HAProxy, Pound, Squid-Reverse & Varnish



  • Dear all,

    I've tried and spent hours configuring HAProxy, Pound, Squid-Reverse & Varnish.

    My goal is to set up a reverse proxy that routes on host headers to the corresponding servers and load balances where applicable, for HTTP as well as HTTPS.

    • http://www.domain.com/ refers to server: 192.168.125.10 (port 80)
    • http://www.domain1.com/ refers to server: 192.168.125.11 (port 80)
    • http://extranet.domain.com/ refers to server: 192.168.125.21 (port 80 + LB)
    • http://extranet.domain.com/ refers to server: 192.168.125.23 (port 80 + LB)
    • https://intranet.domain.com/ refers to server: 192.168.140.241 (port 443 & 987 + LB)
    • https://intranet.domain.com/ refers to server: 192.168.140.245 (port 443 & 987 + LB)
    • https://webmail.domain.com/owa refers to server: 192.168.140.245 (port 443; MS Exchange + LB)
    • https://webmail.domain.com/owa refers to server: 192.168.140.247 (port 443; MS Exchange + LB)

    I can't figure out how to configure any of the above packages; all without any luck. All packages except Pound are not implemented in pfSense. Some people swear by one package, others by completely different ones. Which one to choose? Could somebody help me configure one of the most suitable and stable packages?

    Thanks in advance,
    Canefield



  • canefield,

    I think your first try should be configuring just squid-reverse.

    I'm very busy these days with my job and some package improvements (including squid-reverse).
    It's on my todo list to simplify this publishing process, and I believe that squid-reverse is the simplest package for reverse proxy with http/https.

    att,
    Marcello Coutinho



  • Marcello,

    Thanks for your reply. I will have a closer look at Squid. Could somebody help me out configuring this? I'm new to Linux and pfSense. I don't have any clues.

    Thanks,
    Canefield



  • @marcelloc:

    canefield,

    I think your first try should be configuring just squid-reverse.

    I'm very busy these days with my job and some package improvements (including squid-reverse).
    It's on my todo list to simplify this publishing process, and I believe that squid-reverse is the simplest package for reverse proxy with http/https.

    att,
    Marcello Coutinho

    I've been using pound for a while but prefer to use packages that are built for pfSense (for support reasons). I agree with marcelloc that squid-reverse would be the way to go, but LB options are not in the GUI (at least from what I can tell). Hopefully this will be added soon, because the syntax is different when setting up Reverse-Proxy with LB (http://wiki.squid-cache.org/SquidFaq/ReverseProxy#Load_balancing_of_backend_servers), but it's straightforward. For performance, I've heard Varnish is the way to go, but the configuration can be very complex.



  • Cino,

    Thanks for your reply. You're telling me it is pretty straightforward, but I don't get it. As you're indicating, I believe I also should use packages included and supported by pfSense.

    Could somebody provide me with a working configuration, step-by-step example, screenshots, etc.?

    Thanks,
    Canefield



  • Canefield,

    Here is how I configured the Reverse settings tab for my setup:

    Reverse Proxy interface: loopback  (could be your WAN, but I setup a NAT Port-forward rule)
    external FQDN: FQDN that will resolve the public IP, example your WAN IP
    Enable HTTP reverse mode: checked
    reverse HTTP port: 9080  (could be 80 but the NAT Port-forward rule will direct traffic from port 80 to 9080)

    peer definitions :
    HOST_SERVER1;192.168.0.150;80;HTTP
    HOST_SERVER2;192.168.0.100;80;HTTP
    HOST_SERVER3;192.168.0.50;80;HTTP
    HOST_SERVER4;192.168.0.10;80;HTTP

    URI definitions:
    WEBAPP_SERVER1;;http://host1.domain.net
    WEBAPP_SERVER1;;http://host2.domain.net
    WEBAPP_SERVER1;;http://host3.domain.net
    WEBAPP_SERVER2;;http://host1.domain2.com
    WEBAPP_SERVER2;;http://box.domain2.net
    WEBAPP_SERVER2;;http://boxone.domain2.net
    WEBAPP_SERVER2;;http://domain2.net
    WEBAPP_SERVER2;;http://..domain2.net    (wildcard for host names)
    WEBAPP_SERVER3;;http://domain3.net
    WEBAPP_SERVER4;*;http://domain4.net

    ACL definitions:
    HOST_SERVER1;WEBAPP_SERVER1
    HOST_SERVER2;WEBAPP_SERVER2
    HOST_SERVER3;WEBAPP_SERVER3
    HOST_SERVER4;WEBAPP_SERVER4

    create a NAT rule:
    interface WAN
    Protocol  TCP
    DEST: WAN Address
    DEST Port: 80
    Redirect IP: 127.0.0.1
    Redirect Port: 9080
    Filter rule association: Create associated filter rule

    I haven't tried https, but see if you can get http to work first… Maybe someone else can help with HTTPS... Like I said before, LB options aren't built into the GUI from what I can tell, but it's probably in the works (I hope, anyway).

    Hope this helps

    Stephen
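The squid.conf below is an added example for the host-header routing and load balancing asked for in the first post; it is not from the thread, the pfSense squid-reverse package or Stephen's tab settings. It uses the cache_peer round-robin syntax from the Squid FAQ page Cino linked, which the Reverse settings tab does not expose. The certificate, key and CA file paths, the Squid 3.1-era option names and the handling of the intranet port 987 are assumptions.

```squid
# Added example, not from the thread: squid.conf fragment for the first post's
# requirements. Paths under /usr/local/etc/squid/ are assumed.

# Accelerator listeners. "vhost" makes Squid route on the Host header.
http_port  80  accel vhost
https_port 443 accel vhost cert=/usr/local/etc/squid/proxy.crt key=/usr/local/etc/squid/proxy.key
# intranet.domain.com also listens on 987; a second https_port on 987 and a
# matching set of port-987 peers would follow the same pattern (omitted here).

# Origin servers. Peers that carry the round-robin flag and are allowed by the
# same cache_peer_access rules are balanced between for a given request.
cache_peer 192.168.125.10  parent 80  0 no-query originserver name=www
cache_peer 192.168.125.11  parent 80  0 no-query originserver name=www1
cache_peer 192.168.125.21  parent 80  0 no-query originserver round-robin name=extranet1
cache_peer 192.168.125.23  parent 80  0 no-query originserver round-robin name=extranet2
# HTTPS backends: verify the backend certificate against an (assumed) internal
# CA file instead of using sslflags=DONT_VERIFY_PEER, which would let anyone
# who can spoof a 192.168.140.x address on the path read the proxied traffic.
cache_peer 192.168.140.241 parent 443 0 no-query originserver round-robin ssl sslcafile=/usr/local/etc/squid/internal-ca.pem name=intranet1
cache_peer 192.168.140.245 parent 443 0 no-query originserver round-robin ssl sslcafile=/usr/local/etc/squid/internal-ca.pem name=shared245
cache_peer 192.168.140.247 parent 443 0 no-query originserver round-robin ssl sslcafile=/usr/local/etc/squid/internal-ca.pem name=owa2
# 192.168.140.245 serves both intranet and OWA, so it is defined once (peer
# names must be unique) and allowed for both sites below.

# Published host names and the OWA path.
acl www_site      dstdomain www.domain.com
acl www1_site     dstdomain www.domain1.com
acl extranet_site dstdomain extranet.domain.com
acl intranet_site dstdomain intranet.domain.com
acl owa_site      dstdomain webmail.domain.com
acl owa_path      urlpath_regex -i ^/owa

# Route each site to its peer(s). Every peer ends with "deny all" so a request
# for one site is never sent to another site's backend.
cache_peer_access www       allow www_site
cache_peer_access www       deny  all
cache_peer_access www1      allow www1_site
cache_peer_access www1      deny  all
cache_peer_access extranet1 allow extranet_site
cache_peer_access extranet1 deny  all
cache_peer_access extranet2 allow extranet_site
cache_peer_access extranet2 deny  all
cache_peer_access intranet1 allow intranet_site
cache_peer_access intranet1 deny  all
cache_peer_access shared245 allow intranet_site
cache_peer_access shared245 allow owa_site owa_path
cache_peer_access shared245 deny  all
cache_peer_access owa2      allow owa_site owa_path
cache_peer_access owa2      deny  all

# Never let Squid fetch a URL itself; every request must go through a peer.
never_direct allow all

# Only the published names are accepted. Without the final "deny all" an
# accelerator reachable from the Internet can be used as an open proxy.
http_access allow www_site
http_access allow www1_site
http_access allow extranet_site
http_access allow intranet_site
http_access allow owa_site owa_path
http_access deny  all
```

Check the file with `squid -k parse -f /path/to/squid.conf` before reloading. Plain round-robin has no session persistence, so an OWA login may land on one backend and its next request on the other; replacing `round-robin` with `sourcehash` on the OWA and intranet peers pins each client address to one backend.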

