Squid reverse proxy : access through http instead of https
-
Hello,
I just made a fresh install due to some strange behaviors of my pfsense (see https://forum.pfsense.org/index.php?topic=115957.msg643427#msg643427 for instance).
My new install is with pfsense 2.3.2 and Squid3.
I probably missed something during the configuration but the web sites that should be accessible only through HTTPS are instead accessible through HTTP…
I installed my Certum certificate (looks ok), configured squid reverse proxy (both HTTP and HTTPS because I need both), added servers (some on port 80, others on port 443) and mappings, allowed routing (on all ports)...
HTTP sites are running well (through HTTP).
HTTPS sites do not work on HTTPS (secure connection can't be established), but are accessible through HTTP (with strange behavior, of course).
Any idea?
-
I have to admit that I don't even understand your configuration, nor what you intend to achieve :(
Is it a typo or do you intend to run Squid as reverse proxy?
Of course "http accelerator" works but true reverse proxy offers much more features than this.
What I mean to say is that Squid, at least to me, is very far from being the best choice in terms of reverse proxy.
As far as I understand, aside from the "cache" aspect, implementing URL rewriting and similar stuff (like URL sanitisation) is not where Squid shines.
You will get better results and much more flexibility with Apache or Nginx.
-
Thanks for your reply.
Squid3 pfsense plugin offers reverse proxy features.
In my case, I rent a dedicated server (OVH) with VMWare ESXi and many VMs inside with various tools/websites.
I access these tools with various sub-domains, but I have only two IPs (one for VMWare administration, one to access the VMs).
Squid reverse proxy allows me to access each VM (many LAN IPs) with one WAN IP and several sub-domains.
sub1.domain.com --> Server 1 for sub1.domain.com (LAN IP 1)
sub2.domain.com --> WAN IP --> Squid reverse proxy --> Server 2 for sub2.domain.com (LAN IP 2)
sub3.domain.com --> Server 3 for sub3.domain.com (LAN IP 3)
Some sub-domains should be HTTP only, some should be HTTPS only.
It worked very well for almost one year.
I'm not sure you can do this only with apache or nginx (but I'm not an expert...).
I hope it is clearer. Sorry, my English is not very good...
-
Don't worry, your English is good enough, at least I understand what you mean (perhaps because I'm French too :P)
For sure both Apache and Nginx can achieve this, like any other reverse proxy.
My understanding, but I might be wrong, is that Squid reverse proxy features are very basic but if it fits your needs, I'm not pushing you to change for another solution.
One important aspect you should keep in mind is that Squid package being… a package, there is no guarantee that it works smoothly with all pfSense releases.
It looks like the number of posts about Squid issues with pfSense 2.3.x increased significantly.
If I had to achieve what you are looking for, I would rather rely on an external dedicated reverse proxy (could be another VM) on which you can configure whatever you want but at least this will not be linked with pfSense releases and version ;)
1 - did you try with another pfSense version?
2 - you wrote "it worked very well..." do you mean it was working fine but you changed something? I'm a bit lost here? (except if change refers to pfSense upgrade, which would confirm what I wrote above)
-
You're totally right, I upgraded pfsense (2.2.5 -> 2.3.2).
Didn't think it was bad! ;)
Still not sure if it is the root cause. I could have missed a little detail somewhere in the configuration… or maybe a new option somewhere with bad default value (just like during previous upgrade).
I think I tried to do it (reverse proxy) with apache on a dedicated VM at the very beginning, but I had issues managing several sub-domains on several servers with same IP and same port. Then I found some tutorials with pfsense...
If you can link me to a tutorial with apache, I would be pleased to give it a try!
-
From my point of view, Nginx is a better choice mainly because it is both faster and lighter than Apache.
You will easily find plenty of HowTo e.g. this one.
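
Added example, not part of the thread and not written by any of the posters: the sub-domain mapping described above expressed as name-based virtual hosts in nginx, with one HTTP-only site and one HTTPS-only site whose port 80 listener only redirects and never proxies. The LAN addresses, certificate paths and the choice of which sub-domain uses which scheme are assumptions.

```nginx
# Added example; belongs inside the http {} block of nginx.conf.
# 192.168.1.x addresses and /etc/nginx/tls/* paths are placeholders.

# Requests on port 80 whose Host header matches no site below are dropped,
# so an unmapped or HTTPS-only name is never served in clear text by accident.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection without a response
}

# sub1.domain.com: HTTP-only site (assumed), proxied to its own backend.
server {
    listen 80;
    server_name sub1.domain.com;
    location / {
        proxy_pass http://192.168.1.11:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# sub2.domain.com: HTTPS-only site (assumed). Port 80 redirects only;
# there is no proxy_pass here, so the backend is unreachable over HTTP.
server {
    listen 80;
    server_name sub2.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sub2.domain.com;
    ssl_certificate     /etc/nginx/tls/sub2.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sub2.key;             # placeholder path
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        # Backend certificate is not verified unless proxy_ssl_verify is enabled.
        proxy_pass https://192.168.1.12:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After loading it, `nginx -t` checks the syntax, and a plain-HTTP request for the HTTPS-only name should return a 301 rather than page content.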