Unexpected behaviour with squid reverse proxy, all HTTPS sent to default site



  • I'm trying to set up a reverse proxy for a school, testing with an identical setup in my home-office network. I'm getting the same problem on both.

    In each case, I have two HTTP servers - one a web server with multiple sites on aliases, the other a webmail server which also serves HTTPS. I'm also testing by trying to access the first web server over HTTPS. In this setup, the webmail server is configured to redirect any HTTP request for it to HTTPS. Certificates et al are all set up correctly as far as I am aware both at the server and at the proxy.

    I have web server entries for the HTTP server as well as one each for the webmail server's HTTP and HTTPS listeners (to correctly facilitate its HTTP to HTTPS redirects) with mappings referring HTTP or HTTPS requests to the appropriate webmail server port.

    This setup of web servers and mappings works as expected for HTTP - it is directed to the correct server based on the URI given.
    I have mappings for http://webserver.site1 to go to its HTTP listener (the redirector) and https://webserver.site1 going to its HTTPS port.

    However all HTTPS requests going through the reverse proxy are all sent to the "reverse HTTPS default site" and URI mappings seem to be completely ignored for incoming HTTPS requests - the hostname+domainname part of the incoming URI is replaced with the "reverse HTTPS default site" and sent to that default site.

    For testing I tried setting the "reverse HTTPS default site" to one alias of the web server, we'll call it www.site2. It will then direct all HTTPS traffic to that server using the alias entered into that default HTTPS site setting, despite mappings for other aliases for that server, and for the webmail server.

    i.e. if I have www.site1 and www.site2 served from that server as well as webmail.site1 served by a different server, and I set the "reverse HTTPS default site" to www.site2, and have mappings for www.site1 for that server and webmail.site1 for the webmail server.

    If I access any site via HTTP all the mappings work correctly - www.site1 to www.site1, www.site2 to www.site2, and webmail.site1 to webmail.site1.

    If I access any site via HTTPS then this happens: (all received by the reverse proxy as https) www.site1/some.page.name and webmail.site1/webmail.login.php end up being sent to www.site2 as URI requests for www.site2/some.page.name and www.site2/webmail.login.php which is wrong.
    Similarly, if I change the reverse HTTPS default site to webmail.site1, then www.site2/some.page.name and www.site1/some.other.page.name both end up going to the webmail server as webmail.site1/some.page.name and webmail.site1/some.other.page.name respectively.

    Have I missed something? I'm not sure why it's doing this with HTTPS traffic. As mentioned, if the request comes in as HTTP, everything works as expected.

    Thanks in advance for any help or pointers,

    Andrew



  • Hello,

    Same thing for me,

    as said in this topic http://forum.pfsense.org/index.php/topic,48347.135.html

    I've tested without success to make HTTPS redirect work, even with the latest package update.

    You could try to install (in a VM for quick testing) Linux squid and redirect HTTPS traffic on the testing VM with the config file generated on pfSense to debug…

    to be continued...



  • I'm having issues with the HTTPS reverse proxy as well, however the HTTP reverse proxy works fine.

    Currently I'm getting a squid error page saying "Access Denied. Access control configuration prevents your request from being allowed at this time."

    Also, I believe I found a bug in the HTTPS reverse proxy settings: you need to manually put in the listen port 443. By default it listens on 80 even though it says 443; just manually put it in there.

