    Problems Configuring Squid3 for Redirects

    Category: pfSense Packages
    13 Posts, 3 Posters, 2.9k Views
      kiekar

      Hello,

      I'm currently running pfSense 2.1.5 with Squid3 3.1.20 pkg 2.1.2. I'm running a webmail site on my Windows Server 2003 web server, using my DMZ interface and 1:1 NAT to connect to it. I have an SSL certificate installed in pfSense and on my webmail site. I found a few threads which pointed me in the direction of redirecting connections from HTTP to HTTPS when a client types e.g. webmail.mydomain.com in the browser's address bar, so that it redirects to https://webmail.mydomain.com; unfortunately I'm unable to get it to work. As of now I have the Redirects, General, Servers, and Mappings tabs set as follows.

      Your help would be much appreciated.

      Redirects

      Redirect Protocol: HTTPS
      Blocked Domains: webmail.mydomain.com
      Path regex: ^/$
      URL to redirect to : https://webmail.mydomain.com

      Do I need to configure the General, Servers and Mappings Tab?
      I tried anyhow but was still not able to get it to work.

      General Tab

      Reverse Proxy Interface: WAN
      User defined reverse proxy IPs: ?
      External FQDN: webmail.mydomain.com

      Do I need to fill out the Squid Reverse HTTP and HTTPS Settings?

      Web Servers Tab

      Peer Alias: HOST_Webmail_Secure
      Peer IP: 172.16.0.5
      Peer Port: 443
      Peer Protocol: HTTPS

      Mappings Tab

      Group name: HOST_Webmail_Secure
      Peers: Host_Webmail_Secure
      URIs: http://webmail.mydomain.com

        kiekar

        Well, I'm still struggling to get the redirects to work externally. Internally the redirect from HTTP to HTTPS works fine.
        Has anyone got this working externally? Any help would be much appreciated.

          marcelloc

          @kiekar:

          Well, I'm still struggling to get the redirects to work externally. Internally the redirect from HTTP to HTTPS works fine.
          Has anyone got this working externally? Any help would be much appreciated.

          Did you try haproxy instead of squid?

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            kiekar

            Did you try haproxy instead of squid?

            No, I haven't, but I will give it a try.

            I'm just curious though: in order for it to work, do I need to fill out the General, Servers and Mappings tabs?

              kiekar

              Hello

              Is there anyone who can provide me some assistance to get an HTTP to HTTPS redirect to work? I installed haproxy but I couldn't find any decent tutorials on how to set up a redirect, so I abandoned it for now. As I said before, with squid3 the redirect works fine internally, which I guess is from setting the Redirects tab correctly, but I'm stuck on getting this to work with a connection externally.
              I'm just going around in circles, not knowing what I need to enter for the other tabs.

              I have my WAN set up with a PPPoE connection. I have a block of 8 static IPs, where one is set for my webmail.mydomain.com using a virtual alias IP at the DMZ interface and 1:1 NAT, and the appropriate rules set. My DMZ interface is a Windows 2003 box using IIS6 with an SSL cert. When connecting externally using http://webmail.mydomain.com I'm able to view the site in my browser, and also with https://webmail.mydomain.com. So again, my issue is the redirect.

                PiBa

                If you still want to give the haproxy-devel package a try, take a look at this blog: http://blog.haproxy.com/haproxy/haproxy-and-ssl/ . A line like the one below can be put into the "Advanced pass thru" field in the haproxy-devel frontend edit web GUI.

                http-request redirect scheme https if !{ ssl_fc }
                
                  kiekar

                  Thanks PiBa for your help.

                  I gave it a try with HAProxy and this time around I made a small advancement, but I still have issues with the redirection externally. I've attached a couple of screenshots of my current setup in HAProxy. Am I missing something else that's preventing the redirection from working externally?

                  Attachments: HaProxy_FrontEnd.jpg, Pass_Thru_FrontEnd.jpg, HaProxy_Backend.jpg

                    PiBa

                    I think the redirect itself works, right? But then loading the website over HTTPS fails?

                    In the frontend you are currently listening in "https(offloading)" mode; however, on the 443 port you then need to check the SSL checkbox.
                    That also means you need to configure and import the server certificate in the pfSense certificate manager.

                    Another option could be to create a second frontend specifically for the 443 port, and let it forward in mode "https(tcp)".

                      kiekar

                      I modified the frontend per your suggestions (offloading), but unfortunately redirection is still not working. Any other suggestions would be much appreciated.

                      Attachments: Webmail_Cert.jpg, Webmail_Frontend.jpg

                        PiBa

                        Are you sure the connection is handled by haproxy? You don't have a port forward configured in pfSense, and you do have a pass rule to allow people on the outside (from: any) to access haproxy (to: virtualip:80,443)?

                        Does the browser of outside people 'connect' on a TCP level? (Check by looking at the stats page counters for the frontend connections, or by running tcpdump on the pfSense WAN connection while filtering for the IP and port; check to see if a SYN comes in and a SYN,ACK is sent back, then more ACKs and traffic should follow.)

                        Does it get any reply back? The actual webpage? Or a 503 no backend available error? A 302 redirect? Anything else? Does it work if you put the https://website/ URL directly in the browser? Do you see increasing counters on the stats page?

                        Also try removing the 'add acl' checkbox at the SSL offloading settings at the bottom; it could cause issues if the CN is actually a wildcard cert.

                        Is an intermediate certificate used by your Certificate Authority? If so, is that intermediate certificate imported into the certificate manager as well?

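PiBa's checklist above, turned into concrete commands. This is an added example and not something posted in the thread: capture_handshake is meant to be run from the pfSense shell, probe_http from a host on the outside, and classify_response only interprets a saved HTTP header block, so it runs anywhere and can be tried on constructed responses. The public VIP 203.0.113.10 and the WAN interface name pppoe0 are assumptions; webmail.mydomain.com is taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): the three checks PiBa describes.
# Assumptions: public virtual IP 203.0.113.10 (documentation range) and a
# PPPoE WAN named pppoe0 on pfSense; confirm both with ifconfig before use.
VIP="203.0.113.10"
HOST="webmail.mydomain.com"
WAN_IF="pppoe0"

# 1. On pfSense: does the TCP handshake reach haproxy at all?
#    tcpdump prints "Flags [S]" for the client's SYN and "Flags [S.]" for
#    the SYN/ACK pfSense sends back. A SYN with no [S.] means the packet was
#    dropped or translated elsewhere before any listener answered.
capture_handshake() {
    tcpdump -nn -i "$WAN_IF" \
        "host $VIP and (tcp port 80 or tcp port 443) and tcp[tcpflags] & tcp-syn != 0"
}

# 2. From outside: what does port 80 actually answer? -I fetches headers
#    only; --resolve pins the name to the VIP so a split-DNS entry on the
#    testing machine cannot mask the externally visible behaviour.
probe_http() {
    curl -sI --max-time 10 --resolve "$HOST:80:$VIP" "http://$HOST/"
}

# 3. Interpret a header block read from stdin (e.g. probe_http | classify_response).
#    Prints exactly one word:
#      redirect-ok  : 3xx whose Location is https://$HOST/...  (haproxy's redirect)
#      redirect-bad : a redirect, but to some other scheme/host
#      no-backend   : 503, i.e. haproxy answered but had no usable server
#      page         : 200, the request reached the web server with no redirect
#      other        : anything else (connection refused, timeout, odd status)
classify_response() {
    hdrs=$(tr -d '\r')                      # curl and IIS both send CRLF
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n1)
    case "$status" in
        301|302|303|307|308)
            case "$location" in
                "https://$HOST/"*|"https://$HOST") echo redirect-ok ;;
                *) echo redirect-bad ;;
            esac ;;
        503) echo no-backend ;;
        200) echo page ;;
        *)   echo other ;;
    esac
}
```

A constructed `HTTP/1.1 302 Found` with `Location: https://webmail.mydomain.com/` classifies as redirect-ok; a constructed `HTTP/1.1 200 OK` with `Server: Microsoft-IIS/6.0` classifies as page, which is the symptom in this thread: the plain-HTTP request reached IIS untouched instead of being answered by haproxy.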
                          kiekar

                          Thank you PiBa for your help and your patience.

                          Are you sure the connection is handled by haproxy? You don't have a port forward configured in pfSense, and you do have a pass rule to allow people on the outside (from: any) to access haproxy (to: virtualip:80,443)?

                          I believe so. I do not have any port forward rules set up on the WAN interface; however, I do have virtual IP addresses set up and 1:1 NAT set up mapping my public IPs to private IPs, and I do have WAN rules set for ports 80 and 443 for my webmail site. As for tcpdump, I'm not quite sure how to use it with filters.

                          Does it get any reply back? The actual webpage? Or a 503 no backend available error? A 302 redirect? Anything else? Does it work if you put the https://website/ URL directly in the browser? Do you see increasing counters on the stats page?

                          There are no issues connecting to the webmail site externally. If I enter http://webmail.mydomain.com or https://webmail.mydomain.com in the browser, the site loads with no errors, but the redirection is not working.

                          Is an intermediate certificate used by your Certificate Authority? If so, is that intermediate certificate imported into the certificate manager as well?

                          I'm using a GoDaddy SSL cert, so as far as I know what is set up is correct, but I could be wrong.

                          Attachments: wan_rules.jpg, haproxy_stat.jpg

                            PiBa

                            In the stats it's visible that the backend "webmail_redirect" has processed 0 sessions, so no traffic has passed through haproxy to the actual mail/web server. It does look like the frontend handled 1 session; that could be the redirect, but I'm not completely sure about that.

                            I think the 1:1 NAT rule may be the cause of the traffic skipping haproxy. If you remove that 1:1 NAT rule, then the firewall rules would probably also need to change a little to have your public virtual IP as the 'destination' instead of the private webserver IP.

                            After that's working there are some other things to consider:
                            The mailserver would see the pfSense LAN IP as the 'client'. To work around that you could try adding the forward-for header or proxy protocol, if the mailserver supports one of those. If it doesn't, an option could be to use the transparent-client-ip in the backend configuration.
                            If you have the 1:1 NAT in place because you want the mailserver to use that IP when connecting to the outside, the same could probably be done with outbound NAT rules. As for incoming traffic, you could still use a port forward to send the HTTPS traffic directly to the webserver without having haproxy 'in between'; this should avoid most problems mentioned above. Though then haproxy won't handle the traffic or show stats for it (the stats reset on every config change, so they are of limited use anyway), and a straight port forward might be faster.

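Putting PiBa's advice from this thread together (the `http-request redirect scheme https if !{ ssl_fc }` line, the SSL-offloading frontend with the certificate imported into pfSense, the forward-for remark, and the closing point that the 1:1 NAT must go so that traffic actually reaches haproxy), this is what the resulting configuration looks like written as a raw haproxy.cfg. It is an added example, not PiBa's configuration and not the file the pfSense haproxy-devel package generates from the GUI; the public VIP 203.0.113.10, the PEM bundle path and the CA bundle path are assumptions, while webmail.mydomain.com and 172.16.0.5:443 come from the thread.

```haproxy
# Added example (not from the thread): raw haproxy.cfg equivalent of the
# frontend/backend discussed above.
# Assumptions: public VIP 203.0.113.10 (documentation range),
# /var/etc/haproxy/webmail.pem = server cert + private key + GoDaddy
# intermediate (the intermediate is what PiBa asked about), and the FreeBSD
# ca_root_nss bundle for verifying the connection to IIS.
global
    log /var/run/log local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One frontend bound on both ports of the public VIP. It only receives
# traffic once the 1:1 NAT for this VIP is removed and the WAN pass rule
# for 80/443 has the VIP itself as destination; with the 1:1 NAT in place
# pf translates the packets to 172.16.0.5 before any listener sees them.
frontend webmail_front
    bind 203.0.113.10:80
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/webmail.pem
    # PiBa's rule: ssl_fc is true only on the ssl-enabled bind, so every
    # plain-HTTP request gets a redirect to the same host and path on https.
    http-request redirect scheme https code 301 if !{ ssl_fc }
    # Only the expected hostname is proxied to the mail server; anything
    # else (bare IP, scanner noise) is refused here instead of being relayed.
    acl host_webmail hdr(host) -i webmail.mydomain.com
    http-request deny if !host_webmail
    default_backend webmail_back

backend webmail_back
    # Re-encrypt to IIS on the DMZ host, which presents the same public cert.
    # "verify none" would also connect but gives up authenticating the
    # server; keep verification since the cert chains to a public CA.
    server webmail 172.16.0.5:443 ssl verify required ca-file /usr/local/share/certs/ca-root-nss.crt check
    # Otherwise IIS logs pfSense's address as the client (PiBa's last point).
    # The header only helps if the server side is configured to read it.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
```

In the pfSense package the redirect line is what goes into the frontend's "Advanced pass thru" field, the `bind ... ssl crt` line is what the "https(offloading)" type plus the SSL checkbox and the selected certificate produce, and `option forwardfor` corresponds to the forward-for option in the backend settings. The `code 301` is optional; haproxy defaults to 302, which is also fine for a permanent scheme change but is not cached by browsers.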
                              kiekar

                              All is working fine now. As you suggested, I deleted the 1:1 NAT for the webmail site and changed the rule to point to the public IP instead of the private IP.

                              Thank you for your help.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.