Squid3 reverse https proxy

rajbps

Ok managed to get exchange the my website working.

Now would this also work if there are different domain, let say https://mydoamin.com and https://mystuff.co.uk

Cheers,

Raj

keyser

Hi Raj

I'm not quite sure I understand your question, but I think you are asking if you can reach your exchange server with other domainnames than just the first one (entered in the external FQDN).

If that's the question, then yes, that can be configured. Basically you also need to create your Exchange Server as a WEBSERVER, and then you need to create a new mapping using the Exchange Server as peer. On this mapping you can enter the new URI's ( ^https//mydomain.com/.$  and  ^https//mystuff.co.uk/.$)

-Keyser

rajbps

Hi Keyser,

Thanks for the assistance first of all. I will host a few domains on https and I have only one wan ip.

I have been able to achieve the same type of setup with http by using varnish3.

So currently for my own domain, with an exchage server and another https website with the same domain, and your help I got that working.

Now the question is can I add different domains to point to their own sites ( https) basically varnish for https.

Cheers,

Raj

stanthewizard

Keyser … this is the best course of action from MARCELLOC himself and one of the senior member.

Reverse proxy on the wan WITH NAT lead to issues !

rajbps

So is there a way for me to achieve what i am looking to do with pfsense pls?

keyser

Well Stan you might be right as I have only done what seems logical and intuitive - which i might add is where pfsense is one of the best firewalls I have seen.
But I have not had any issues with my reverse proxy listening on the WAN interface. In terms of networking that is also by far and away the most "clean" looking and intuitive solution.

So i guess you are suggesting to make a NAT portforward of 80/443 to the loopback adapter and have squid listen on that interface instead? That seems really cumbersome.
What are the potential issues with having squid listen on WAN directly?

-Keyser

keyser

Raj

Yes, you should definately be able to run several different HTTPS based services (with different domain names) on just one public IP. I know I do ;-)
The trick is - if you dont want certificate warnings - that you need a SAN (Subject Alternate Name) Certificate on your pfsense as the certificate used in the squid reverse proxy config. This certificate has all of the different domain names you wish to publish, and from then on, you can simply make as many internal WEBSERVERS as needed, and as many mappings as needed. One mapping rule can easily hold several different URI's (to point several different domains/sites) to the same backend webserver.

-Keyser

vito

@keyser:

Raj

Yes, you should definately be able to run several different HTTPS based services (with different domain names) on just one public IP. I know I do ;-)
The trick is - if you dont want certificate warnings - that you need a SAN (Subject Alternate Name) Certificate on your pfsense as the certificate used in the squid reverse proxy config. This certificate has all of the different domain names you wish to publish, and from then on, you can simply make as many internal WEBSERVERS as needed, and as many mappings as needed. One mapping rule can easily hold several different URI's (to point several different domains/sites) to the same backend webserver.

-Keyser

Hi Keyser,

This would be for two different domains…ex domainA.com and domainB.com?
If it is the same domain, a wild card cert should be fine....correct?
so something.domainA.com and otherthing.domainA.com will both work with a wildcard using reverse proxy.

keyser

Yes, a SAN certificate is for different domain named services (ex: https://www.domain1.com and https://www.domain2.com). That works well with squid3 reverse proxy like i wrote to raj.

A wildcard certificate also works just fine on squid3 reverse (i have tried that too). But like you said that can only be used for different services with the same domainname (ex: https://site1.domain1.com and https://site2.domain1.com). The wildcard certificate in this example would have a common name like this: *.domain1.com

stanthewizard

Yes exactly
Listen on loopback
2 NAT :  80 to loopback on squid IP
              443 to loopback on squid IP

Works like a charm

With this course of action, you can keep NAT AND ! Squid reverse proxy

keyser

Stan

What are the issues with having squid listening on WAN directly? I haven't seen any yet, and I do NAT outbound.
I'm running a fairly new snapshot of 2.1 x64