Netgate Discussion Forum
Squid 3 reverse proxy - HTTPS==>HTTP fails

Category: Cache/Proxy
15 Posts 5 Posters 18.9k Views
Gob, last edited Feb 14, 2013, 12:51 PM

    Hi

    I have squid reverse proxy (v3.1.20) running with a wildcard SSL cert.
    I have numerous web servers on our LAN, some running HTTPS and some running HTTP.
    I would like to use the wildcard cert for traffic to all web servers.

    I have only enabled the HTTPS part of the reverse proxy on pfSense and I have configured the appropriate ports and protocols on the web servers tab and applied mappings.
    The reverse proxy works perfectly for web servers running https internally (i.e. HTTPS to HTTPS) however web servers only running HTTP (HTTPS to HTTP) generate a squid error page:

    The following error was encountered while trying to retrieve the URL: https://abc.mydomain.com/

    Unable to forward this request at this time.

    This request could not be forwarded to the origin server or to any parent caches.

    Some possible problems are:

    An Internet connection needed to access this domain's origin servers may be down.
    All configured parent caches may be currently unreachable.
    The administrator may not allow this cache to make direct connections to origin servers.
    Your cache administrator is admin@localhost.

    There isn't anything in the system logs.
    Is HTTPS==>HTTP a supported configuration?

    thanks
    Gordon

    If I fix one more thing than I break in a day, it's a good day!

marcelloc, last edited Feb 14, 2013, 9:04 PM

      Did you try the new redirect tab?

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

Gob, last edited Feb 14, 2013, 10:28 PM

        I have just noticed that tab after upgrading to the latest version of squid.
        I don't really understand how that will help me in this scenario however.

        Is the redirect doing a url rewrite?

marcelloc, last edited Feb 14, 2013, 11:18 PM

          Take a look at this topic.
          http://forum.pfsense.org/index.php/topic,51812.msg315017.html#msg315017

Gob, last edited Feb 15, 2013, 12:09 AM

            ah, right. I have just tried the redirect solution.
            Unfortunately the redirect rewrites the address in the browser, so if I have this redirect rule:

            https://www.externaldomain.com redirecting to http://internaldomain.local

            from outside the network I enter https://www.externaldomain.com into my browser and the browser address changes to http://internaldomain.local which does not resolve nor is accessible from outside the network.

            My main requirement for the reverse proxy is to implement a mobile device management platform with multiple exchange servers.
            The iOS mobile devices will only work with a HTTPS connection but the ActiveSync proxy behind pfSense that distributes the traffic to the various exchange servers will only work with HTTP.

            This diagram hopefully explains a little clearer:

            [Image: Capture.JPG]

marcelloc, last edited Feb 15, 2013, 12:15 AM

              I know apache can do it easily, but have no idea how to do it with squid reverse options.

              Pound proxy can help too, but there is no GUI for pfSense yet.

Gob, last edited Feb 15, 2013, 9:32 AM

                Thanks again for your valued help, Marcelloc.

                Pound looks like it will do the job and be the simplest to set up. I don't want to risk breaking my production pfSense box so I will install as a standalone proxy.

                Just looking through the packages I came across stunnel. Do you think that would do the job, or is stunnel for outbound connections only?

                Gordon

marcelloc, last edited Feb 15, 2013, 9:05 PM

                  @Gob:

                  Just looking through the packages I came across stunnel. do you think that would do the job or is stunnel for outbound connections only?

                  I have not tried stunnel package yet to see how it works.

Gob, last edited Feb 17, 2013, 4:39 PM

                    Hi Marcelloc

                    I have done some more reading on squid and following the examples on the squid website it is possible to use the squid reverse proxy to work with HTTPS on the WAN and HTTP on the LAN.
                    After examining /usr/local/etc/squid/squid.conf it appears that only the HTTPS web servers get an entry, and not the HTTP web servers. The mappings seem to get added correctly, but not the peer entries.
                    I manually added the following to the squid.conf and it worked perfectly.

                    #test
                    cache_peer 192.168.250.4 parent 80 0 proxy-only no-query originserver login=PASS name=rvp_test
                    

                    Obviously this will get overwritten if I perform anything that regenerates the squid.conf.

                    Can you give me any tips on how to make it persistent or are you able to take a look at the package?

                    many thanks
                    Gordon

Gob, last edited Feb 19, 2013, 4:57 PM

                      Further to my post above…
                      If I enable the HTTP reverse proxy (as well as the HTTPS reverse proxy) the package manager does add all of the HTTP webservers (cache_peer) and cache_peer_access lines to squid.conf.
                      But the addition of the http_port lines along side the existing https_port lines seems to prevent it from working.

                      So ideally it would be handy to include all cache_peer and cache_peer_access lines for HTTP webservers even when the HTTP reverse proxy is not enabled.

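The cache_peer line Gob added by hand (Feb 17 post) and the persistence problem he raises there, together with his Feb 19 observation that the package only emits the HTTP cache_peer and cache_peer_access lines when HTTP mode is enabled, as an added example that is not part of this thread or of the pfSense squid3 package: a small POSIX shell script that re-appends the complete peer block idempotently, parses the config before reloading, and can be re-run after every package regeneration (for example from cron or after each GUI change). The backend 192.168.250.4, the peer name rvp_test, the hostname abc.mydomain.com and the squid.conf path are taken from the posts; the Squid binary path, the ACL name rvm_rvp_test and the use of dstdomain (the package's generated mappings may use a different ACL type) are assumptions. One caveat a practitioner should weigh: login=PASS forwards the client's credentials to the origin, and on an HTTPS-to-HTTP peer that hop is plaintext on the LAN, so keep the path to the ActiveSync proxy on a trusted segment or drop the option if the origin does not need the credentials.

```shell
#!/bin/sh
# Re-add the HTTPS-on-WAN / HTTP-on-LAN peer lines that the pfSense squid3
# package drops from squid.conf when it regenerates the file.
# Added example for this thread; not part of the pfSense package.
# Values from the posts: backend IP, peer name, hostname, conf path.
# Assumptions: Squid binary path, ACL name, dstdomain ACL type.

SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"
BACKEND_IP="${BACKEND_IP:-192.168.250.4}"        # HTTP-only origin on the LAN
BACKEND_PORT="${BACKEND_PORT:-80}"
PUBLIC_HOST="${PUBLIC_HOST:-abc.mydomain.com}"   # name covered by the wildcard cert
PEER_NAME="${PEER_NAME:-rvp_test}"

# The block Squid needs for one HTTPS-front / HTTP-back site:
#  - cache_peer ... originserver: Squid speaks plain HTTP to the origin.
#    login=PASS forwards the client's Authorization header to the origin;
#    on this hop it crosses the LAN in clear text, so omit it if not needed.
#  - acl + cache_peer_access: only requests for PUBLIC_HOST reach this peer.
#  - http_access: allow exactly those requests; everything else is left to
#    the rules the package generates after this block.
peer_block() {
    cat <<EOF
# BEGIN ${PEER_NAME} (re-added by ensure-squid-peer.sh)
cache_peer ${BACKEND_IP} parent ${BACKEND_PORT} 0 proxy-only no-query originserver login=PASS name=${PEER_NAME}
acl rvm_${PEER_NAME} dstdomain ${PUBLIC_HOST}
cache_peer_access ${PEER_NAME} allow rvm_${PEER_NAME}
cache_peer_access ${PEER_NAME} deny all
http_access allow rvm_${PEER_NAME}
# END ${PEER_NAME}
EOF
}

# Idempotent: append the block only if its cache_peer line is absent.
# Prints "added" or "present"; returns 0 either way.
ensure_peer() {
    conf="$1"
    if grep -q "^cache_peer .* name=${PEER_NAME}\$" "$conf"; then
        echo present
    else
        peer_block >> "$conf"
        echo added
    fi
}

# Number of cache_peer lines carrying this peer name (should be exactly 1).
peer_count() {
    grep -c "^cache_peer .* name=${PEER_NAME}\$" "$1" || true
}

# Validate the file first and only then ask the running Squid to reload.
# "-k parse" and "-k reconfigure" are standard Squid 3 options; the binary
# path is an assumption and can be overridden with SQUID_BIN.
reload_if_valid() {
    conf="$1"
    squid_bin="${SQUID_BIN:-/usr/local/sbin/squid}"
    if "$squid_bin" -k parse -f "$conf"; then
        "$squid_bin" -k reconfigure -f "$conf"
    else
        echo "squid.conf failed to parse; not reloading" >&2
        return 1
    fi
}

# Only touch the live config when invoked as: sh ensure-squid-peer.sh apply
# (so the functions can also be sourced and exercised on a scratch file).
if [ "${1:-}" = "apply" ]; then
    ensure_peer "$SQUID_CONF" && reload_if_valid "$SQUID_CONF"
fi
```

Run it with `apply` after any change that regenerates squid.conf; a second run reports `present` and leaves the file untouched, so scheduling it from cron is safe. It does not stop the package from overwriting the file, which is why the thread asks for the package itself to emit these lines.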
marcelloc, last edited Feb 20, 2013, 9:18 PM

                        @Gob:

                        So ideally it would be handy to include all cache_peer and cache_peer_access lines for HTTP webservers even when the HTTP reverse proxy is not enabled.

                        Did you try this config? Does it create a bogus config?

Comexans, last edited Sep 3, 2013, 9:47 AM

                          Hi,

                          I am facing the same situation:
                          we have a web server (HTTP only) within our company and we needed to make it accessible from the internet over HTTPS.
                          I set the HTTPS mode for Squid and created an HTTP peer and the corresponding mapping.
                          This was not working at all.

                          I added the missing cache_peer and cache_peer_access lines as explained by Gob within /usr/local/etc/squid/squid.conf file and now the HTTPS ==> HTTP reverse proxy is working very well !

                          Marcelloc : is there a way to fix this in the squid3 package ?

                          Thanks.

marcelloc, last edited Oct 4, 2013, 1:25 PM

                            Can you try with the squid3-dev package on a testing machine?

falcone, last edited Nov 19, 2015, 8:51 PM

                              Hi
                              I had the same problem. I enabled HTTP and HTTPS mode, but I commented out:

                              Reverse Proxy settings

                              #http_port 213.151.40.39:80 accel defaultsite=falcone.co.il vhost
                              https_port 213.151.40.39:443 accel cert=/usr/pbi/squid-amd64/local/etc/squid/564b6b275c7eb.crt key=/usr/pbi/squid-amd64/local/etc/squid/564b6b275c7eb.key defaultsite=falcone.co.il vhost

                              After this the proxy is listening only on HTTPS :)

flowjo-mike, last edited Nov 10, 2016, 9:59 PM

                                This is still an issue with the latest pfSense (2.3.2-RELEASE-p1) and Squid (0.4.23_1) packages. Every time I make a change to anything in squid/clamav/reverse proxy I have to add the entry back into squid.conf.

                                Is this going to be fixed?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.