Reverse Proxy - 403 Denied

Guest

Hi,

sorry but i am at the end of my understanding and didnt found something which resolves my problem. So after freaking out i hope someone can help.

Interfaces:
  192.168.178.254 WAN PFSENSE LAN 10.10.55.254

Real HTTP Server:
  10.10.55.10:80

VIP PFSENSE:
  192.168.178.253

What pfsense did to my squid.conf:

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 10.10.55.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

http_port 10.10.66.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

http_port 192.168.178.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname t0r
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

logfile_rotate 2
debug_options rotate=2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  10.10.55.0/24 10.10.66.0/24 192.168.178.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB

offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  10 3129 1025-65535
acl sslports port 443 563

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings
http_port 192.168.178.254:8080 accel defaultsite=blabla.myfritz.net vhost
http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
#
cache_peer 10.10.55.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pi

acl rvm_pi_extern url_regex -i http://blabla.myfritz.net:8080
acl rvm_pi_extern url_regex -i ^http://blabla.myfritz.net/.*$
acl rvm_pi_intern url_regex -i http://192.168.178.253:8080
cache_peer_access rvp_pi allow rvm_pi_extern
cache_peer_access rvp_pi allow rvm_pi_intern
cache_peer_access rvp_pi deny allsrc
cache_peer_access rvp_pi deny allsrc
never_direct allow rvm_pi_extern
never_direct allow rvm_pi_intern
http_access allow rvm_pi_extern
http_access allow rvm_pi_intern

# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth

always_direct allow all
ssl_bump server-first all
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

what i get in access.log when trying to access internally http://192.168.178.253:8080/

1477741282.255      1 192.168.178.254 TCP_MISS/403 4361 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
1477741282.256      4 192.168.178.20 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477741282.548      3 192.168.178.20 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

I get a response of pfsense "access denied" in browser.
Can someone tell me what i didnt understood?

Guest

hm … its so strange. tried different ways.

if i access my reverse proxy virtual ip 192.168.178.253 address i got this:

WAN IP to Virtual IP:

1477940015.140      5 192.168.178.254 TCP_MISS/403 4356 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html

then meanwhile i get something from pfsense DMZ interface to my real server:

12:53:04.874615 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [s], seq 3006057150, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 208631927 ecr 0], length 0
12:53:04.875290 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [S.], seq 815078285, ack 3006057151, win 28960, options [mss 1460,sackOK,TS val 51709255 ecr 208631927,nop,wscale 6], length 0
12:53:04.876337 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1, win 517, options [nop,nop,TS val 208631928 ecr 51709255], length 0
12:53:04.876947 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [P.], seq 1:211, ack 1, win 517, options [nop,nop,TS val 208631929 ecr 51709255], length 210: HTTP: GET /squid-internal-dynamic/netdb HTTP/1.1
12:53:04.877620 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 211, win 470, options [nop,nop,TS val 51709255 ecr 208631929], length 0
12:53:04.893512 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1:559, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631929], length 558: HTTP: HTTP/1.1 404 Not Found
12:53:04.894511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 559, win 513, options [nop,nop,TS val 208631947 ecr 51709257], length 0
12:53:04.898668 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 559:990, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631947], length 431: HTTP
12:53:04.899609 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 990, win 514, options [nop,nop,TS val 208631952 ecr 51709257], length 0
12:53:04.903232 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 990:1220, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 230: HTTP
12:53:04.904087 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1220, win 515, options [nop,nop,TS val 208631956 ecr 51709258], length 0
12:53:04.904682 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1220:1393, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 173: HTTP
12:53:04.905511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1393, win 516, options [nop,nop,TS val 208631958 ecr 51709258], length 0
12:53:04.906187 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1393:1401, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631958], length 8: HTTP
12:53:04.907124 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1401, win 517, options [nop,nop,TS val 208631959 ecr 51709258], length 0
12:53:09.912178 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [F.], seq 1401, ack 211, win 470, options [nop,nop,TS val 51709759 ecr 208631959], length 0
12:53:09.913057 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
12:53:09.913718 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [F.], seq 211, ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
12:53:09.914285 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 212, win 470, options [nop,nop,TS val 51709759 ecr 208636966], length 0

but this only contains a http get to a netdb, which i didnt request:

[code]
    GET /squid-internal-dynamic/netdb HTTP/1.1\r\n
    Via: 1.1 t0r (squid/3.5.19)\r\n
    X-Forwarded-For: ::\r\n
    Host: 10.10.55.10:8080\r\n
[/code]

and finally this ends with the CLIENT IP requesting the Virtual IP in logging
[code]
1477940039.298  24173 192.168.178.24 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477940039.544      7 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
[/code]
which displays me the access denied.[/s]

KOM

https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Guest

both doesnt change behavior

1477975456.203      5 192.168.178.254 TCP_MISS/403 4403 GET http://blabla.myfritz.net:8080/ - HIER_NONE/- text/html
1477975456.215     22 192.168.178.24 TCP_MISS/403 4485 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477975456.297      6 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

i dont understand this part: HIER_DIRECT/192.168.178.253 this should be the realserver instead of the accessed virtualIP of reverse proxy, isnt it?

Guest

so reverse proxy is working for all of you? layer8 problem?  :-[

Guest

ive updated packages to latest, reconfigured everything and jeeeh, now i get another error which i am not able to fix too:

1482081072.306      1 192.168.178.254 TAG_NONE/400 3795 NONE error:request-too-large - HIER_NONE/- text/html
1482081072.322     28 192.168.178.254 TCP_MISS/400 3858 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html

in browser i get squid error page:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: error:request-too-large

The request or reply is too large.
...

config:

http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
cache_peer 10.10.55.10 parent 8080 0 proxy-only no-query no-digest originserver login=PASS name=rvp_pi_peer
acl rvm_pi_uri url_regex -i ^http://blabla.myfritz.net:8080/.*
cache_peer_access rvp_pi_peer allow rvm_pi_uri
cache_peer_access rvp_pi_peer deny allsrc
never_direct allow rvm_pi_uri
http_access allow rvm_pi_uri

its very frustrating  :o