Netgate Discussion Forum

    Squid 3 - Reverse Proxy

    pfSense Packages
    • Q
      qwaven
      last edited by

      Hi all,

      Wondering if anyone can help.

      Please correct me if I am wrong, however as I understand the Squid 3 reverse proxy feature should allow me to "proxy" connections from the outside world and redirect to internal servers based on what http header is sent?

      If this is true, I am having difficulty getting this to work, perhaps I am not understanding what the options are asking me for. :(

      Hoping someone can assist with getting this going?

      I have an internal server running a website "http://internal-ip/mysite/page/something.html" using port 80.

      I've set up a public DNS record "mysite.domain.com"

      Under reverse proxy general

      I have WAN interface selected

      External FQDN: domain.com

      HTTP mode is enabled with port 80

      No other settings on this page.

      Web servers tab

      Added a peer and enabled

      peer alias is the same as my DNS record "mysite"

      peer IP is the IP of my internal server

      port 80

      Mappings tab

      not sure if this is required but I added one anyway.

      just enabled, added my peer, and added domain "mysite.domain.com"

      Wondering if there is something else I am missing, or am I just on the wrong track completely?

      Your help is greatly appreciated.

      Thanks!

      Update: Also to add I have a firewall rule allowing any any on TCP port 80 with log enabled. When trying the website I do see the traffic being logged but my browser displays error "the connection to the server was reset"

      • marcellocM
        marcelloc
        last edited by

        "The connection is reset" is the squid3 message for no rule match.

        The default fqdn is the full dns name instead of domain name.

        Take a screenshot with a sample config. Maybe it will be easier to help.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        • Q
          qwaven
          last edited by

          Thanks for your help.

          I've added some photos (4 of them) with sample entries.

          Where domain.com is my primary domain, and mysite.domain.com would be the address I am trying to use and point to a specific internal server.

          I do have another NAT rule on a different external port which works fine when by-passing the proxy.

          Thanks for your help!

          Cheers.

          reserse_proxy_general.JPG
          reserse_proxy_mappings.JPG
          reserse_proxy_web_servers.JPG
          reverse_proxy_firewall_rule.JPG

          • Q
            qwaven
            last edited by

            So after looking at my own screenshots I tried one more thing.

            I unchecked "reset unauthorized connections" and I now see more info. I believe it is something with Squid blocking the connection?

            
            The following error was encountered while trying to retrieve the URL: http://mysite.domain.com/
            
                Access Denied.
            
            Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
            
            Your cache administrator is admin@domain.com.
            
            

            Would you happen to know what option would affect "access"?

            Thanks!

            • marcellocM
              marcelloc
              last edited by

              Change external fqdn to mysite.domain.com and check squid realtime tab / error logs.

              • Q
                qwaven
                last edited by

                Thanks for your response.

                I had already tried setting FQDN to mysite.domain.com; tried it again and it's still not working.

                I'm not sure where to see the live logs, under SARG I see this:

                2012-07-04 13:57 xxx.xxx.xxx.xxx - GET mysite.domain.com

                I'm wondering if I use mysite.domain.com does that mean I cannot have more than one domain (website) behind the proxy?

                Thanks!

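Added example, not part of the original thread and not the configuration the pfSense package generates: a hand-written squid.conf sketch of host-header-based reverse proxying for the setup discussed above, including a second site behind the same proxy. The backend addresses (192.0.2.x placeholders), othersite.domain.com, and all ACL and peer names are assumptions.

```conf
# Hand-written illustration; NOT the configuration generated by the pfSense package.
# 192.0.2.10 / 192.0.2.20 are placeholder addresses for the internal servers;
# othersite.domain.com and every acl/peer name below are hypothetical.

# Listen as an accelerator (reverse proxy). "vhost" makes Squid route on the
# Host header; "defaultsite" is used only when a request carries no Host header.
http_port 80 accel vhost defaultsite=mysite.domain.com

# One cache_peer per backend ("originserver" = a web server, not another proxy).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=mysite_peer
cache_peer 192.0.2.20 parent 80 0 no-query originserver name=othersite_peer

# ACLs match the full host name the client requested, not the bare domain.
acl host_mysite    dstdomain mysite.domain.com
acl host_othersite dstdomain othersite.domain.com

# Only published host names are allowed. Anything else hits "deny all", which
# Squid answers with its "Access Denied" error page. This also keeps the
# listener from being usable as an open proxy.
http_access allow host_mysite
http_access allow host_othersite
http_access deny all

# Pin each host name to its own backend and nothing else.
cache_peer_access mysite_peer    allow host_mysite
cache_peer_access mysite_peer    deny all
cache_peer_access othersite_peer allow host_othersite
cache_peer_access othersite_peer deny all

# Never fetch directly from the requested name; always go through a peer.
never_direct allow all

# Optional: answer denied requests with a TCP reset instead of the error page.
# The browser then shows only "connection reset", which hides the ACL failure
# from the client but also makes troubleshooting harder.
# deny_info TCP_RESET all
```

On a standalone Squid install, `squid -k parse` checks the file for syntax errors before a reload.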
                • Q
                  qwaven
                  last edited by

                  Hi again,

                  Thanks for your help.

                  I've stumbled upon Mod Security package which I think will better meet my needs. It seems to be working with my setup.

                  Thanks again. If you have any comments (should I not use this?) or something please let me know.

                  Cheers

                  • marcellocM
                    marcelloc
                    last edited by

                    @qwaven:

                    I've stumbled upon Mod Security package which I think will better meet my needs. It seems to be working with my setup.

                    I'm doing a new package GUI for modsecurity :D

                    It's almost done, maybe this week.

                    • Q
                      qwaven
                      last edited by

                      Cool I'd be happy to try the new one out.

                      Thanks for your help.

                      Cheers. :)

                      • Y
                        yon
                        last edited by

                        Hi, I am new to using Squid 3. I want to do something like the www.facebook.com.sixxs.org reverse proxy service. How do I do it? Could you help me?!

                        If you are interested in free peering for clearnet and dn42, contact me!

                        • Q
                          qwaven
                          last edited by

                          Hey marcelloc,

                          Been using your mod_security package and it's still working great! Curious about the functionality. My understanding is that Mod_Security is supposed to be an "application firewall/IPS" for web servers… is this still the case or is this solely running in proxy only mode?

                          If it's able to do the firewall bit, will the new package you're working on include customizations for this? (or how does one customize rules)

                          Thoughts or input?

                          Thanks for all your hard work! Very much appreciated. :)

                          Update: Figure I'm supposed to edit / add code to the bottom "custom mod security rules" and when I put one from the mod security site to change what my web server is reported as it does not seem to apply or nmap is able to still figure it out 100% correctly?

                          Thanks

                          • marcellocM
                            marcelloc
                            last edited by

                            @qwaven:

                            Been using your mod_security package and it's still working great!

                            This is not my package, I'm just improving an existing package  :)

                            @qwaven:

                            Curious about the functionality. My understanding is that Mod_Security is supposed to be an "application firewall/IPS" for web servers… is this still the case or is this solely running in proxy only mode?

                            If I'm not wrong modsecurity rules on current package are too old, so just some features are working

                            @qwaven:

                            If it's able to do the firewall bit, will the new package you're working on include customizations for this? (or how does one customize rules)

                            New version will have a lot of new modsecurity_options, updated rules and rules customization

                            • Q
                              qwaven
                              last edited by

                              haha whoops… well thanks to the creator then! ;)

                              I'll hold off playing with this older package and eagerly wait for your new one. Sounds like it will be quite nice! :)

                              Will it be seen as an update or a totally new package?

                              Thanks again.

                              Cheers!

                              • marcellocM
                                marcelloc
                                last edited by

                                @qwaven:

                                Will it be seen as an update or a totally new package?

                                Maybe as an update, but config will change a lot, save your config on a txt and/or backup file

                                • Q
                                  qwaven
                                  last edited by

                                  awesome thanks I'll look forward to it.

                                  Cheers!
