Reverse Proxy - 403 Denied
-
Hi,
sorry, but I am at the end of my understanding and didn't find anything that resolves my problem. So after freaking out, I hope someone can help.
Interfaces:
192.168.178.254 WAN PFSENSE LAN 10.10.55.254
Real HTTP Server: 10.10.55.10:80
VIP PFSENSE: 192.168.178.253
What pfSense did to my squid.conf:
[code]
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 10.10.55.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
http_port 10.10.66.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
http_port 192.168.178.254:10 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname t0r
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
logfile_rotate 2
debug_options rotate=2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.10.55.0/24 10.10.66.0/24 192.168.178.0/24
forwarded_for on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 10 3129 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
http_port 192.168.178.254:8080 accel defaultsite=blabla.myfritz.net vhost
http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
# cache_peer 10.10.55.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_pi
acl rvm_pi_extern url_regex -i http://blabla.myfritz.net:8080
acl rvm_pi_extern url_regex -i ^http://blabla.myfritz.net/.*$
acl rvm_pi_intern url_regex -i http://192.168.178.253:8080
cache_peer_access rvp_pi allow rvm_pi_extern
cache_peer_access rvp_pi allow rvm_pi_intern
cache_peer_access rvp_pi deny allsrc
cache_peer_access rvp_pi deny allsrc
never_direct allow rvm_pi_extern
never_direct allow rvm_pi_intern
http_access allow rvm_pi_extern
http_access allow rvm_pi_intern
# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0
# Custom options before auth
always_direct allow all
ssl_bump server-first all
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
[/code]
What I get in access.log when trying to access http://192.168.178.253:8080/ internally:
[code]
1477741282.255 1 192.168.178.254 TCP_MISS/403 4361 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
1477741282.256 4 192.168.178.20 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477741282.548 3 192.168.178.20 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
[/code]
I get a pfSense "access denied" response in the browser.
Can someone tell me what I didn't understand?
-
Hm … it's so strange. I tried different ways.
If I access my reverse proxy virtual IP address 192.168.178.253 I get this:
WAN IP to Virtual IP:
[code]
1477940015.140 5 192.168.178.254 TCP_MISS/403 4356 GET http://192.168.178.253:8080/ - HIER_NONE/- text/html
[/code]
Then meanwhile I see something from the pfSense DMZ interface to my real server:
[code]
12:53:04.874615 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [S], seq 3006057150, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 208631927 ecr 0], length 0
12:53:04.875290 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [S.], seq 815078285, ack 3006057151, win 28960, options [mss 1460,sackOK,TS val 51709255 ecr 208631927,nop,wscale 6], length 0
12:53:04.876337 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1, win 517, options [nop,nop,TS val 208631928 ecr 51709255], length 0
12:53:04.876947 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [P.], seq 1:211, ack 1, win 517, options [nop,nop,TS val 208631929 ecr 51709255], length 210: HTTP: GET /squid-internal-dynamic/netdb HTTP/1.1
12:53:04.877620 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 211, win 470, options [nop,nop,TS val 51709255 ecr 208631929], length 0
12:53:04.893512 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1:559, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631929], length 558: HTTP: HTTP/1.1 404 Not Found
12:53:04.894511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 559, win 513, options [nop,nop,TS val 208631947 ecr 51709257], length 0
12:53:04.898668 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 559:990, ack 211, win 470, options [nop,nop,TS val 51709257 ecr 208631947], length 431: HTTP
12:53:04.899609 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 990, win 514, options [nop,nop,TS val 208631952 ecr 51709257], length 0
12:53:04.903232 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 990:1220, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 230: HTTP
12:53:04.904087 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1220, win 515, options [nop,nop,TS val 208631956 ecr 51709258], length 0
12:53:04.904682 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1220:1393, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631952], length 173: HTTP
12:53:04.905511 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1393, win 516, options [nop,nop,TS val 208631958 ecr 51709258], length 0
12:53:04.906187 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [P.], seq 1393:1401, ack 211, win 470, options [nop,nop,TS val 51709258 ecr 208631958], length 8: HTTP
12:53:04.907124 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1401, win 517, options [nop,nop,TS val 208631959 ecr 51709258], length 0
12:53:09.912178 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [F.], seq 1401, ack 211, win 470, options [nop,nop,TS val 51709759 ecr 208631959], length 0
12:53:09.913057 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [.], ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
12:53:09.913718 IP 10.10.55.254.27521 > 10.10.55.10.8080: Flags [F.], seq 211, ack 1402, win 517, options [nop,nop,TS val 208636966 ecr 51709759], length 0
12:53:09.914285 IP 10.10.55.10.8080 > 10.10.55.254.27521: Flags [.], ack 212, win 470, options [nop,nop,TS val 51709759 ecr 208636966], length 0
[/code]
But this only contains an HTTP GET to netdb, which I didn't request:
[code]
GET /squid-internal-dynamic/netdb HTTP/1.1\r\n
Via: 1.1 t0r (squid/3.5.19)\r\n
X-Forwarded-For: ::\r\n
Host: 10.10.55.10:8080\r\n
[/code]
And finally this ends with the CLIENT IP requesting the virtual IP in the log:
[code]
1477940039.298 24173 192.168.178.24 TCP_MISS/403 4443 GET http://192.168.178.253:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477940039.544 7 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
[/code]
which shows me the access denied.
-
https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
-
Both don't change the behavior.
[code]
1477975456.203 5 192.168.178.254 TCP_MISS/403 4403 GET http://blabla.myfritz.net:8080/ - HIER_NONE/- text/html
1477975456.215 22 192.168.178.24 TCP_MISS/403 4485 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477975456.297 6 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
[/code]
I don't understand this part: HIER_DIRECT/192.168.178.253. This should be the real server instead of the accessed virtual IP of the reverse proxy, shouldn't it?
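The hierarchy/peer field is the one that answers that question, and it can be checked mechanically rather than by eye. The following is an added Python example, not code from the thread or from pfSense: it parses Squid's native access.log format and, for requests to the published site, flags entries whose hierarchy/peer is one of the proxy's own addresses, whose client is the proxy itself, or whose 403 was produced without contacting any upstream. The address sets are taken from the interface list in the first post; the first three log lines are the ones posted above, and the final FIRSTUP_PARENT line is a constructed example of what a request that did reach the origin-server peer would look like.

```python
from urllib.parse import urlsplit

# Sample access.log lines: the first three are the ones posted in the thread,
# the fourth is constructed to show a request that reached the configured
# origin server (Squid reports a parent peer as e.g. FIRSTUP_PARENT/<ip>).
SAMPLE_LOG = """\
1477975456.203 5 192.168.178.254 TCP_MISS/403 4403 GET http://blabla.myfritz.net:8080/ - HIER_NONE/- text/html
1477975456.215 22 192.168.178.24 TCP_MISS/403 4485 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
1477975456.297 6 192.168.178.24 TCP_MEM_HIT/200 13046 GET http://t0r:10/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1477975500.001 15 192.168.178.24 TCP_MISS/200 5120 GET http://blabla.myfritz.net:8080/ - FIRSTUP_PARENT/10.10.55.10 text/html
"""

# From the interface list in the first post: addresses of the pfSense/Squid box
# itself (WAN, VIP, DMZ interface), the origin server behind it, and the
# names/addresses the accel ports publish.
PROXY_ADDRESSES = {"192.168.178.254", "192.168.178.253", "10.10.55.254"}
ORIGIN_SERVERS = {"10.10.55.10"}
PUBLISHED_HOSTS = {"blabla.myfritz.net", "192.168.178.253"}


def parse_line(line):
    """Squid native format: time elapsed client code/status bytes method url user hierarchy/peer type."""
    f = line.split()
    if len(f) < 10:
        return None
    code, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hierarchy": hierarchy, "peer": peer}


def findings_for(entry):
    """Problems visible in one entry for the reverse-proxied site."""
    host = urlsplit(entry["url"]).hostname or ""
    if host not in PUBLISHED_HOSTS:
        return []                      # unrelated traffic, e.g. squid-internal icons
    found = []
    if entry["hierarchy"] == "HIER_DIRECT" and entry["peer"] in PROXY_ADDRESSES:
        found.append("forwarded direct to the proxy's own address %s, not the origin" % entry["peer"])
    elif entry["hierarchy"] == "HIER_DIRECT":
        found.append("went direct, bypassing the origin-server cache_peer")
    elif entry["hierarchy"].endswith("_PARENT") and entry["peer"] not in ORIGIN_SERVERS:
        found.append("parent %s is not a configured origin server" % entry["peer"])
    if entry["client"] in PROXY_ADDRESSES:
        found.append("client is the proxy itself: second hop of a self-forward")
    if entry["status"] == 403 and entry["hierarchy"] == "HIER_NONE":
        found.append("403 generated locally, no upstream was contacted")
    return found


def analyze(log_text):
    report = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry:
            for finding in findings_for(entry):
                report.append({"client": entry["client"], "url": entry["url"],
                               "via": entry["hierarchy"] + "/" + entry["peer"],
                               "finding": finding})
    return report


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print("%(client)s -> %(url)s via %(via)s: %(finding)s" % r)
```

In the native log format, `HIER_DIRECT/<address>` records that Squid opened its own connection to that address, a parent code such as `FIRSTUP_PARENT/<address>` records that the request went to the named cache_peer, and `HIER_NONE/-` records that no upstream was contacted at all. Run over the posted lines, the script reports the client request as forwarded direct to the proxy's own VIP and the 192.168.178.254 line as the proxy itself appearing as client with a locally generated 403; the constructed FIRSTUP_PARENT line produces no finding, which is what a request that reached 10.10.55.10 through the peer would look like.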
-
So the reverse proxy is working for all of you? Layer 8 problem? :-[
-
I've updated the packages to the latest version, reconfigured everything and, jeeeh, now I get another error which I am also not able to fix:
[code]
1482081072.306 1 192.168.178.254 TAG_NONE/400 3795 NONE error:request-too-large - HIER_NONE/- text/html
1482081072.322 28 192.168.178.254 TCP_MISS/400 3858 GET http://blabla.myfritz.net:8080/ - HIER_DIRECT/192.168.178.253 text/html
[/code]
In the browser I get the Squid error page:
[code]
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: error:request-too-large
The request or reply is too large.
...
[/code]
Config:
[code]
http_port 192.168.178.253:8080 accel defaultsite=blabla.myfritz.net vhost
cache_peer 10.10.55.10 parent 8080 0 proxy-only no-query no-digest originserver login=PASS name=rvp_pi_peer
acl rvm_pi_uri url_regex -i ^http://blabla.myfritz.net:8080/.*
cache_peer_access rvp_pi_peer allow rvm_pi_uri
cache_peer_access rvp_pi_peer deny allsrc
never_direct allow rvm_pi_uri
http_access allow rvm_pi_uri
[/code]
It's very frustrating :o