PFSense reverse proxy to https site does not work
  • Hi

    I am trying to set up the Squid reverse proxy to an HTTPS website, but get timeout errors:

    • Public DNS has a record for the site hostname pointing to a public IP of the firewall (another NIC added, dedicated to Squid Reverse Proxy)
    • I have created a NAT Port forwarding rule, defined as:

    INTERFACE Protocol Source Address Source Ports Dest. Address NAT IP NAT Ports
    OPT1 TCP * * 443 [IP of web server] 443

    The expectation is it can forward all traffic from outside the firewall directly to the web server itself, where IIS is listening.

    • I have a firewall rule on the interface used by Squid reverse proxy to allow any traffic from anywhere to the web server IP on port 443

    I used this link below to setup the certs:
    http://exxczyk.blogspot.co.uk/2015/01/my-lync-2013-lab.html

    But copied everything between private key and certificate, respectively.

    The web server is not load balanced.

    • The actual web server has the same certificate in its certificate store and IIS bindings, as uploaded to PFSense.

    Any advice would be appreciated!

  • Ok, I'm new but I'll do my best.

    Your first issue is that you're trying to do two separate things.  You can just forward all web traffic from 443 that goes to the second NIC to that internal IP.  That works just fine, no Squid is even needed.  In fact, if you've dedicated an entire NIC for the Lync then you shouldn't even need Squid.  Just make sure you're setting the right NIC on the firewall, the right server IP, and disable Squid, then see if it works.

    However, if you want to use squid you should send the incoming NAT rule to 127.0.0.1 and set squid to use the loopback (Services->Squid Reverse Proxy->General) and instead of port 443 internally use something like 8443.

    Remember that pfSense, as of 2.0 IIRC, doesn't like things coming through on 443 locally.  Also check the interface that you're using, as I see that it's OPT1.  On my server hn0 is WAN, hn1 is local, so the next one added (assuming I don't swap the local and the second WAN) would be hn2.  So for you OPT0 is probably your WAN1, OPT1 might be your internal network, and OPT2 might be your WAN2.

    Let me know if this helps.  Pics below of my NAT rules:
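The following is an added illustration of the Squid layout the reply above recommends (public 443 NAT'd to 127.0.0.1:8443, Squid listening only on loopback and re-encrypting to the IIS server on 443). It is not the pfSense package's generated configuration nor either poster's setup; the hostname lync.example.com, the origin IP 192.168.1.10, the certificate paths and the peer name are assumed placeholders, written in Squid 3.x syntax as shipped with pfSense 2.x at the time.

```conf
# Squid 3.x reverse-proxy (accelerator) fragment, added as an example.
# lync.example.com, 192.168.1.10 and the cert/key paths are assumed placeholders.

# Listen only on loopback; the NAT rule on the dedicated NIC sends
# public TCP/443 to 127.0.0.1:8443, so nothing on the firewall binds 443 itself.
https_port 127.0.0.1:8443 accel defaultsite=lync.example.com vhost \
    cert=/usr/local/etc/squid/serverCert.pem \
    key=/usr/local/etc/squid/serverKey.pem

# The origin IIS server. Squid terminates the client TLS session above and
# opens a new TLS session toward the web server on 443 (the same cert is
# installed there, per the original post).
# DONT_VERIFY_PEER is acceptable only for a lab; in production replace it with
# sslcafile=/path/to/issuing-ca.pem so Squid verifies the origin certificate.
cache_peer 192.168.1.10 parent 443 0 no-query originserver ssl \
    sslflags=DONT_VERIFY_PEER name=iis_lync

# Accept only requests for the published hostname and send them only to that
# peer; everything else is refused so the proxy cannot be used as an open relay.
acl lync_site dstdomain lync.example.com
http_access allow lync_site
cache_peer_access iis_lync allow lync_site
cache_peer_access iis_lync deny all
http_access deny all
```

The two deny lines matter as much as the allow lines: an accelerator that answers for any Host header and forwards to any peer is an open proxy on a public IP. On Squid 4 and later the peer options are spelled `tls` and `tls-flags=` instead of `ssl` and `sslflags=`, but the structure is otherwise the same. If the timeouts persist with this layout, confirm in order that the NAT rule on the dedicated interface actually targets 127.0.0.1:8443, that Squid is bound there (pfSense's Diagnostics > Sockets page shows listening sockets), and that the firewall can reach the IIS server on 443 from the loopback-sourced connection.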