Squid reverse proxy errors
-
Using PFsense 2.2.6 (AMD64)
Squid 3 0.4.7
snort 3.2.9.1
pfblockerng 2.0.5
ntopng 0.8.2
Trying to use and activate the Squid 3 reverse proxy and getting errors when activating. I followed the various tutorials on how to configure it, but they all seem to be out of date. Here is what I created and the errors I'm receiving.
Followed the tutorial most often referred to: http://sdrv.ms/V8qLfK
Created my WEB servers and Mapping for HTTP and HTTPS.
Tried to activate the HTTP first as a starting point and I get the error:
'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value(1023).
To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.
Went to the pfSense Advanced / Tunables settings and created a new value for "portrange.reservedhigh" with a value of 0.
Tried starting Reverse Squid and now I receive the error:
[ Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General.]
I do not want to use Squid, just the reverse proxy part. The tutorials do not say we need to start this service.
Next, I tried starting the Squid 3 service, and now I'm getting the following error:
php-fpm[6517]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2016/04/01 10:11:44| FATAL: Invalid ACL type 'Help' FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 97: acl rvm_Remote Help url_regex -i remotehelp.accra.ca Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.011 seconds = 0.011 user + 0.000 sys Maximum Resident Size: 38032 KB Page faults with physical i/o: 0'
Is there an up-to-date tutorial on how to make the reverse proxy work? Or can somebody help with some explanation, or is there a better reverse proxy option available?
Thanks
cjb
-
I'm just a beginner myself, but:
First step was to create a virtual IP (10.0.0.1) on my WAN interface.
Second step was to create a 1:1 NAT from ports 80 and 443 on the external address to ports 5080 and 5443 on 10.0.0.1 (that gets around the problem of using ports below 1024).
Third step was to enable the proxy (I think you have to do that, since the reverse proxy is part of the proxy package).
Fourth step is to create the reverse proxy IP to 10.0.0.1. I also selected Ignore Internal Certificate Validation.
-
> php-fpm[6517]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2016/04/01 10:11:44| FATAL: Invalid ACL type 'Help' FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 97: acl rvm_Remote Help url_regex -i remotehelp.accra.ca Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.011 seconds = 0.011 user + 0.000 sys Maximum Resident Size: 38032 KB Page faults with physical i/o: 0'
To correct the fatal error remove the spaces in your 'Group Name' under 'Mappings'.
-
Recently I've been trying pfSense for publishing and caching web servers; I was doing well with Varnish.
Unfortunately, with the recent 2.3 upgrade this package is no longer available. So I tried Squid.
> Went to the pfSense Advanced / Tunables settings and created a new value for "portrange.reservedhigh" with a value of 0.
> Tried starting Reverse Squid and now I receive the error:
> [ Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General.]
> I do not want to use Squid, just the reverse proxy part. The tutorials do not say we need to start this service.
> Next, I tried starting the Squid 3 service, and now I'm getting the following error:
> php-fpm[6517]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2016/04/01 10:11:44| FATAL: Invalid ACL type 'Help' FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 97: acl rvm_Remote Help url_regex -i remotehelp.accra.ca Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.011 seconds = 0.011 user + 0.000 sys Maximum Resident Size: 38032 KB Page faults with physical i/o: 0'
Instead of "portrange.reservedhigh", you have to set "net.inet.ip.portrange.reservedhigh" to the same value, "0".
After that you'll be able to configure "Reverse HTTP Port" (under "Squid Reverse HTTP Settings") to listen on port 80.
Then, you must enable Squid proxy under Services -> Squid Proxy Server -> General. Obviously you don't want to enable it as a proxy server but as a reverse proxy server; apparently both use the same process, so you have to.
When you try to do this, it'll ask you to configure the "Local Cache"; go to that tab, set your options, save the changes, and then try to "Enable Squid proxy" and save the changes.
You can verify whether the "Squid" process is running under Status -> Services, and run "nmap -v -p 80 10.0.0.1" (<- your public IP or DNS here!) to check that your pfSense firewall is listening on port 80.
A firewall rule has to allow traffic on port 80 to your public IP/virtual IP/CARP address; it's not necessary to set a NAT rule on your firewall (as far as I know), so if the Squid service is running there shouldn't be a problem listening on port 80.
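As an added example (not code from this thread, from pfSense or from Squid), the two checks the replies describe, written out in Python so they can be run against a generated squid.conf before restarting the daemon: Squid splits an acl line on whitespace, so a Group Name with a space ("rvm_Remote Help") pushes the word "Help" into the ACL-type slot and produces the FATAL "Invalid ACL type" above, and pfSense refuses a "Reverse HTTP port" at or below net.inet.ip.portrange.reservedhigh unless that sysctl is 0. KNOWN_ACL_TYPES is a partial list assumed for the example, and sanitize_group_name, lint_acl_line and reverse_port_allowed are hypothetical helper names.

```python
import re

# Partial list of Squid 3.x ACL types, assumed for this example (the pfSense
# reverse-proxy "Mappings" page emits url_regex lines like the one in the thread).
KNOWN_ACL_TYPES = {
    "src", "dst", "dstdomain", "srcdomain", "url_regex",
    "urlpath_regex", "dstdom_regex", "port", "myportname", "proto", "method",
}

# Sample input: the squid.conf line 97 quoted in the thread's FATAL error.
SAMPLE_LINE = "acl rvm_Remote Help url_regex -i remotehelp.accra.ca"


def sanitize_group_name(name: str) -> str:
    """Collapse anything that would split the ACL-name token (spaces above all)
    to an underscore, i.e. the 'remove the spaces in your Group Name' fix."""
    return re.sub(r"[^A-Za-z0-9_.-]+", "_", name.strip())


def lint_acl_line(line: str):
    """Return None when an 'acl <name> <type> <args...>' line parses, else a
    message. Squid tokenises on whitespace, so a name containing a space
    shifts the next word into the type slot ('Invalid ACL type')."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "acl":
        return "not an acl line or too few fields"
    acl_type = tokens[2]
    if acl_type in KNOWN_ACL_TYPES:
        return None
    # Locate the real type; every token before it was meant to be the name.
    for i, tok in enumerate(tokens[1:], start=1):
        if tok in KNOWN_ACL_TYPES:
            if i == 1:
                return "missing ACL name"
            bad_name = " ".join(tokens[1:i])
            fixed = sanitize_group_name(bad_name)
            return f"ACL name {bad_name!r} contains whitespace; use {fixed!r}"
    return f"unknown ACL type {acl_type!r}"


def reverse_port_allowed(port: int, reservedhigh: int = 1023) -> bool:
    """Mirror pfSense's rule for 'Reverse HTTP port': the port must be above
    net.inet.ip.portrange.reservedhigh unless that sysctl has been set to 0."""
    return 1 <= port <= 65535 and (reservedhigh == 0 or port > reservedhigh)


if __name__ == "__main__":
    print(lint_acl_line(SAMPLE_LINE))
    print(reverse_port_allowed(80), reverse_port_allowed(80, reservedhigh=0))
```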