Squid Reverse Proxy without SSL Offloading



  • Hi, first post so I apologize if it's in the wrong spot.  Also new keyboard so sorry for typos.

    I currently have a pfSense firewall setup for a small organization that uses Exchange.  I successfully set up squid reverse proxy for Exchange and their website, but I noticed that if we tell Apache to redirect from http->https it creates a redirect loop.  After much searching I realized that this is due to the SSL termination/offloading/acceleration/any name you want.  Since we are using a wildcard cert and since everything is running on the same domain, how can I go about disabling the SSL offloading so that the web/Exchange server deals with it instead?

    Basically the current way is https->WAN->Squid->HTTP->web/exchange.  How can I configure this to be the following https->WAN->Squid->HTTPS->web/exchange?

    I am not against changing the proxy that I use to get this done (squid3, haproxy, apache, nginx); I just want it done right so that SSL isn't intercepted by the reverse proxy.  I understand that the idea is to offload the SSL so that the CPU isn't hit that hard, but I (and the people who pay me) am OK with having to buy more servers (and more powerful ones if necessary in the future) to make sure this portion works.

    I know from this site: https://blog.cortanadesign.com.au/2014/01/31/outlook-rpchttp-impossible-with-apache-reverse-proxy/ that you can use squid for exchange and something like apache for everything else, but how do I go about doing this in pfSense?  I know that I can set advanced ACL options, but IDK which box to use or if this is even possible with the pfSense package version.

    Thank you in advance for your help,

    Andre

    p.s. any additional information will gladly be given upon request.



  • As a reply to this in case people in the future are looking, I ended up going with HAProxy.  Not only was the setup 10x easier than Squid, but it works with SNI so there's end-to-end encryption.  The ONLY downside is that clients who don't support SNI will need to be dealt with somehow, but I'm not sure what HAProxy does for them.  At some point in the future I will be testing this, so if mods could leave this open for a bit longer I can report that bit of information (or a solution for those users).
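The setup the two posts above arrive at (HTTPS passed through to the web/Exchange server without being terminated on the proxy, routed by SNI) can be expressed as an HAProxy configuration like the one below. This is an added example, not configuration from either post or from the pfSense package; the hostnames, backend addresses and timeouts are assumed. The key points are that the 443 frontend runs in TCP mode and inspects only the TLS ClientHello for the SNI name, the `server` lines carry no `ssl` keyword so the original TLS session reaches the backend intact, and port 80 is answered by the proxy itself with a redirect, which is why the Apache http->https redirect can no longer loop (the backend never sees a plain-HTTP request that came in as HTTPS).

```haproxy
# Added example (not from the original posts): HAProxy TCP-mode SNI passthrough.
# TLS is NOT terminated here; the backend keeps its own wildcard certificate.
# Hostnames and backend addresses are assumed placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Port 80: the proxy answers the redirect itself, so the backend's own
# http->https redirect is never triggered through a terminated connection.
frontend fe_http
    mode http
    option httplog
    bind *:80
    http-request redirect scheme https code 301

# Port 443: wait for the ClientHello, read the SNI name, forward raw TLS bytes.
frontend fe_https
    mode tcp
    option tcplog
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # route on the SNI name in the ClientHello (assumed hostnames)
    use_backend be_exchange if { req.ssl_sni -i mail.example.com }
    use_backend be_exchange if { req.ssl_sni -i autodiscover.example.com }
    use_backend be_web      if { req.ssl_sni -i www.example.com }

    # a client that sends no SNI matches none of the ACLs and lands here,
    # so choose the backend whose certificate such clients should receive
    default_backend be_exchange

backend be_exchange
    mode tcp
    # no "ssl" keyword: the connection is relayed, not re-encrypted by the proxy
    server exchange 192.0.2.10:443 check

backend be_web
    mode tcp
    server web 192.0.2.20:443 check
```

This also answers the open question about clients without SNI: they simply fall to `default_backend`, since `req.ssl_sni` is empty for them and no `use_backend` rule matches. Two consequences of passthrough worth knowing before choosing it: because the proxy never decrypts, it cannot route on the URL path (so per-path tricks like the Squid-for-RPC-over-HTTP split in the linked article are not available at this layer), and the backend logs the proxy's address as the client unless the PROXY protocol (`send-proxy` on the server line, with matching support on the backend) is used.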