Netgate Discussion Forum

    Reverse Proxy - 403 Denied

    Cache/Proxy
    6 Posts 2 Posters 4.3k Views
    • Guest

      Hi,

      Sorry, but I am at the end of my understanding and didn't find anything which resolves my problem. So after freaking out I hope someone can help.

      Interfaces:
        192.168.178.254 WAN PFSENSE LAN 10.10.55.254

      Real HTTP Server:
        10.10.55.10:80

      VIP PFSENSE:
        192.168.178.253

      What pfSense did to my squid.conf:

      [code]
      # This file is automatically generated by pfSense
      # Do not edit manually !

      http_port 10.10.55.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

      http_port 10.10.66.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

      http_port 192.168.178.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

      icp_port 0
      dns_v4_first off
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/local/etc/squid/icons
      visible_hostname t0r
      cache_mgr admin@localhost
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger
      sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
      sslcrtd_children 5
      sslproxy_capath /usr/local/share/certs/
      sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
      sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

      logfile_rotate 2
      debug_options rotate=2
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  10.10.55.0/24 10.10.66.0/24 192.168.178.0/24
      forwarded_for on
      uri_whitespace strip

      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic

      cache_mem 64 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB

      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all
      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320

      #Remote proxies

      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      # acl localhost src 127.0.0.1/32
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  10 3129 1025-65535
      acl sslports port 443 563

      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      #acl manager proto cache_object

      acl purge method PURGE
      acl connect method CONNECT

      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      http_access allow manager localhost

      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer.
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      # http_access allow localhost

      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc

      # Reverse Proxy settings
      http_port 192.168.178.254:8080 accel defaultsite=blabla.myfritz.net vhost
      http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
      #
      cache_peer 10.10.55.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pi

      acl rvm_pi_extern url_regex -i http://blabla.myfritz.net:8080
      acl rvm_pi_extern url_regex -i ^http://blabla.myfritz.net/.*$
      acl rvm_pi_intern url_regex -i http://192.168.178.253:8080
      cache_peer_access rvp_pi allow rvm_pi_extern
      cache_peer_access rvp_pi allow rvm_pi_intern
      cache_peer_access rvp_pi deny allsrc
      cache_peer_access rvp_pi deny allsrc
      never_direct allow rvm_pi_extern
      never_direct allow rvm_pi_intern
      http_access allow rvm_pi_extern
      http_access allow rvm_pi_intern

      # Package Integration
      url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
      url_rewrite_bypass off
      url_rewrite_children 16 startup=8 idle=4 concurrency=0

      # Custom options before auth

      always_direct allow all
      ssl_bump server-first all
      # Setup allowed ACLs
      # Allow local network(s) on interface(s)
      http_access allow localnet
      # Default block all to be sure
      http_access deny allsrc
      [/code]


      What I get in access.log when trying to access http://192.168.178.253:8080/ internally:

      [code]
      1477741282.255      1 192.168.178.254 TCP_MISS/403 4361 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
      1477741282.256      4 192.168.178.20 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
      1477741282.548      3 192.168.178.20 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
      [/code]


      I get a pfSense "access denied" response in the browser.
      Can someone tell me what I didn't understand?

      • Guest

        Hm … it's so strange. I tried different ways.

        If I access my reverse proxy virtual IP address 192.168.178.253 I get this:

        WAN IP to Virtual IP:

        [code]
        1477940015.140      5 192.168.178.254 TCP_MISS/403 4356 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
        [/code]


        Then meanwhile I get something from the pfSense DMZ interface to my real server:

        [code]
        12:53:04.874615 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [S], seq 3006057150, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 208631927 ecr 0], length 0
        12:53:04.875290 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [S.], seq 815078285, ack 3006057151, win 28960, options [mss 1460,sackOK,TS val 51709255 ecr 208631927,nop,wscale 6], length 0
        12:53:04.876337 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1, win 517, options [nop,nop,TS val 208631928 ecr 51709255], length 0
        12:53:04.876947 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [P.], seq 1:211, ack 1, win 517, options [nop,nop,TS val 208631929 ecr 51709255], length 210: HTTP: GET /squid-internal-dynamic/netdb HTTP/1.1
        12:53:04.877620 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 211, win 470, options [nop,nop,TS val 51709255 ecr 208631929], length 0
        12:53:04.893512 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1:559, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631929], length 558: HTTP: HTTP/1.1 404 Not Found
        12:53:04.894511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 559, win 513, options [nop,nop,TS val 208631947 ecr 51709257], length 0
        12:53:04.898668 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 559:990, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631947], length 431: HTTP
        12:53:04.899609 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 990, win 514, options [nop,nop,TS val 208631952 ecr 51709257], length 0
        12:53:04.903232 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 990:1220, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 230: HTTP
        12:53:04.904087 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1220, win 515, options [nop,nop,TS val 208631956 ecr 51709258], length 0
        12:53:04.904682 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1220:1393, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 173: HTTP
        12:53:04.905511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1393, win 516, options [nop,nop,TS val 208631958 ecr 51709258], length 0
        12:53:04.906187 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1393:1401, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631958], length 8: HTTP
        12:53:04.907124 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1401, win 517, options [nop,nop,TS val 208631959 ecr 51709258], length 0
        12:53:09.912178 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [F.], seq 1401, ack 211, win 470, options [nop,nop,TS val 51709759 ecr 208631959], length 0
        12:53:09.913057 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
        12:53:09.913718 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [F.], seq 211, ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
        12:53:09.914285 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 212, win 470, options [nop,nop,TS val 51709759 ecr 208636966], length 0
        [/code]

        But this only contains an HTTP GET to netdb, which I didn't request:
        
        [code]
            GET /squid-internal-dynamic/netdb HTTP/1.1\r\n
            Via: 1.1 t0r (squid/3.5.19)\r\n
            X-Forwarded-For: ::\r\n
            Host: 10.10.55.10:8080\r\n
        [/code]
        
        And finally this ends with the client IP requesting the virtual IP in the logging:
        [code]
        1477940039.298  24173 192.168.178.24 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
        1477940039.544      7 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
        [/code]
        which shows me the access denied.
        
        • KOM

          https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          • Guest

            Both don't change the behavior:

            [code]
            1477975456.203      5 192.168.178.254 TCP_MISS/403 4403 GET http://blabla.myfritz.net:8080/ - HIER_NONE/- text/html
            1477975456.215     22 192.168.178.24 TCP_MISS/403 4485 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
            1477975456.297      6 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
            [/code]


            I don't understand this part: HIER_DIRECT/192.168.178.253. This should be the real server instead of the accessed virtual IP of the reverse proxy, shouldn't it?

            • Guest

              So the reverse proxy is working for all of you? Layer 8 problem?  :-[

              • Guest

                I've updated the packages to the latest, reconfigured everything and, jeeeh, now I get another error which I am not able to fix either:

                [code]
                1482081072.306      1 192.168.178.254 TAG_NONE/400 3795 NONE error:request-too-large - HIER_NONE/- text/html
                1482081072.322     28 192.168.178.254 TCP_MISS/400 3858 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
                [/code]


                In the browser I get the squid error page:

                [code]
                ERROR

                The requested URL could not be retrieved

                The following error was encountered while trying to retrieve the URL: error:request-too-large

                The request or reply is too large.
                ...
                [/code]


                Config:

                [code]
                http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
                cache_peer 10.10.55.10 parent 8080 0 proxy-only no-query no-digest originserver login=PASS name=rvp_pi_peer
                acl rvm_pi_uri url_regex -i ^http://blabla.myfritz.net:8080/.*
                cache_peer_access rvp_pi_peer allow rvm_pi_uri
                cache_peer_access rvp_pi_peer deny allsrc
                never_direct allow rvm_pi_uri
                http_access allow rvm_pi_uri
                [/code]


                It's very frustrating  :o

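Editor's note, with an added example that is not part of the thread. Every access.log excerpt in this thread shows the same shape: the client's request is forwarded HIER_DIRECT to 192.168.178.253 (one of the proxy's own accel addresses, not the 10.10.55.10 origin), and a second request whose client is the proxy's own WAN address 192.168.178.254 then fails with HIER_NONE. That is the footprint of a proxy connecting back to itself; Squid notices its own visible_hostname in the Via header of the looped request and refuses it, which is consistent with the 403/HIER_NONE entries. Squid consults always_direct before never_direct, so the `always_direct allow all` placed under "Custom options before auth" in the first squid.conf wins over the `never_direct allow rvm_pi_*` rules and the accel request never reaches the originserver cache_peer. The Python below (written for this page, not pfSense or Squid project code) parses the quoted log lines in Squid's native format, flags both halves of the loop, and checks a squid.conf fragment for that directive ordering. The proxy address set and both sample inputs are constructed from the posts above.

```python
import re
from typing import Dict, List, Optional

# Field layout of Squid's default ("squid" native) access.log format:
#   timestamp elapsed_ms client tag/status bytes method url user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Addresses the proxy in the thread listens on (http_port lines) or sends from (WAN address, VIP).
# Assumed from the posted config; adjust for your own box.
PROXY_ADDRESSES = {"192.168.178.254", "192.168.178.253", "10.10.55.254", "10.10.66.254"}

# Constructed sample input: access.log lines quoted in the thread.
SAMPLE_LOG = """\
1477741282.255      1 192.168.178.254 TCP_MISS/403 4361 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
1477741282.256      4 192.168.178.20 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477741282.548      3 192.168.178.20 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1482081072.306      1 192.168.178.254 TAG_NONE/400 3795 NONE error:request-too-large - HIER_NONE/- text/html
1482081072.322     28 192.168.178.254 TCP_MISS/400 3858 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
"""

# Constructed sample config: the forwarding directives from the first posted squid.conf.
SAMPLE_CONF = """\
cache_peer 10.10.55.10 parent 80 0 proxy-only no-query no-digest originserver name=rvp_pi
never_direct allow rvm_pi_extern
never_direct allow rvm_pi_intern
always_direct allow all
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format access.log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(log_text: str, proxy_addresses=PROXY_ADDRESSES) -> Dict[str, List[Dict[str, str]]]:
    """Bucket entries: 'looped' = forwarded HIER_DIRECT to one of the proxy's own addresses,
    'self_client' = the proxy itself is the client (the other half of the same loop),
    'other' = everything else."""
    buckets: Dict[str, List[Dict[str, str]]] = {"looped": [], "self_client": [], "other": []}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # blank line or a line in a different logformat
        if entry["hier"] == "HIER_DIRECT" and entry["peer"] in proxy_addresses:
            buckets["looped"].append(entry)
        elif entry["client"] in proxy_addresses:
            buckets["self_client"].append(entry)
        else:
            buckets["other"].append(entry)
    return buckets


def check_direct_rules(conf_text: str) -> List[str]:
    """Flag a catch-all always_direct beside never_direct rules or an originserver peer.
    Squid evaluates always_direct first; a match there sends the request DIRECT to the
    URL's host, so the never_direct rules and the cache_peer are never reached."""
    lines = conf_text.splitlines()
    has_origin_peer = any(re.match(r"\s*cache_peer\s.*\boriginserver\b", l) for l in lines)
    never_direct_allows = [l for l in lines if re.match(r"\s*never_direct\s+allow\b", l)]
    warnings: List[str] = []
    for l in lines:
        if re.match(r"\s*always_direct\s+allow\s+all\s*$", l) and (has_origin_peer or never_direct_allows):
            warnings.append(f"'{l.strip()}' overrides {len(never_direct_allows)} never_direct allow rule(s); "
                            "accel requests will bypass the originserver cache_peer")
    return warnings


def report(log_text: str, conf_text: str) -> List[str]:
    """Human-readable findings for a log excerpt and a config fragment."""
    findings: List[str] = []
    b = classify(log_text)
    for e in b["looped"]:
        findings.append(f"{e['ts']} {e['client']} -> {e['url']}: sent HIER_DIRECT to the proxy's own address "
                        f"{e['peer']} (status {e['status']}); an accel request should show a parent code "
                        "such as FIRSTUP_PARENT/<origin> instead")
    for e in b["self_client"]:
        findings.append(f"{e['ts']} client {e['client']} is the proxy itself (status {e['status']}): "
                        "the looped-back request")
    findings.extend(check_direct_rules(conf_text))
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_CONF):
        print(line)
```

Run against the thread's own lines it lists two looped requests (the 403 and the later 400), the two entries where 192.168.178.254 is the client, and the always_direct warning. On a live box, feed it `tail -n 200 /var/squid/logs/access.log` and the active squid.conf; a healthy accel request to the peer logs a parent hierarchy code with the origin's address, never HIER_DIRECT to the proxy itself.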
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.