Squid3 reverse https proxy
-
OK ;D
When you have the pfsense in front with squid and MSE on an other computer; the solution I give works flawlessly !
If you want to keep NAT you HAVE to listen on loopback and reroute port (many post on this subject)
-
Stan, I'm sorry to say you are not correct. I have a pfsense firewall with one public IP and it is doing NAT for my internal network where I also have several webservers.
In my setup squid is not listening on the loopback adapter, its listening on my WAN address, and my reverse proxy works flawlessly to all the internal webservers. So either your config somehow works by accident, or your setup is just different.Raj, I'm not sure why it doesn't work for your cloud service. Are you sure it runs as a HTTPS site on the Cloud server itself (you have stated so in the WEBSERVERS dialog)?
When sitting on the inside network (same subnet) as the cloudserver, can you reach it by using https://internalname.internaldomain.xxx? (whatever name it has on the inside). -
Ok managed to get exchange the my website working.
Now would this also work if there are different domain, let say https://mydoamin.com and https://mystuff.co.uk
Cheers,
Raj
-
Hi Raj
I'm not quite sure I understand your question, but I think you are asking if you can reach your exchange server with other domainnames than just the first one (entered in the external FQDN).
If that's the question, then yes, that can be configured. Basically you also need to create your Exchange Server as a WEBSERVER, and then you need to create a new mapping using the Exchange Server as peer. On this mapping you can enter the new URI's ( ^https//mydomain.com/.$ and ^https//mystuff.co.uk/.$)
-Keyser
-
Hi Keyser,
Thanks for the assistance first of all. I will host a few domains on https and I have only one wan ip.
I have been able to achieve the same type of setup with http by using varnish3.
So currently for my own domain, with an exchage server and another https website with the same domain, and your help I got that working.
Now the question is can I add different domains to point to their own sites ( https) basically varnish for https.
Cheers,
Raj
-
Keyser … this is the best course of action from MARCELLOC himself and one of the senior member.
Reverse proxy on the wan WITH NAT lead to issues !
-
So is there a way for me to achieve what i am looking to do with pfsense pls?
-
Well Stan you might be right as I have only done what seems logical and intuitive - which i might add is where pfsense is one of the best firewalls I have seen.
But I have not had any issues with my reverse proxy listening on the WAN interface. In terms of networking that is also by far and away the most "clean" looking and intuitive solution.So i guess you are suggesting to make a NAT portforward of 80/443 to the loopback adapter and have squid listen on that interface instead? That seems really cumbersome.
What are the potential issues with having squid listen on WAN directly?-Keyser
-
Raj
Yes, you should definately be able to run several different HTTPS based services (with different domain names) on just one public IP. I know I do ;-)
The trick is - if you dont want certificate warnings - that you need a SAN (Subject Alternate Name) Certificate on your pfsense as the certificate used in the squid reverse proxy config. This certificate has all of the different domain names you wish to publish, and from then on, you can simply make as many internal WEBSERVERS as needed, and as many mappings as needed. One mapping rule can easily hold several different URI's (to point several different domains/sites) to the same backend webserver.-Keyser
-
Raj
Yes, you should definately be able to run several different HTTPS based services (with different domain names) on just one public IP. I know I do ;-)
The trick is - if you dont want certificate warnings - that you need a SAN (Subject Alternate Name) Certificate on your pfsense as the certificate used in the squid reverse proxy config. This certificate has all of the different domain names you wish to publish, and from then on, you can simply make as many internal WEBSERVERS as needed, and as many mappings as needed. One mapping rule can easily hold several different URI's (to point several different domains/sites) to the same backend webserver.-Keyser
Hi Keyser,
This would be for two different domains…ex domainA.com and domainB.com?
If it is the same domain, a wild card cert should be fine....correct?
so something.domainA.com and otherthing.domainA.com will both work with a wildcard using reverse proxy. -
Yes, a SAN certificate is for different domain named services (ex: https://www.domain1.com and https://www.domain2.com). That works well with squid3 reverse proxy like i wrote to raj.
A wildcard certificate also works just fine on squid3 reverse (i have tried that too). But like you said that can only be used for different services with the same domainname (ex: https://site1.domain1.com and https://site2.domain1.com). The wildcard certificate in this example would have a common name like this: *.domain1.com
-
Yes exactly
Listen on loopback
2 NAT : 80 to loopback on squid IP
443 to loopback on squid IPWorks like a charm
With this course of action, you can keep NAT AND ! Squid reverse proxy
-
Stan
What are the issues with having squid listening on WAN directly? I haven't seen any yet, and I do NAT outbound.
I'm running a fairly new snapshot of 2.1 x64