Problem with Squid-Reverse proxy

  • I am trying to use squid reverse proxy on the latest pfSense i386

    • Has DNS and a mixed set of port gateways forwarded

    I have installed the squid3 20_1_5 package and try as I may I cannot get things to work.

    Here are my config concepts:
    pfSense is a public IP on the WAN side
    Back side is a basic private LAN (192.168.0.x)
    4 servers with mixed ports
    .69:80 -> IIS box using headers to select from a handful of sites
    .69:81 -> Yawcam live feed
    .40:8080 -> Remote controlled webcam
    .40:80 -> IIS box using headers to select from additional and failover sites (disregarded at this point)
    .140:5150 -> Rabbit based sensor collection box - web interface
    .120:80 -> Webmail site

    Objectives: -> .69:81 -> .69:80 -> .140:5150
    www.* -> .69:80
    backyardcam.domain -> .40:8080

    Steps I took:

    1. Installed the squid3 pkg from pfSense
    2. Defined 4 servers
    3. Mapped sites based on URL to server
    4. Set listen port to 80 and IP to
    5. Set the PF WebGUI to port 180 and turned off redirect
    6. Created a firewall rule for WAN side input on 80 ->
    7. Enabled squid logging
    8. Enabled squid and all of the mappings and servers
    9. Started the squid service and watched the real-time log viewer
    10. Injected http requests from outside source

    From an SSH terminal, ps -a shows no squid processes
    Real-time log shows nothing
    Services show squid running
    HTTP requests time out

    Smells like either squid is not starting or I am not listening on the right ports.

  • dan104,

    If you listen with squid on loopback, you need a NAT rule to forward traffic from WAN to it, but if you listen on the WAN address, you just need the firewall rule.

    You have 6 ports to forward, so I suggest you create servers based on your ports.

    host_69_81 (host .69 port 81)
    host_69_80 (host .69 port 80)
    host_40_8080 (host .40 port 8080)
    host_40_80 (host .40 port 80)
    host_140_5150 (host .140 port 5150)
    host_120_80 (host .120 port 80)

    The current package version creates only one squid conf instead of multiple daemons. This way, you need to publish all your sites on wan_ip:80 for all HTTP traffic and wan_ip:443 for all SSL traffic.

    The host header on mappings will forward the request to the server the way you want:

    uri: host:host_69_81
    uri: host:host_69_80
    uri: host:host_140_5150
    uri: www.* host:host_69_80
    uri: backyardcam.domain host:host_40_8080

    Marcello Coutinho

  • Thank you for the prompt answers!

    When you say listen on the WAN address, I assume you are saying the public IP, which I tried, but maybe I had other errors.

    My current setup is almost the same as you suggested, except the 127…. I do have a firewall rule forwarding port 80 on WAN to 127.... But I need to go look at the NAT settings tonight.

    There are lots of options on the GEN tab; are there any that are must-dos and others that should be avoided for now?

    Thank you again

  • Tried what I thought you said and still no traffic. Attaching my config.xml file.
    Any thoughts?

  • dan104,

    Remove your XML from the previous post; it's not safe exposing your firewall config to the world :(

    I've tried to access your IP on HTTP and HTTPS without success.

    Try these steps:

    • Remove the NATs for your internal web servers

    • Listen with reverse squid on 80

    • Apply a firewall rule on WAN allowing access from any to interface_address port 80 and port 443

    • Check on console/ssh if squid is running and listening on ports 80/443 using netstat -an | grep -i listen

    • Test using tcpdump (on console/ssh) if you get any HTTP/HTTPS traffic to wan_address at port 80,443
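The netstat check in the steps above is the one that separates "Services show squid running" from "squid actually owns port 80". Below is an added example (not code from the thread, not part of the pfSense squid package) of a small POSIX shell helper that reads netstat -an output and reports whether the expected reverse-proxy ports are really in LISTEN state. It handles both the FreeBSD/pfSense local-address format (*.80, 192.168.0.1.22) and the Linux format (0.0.0.0:80, :::443), since a grep for ":80" silently misses the FreeBSD form. The two sample netstat dumps are constructed for the example; the IP addresses in them are documentation ranges, not anyone's real hosts.

```shell
#!/bin/sh
# Added example: verify that a reverse proxy is really listening on the ports
# it is supposed to own, from "netstat -an" text. Not from the original thread.

# listening_ports: reads netstat -an output on stdin and prints one listening
# TCP port per line, sorted numerically. Works for FreeBSD (pfSense) and Linux.
listening_ports() {
    awk '
        /^tcp/ && toupper($NF) == "LISTEN" {
            # Column 4 is the local address: "*.80" / "10.0.0.1.22" on FreeBSD,
            # "0.0.0.0:80" / ":::443" on Linux. The port is always the last piece
            # once the address is split on "." and ":".
            n = split($4, parts, /[.:]/)
            port = parts[n]
            if (port ~ /^[0-9]+$/) print port
        }' | sort -n | uniq
}

# check_listen NETSTAT_TEXT PORT... : returns 0 if every PORT is in LISTEN
# state in NETSTAT_TEXT, otherwise prints the missing ports to stderr and
# returns 1. This is the "is squid listening on 80/443?" test from the thread.
check_listen() {
    text=$1
    shift
    ports=$(printf '%s\n' "$text" | listening_ports)
    missing=""
    for p in "$@"; do
        printf '%s\n' "$ports" | grep -qx "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "not listening on:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample resembling pfSense (FreeBSD) output: squid on 80 only,
# the WebGUI moved to 180, sshd on the LAN address, and one established
# client connection that must NOT count as a listener.
SAMPLE_BSD='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.180                  *.*                    LISTEN
tcp4       0      0 192.168.0.1.22         *.*                    LISTEN
tcp4       0      0 203.0.113.10.80        198.51.100.7.51234     ESTABLISHED'

# Constructed sample in Linux netstat format with both 80 and 443 listening.
SAMPLE_LINUX='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN'

# Stand-alone demo: the BSD box passes for 80 but fails for 80+443.
if [ "${1:-}" = "demo" ]; then
    check_listen "$SAMPLE_BSD" 80 && echo "BSD sample: port 80 OK"
    check_listen "$SAMPLE_BSD" 80 443 || echo "BSD sample: 443 missing, as expected"
    check_listen "$SAMPLE_LINUX" 80 443 && echo "Linux sample: 80 and 443 OK"
fi
```

On the firewall itself you would run the live check as `netstat -an | listening_ports` (or feed `netstat -an` into check_listen with the ports you expect). A LISTEN on *.80 together with the pfSense service page saying "running" but ps showing no squid process usually means a different daemon owns the port; with no LISTEN on 80 at all, squid never started and the firewall rule is irrelevant until that is fixed.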
