SQUID3 Reverse Proxy question
-
Man you're awesome.
Hi,
this cannot work. When you access "test.domain.com", you will get IP 10.0.3.50 and your browser will access the server directly. You are not using the Reverse Proxy at all. You should enable NAT Reflection in System > Advanced > Firewall/NAT and you should NOT use other DNS entries internally externally. If this is configured correctly, all internet machines will access your servers the same way, as if they were external.
I've never used this before.
In System > Advanced > Firewall/NAT
Which option do I chose… ENABLE (NAT + Proxy) ?And is there anything else to configure ?
I took out the DNS forwards.
- Looks ok
A) Let the Reverse Proxy listen on LAN and WAN
C) How does the mapping look like? It should be "^https://test.domain.com/.$" and "^http://test.domain.com/.$"Then it should work.
Regards,
Darko
I made sure LAN and WAN were selected for the Reverse proxy.
I have 3 URI for mapping :
-
test.DOMAIN.COM
-
http://test.DOMAIN.COM/
-
^http://test.DOMAIN.COM/.*$
I was wondering if I should add:
-
https://test.DOMAIN.COM/
-
^https://test.DOMAIN.COM/.*$
-
Bumping this because I'm an attention whore
-
Hi,
yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.
basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so
^https://test.domain.com/.$
^http://test.domain.com/.$is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).
If you want to forward all HTTP to HTTPS, you can add an entry toServices > Reverse Proxy > Mappings
with the following configuration
Redirect name: Whatever
Redirect protocol: HTTP
Blocked domains: test.domain.com
Path regex: ^/.*$
URL to redirect to: https://test.domain.com/"Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.
-
One question: What is the port numbers under:
Services > Reverse Proxy > General
reverse HTTP port (in my case 8080)
reverse HTTPS port (in my case 8443)I have forwards from WAN 80 -> 8080 and 443 -> 8443
-
Hi,
yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.
basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so
^https://test.domain.com/.$
^http://test.domain.com/.$is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).
All that is done.
If you want to forward all HTTP to HTTPS, you can add an entry to
Services > Reverse Proxy > Mappings
with the following configuration
Redirect name: Whatever
Redirect protocol: HTTP
Blocked domains: test.domain.com
Path regex: ^/.*$
URL to redirect to: https://test.domain.com/"Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.
I guess you meant in
Services > Reverse Proxy > Redirects
and not
Services > Reverse Proxy > MappingsI added that too.
One question: What is the port numbers under:
Services > Reverse Proxy > General
reverse HTTP port (in my case 8080)
reverse HTTPS port (in my case 8443)I have forwards from WAN 80 -> 8080 and 443 -> 8443
Before I left it blank so by design the ports were 80 and 443.
I had WAN Firewall rules that would just PASS 80 and 443.Now I changed the
Services > Reverse Proxy > General
http://snag.gy/m0wlj.jpgAnd I have updated my WAN firewall rules like so :
http://snag.gy/yOZCY.jpg
http://snag.gy/OBRwk.jpgStill, when I try CURL on the mapped address, it goes :
curl: (7) Failed to connect to XXX port 80: Operation timed outWhen I try to ping it, I get 100.0% packet loss
I think there might be something else wrong :S
-
Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!
If squid runs on ports 80/443, then it would be sufficient to add only two rules:
- Destination port 80 to 80 (and nothing more)
- Desintation port 443 to 443
but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.
Remove the two rules and add two port forwards:
Interface: WAN
Protocol: TCP
Destination port range: From HTTP to HTTP (which is 80)
Redirect target IP: 127.0.0.1
Redirect target port: 8080
Filter rule association: Add associated filter ruleSame for 443/8443
They try again and report
-
Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!
If squid runs on ports 80/443, then it would be sufficient to add only two rules:
- Destination port 80 to 80 (and nothing more)
- Desintation port 443 to 443
but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.
Remove the two rules and add two port forwards:
Interface: WAN
Protocol: TCP
Destination port range: From HTTP to HTTP (which is 80)
Redirect target IP: 127.0.0.1
Redirect target port: 8080
Filter rule association: Add associated filter ruleSame for 443/8443
They try again and report
Okay so I deleted the rule.
But to make a port forward, I couldn't find a way to do that in Firewall > Rules.
So I added it in Firewall > NAT > Port Forward
Here are the new rules :
http://snag.gy/rZEWU.jpgDetail :
http://snag.gy/hRmpz.jpg
http://snag.gy/jJJOe.jpgJust to make sure I rebooted the whole pfsense server.
Then I SSH'ed into an external server and still when I tried CURL on the mapped address, it goes :
Code: [Select]
curl: (7) Failed to connect to XXX port 80: Operation timed outWhen I tried to ping it, I still got 100.0% packet loss
Also, from INTERNAL, now that I've removed the DNS forwarder, I can't access the server by typing it's FQDN.
-
Hi,
the rules look ok now.
I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.
Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.
Regards,
Darko
-
Hi,
the rules look ok now.
I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.
Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.
Regards,
Darko
You ROCK!!
That worked almost perfectly!I should have figured it out, as I just did the port forwarding to the loopback :S
Such a n00b, such a n00b I am…So right now with reverse proxy I have 2 servers configured... a CRM (https) and an ERP (http)
From LAN : Both work !!!!! Yay !
From WAN : The CRM (https) does work, the ERP (http) does NOT work !
I rebooted just to make sure… it's the same...
So, like I said, it's almost perfectly working!
-
Hi,
I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.
Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:
- Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
- Configure both peers with HTTPS (I presume you did)
- Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
- Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
- Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
- Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
- Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
- Same for erp.domain.com
- Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
- Same for the other(s)
Test and report.
-
hi, i have quite the same problem, i have pfsense 2.2
i want to use the reverse proxy, i just need http protocol i just have a few testing website
squid http listen to port 81 (8080 is already used) (of course i've enabled the use of port lower than 1024 on pfsense)
so i've enabled listen to lan, wan loopback
on webserver i've created my webserver that listen on port 80 http
on mapping i've created a record, that point to the previous peer, and added the domain as you written (^http://sub.domain.com/.*$)
nothing on redirectsnow i've added a nat rule on the firewall
from 80 to 81 on 127.0.0.1no if i go to http://sub.domain.com i just receive failed (like is blocked)
if i go to http://sub.domain.com:81 i receive a timeout errorthe sub.domain.com have an A record that point to my ip address
what's wrong ?
-
Hi,
here is an example of how I did it:
Ensure NAT Reflection is active
General setting of the Reverse Proxy, in my case 8080 for HTTP and 8443 for HTTPS. It listens on loopback. I am not sure, if it is required to listen on the WAN interface.
The two Port Forwards for 80 to 8080 and 443 to 8443
Here is an example of observium.domain.com externally on HTTPS, internally HTTP (yes, this works).
The according Mapping for HTTPS only
This redirect points http://photo.domain.com/ and https://photo.domain.com/ (root path only) to https://photo.domain.com/photo/. If the app does the redirect, it will point to http://photo.internal.domain.com/photo/ which does not work :-)
Compare and report if it works.
-
thanks but i don't get where is my error i'll add some screenshot maybe you spot something
-
Looks ok so far, I have the following ideas to check:
-
Is the domain really pointing to the right IP address? If you changed it lately, it can still be outdated with caching DNS servers
-
Is a different behavior from inside and outside?
-
Does the internal HTTP host expect a name? Does http://<internal-ip>/ give the right web site?</internal-ip>
-
-
btw the error that i get with curl if i go to sub.domain.com is
Recv failure: Connection reset by peerit's possible that the pfsense web interface create a problem ? because i've disabled the access from outside but it listen to port 80
so the domain sub.domain.com point to my ip the domain.com point to another ip this can be a problem?
inside i have another dns server so it's work, but not because i'm going thour pfsensethe server need to have the domain name on the url otherwise it serve the default apache page but if i go to http://IP-ADDRESS/ directly from outside i receive the same error as above
-
Hi,
yes, that is possible. I have changed the port to HTTPS 442 and use the Reverse Proxy to access it on 443 as all other internal hosts.
Move it and try again.
-
i have just changed the pfsense port to 90
but nothing changed, i still receive
Recv failure: Connection reset by peer
-
Reporting back…
So I was starting to think there was a problem with my proxy / reverse-proxy config so I did the following :
So I've tried this :
To remove squid, squidguard, lightsquid, and anything else with 'squid' in its package name:
foreach (array_keys($config['installedpackages']) as $sec) { if (strpos($sec, "squid") !== false) unset($config['installedpackages'][$sec]); } write_config("Removed all squid-related settings");And it cleared everything.
I started to configure everything from scratch.
Right now the proxy is in HTTP transparent mode, without SSL filtering.
Hi,
I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.
Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:
- Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
- Configure both peers with HTTPS (I presume you did)
- Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
- Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
- Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
- Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
- Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
- Same for erp.domain.com
- Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
- Same for the other(s)
Test and report.
So :
-
For the reverse proxy interfaces, I just selected EVERYTHING (WAN, LAN and loopback)
-
I enabled HTTP reverse mode on 8080, and HTTPS reverse mode on 8443
-
My NAT forwarder rules are still there, unchanged and they seem good
-
For now I don't have a wildcard certificate, I have a self-signed one which is okay for what I need
-
I'm now testing only one peer in HTTPS. It is configured adequately
-
On my domain name, I added a CNAME for CRM.DOMAIN.COM
-
I added a peer with the internal IP
-
I added a mapping for ^https://crm.domain.com/.*$
-
I added a redirect from crm.domain.com to https://crm.domain.com/ (for HTTP protocol with path regex ^/$ )
-
I don't need application path, https://crm.domain.com/ is perfect
In conclusion :
https://crm.domain.com/ works from EXTERNAL, not from internal -
Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?
–
Andy -
Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?
–
AndyYou mean DNS forwards ?
That's what I was doing but I was instructed to stop doing so (see beginning of thread)
I can do that and exclude the LAN from the reverse proxy interfaces (the interfaces the reverse-proxy server will bind to)
But I still can't make the reverse proxy work from WAN for HTTP server (I have a web server which does not required HTTPs and it just won't work whatever I try).
I'm getting very annoyed at this… I'm almost at the point where I want to run a separate reverse proxy (apache or such) in a VM and forward the HTTP and HTTPS port from pfSense to that...
There's something broken... I've done a "textbook" configuration from scratch and the damn thing will not work...