from HTTP to HTTPS, also for reverse-proxy.
I modified the squid-reverse package to support this configuration and requested a merge with the pfsense package.

With my modification you can enter hostname(s) to listen on, enter a regex for the path and the destination where you want the request to be redirected to.
HTTP/HTTPS protocols are both supported.

You can redirect requests from mail.mydomain.com (protocol HTTP selected) to https://mail.mydomain.com (like farrukhndm want)
In case of Microsoft Exchange redirecting from mail.mydomain.com and webmail.mydomain.com (both protocols selected) to https://webmail.mydomain.com/owa is also supported.
You also can use it to support the Microsoft Exchange Autodiscover HTTP to HTTPS redirect function

I think you can expect the updated package soon.

marcelloc

geijt,

Thanks for the contribution!

Does Mappings and Redirects can be done one one single config page?

Isn't it a bit confusing to config?

geijt

Marcelloc,

Probably it will be possible to merge the mappings and redirects to one page but because of the differences in the required values for both I think it will be more confusing then and it also will result in loss of flexibility/power.
A redirect technically doesn't need a mapping (or web server), they can redirect to anything (e.g. pfsense.org)

daehnomel

I need help with a different aspect of suid 2.  FYI- running latest pf build 2.02 (i386), with latest squid reverse pkg.  I have my reverse prxy configured to serve multiple backend web servers to a single (home) ip.  Both HTTP and HTTPS configured and working…with one exception, java.  Anyhting running a java applet, http or https either times out or fails.  I'm guessing this is not a URL issue.  JIC here is an example of my standard url REGEX (I use a sub-domain for each backend server) :  subdomain.domain.tld(.*)?

Any suggestions would be appreciated.