Reverse proxy with squid???



  • I'm working on installing pfSense 1.2.2 stable, and in another forum topic they told me that squid might be able to do what I was wanting to do.

    Our network currently consists of the main site and 3 remote sites. The main site is fed by a cable modem with 1 external IP address from Suddenlink Communications.  There are currently 3 Microsoft servers (2 DCs and 1 Exchange server) and our Asterisk/Elastix VoIP PBX server.

    Right now, since I have OWA and RPC over HTTPS turned on, all the web traffic is forced to the Exchange server only, because I currently use a Netgear FVS114 router. What I want to do is still allow outside access to OWA, but also to the voicemail system website and maybe another web server.  Can I set up squid to forward the right request to the right web server?



  • This should be possible with NAT only… you can set up port 80 or 443 to forward to your Exchange server/OWA and then some random port to forward to your VM server.  You'll have to instruct your users to use the new link http://yourvmserver:81 or whatever... hopefully you can just change a link that they click on.



  • I achieve something similar with an Apache front-end and mod_proxy.

    Let's pretend that your least-laden Windows web server is on 192.168.1.3, your Exchange is on 192.168.1.4 and the other web server is on 192.168.1.5

    You can install Apache on the least-laden Windows web server. Make it listen on 192.168.1.3:80 and change IIS to listen to 127.0.0.1:80 ONLY.

    Apache's mod_proxy can then be configured thusly:

    ProxyPass /exchange http://192.168.1.4/exchange
    ProxyPass /something http://192.168.1.5/something
    ProxyPass / http://127.0.0.1/

    You'll need to add the ProxyPassReverse lines in too.

    Forward all incoming HTTP and HTTPS requests to 192.168.1.3 and Apache will cherry-pick the URLs for the specific servers. Anything that doesn't match is passed onto IIS.

    HTH



  • If you have DNS with multiple views configured then this is very easy with squid as a reverse proxy.
    I went down the Apache mod_proxy route and managed to get around 6 of my internal websites externally available, but had two sites in particular with funky usage parsing of the URL which stopped mod_proxy from working for them.
    As I run my own DNS with an "Internal" view, I tried the squid reverse proxy and it's really great; I have not yet had a site that won't work!

    The principle is: on your external domain name, let's say www.domain.com, set your external DNS view to resolve to your public-facing IP address.
    Next, make sure you forward all traffic with destination port 80 to your reverse proxy.
    Now when the reverse proxy receives a packet destined for www.example.com it does a DNS lookup to see how to resolve it; this time it will be a DNS lookup from an internal device and will use your DNS internal view and return an internal IP address (assuming you are using RFC1918 address ranges internally).
    The state is kept and the packet forwarded.

    Make sure to only allow the host names that you wish to service from being accepted on the reverse proxy, otherwise you will find naughty people bounce web traffic off your reverse proxy to make the end destination think your site is originating the traffic.

    Here is a complete example, very simple:

    
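    # Squid 2.x syntax: define the catch-all source ACL
    acl all src 0.0.0.0/0.0.0.0
    # Host names this reverse proxy is allowed to serve
    acl site_main dstdomain example.com www.example.com files.example.com
    acl site_main2 dstdomain example.info www.example.info
    
    http_access allow site_main
    http_access allow site_main2
    # Refuse everything else explicitly so the proxy cannot be used as a relay
    http_access deny all
    
    # Accept intercepted port 80 traffic on 3128 and fetch directly from the origin
    http_port 3128 transparent
    always_direct allow all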
    
    

    Cheers
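
The warning above about restricting accepted host names can be checked mechanically. This is an added example, not part of the original post and not Squid's own code: a small Python model of Squid's first-match `http_access` evaluation for `dstdomain` ACLs, run on the two allow rules from the config above (no trailing deny rule) and on a constructed variant ending in `http_access allow all`. Function names and sample strings are assumptions for illustration; only `dstdomain` and the match-everything `src` ACL are modelled.

```python
# Constructed samples: the allow rules from the post, and a weak variant that
# appends a catch-all allow (the open-relay case the post warns about).
SAMPLE_POSTED = """
acl all src 0.0.0.0/0.0.0.0
acl site_main dstdomain example.com www.example.com files.example.com
acl site_main2 dstdomain example.info www.example.info
http_access allow site_main
http_access allow site_main2
"""
SAMPLE_OPEN = SAMPLE_POSTED + "http_access allow all\n"

def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, host):
    kind, vals = acl
    if kind == "src":  # only the match-everything source is modelled here
        return any(v.startswith("0.0.0.0/") for v in vals)
    if kind != "dstdomain":
        return False
    # "example.com" is an exact match; ".example.com" also covers subdomains
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in (x.lower() for x in vals))

def decide(conf, host_header):
    """Return 'allow' or 'deny' for a request for this host (first match wins)."""
    host = host_header.strip().lower().rsplit(":", 1)[0].rstrip(".")
    acls, rules = parse(conf)
    def hit(n):  # a leading "!" negates the ACL; undefined "all" matches everything
        name = n.lstrip("!")
        matched = acl_matches(acls[name], host) if name in acls else name == "all"
        return matched != n.startswith("!")
    for action, names in rules:
        if all(hit(n) for n in names):
            return action
    # No match: Squid takes the opposite of the last rule; no rules at all means deny.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def open_relay_hosts(conf, probes):
    """Return the probe host names the config would relay; foreign hosts should not appear."""
    return [h for h in probes if decide(conf, h) == "allow"]
```

With the posted rules, foreign host names fall through to the implicit deny; adding a trailing `http_access allow all` makes every probe host relayable.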



  • I installed squid, but how do I manage it from the webGUI? I am running 1.2.3RC1 pfSense right now. It says it's installed but I cannot find it and do not know how to set it up for what I want it to do. I am reading the Wiki for squid but it doesn't really show me how to set it up.

    I have tried to get the Asterisk server to listen to another port but it doesn't work. What happens is when you go to http://asteriskserver-ip-address it forwards that instantly over to https://asteriskserver-ip-address  I cannot get it to function on different ports because it would take too much work to change it, because several services running use 443, such as the flash operator panel and such. When I change the ports the operator panel stops functioning.

    What I am wanting to do is I guess use squid as a reverse proxy.

    Exchange is, let's say, 182.18.25.10 and uses both ports 80 and 443 for OWA and RPC over HTTPS and responds to https://owa.domain.com for external access. Exchange also uses port 8081 for access to users' spam quarantine, which is a separate website on the server.
    Asterisk/VoIP server is, let's say, 182.18.25.15 and uses both ports 80 and 443 as well and responds to http://asterisk.domain.com internally, and I want to give users external access so they can check their voicemail online from outside the network.
    Sharepoint Server is 182.18.25.12 and of course uses 80 and 443 and responds to http://portal.domain.com and https://portal.domain.com internally and outside access is from https://portal.domain.com:22874 but I do not want to use that anymore.



  • Nginx is very good (and very easy to configure) for reverse proxying. There is no package for pfsense, but I think nginx can be installed from ports inside a jail.



  • OK, how do I set up squid to reverse proxy? I have tried to find where I edit or set up information and cannot find it.

    I have to be able to provide everyone with outside access to these servers and internally they respond to what I have below…

    Exchange OWA listens from 10.25.18.14 ports 80, 443 and responds to http://owa.domain.com & https://owa.domain.com
    Sharepoint listens from 10.25.18.16 port 443 and responds to https://portal.domain.com
    Asterisk Voip listens from 10.25.18.18 port 80 and forwards internally to 443 and responds to http://pbx.domain.com and sends to https://pbx.domain.com

    Asterisk runs Apache and I have tried to change ports, but after I do that the web interfaces are no longer accessible. When you go to http://pbx.domain.com it forwards automatically to https://pbx.domain.com.  Changing ports on the Asterisk server would be far too complex because several packages require ports 80 and 443 to function.



  • Does anyone know how to configure squid to work as a reverse proxy?  Everything I have been reading on it has been vague as to how to configure it.



  • Does nobody know how to do this??????? Point me somewhere or something because I am having a hard time finding good instructions on how to do this and it's driving me nuts.



  • You're asking about the configuration of a program that has its own web site, documentation and mailing lists - have you considered looking there?  Heck, even Google finds a number of relevant pages ;)

    Once you know what settings need to be made, you should be able to look at the WebGUI and identify whether or not it's possible to do only via the GUI.

