Can I configure pfSense to act as a proxy server?
-
@johnpoz thank you for your reply.
I think I'm in the second case.
I will try to describe the scenario with an example.
Imagine you have 3 web sites that every corporate user needs to reach:
www.website1.com
www.website2.com
www.website3.com
So, users that are working from office can reach them using current pfsense gateway/firewall (with public IP x.x.x.x)
IP x.x.x.x will be authorised (by the web sites admin) to reach the web sites.
corporate_users_from_LAN -> (private IP) corporate GW/FW (public IP)-> web sites
Users that are working from home should reach the web sites only through the proxy server (that I would like to activate on the same pfsense GW/FW mentioned above).
corporate_users_from_home -> (public IP) corporate GW/FW (public IP) -> web sites
The websites admin should authorise only the pfsense GW/FW public IP.
Do you think that it can be done using the current and running pfsense instance?
What are the best practices in this case/scenario?
Thank you in advance,
Mauro
-
@mauro-tridici if I want users out of the public internet (corp users at home) to get to my corp websites hosted on the corp network I would use a vpn..
You could limit where these vpn users can go via simple firewall rules in pfsense, or your websites if running their own firewall could allow the specific range of IPs these vpn clients would get.
Not only does this allow access to your websites, it would also allow if you want any other access to resources on the corp network. Also the vpn auth method is way more secure than just some proxy access with a password, etc.
I mean sure you can set up a reverse proxy on pfsense with the haproxy, and auth your users to that.. But vpn would be a much more robust and secure method of letting road warriors access your company resources.
-
@johnpoz sorry, but the websites are not corp websites hosted on the corp network. They are public websites owned by other people.
In other words, I would like to reach these websites only passing through a proxy server owned by our corporate.
-
@mauro-tridici I don't know if it is correct... but it seems that the service I would like to implement is called "transparent proxy"... but I'm not sure, I'm still reading
-
@mauro-tridici so you want some home user to access www.website1.com that limits who can access to corp IPs.
Vpn would be a better solution to allow users to come from a corp network when not on the corp network..
User connects to the corp vpn, and then routes traffic through this vpn to get to xyz, be that on the corp network or off the corp network. Traffic to something off the corp network would be coming from a corp IP.
-
@mauro-tridici said in Can I configure pfSense to act as a proxy server?:
implement is called "transparent proxy".
no that is not what you want - a transparent proxy is something that intercepts traffic and proxies it... For your thing to work you would need the client to have an explicit proxy setup - where they send traffic trying to go to www.website.com to send to your proxy.
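The explicit proxy setup described in the post above, sketched as a proxy auto-config (PAC) function; this is an added example, not part of the original thread. The three hostnames are the ones from the question, and the proxy address `proxy.corp.example:3128` is a placeholder assumption.

```javascript
// Added example: PAC (proxy auto-config) logic for an explicit client proxy.
// Written in ES5 because browsers evaluate PAC files in restricted JS engines.

// Placeholder assumption: address where the corporate proxy listens.
var PROXY_ADDR = "proxy.corp.example:3128";

// Hostnames taken from the question in the thread.
var PROXIED_HOSTS = ["www.website1.com", "www.website2.com", "www.website3.com"];

// Lower-case the host and drop a trailing dot so "WWW.Website1.com." still matches.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Exact match only: a substring or prefix test would also match
// look-alike names such as "www.website1.com.other.example".
function needsCorporateIp(host) {
  return PROXIED_HOSTS.indexOf(normalizeHost(host)) !== -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (needsCorporateIp(host)) {
    // No "; DIRECT" fallback: if the proxy is unreachable the request fails
    // instead of silently leaving from the home IP.
    return "PROXY " + PROXY_ADDR;
  }
  // Everything else never touches the corporate proxy.
  return "DIRECT";
}
```

A transparent proxy has no equivalent of this file: it relies on the traffic already passing through the firewall, which a home user's traffic does not.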
-
@johnpoz said in Can I configure pfSense to act as a proxy server?:
Traffic to something off the corp network would be coming from a corp IP.
this sentence wins.
thank you very much for your support.
in any case, for informational purposes only, is this the "other not recommended" solution (transparent proxy solution)?
https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-transparent.html
-
@mauro-tridici see my last post - no a transparent proxy would not work for what you want.. How would the proxy even see the traffic to intercept it?
-
@johnpoz you are right.. sorry but I'm a newbie and I'm still trying to study and understand a lot of things :)
-
@mauro-tridici while you could set up a proxy on pfsense with haproxy, I really wouldn't go that route. If you want remote users to look like they come from your corp network, I would vpn them into your network, and route whatever traffic you want to come from a corp IP to something out on the internet through the vpn.