Reverse Proxy - 403 Denied



  • Hi,

    sorry, but I am at the end of my understanding and didn't find anything that resolves my problem. So after freaking out I hope someone can help.

    Interfaces:
      192.168.178.254 WAN PFSENSE LAN 10.10.55.254

    Real HTTP Server:
      10.10.55.10:80

    VIP PFSENSE:
      192.168.178.253

    What pfsense did to my squid.conf:

    
    # This file is automatically generated by pfSense
    # Do not edit manually !
    
    # Three intercept (ssl-bump) listeners, one per interface address, all on port 10.
    # options= only disables SSLv2/SSLv3; TLS 1.0/1.1 stay negotiable with this list.
    # The cipher string lists EECDH+aRSA+RC4 but the later !RC4 removes it again
    # (OpenSSL "!" entries are permanent), so no RC4 suite is actually offered.
    http_port 10.10.55.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    
    http_port 10.10.66.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    
    # Same listener on the WAN address (192.168.178.254): the proxy's bump port is
    # reachable from the WAN side as well, not only from the LAN/DMZ interfaces.
    http_port 192.168.178.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    
    icp_port 0
    dns_v4_first off
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    # "t0r" is the name that ends up in the Via: header of every forwarded request
    # (see the captured request below) and in the squid-internal-static URLs in access.log.
    visible_hostname t0r
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    sslcrtd_children 5
    sslproxy_capath /usr/local/share/certs/
    # Server-side TLS: again only SSLv2/3 disabled, same cipher list as the listeners.
    sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    
    logfile_rotate 2
    debug_options rotate=2
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    # Note: 192.168.178.0/24 is the WAN-side network, so Squid's own outbound
    # address 192.168.178.254 also matches localnet (relevant for the looped
    # requests logged below).
    acl localnet src  10.10.55.0/24 10.10.66.0/24 192.168.178.0/24
    # Adds X-Forwarded-For with the client address to forwarded requests
    # (the capture below shows "X-Forwarded-For: ::" on the second hop).
    forwarded_for on
    uri_whitespace strip
    
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    
    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    
    #Remote proxies
    
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src 127.0.0.1/32
    acl allsrc src all
    # Destination ports clients may request; includes the bump port 10, 3129 and
    # every unprivileged port 1025-65535. Port 8080 is covered by that last range.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  10 3129 1025-65535
    acl sslports port 443 563
    
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer.
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    
    # 0 KB = no limit on request bodies.
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    # Accelerator listeners on the WAN address and on the VIP. Any request that
    # Squid itself forwards DIRECT to http://192.168.178.253:8080/ lands back on
    # the second listener, i.e. on this same proxy (forwarding loop) — see the
    # note at always_direct below.
    http_port 192.168.178.254:8080 accel defaultsite=blabla.myfritz.net vhost
    http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
    #
    # Origin server on the DMZ. login=PASSTHRU hands the client's authentication
    # headers to the origin unchanged. There is no no-netdb-exchange here, so the
    # GET /squid-internal-dynamic/netdb seen in the tcpdump below is presumably
    # Squid's own NetDB fetch from this peer (answered 404 by the origin) —
    # adding no-netdb-exchange to this line should stop it; confirm.
    cache_peer 10.10.55.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pi
    
    # The first and third regex are unanchored and the dots are unescaped, so they
    # match any URL that merely contains this text, not just the origin's URLs;
    # anchoring them (^http://blabla\.myfritz\.net:8080/) keeps the source-independent
    # http_access allow lines below from matching more than intended.
    acl rvm_pi_extern url_regex -i http://blabla.myfritz.net:8080
    acl rvm_pi_extern url_regex -i ^http://blabla.myfritz.net/.*$
    acl rvm_pi_intern url_regex -i http://192.168.178.253:8080
    cache_peer_access rvp_pi allow rvm_pi_extern
    cache_peer_access rvp_pi allow rvm_pi_intern
    cache_peer_access rvp_pi deny allsrc
    # Duplicate of the line above; harmless.
    cache_peer_access rvp_pi deny allsrc
    # never_direct is only reached when always_direct has not already allowed
    # the request — see `always_direct allow all` further down.
    never_direct allow rvm_pi_extern
    never_direct allow rvm_pi_intern
    # Allowed for any source address (the check is by URL only), so the reverse
    # proxy is reachable from the WAN side by design; these lines are evaluated
    # before the localnet/deny-all rules at the end.
    http_access allow rvm_pi_extern
    http_access allow rvm_pi_intern
    
    # Package Integration
    url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    url_rewrite_bypass off
    url_rewrite_children 16 startup=8 idle=4 concurrency=0
    
    # Custom options before auth
    
    # NOTE(review): Squid consults always_direct before never_direct, and an
    # always_direct match wins. With `allow all` here the reverse-proxy requests
    # are never sent to cache_peer rvp_pi; they go DIRECT to the host in the URL,
    # which for http://192.168.178.253:8080/ is this proxy's own VIP listener —
    # exactly the HIER_DIRECT/192.168.178.253 entries in the access.log below.
    # The second-hop request then arrives from 192.168.178.254 carrying Squid's
    # own "Via: 1.1 t0r" header, and the forwarding-loop check is presumably what
    # yields the 403 with HIER_NONE (cache.log should show a "Forwarding loop
    # detected" warning — confirm). Fix: exclude the reverse-proxy ACLs first,
    # e.g. `always_direct deny rvm_pi_extern` and `always_direct deny rvm_pi_intern`
    # ahead of this line; this line appears to come from the SSL-bump/interception
    # setting in pfSense, so apply it via the package's custom-options field.
    always_direct allow all
    # Bumps (intercepts) every TLS connection accepted on the ssl-bump listeners above.
    ssl_bump server-first all
    # Setup allowed ACLs
    # Allow local network(s) on interface(s)
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc
    
    

    This is what I get in access.log when trying to access http://192.168.178.253:8080/ internally:

    
    1477741282.255      1 192.168.178.254 TCP_MISS/403 4361 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
    1477741282.256      4 192.168.178.20 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
    1477741282.548      3 192.168.178.20 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
    
    

    I get a pfSense "access denied" response in the browser.
    Can someone tell me what I haven't understood?



  • Hm … it's so strange. I tried different ways.

    If I access the virtual IP address of my reverse proxy, 192.168.178.253, I get this:

    WAN IP to Virtual IP:

    
    1477940015.140      5 192.168.178.254 TCP_MISS/403 4356 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
    
    

    Meanwhile I see the following from the pfSense DMZ interface to my real server:

    
    12:53:04.874615 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [s], seq 3006057150, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 208631927 ecr 0], length 0
    12:53:04.875290 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [S.], seq 815078285, ack 3006057151, win 28960, options [mss 1460,sackOK,TS val 51709255 ecr 208631927,nop,wscale 6], length 0
    12:53:04.876337 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1, win 517, options [nop,nop,TS val 208631928 ecr 51709255], length 0
    12:53:04.876947 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [P.], seq 1:211, ack 1, win 517, options [nop,nop,TS val 208631929 ecr 51709255], length 210: HTTP: GET /squid-internal-dynamic/netdb HTTP/1.1
    12:53:04.877620 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 211, win 470, options [nop,nop,TS val 51709255 ecr 208631929], length 0
    12:53:04.893512 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1:559, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631929], length 558: HTTP: HTTP/1.1 404 Not Found
    12:53:04.894511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 559, win 513, options [nop,nop,TS val 208631947 ecr 51709257], length 0
    12:53:04.898668 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 559:990, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631947], length 431: HTTP
    12:53:04.899609 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 990, win 514, options [nop,nop,TS val 208631952 ecr 51709257], length 0
    12:53:04.903232 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 990:1220, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 230: HTTP
    12:53:04.904087 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1220, win 515, options [nop,nop,TS val 208631956 ecr 51709258], length 0
    12:53:04.904682 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1220:1393, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 173: HTTP
    12:53:04.905511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1393, win 516, options [nop,nop,TS val 208631958 ecr 51709258], length 0
    12:53:04.906187 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1393:1401, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631958], length 8: HTTP
    12:53:04.907124 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1401, win 517, options [nop,nop,TS val 208631959 ecr 51709258], length 0
    12:53:09.912178 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [F.], seq 1401, ack 211, win 470, options [nop,nop,TS val 51709759 ecr 208631959], length 0
    12:53:09.913057 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
    12:53:09.913718 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [F.], seq 211, ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
    12:53:09.914285 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 212, win 470, options [nop,nop,TS val 51709759 ecr 208636966], length 0
    
    but this only contains an HTTP GET for netdb, which I didn't request:
    
    [code]
        GET /squid-internal-dynamic/netdb HTTP/1.1\r\n
        Via: 1.1 t0r (squid/3.5.19)\r\n
        X-Forwarded-For: ::\r\n
        Host: 10.10.55.10:8080\r\n
    [/code]
    
    and finally this ends with the client IP requesting the virtual IP in the log
    [code]
    1477940039.298  24173 192.168.178.24 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
    1477940039.544      7 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
    [/code]
    which shows me the access denied page.
    




  • Neither changes the behavior:

    1477975456.203      5 192.168.178.254 TCP_MISS/403 4403 GET http://blabla.myfritz.net:8080/ - HIER_NONE/- text/html
    1477975456.215     22 192.168.178.24 TCP_MISS/403 4485 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
    1477975456.297      6 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
    
    

    I don't understand this part: HIER_DIRECT/192.168.178.253 — this should be the real server instead of the accessed virtual IP of the reverse proxy, shouldn't it?



  • So the reverse proxy is working for all of you? Layer 8 problem?  :-[



  • I've updated the packages to the latest version, reconfigured everything and, yay, now I get another error which I am also not able to fix:

    1482081072.306      1 192.168.178.254 TAG_NONE/400 3795 NONE error:request-too-large - HIER_NONE/- text/html
    1482081072.322     28 192.168.178.254 TCP_MISS/400 3858 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
    

    In the browser I get a Squid error page:

    ERROR
    
    The requested URL could not be retrieved
    
    The following error was encountered while trying to retrieve the URL: error:request-too-large
    
    The request or reply is too large.
    ...
    

    config:

    # Reverse-proxy section only; the rest of the generated squid.conf is not shown here.
    http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
    # Origin port is now 8080 (it was 80 in the first post's config).
    cache_peer 10.10.55.10 parent 8080 0 proxy-only no-query no-digest originserver login=PASS name=rvp_pi_peer
    # Anchored now; the dots are still unescaped regex metacharacters (\.).
    acl rvm_pi_uri url_regex -i ^http://blabla.myfritz.net:8080/.*
    cache_peer_access rvp_pi_peer allow rvm_pi_uri
    cache_peer_access rvp_pi_peer deny allsrc
    # NOTE(review): the access.log above still shows HIER_DIRECT/192.168.178.253,
    # i.e. the request was sent direct to the VIP (this proxy's own accel listener)
    # and not to rvp_pi_peer, so the loop is still there — the 400 on the first
    # line is the looped second hop. If the full generated config still contains
    # `always_direct allow all` (the SSL-bump setting from the first post), it
    # takes precedence over this never_direct line; `always_direct deny rvm_pi_uri`
    # placed ahead of it is needed — confirm in the full file.
    never_direct allow rvm_pi_uri
    http_access allow rvm_pi_uri
    

    It's very frustrating  :o