Netgate Discussion Forum

    Reverse proxy + HTTPS/SSL interception

      slevi

      Why does the Reverse Proxy service stop working when I enable HTTPS/SSL interception (Enable SSL filtering) in the Squid3-dev 3.3.10 Proxy server?
      In the Squid Reverse HTTP settings, "Enable HTTP reverse mode" is enabled.

        aGeekhere

        Did you tick Enable HTTPS reverse proxy?

        Never Fear, A Geek is Here!

          slevi

          @aGeekHere:

          Did you tick Enable HTTPS reverse proxy?

          Yes, but it doesn't work.

            slevi

            Can someone help me?

              jhochwald

              @slevi:

              Can someone help me?

              Do your clients have the root CA installed?

              If you intercept SSL traffic, all clients need to trust the certificate as master.
              SSL Interception is nearly the same as a "man in the middle Attack".

              Regards

              /JH

                aGeekhere

                Hi, I do not know your setup (or what you have not done), so please read through these two links

                https://forum.pfsense.org/index.php?topic=73640.0

                https://forum.pfsense.org/index.php?topic=79389.0

                After that tell me if it fixed the problem.

                Never Fear, A Geek is Here!

                  slevi

                  SquidGuard isn't the problem; it's not enabled.
                  I have 2 internal LANs:

                  1. LAN with: Windows Server 2008 R2 with Active Directory; Windows users; Ubuntu Server 14.04 with LAMP, so it's my first web server.
                  2. DMZ with only the second web server, another Ubuntu 14.04 with LAMP.

                  Reverse proxy works when:

                  • Proxy server: Authentication -> Authentication method: None

                  • SSL interception ON or OFF

                  or

                  • Proxy server: Authentication -> Authentication method: LDAP or Local

                  • SSL interception OFF

                  Reverse proxy doesn't work when:

                  • Proxy server: Authentication -> Authentication method: LDAP or Local

                  • SSL interception ON

                  @aGeekHere:

                  Hi, I do not know your setup (or what you have not done), so please read through these two links

                  https://forum.pfsense.org/index.php?topic=73640.0

                  https://forum.pfsense.org/index.php?topic=79389.0

                  After that tell me if it fixed the problem.

                  It doesn't fix the problem.

                  In the Squid real-time log, STATUS:
                  TCP_MISS/200: reverse proxy is working
                  TCP_MISS/503: reverse proxy is not working

                  ![04 reverse proxy.JPG](/public/imported_attachments/1/04 reverse proxy.JPG)
                  ![05 proxy.JPG](/public/imported_attachments/1/05 proxy.JPG)
                  ![06 proxy.JPG](/public/imported_attachments/1/06 proxy.JPG)
                  ![11 error.JPG](/public/imported_attachments/1/11 error.JPG)
                  ![12 tcp miss.JPG](/public/imported_attachments/1/12 tcp miss.JPG)
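
One way to quantify the TCP_MISS/200 versus TCP_MISS/503 pattern reported in the post above, as an added example that is not part of the original thread: a parser for Squid's native access.log format that counts requests to the published sites by result and by whether a backend peer was logged. The host names, addresses and log lines are constructed, and the native log format is an assumption about how the proxy is logging.

```python
import re
from collections import Counter

# Squid native access.log layout (assumed; the default "squid" logformat):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Hypothetical names of the two published web servers (LAN and DMZ).
SITE_HOSTS = {"www.example.test", "dmz.example.test"}

# Constructed sample lines, not taken from the thread's screenshots.
SAMPLE_LOG = """\
1416592801.120     45 203.0.113.7 TCP_MISS/200 5120 GET http://www.example.test/ - FIRSTUP_PARENT/192.0.2.10 text/html
1416592802.300      2 203.0.113.7 TCP_MISS/503 4096 GET http://www.example.test/ - HIER_NONE/- text/html
1416592803.410      1 203.0.113.9 TCP_MISS/503 4096 GET http://www.example.test/login - HIER_NONE/- text/html
1416592804.000     80 192.0.2.50 TCP_MISS/200 900 GET http://other.example.net/ alice HIER_DIRECT/198.51.100.5 text/html
1416592805.750     30 203.0.113.9 TCP_MISS/200 2048 GET http://dmz.example.test/ - FIRSTUP_PARENT/192.0.2.20 text/html
this line is truncated and must be skipped
"""

def url_host(url):
    """Host part of a logged URL; also handles CONNECT-style 'host:443'."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {**m.groupdict(), "status": int(m["status"])}

def summarize(log_text, site_hosts=SITE_HOSTS):
    """Count reverse-proxy requests by (host, code/status, backend logged)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        host = url_host(rec["url"])
        if host in site_hosts:  # ignore forward-proxy traffic
            counts[(host, f'{rec["code"]}/{rec["status"]}', rec["peer"] != "-")] += 1
    return counts

def failing(counts):
    # Keys whose HTTP status is 5xx, sorted for stable output.
    return sorted(k for k in counts if k[1].rsplit("/", 1)[1].startswith("5"))
```

A 503 paired with `HIER_NONE/-` shows that no backend peer was logged for the request, which points at the proxy's own configuration rather than at the web server behind it.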

                    aGeekhere

                    Hi, OK, a few ideas:

                    In "reverse SSL certificate" it is set as "webConfigurator default"; it should be certif1.

                    Tick "Transparent http proxy" as well.

                    What is in your "Integrations"?

                    What is in your "Custom ACLS (Before_Auth)"?

                    In webConfigurator:

                    What is your "SSL Certificate" set to? (It should be certif1, not webConfigurator default.)

                    And lastly, when you created your certificate, was Server set to Yes? (See link.)

                    http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/

                    I hope this helps

                    Never Fear, A Geek is Here!
