
    Squid-reverse

    • T
      trendchiller
      last edited by

      Hi !

      the squid-reverse package is a replacement for the "normal" squid package since pfSense 2.0 and combines reverse functionality with the normal squid caching proxy.

      you can use the squid-reverse package to replace the squid package when you're using squid in pfSense 2.0. the configuration should be kept.

      squid-reverse is not available in pfSense 1.x.

      i'll bump the squid version in squid-reverse to squid 3.x when squid 3.x is running stable…

      • S
        Sam0r
        last edited by

        Could you post a sample configuration?

        I've been trying on and off to get this working for months, and still can't.

        Everything looks right, but it just won't forward anything!

        • T
          trendchiller
          last edited by

          Hi !
          You are trying to use the reverse part and it does not work ?
          First:
          Did you add Firewall-Rules from ANY to WAN-Address for 80 / 443 ?

          The three config fields are as follows:

          HOST_SSL;192.168.1.1;443;HTTPS
          HOST;192.168.1.1;80;HTTP

          WEBAPP_SSL;faq;https://gw.domainname.com
          WEBAPP;faq;http://gw.domainname.com

          HOST_SSL;WEBAPP_SSL
          HOST;WEBAPP

          here it works great !

          • G
            gtr33m
            last edited by

            Are there instructions anywhere, or do I simply follow something like this? http://wiki.squid-cache.org/SquidFaq/ReverseProxy

            Thanks,

            Mark

            • T
              trendchiller
              last edited by

              Hi !
              the packages should be self-explanatory, under each input field there are explanations…

              for further help, please ask ;-)
              • S
                Sam0r
                last edited by

                I've configured it like you suggested, and all I get when I try to browse to a page on it is:

                While trying to retrieve the URL: http://wi.atlantis.me.uk/

                The following error was encountered:

                Access Denied.
                Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

                • T
                  trendchiller
                  last edited by

                  is your subnet allowed under access control ?
                  or any destination blocked ?
                  • S
                    Sam0r
                    last edited by

                    I've left everything on default except the reverse proxy section, should I change anything on the other tabs?

                    Also, on your URI Definitions, what does the faq part mean?

                    • T
                      trendchiller
                      last edited by

                      you should check the access tab if your subnet is allowed and if there are any sites blocked…

                      the faq reflects the uri- after the fqdn http://server.domain.tld: for http://server.domain.tld/faq

                      FAQ_HTTP;faq;http://server.domain.tld will be http://server.domain.tld/faq

                      • S
                        Sam0r
                        last edited by

                        Sorted it.

                        I was trying to publish the root of the site.

                        Turns out you have to put a * in there for that.

                        So, my config looks like this:

                        Peer Definitions:
                        prometheushttp;192.1.22.6;80;HTTP

                        URI Definitions:
                        atlantisweb;*;http://www.atlantis.me.uk
                        atlantisweb;*;http://atlantis.me.uk
                        atlantiswi;*;http://wi.atlantis.me.uk

                        ACL Definitions:
                        prometheushttp;atlantisweb
                        prometheushttp;atlantiswi

                        I added my subnet into the top box in access control.

                        Then I enabled logging in the general settings, SSH'd to the box and entered the shell.

                        I ran tail -F /var/squid/logs/access.log so I could see all the incoming HTTP requests.

                        Now to get OWA, Outlook anywhere and active sync working over HTTPS.

                        Any ideas if this can do other HTTPS streaming things? I have a citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to activesync. At the moment it's running on 4430 but I'd like to run that through squid too.

                        1 Reply Last reply Reply Quote 0
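A consistency check for the three reverse-proxy fields discussed above, as an added example that is not code from the thread or from the squid-reverse package. The field layouts (`NAME;IP;PORT;PROTOCOL`, `NAME;PATH;URL`, `PEER;URI_NAME`) are inferred from the posts, and the function names are hypothetical.

```python
import ipaddress

def parse_rows(text, nfields):
    """Split one GUI field into ';'-separated rows; report rows with the wrong field count."""
    rows, problems = [], []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) == nfields:
            rows.append(parts)
        else:
            problems.append(f"expected {nfields} fields: {line.strip()!r}")
    return rows, problems

def lint(peers_text, uris_text, acls_text):
    """Return a list of problems found across the three reverse-proxy fields."""
    peers, p1 = parse_rows(peers_text, 4)   # NAME;IP;PORT;PROTOCOL (layout inferred)
    uris, p2 = parse_rows(uris_text, 3)     # NAME;PATH;URL
    acls, p3 = parse_rows(acls_text, 2)     # PEER_NAME;URI_NAME
    problems = p1 + p2 + p3
    for name, ip, port, _proto in peers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"peer {name}: invalid IP {ip!r}")
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"peer {name}: invalid port {port!r}")
    for name, path, url in uris:
        if not path:                        # the mistake reported in the thread
            problems.append(f"uri {name}: empty path for {url}; use * for the site root")
    peer_names = {row[0] for row in peers}
    uri_names = {row[0] for row in uris}
    for peer, uri in acls:
        if peer not in peer_names:
            problems.append(f"acl: undefined peer {peer!r}")
        if uri not in uri_names:
            problems.append(f"acl: undefined URI group {uri!r}")
    for name in sorted(uri_names - {uri for _, uri in acls}):
        problems.append(f"uri {name}: not mapped to any peer")
    return problems

# Sample values modeled on the thread, with * as the path for each published site root.
GOOD = ("prometheushttp;192.1.22.6;80;HTTP",
        "atlantisweb;*;http://www.atlantis.me.uk\natlantiswi;*;http://wi.atlantis.me.uk",
        "prometheushttp;atlantisweb\nprometheushttp;atlantiswi")
# Constructed broken input: bad IP, empty path, ACL naming a peer that does not exist.
BAD = ("web;192.168.1.300;80;HTTP", "site;;http://example.test", "web2;site")

if __name__ == "__main__":
    print(lint(*GOOD), lint(*BAD), sep="\n")
```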
                        • marcellocM
                          marcelloc
                          last edited by

                          @Sam0r:

                          I have a citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to activesync.

                          If it's not http, you may need to use haproxy or native pfSense load balancer to balance tcp connections.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          • S
                            Sam0r
                            last edited by

                            Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

                            I just want a reverse proxy, like in forefront TMG/ISA Server!

                            • marcellocM
                              marcelloc
                              last edited by

                              @Sam0r:

                              Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

                              I just want a reverse proxy, like in forefront TMG/ISA Server!

                              I have it working with varnish, haproxy and apache.

                              To get balance with https without having certificate issues, you may need a wildcard certificate.

                              Varnish does all http balance/cache
                              Haproxy does the https balance
                              Apache has the certificates and mod_security

                              • S
                                Sam0r
                                last edited by

                                I think I'll just go back to using Forefront TMG.

                                As good as pfsense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

                                No offence to the community, it's a great work in progress, but it's not for me.

                                thanks for your time.

                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by

                                  @Sam0r:

                                  I think I'll just go back to using Forefront TMG.

                                  As good as pfsense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

                                  No offence to the community, it's a great work in progress, but it's not for me.

                                  thanks for your time.

                                  There are so many things wrong with that statement I don't know where to begin. But you are right, there is no one perfect solution for everyone, use whatever works best for you.

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    @jimp:

                                    There are so many things wrong with that statement I don't know where to begin. But you are right, there is no one perfect solution for everyone, use whatever works best for you.

                                    I second that.

                                    pfSense works great for me.
                                    • D
                                      dhatz
                                      last edited by

                                      I think a big difference has to do with the scale of such setups:

                                      iirc marcelloc is overseeing a large-scale setup (Exchange 2010 with tens of thousands of mailboxes), so he can probably justify spending many hours to intimately learn those different packages in order to integrate and properly test them.

                                      Someone with a much smaller installation, say 100-200 users, may just want a reverse-proxy solution that "simply works" and offers commercial support, because he's probably busy with a dozen other IT-related subjects.

                                      So, as jimp noted, there is no one perfect solution for everyone.

                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        @dhatz:

                                        I think a big difference has to do with the scale of such setups:

                                        iirc marcelloc is overseeing a large-scale setup (Exchange 2010 with tens of thousands of mailboxes), so he can probably justify spending many hours to intimately learn those different packages in order to integrate and properly test them.

                                        Someone with a much smaller installation, say 100-200 users, may just want a reverse-proxy solution that "simply works" and offers commercial support, because he's probably busy with a dozen other IT-related subjects.

                                        So, as jimp noted, there is no one perfect solution for everyone.

                                        You are 100% right.
                                        All features that I needed in pfsense that were not part of it, I have published to help many others to reach the same result with less effort.

                                        Seeing Sam0r's difficulty in getting a simple web proxy solution, maybe I can improve the varnish package to require less configuration or dependencies, for example.
                                        • jimpJ
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          maybe have a wizard to set up exchange forwarding in Varnish. Steps through and asks, host name, IP, etc.

                                          No need to dumb down the whole GUI just find a way to make some common tasks easier.

                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            @jimp:

                                            maybe have a wizard to set up exchange forwarding in Varnish. Steps through and asks, host name, IP, etc.

                                            No need to dumb down the whole GUI just find a way to make some common tasks easier.

                                            great idea!  :)

                                            I'll try it when I finish dansguardian.
