Reverse proxy + HTTPS/SSL interception



  • Why does the Reverse Proxy service stop working when I enable HTTPS/SSL interception (Enable SSL filtering) in the Squid3-dev 3.3.10 Proxy server?
    In the Squid Reverse HTTP settings, HTTP reverse mode is enabled.



  • Did you tick "Enable HTTPS reverse proxy"?



  • @aGeekHere:

    Did you tick "Enable HTTPS reverse proxy"?

    Yes, but it doesn't work.



  • Can someone help me?



  • @slevi:

    Can someone help me?

    Do your clients have the root CA installed?

    If you intercept SSL traffic, all clients need to trust the certificate as master.
    SSL interception is nearly the same as a "man-in-the-middle attack".



  • Hi, I do not know your setup (or what you have not done), so please read through these two links

    https://forum.pfsense.org/index.php?topic=73640.0

    https://forum.pfsense.org/index.php?topic=79389.0

    After that tell me if it fixed the problem.



  • SquidGuard isn't the problem, it's not enabled.
    I have 2 internal LANs:

    1. LAN with: Windows Server 2008 R2 with Active Directory; Windows users; Ubuntu Server 14.04 with LAMP, so it's my first web server.
    2. DMZ with only the second web server, another Ubuntu 14.04 with LAMP.

    Reverse proxy works when:

    • Proxy server: Authentication –> Authentication method: None

    • SSL interception ON or OFF

    or

    • Proxy server: Authentication –> Authentication method: LDAP or Local

    • SSL interception OFF

    Reverse proxy doesn't work when:

    • Proxy server: Authentication –> Authentication method: LDAP or Local

    • SSL interception ON

    @aGeekHere:

    Hi, I do not know your setup (or what you have not done), so please read through these two links

    https://forum.pfsense.org/index.php?topic=73640.0

    https://forum.pfsense.org/index.php?topic=79389.0

    After that tell me if it fixed the problem.

    It doesn't fix the problem.

    In squid real time log STATUS:
    TCP_MISS/200 is reverse proxy working
    TCP_MISS/503 reverse proxy is not working

    ![04 reverse proxy.JPG](/public/imported_attachments/1/04 reverse proxy.JPG)
    ![05 proxy.JPG](/public/imported_attachments/1/05 proxy.JPG)
    ![06 proxy.JPG](/public/imported_attachments/1/06 proxy.JPG)
    ![11 error.JPG](/public/imported_attachments/1/11 error.JPG)
    ![12 tcp miss.JPG](/public/imported_attachments/1/12 tcp miss.JPG)
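
The TCP_MISS/200 versus TCP_MISS/503 distinction in the post above can be pulled out of a saved log per published site. This is an added example, not part of the thread; it assumes Squid's default native access.log format, and the log lines, hostnames and addresses in it are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
1404200000.101     52 198.51.100.7 TCP_MISS/200 4312 GET http://www1.example.test/ - FIRSTUP_PARENT/10.0.1.10 text/html
1404200005.230     11 198.51.100.7 TCP_MISS/503 3890 GET http://www2.example.test/ - FIRSTUP_PARENT/10.0.2.10 text/html
1404200009.870      9 198.51.100.9 TCP_MISS/503 3890 GET http://www2.example.test/index.php - HIER_NONE/- text/html
1404200012.004      3 10.0.1.55 TCP_DENIED/407 4020 CONNECT login.example.test:443 - HIER_NONE/- text/html
this line is truncated and must be skipped
"""

def summarize(text):
    """Per requested host: count of 2xx/3xx replies, count of 503s, and the
    hierarchy/peer values seen on the 503s (which peer Squid tried, if any)."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "peers": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line: ignore rather than guess
        url = m["url"]
        # CONNECT requests log "host:port" instead of a full URL.
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        entry = stats[host]
        if m["status"] == "503":
            entry["failed"] += 1
            entry["peers"].add(f'{m["hier"]}/{m["peer"]}')
        elif m["status"].startswith(("2", "3")):
            entry["ok"] += 1
    return dict(stats)

def failing_sites(text):
    """Hosts that only ever returned 503, i.e. the reverse proxy never reached them."""
    return sorted(h for h, s in summarize(text).items() if s["failed"] and not s["ok"])

if __name__ == "__main__":
    for site in failing_sites(SAMPLE_LOG):
        print(site, sorted(summarize(SAMPLE_LOG)[site]["peers"]))
```

Comparing the output with interception on and off shows whether the 503s come with a peer address (Squid tried the backend) or with `HIER_NONE/-` (no backend was selected).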



  • Hi, ok a few ideas

    In "reverse SSL certificate" it is set as "webConfigurator default"; it should be certif1

    Tick "Transparent http proxy" as well

    What is in your "Integrations"?

    What is in your "Custom ACLS (Before_Auth)"?

    In webConfigurator

    What is your "SSL Certificate" set to? (should be certif1 not webConfigurator default)

    And lastly, when you created your certificate, was Server set to Yes? (see link)

    http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/

    I hope this helps