Problem with Squid-Reverse proxy

dan104

I am trying to use squid reverse proxy on latest pfsense I386

• Has DNS and mixed set of port gateways forwarded

I have installed the squid3 20_1_5 package and try as I may I can not get things to work.

Here is my config concepts
Pfsence is public IP on WAN side
Backside is basic  private lan (192.168.0.x)
4 servers with mixed ports
.69:80 -> IIS box using headers to select from a handful of sites
.69:81 ->Yawcam live feed
.40:8080 -> Remote controlled Webcam
.40:80 -> IIS box using headers to select from addional and failover sites (disregarded at this point)
.140:5150 -> Rabit based sensor collection box – Web interface
.120:80  -> Webmail site

Objectives:
Birdcam.domain.com -> .69:81
www.domain.com ->.69:80
wel.domain.com -.140:5150
www.*.domain.com ->.69:80
backyardcam.domain -> .40:8080

Steps I took:

1. Installed squid3 pkg from pfsense
2. Defined 4 servers
3. Mapped sites based on url to server
4. Set listen port to 80 and IP to 127.0.0.1
5. Set PF Webgui to port 180 and turned off redirect
6. Created firewall rule for Wan side input on 80 -> 127.0.0.1
7. Enabled squid logging
8. Enabled Squid and all of the mapping and servers
9. Started Squid service watched real-time log viewer
10. Injected http requests from outside source

Results:
From SSH terminal ps –a shows no squid processes
Realtime log shows nothing
Services show squid running
http request time out

smels like either squid is not starting or I am not listening on right ports.

Thoughts??????

marcelloc

dan104,

If you listen squid on loopback, you need a nat rule to forward traffic from wan to 127.0.0.1 but if you listen on wan address, you just need the firewall rule.

You have 6 ports to forward, so I suggest you to create servers based on your ports.

host_69_81 (host .69 port 81)
host_69_80 (host .69 port 80)
host_40_8080 (host .40 port 8080)
host_40_80    (host .40 port 80)
host_140_5150 (host .140 port 5150)
host_120_80    (host .120 port 80)

Currente package version, creates only one squid conf instead of multiple daemons. This way, you need to publish all your sites on wan_ip:80 for all http traffic and wan_ip:443 for all ssl traffic.

The host header on mappings will forward the request to the server the way you want:

uri: Birdcam.domain.com host:host_69_81
uri: www.domain.com     host:host_69_80
uri: wel.domain.com       host:host_140_5150
uri: www.*.domain.com  host:host_69_80
uri: backyardcam.domain  host:host_40_8080

att,
Marcello Coutinho

dan104

Thank you for the prompt answers!

When you say lisen on wan address I assume you are saying the public ID, which I tried but maybe I had other errors.

My current set up is almost the same as you suggested, except the 127…. I do have a firewall rule forwarding port 80 on WAN to 127....  But need to go look at the NAT settings tonight.

There are lots of option on the GEN tab, any ones that are must do's and other that are avoid for nows?

Thank you again
Dan

dan104

Tried what I thought you said and still no traffic Attaching my config.xml file
Any thoughts?

Dan

Still_not_working.txt

marcelloc

dan104,

Remove your xml from previous post, It's not safe exposing your firewall config to the world  :(

I've tried to access your ip on http and https without success.

try these steps:

• Remove the nats for your internal web servers

• listen reverse squid on 80

• apply a firewall rule on wan allowing access from any to interface_address port 80 and port 443

• check on console/ssh if squid is running and listening on ports 80/443 using netstat -an | grep -i listen

• test using tcpdump(on console/ssh) if you get any http/https traffic to wan_address at port 80,443