Squid as reverse proxy, LAN clients sluggish [closed]



  • Hi,

    I've recently configured squid as a reverse proxy.  It solves a problem for us…

    We have 3 'web' services running on one server, all on different ports.  I need them accessible by subdomain, and ideally transparent to the users.  We only have one external static IP.

    So, I have:

    Name                pfSense listens (squid)        pfSense forwards to
    -------------------------------------------------------------------------
    wiki.domain.com     WAN: 80 / 443             ->   192.168.1.102:8444
    jira.domain.com     WAN: 80 / 443             ->   192.168.1.102:8443
    svn.domain.com      WAN: 80 / 443             ->   192.168.1.102:443


    The problem I am having is that when LAN clients on the 192.168.1.x network access the service by external FQDN, the web services run slowly, at a speed I would expect to get over the remote internet.  Our WAN is pretty poor, so the speed drops even more as the WAN interface is saturated.

    If a LAN client connects to say "https://192.168.1.102:8444", I get lightning fast LAN speed as expected.

    So, unless the URI parsing in squid is really slow (which I very much doubt), I'm essentially forcing all traffic over the WAN by making LAN clients use the FQDN for access.

    Is there a way to have pfSense recognize that the source of the packets is on the same LAN and bypass the external link?  I feel like the traffic never should leave the WAN interface, so I'm not sure why it is so much slower anyway.

    Thanks for any advice anyone can provide… I'm a bit of a newb here.
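As an added illustration, not the poster's actual configuration, here is a Squid 3.x reverse-proxy (accelerator) configuration that implements the host-to-port mapping in the table above. The WAN address 203.0.113.10, the certificate and CA file paths, and the assumption that all three origins speak TLS (only the wiki origin is confirmed as HTTPS in the post) are mine.

```conf
# Added example: Squid 3.x reverse proxy publishing three services that live on
# one internal host (192.168.1.102) under three hostnames.  Assumed values:
# WAN IP 203.0.113.10, certificate/key/CA paths under /usr/local/etc/squid/.

# Accept plain and TLS requests on the WAN address; "vhost" selects the origin
# by the Host header the client sent.
http_port  203.0.113.10:80  accel vhost
https_port 203.0.113.10:443 accel vhost \
    cert=/usr/local/etc/squid/domain.com.crt \
    key=/usr/local/etc/squid/domain.com.key

# One origin ("cache_peer ... originserver") per published hostname.  Squid
# verifies the origin certificate against the internal CA instead of turning
# verification off.
cache_peer 192.168.1.102 parent 8444 0 no-query originserver ssl \
    sslcafile=/usr/local/etc/squid/internal-ca.pem name=wiki_origin
cache_peer 192.168.1.102 parent 8443 0 no-query originserver ssl \
    sslcafile=/usr/local/etc/squid/internal-ca.pem name=jira_origin
cache_peer 192.168.1.102 parent 443  0 no-query originserver ssl \
    sslcafile=/usr/local/etc/squid/internal-ca.pem name=svn_origin

# ACLs keyed on the requested hostname.
acl wiki_site dstdomain wiki.domain.com
acl jira_site dstdomain jira.domain.com
acl svn_site  dstdomain svn.domain.com
acl published_sites dstdomain wiki.domain.com jira.domain.com svn.domain.com

# Pin each hostname to exactly one origin so a request for wiki.domain.com can
# never be forwarded to the JIRA or SVN port.
cache_peer_access wiki_origin allow wiki_site
cache_peer_access wiki_origin deny  all
cache_peer_access jira_origin allow jira_site
cache_peer_access jira_origin deny  all
cache_peer_access svn_origin  allow svn_site
cache_peer_access svn_origin  deny  all
never_direct allow all

# Only the three published names are served; anything else (IP-literal Host
# headers, scanners probing for other vhosts) is refused.
http_access allow published_sites
http_access deny  all
```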



  • So, I guess it is worth mentioning that the LAN clients really can't access the server by host name locally as a limitation of the software they are connecting to.  It expects all clients on the 'base URL', which I have to configure as the external FQDN.  I've yet to think of a way that I can have the services both internally and externally accessible at the same time, which is a problem other users have found.  This is not a pfSense issue.

    I think this one is unsolvable for what I need… at first I was hoping it would be as simple as some firewall rules, but I don't think it will work out.

    Thanks anyway to those who gave it a look.

