Squid3 - New GUI with sync, normal and reverse proxy
-
When using the Reverse Proxy in theory will it redirect the traffic based upon the URL?
I've got 2 internal webservers with one public IP, should I be able to route the traffic based upon server1.mydomain.com to 192.168.1.50 and say server2.mydomain.com to 192.168.1.51 ?
It seems I've configured the reverse proxy properly and added a rule to allow http traffic to each private address but I'm not having any luck.
Anyone have any ideas or detailed instructions?
-
When using the Reverse Proxy in theory will it redirect the traffic based upon the URL?
I've got 2 internal webservers with one public IP, should I be able to route the traffic based upon server1.mydomain.com to 192.168.1.50 and say server2.mydomain.com to 192.168.1.51 ?
yes,
It seems I've configured the reverse proxy properly and added a rule to allow http traffic to each private address but I'm not having any luck.
what you got on squid access log?
-
Here is what I see in the access.log file /var/squid/logs - I only see internal traffic. Shouldn't I see attempts from public IPs that are trying to access the web servers?
1338991913.168 179241 MY.DESKTOP.I.P TCP_MISS/504 1290 GET http://domain1.mydomain.com/ - DIRECT/MY.PUBLIC.I.P text/html
I'll try and add some screenshots of my setup
EDIT: added screenshots
-
The setup looks fine, I'll try to simulate it.
-
Make URI textbox blank in order to get:
acl test1 url_regex -i http://test1.mydomain.com.*$
Now you get:
acl test1 url_regex -i test1.mydomain.com/http://test1.mydomain.com.*$
You can look at /usr/local/etc/squid/squid.conf in a ssh shell.
Best regards.
-
That made it work from internal on the LAN, but I still can't get to it from the outside.
Any other ideas?
Thanks!
-
Unable to get reverse squid 3 to work. Here is my configuration, if somebody can help. The example I'm trying to get to work is 2 web servers; one on port 80 and another on port 8081. The request that comes to port 80 should be picked up by squid and depending on the URL squid should send the request either to port 80 of the web server or to port 8081. The test I'm using is www goes to port 80 and helpdesk goes to port 8081. When I try it, everything goes to port 80. Port 8081 is never sent anything and the helpdesk goes to port 80.
The squid.conf file reverse proxy section looks like this: (XXX is equal to mydomainname)
Reverse Proxy settings
http_port 192.168.XXX.XXX:80 accel defaultsite=XXXX.ca vhost
http_port 156.34.XXX.XXX:80 accel defaultsite=XXXX.ca vhost
#XXXX HelpDesk
cache_peer 192.168.XXX.15 parent 8081 0 proxy-only no-query originserver login=PASS name=XXXXHelpDesk
acl XXXXHelpDesk url_regex -i http://helpdesk.XXXX.ca/.*$
acl XXXXHelpDesk url_regex -i http://helpdesk.XXXX.com/.*$
cache_peer_access XXXXHelpDesk allow XXXXXHelpDesk
cache_peer_access XXXXHelpDesk allow XXXXHelpDesk
cache_peer_access XXXXHelpDesk deny allsrc
cache_peer_access XXXXHelpDesk deny allsrc
never_direct allow XXXXHelpDesk
never_direct allow XXXXHelpDesk
http_access allow XXXXHelpDesk
http_access allow XXXXHelpDesk
deny_info TCP_RESET allsrc
Custom options
![MappingDetail PM.png](/public/imported_attachments/1/MappingDetail PM.png)
-
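As an added example, not cjbujold's configuration and not what the pfSense package generates, here is a hand-written Squid 3 accelerator section for the case both posts above describe: two hostnames on one public IP, one origin on port 80 and one on port 8081. The addresses 203.0.113.10 (WAN) and 192.168.1.1 (LAN), the hostnames and the peer names `server1`/`server2` are placeholders. It uses `dstdomain` instead of `url_regex`, which avoids the anchoring and escaping mistakes visible in the pasted config.

```conf
# Added example, not from the thread: Squid 3 accelerator (reverse proxy)
# section routing two hostnames behind one public IP to two origin servers.
# 203.0.113.10 (WAN), 192.168.1.1 (LAN), the hostnames and the
# server1/server2 peer names are placeholders.

# Listen on both interfaces in accelerator mode; vhost selects the
# origin from the Host header of each request.
http_port 203.0.113.10:80 accel defaultsite=server1.mydomain.com vhost
http_port 192.168.1.1:80  accel defaultsite=server1.mydomain.com vhost

# One cache_peer per origin server; originserver marks it as the backend
# web server rather than another proxy. The second server listens on 8081.
cache_peer 192.168.1.50 parent 80   0 no-query originserver name=server1
cache_peer 192.168.1.51 parent 8081 0 no-query originserver name=server2

# dstdomain matches the requested hostname; no regex needed.
acl site1 dstdomain server1.mydomain.com
acl site2 dstdomain server2.mydomain.com

# Each peer only receives requests for its own hostname.
cache_peer_access server1 allow site1
cache_peer_access server1 deny all
cache_peer_access server2 allow site2
cache_peer_access server2 deny all

# Only the two published hostnames are served; anything else is refused,
# so the accelerator cannot be used to reach arbitrary origins.
http_access allow site1
http_access allow site2
http_access deny all

# Never fetch directly; every request must go through a cache_peer.
never_direct allow all

# Check the syntax before reloading:
#   squid -k parse -f /usr/local/etc/squid/squid.conf
# From outside, verify the split by forcing the Host header:
#   curl -sI -H 'Host: server2.mydomain.com' http://203.0.113.10/
```

Because `http_port` binds to the WAN address, the request from the Internet is addressed to the firewall itself, not to 192.168.1.50 or .51: the WAN firewall rule therefore has to permit TCP/80 to the WAN address, and a rule that only allows traffic to the private server addresses will never match. The `curl` check with an explicit Host header is the quickest way to see which peer each name reaches from outside.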
Sounds like the same issue I'm having, however it looks like one of your mappings isn't ON. Maybe that will fix it, if so I need to look over my config again.
-
I looked at my squid.config file and it's basically the same as cjbujold's.
Is there anything else to try, or does anyone have any idea why this isn't working?
Thanks for the help.
-
Hi,
It is not possible to restart/start the squid service from the dashboard and services GUI pages.
Best regards
IGIdeus
-
Hi,
IMHO squid as a package for firewall should be hardened a little bit more.
From my perspective ACL safe_ports should include only 21, 80, 443 and 1025-65535 ports, ACL SSL should include only 443 port. All other ports should be added manually.
There could be information about other ports in the description of the options. The brilliant function could be the possibility to manage the ACLs like in Webmin or like firewall rules in pfSense.
Best regards
IGIdeus
-
It is not possible to restart/start the squid service from the dashboard and services GUI pages.
Apply this patch on your 2.0.1 install to fix restart service option
https://github.com/bsdperimeter/pfsense/commit/6ae78f0808747893f30b867c51b744dfe39e2190
From my perspective ACL safe_ports should include only 21, 80, 443 and 1025-65535 ports, ACL SSL should include only 443 port. All other ports should be added manually.
the current list (21 70 80 210 280 443 488 563 591 631 777 901 1025-65535) is not that big. I think (and in some cases I remove) that 1025-65535 is the most "unsecure" port range on this array. You can change it by editing the squid.inc file.
The brilliant function could be possibility to manage the ACLs like in Webmin or like firewall rules in pfSense.
It's on the todo list, but I need some free time to finish.
-
The setup looks fine, I'll try to simulate it.
Did you ever have a chance to simulate the reverse proxy traffic?
-
Pfsense 2.0.1 32 BIT
Squid services not started :(
-php: /pkg_edit.php: The command '/usr/local/sbin/squid -k shutdown' returned exit code '1', the output was 'FATAL: Bungled squid.conf line 4: http_port 127.0.0.1:3128 intercept Squid Cache (Version 2.7.STABLE9): Terminated abnormally.'
-squid[54825]: Bungled squid.conf line 4: http_port 127.0.0.1:3128 intercept
-
Squid Cache (Version 2.7.STABLE9)
Did you install squidguard after squid? Force a squid3 reinstall, check config, apply settings and test again.
-
Thanks its working ;)
-
Hi,
Is there a way that we can enable LDAP and NT authentication properly on this module, I was not able to run this using LDAP or NT.
Please advise
TIA
-
any news on pbi package? I did a new install of 2.1 and can't install the package.. I may follow these step to manually install; http://forum.pfsense.org/index.php/topic,50572.0.html
-
http://lists.pfsense.org/pipermail/dev/2012-June/000178.html
thanks. Guess I should have read the whole thing… I missed the bottom part
EDIT: Squid 3 has been built it looks, http://files.pfsense.com/packages/8/All/squid-3.1.19-i386.pbi
EDIT2: Since the package showed up, I installed it... Looks like it needs some options added to it when the pbi is being built:
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:17 unrecognized: 'sslcrtd_children'
2012/06/18 13:19:24| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2012/06/18 13:19:24| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2012/06/18 13:19:24| WARNING: You should probably remove '127.0.0.1' from the ACL named 'ext_manager'
2012/06/18 13:19:24| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2012/06/18 13:19:24| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2012/06/18 13:19:24| WARNING: You should probably remove '127.0.0.1' from the ACL named 'ext_manager'
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:73 unrecognized: 'delay_pools'
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:74 unrecognized: 'delay_class'
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:75 unrecognized: 'delay_parameters'
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:76 unrecognized: 'delay_initial_bucket_level'
2012/06/18 13:19:24| cache_cf.cc(381) parseOneConfigFile: squid.conf:77 unrecognized: 'delay_access'
2012/06/18 13:24:54| cache_cf.cc(381) parseOneConfigFile: squid-reverse.conf:11 unrecognized: 'netdb_filename'
2012/06/18 13:24:54| cache_cf.cc(381) parseOneConfigFile: squid-reverse.conf:16 unrecognized: 'sslcrtd_children'
It won't start. I was able to start squid manually by taking the unrecognized commands out.. hand edit the squid.inc file so they aren't added
EDIT3: Still testing but looks like option -f will be needed to keep the config files in the same location:
-f file Use given config-file instead of
/usr/pbi/squid-i386/etc/squid/squid.conf