Problems Configuring Squid3 for Redirects

  • Hello,

    I'm currently running pfSense 2.1.5 with Squid3 3.1.20 pkg 2.1.2. I'm running a webmail site on my Windows Server 2003 webserver using my DMZ interface and 1:1 NAT to connect to it. I have an SSL certificate installed in pfSense and on my webmail site. I found a few threads which pointed me in the direction of redirecting connections from HTTP to HTTPS when a client types in the browser's address bar e.g. webmail.mydomain.com redirects to https://webmail.mydomain.com; unfortunately I'm unable to get it to work. As of now I have the Redirects, General, Servers, and Mappings tabs set as follows.

    Your help would be much appreciated.

    Redirects

    Redirect Protocol: HTTPS
    Blocked Domains: webmail.mydomain.com
    Path regex: ^/$
    URL to redirect to : https://webmail.mydomain.com

    Do I need to configure the General, Servers and Mappings Tab?
    I tried anyhow but was still not able to get it to work.

    General Tab

    Reverse Proxy Interface: WAN
    User defined reverse proxy IPs: ?
    External FQDN: webmail.mydomain.com

    Do I need to fill out the Squid Reverse HTTP and HTTPS Settings?

    Web Servers Tab

    Peer Alias: HOST_Webmail_Secure
    Peer IP: 172.16.0.5
    Peer Port: 443
    Peer Protocol: HTTPS

    Mappings Tab

    Group name: HOST_Webmail_Secure
    Peers: Host_Webmail_Secure
    URIs: http://webmail.mydomain.com



  • Well, I'm still struggling to get the redirects to work externally. Internally the redirect from HTTP to HTTPS works fine.
    Has anyone got this working externally? Any help would be much appreciated.



  • @kiekar:

    Well, I'm still struggling to get the redirects to work externally. Internally the redirect from HTTP to HTTPS works fine.
    Has anyone got this working externally? Any help would be much appreciated.

    Did you try haproxy instead of squid?



  • Did you try haproxy instead of squid?

    No I haven't, but I will give it a try.

    I'm just curious though: in order for it to work, do I need to fill out the General, Servers and Mappings tabs?



  • Hello

    Is there anyone who can provide me some assistance to get an HTTP to HTTPS redirect to work? I installed haproxy but I couldn't find any decent tutorials on how to set up a redirect, so I abandoned it for now. As I said before, with squid3 the redirect works fine internally, which I guess is from setting the Redirects tab correctly, but I'm stuck on getting this to work with a connection from outside.
    I'm just going around in circles not knowing what I need to enter for the other tabs.

    I have my WAN set up with a PPPoE connection. I have a block of 8 static IPs, where one is set for my webmail.mydomain.com using a virtual alias IP at the DMZ interface and 1:1 NAT, and the appropriate rules set. My DMZ interface is a Windows 2003 box using IIS6 with an SSL cert. When connecting externally using http://webmail.mydomain.com I'm able to view the site in my browser, and also with https://webmail.mydomain.com. So again, my issue is the redirect.



  • If you still want to give the haproxy-devel package a try, take a look at this blog http://blog.haproxy.com/haproxy/haproxy-and-ssl/ . A line like the one below can be put into the "Advanced pass thru" field in the haproxy-devel frontend edit webgui.

    http-request redirect scheme https if !{ ssl_fc }


  • Thanks PiBa for your help.

    I gave it a try with HAProxy and this time around I made a small advancement, but I still have issues with the redirection externally. I've attached a couple of screenshots of my current setup in HAProxy. Am I missing something else that's preventing the redirection from working externally?



  • I think the redirect itself works, right? But then loading the website over https fails?

    In the frontend you are currently listening in "https(offloading)" mode; however, on the 443 port you then need to check the ssl checkbox.
    That also means you need to configure and import the server certificate in the pfSense certificate manager.

    Another option could be to create a second frontend specifically for the 443 port, and let it forward in mode "https(tcp)".



  • I modified the frontend per your suggestions (offloading), but unfortunately redirection is still not working. Any other suggestions would be much appreciated.



  • Are you sure the connection is handled by haproxy? You don't have a port forward configured in pfSense, and you do have a pass rule to allow people on the outside (from: any) to access haproxy (to: virtualip:80,443)?

    Does the browser from outside 'connect' on a TCP level? (Check by looking at the stats page counters for the frontend connections, or by running tcpdump on the pfSense WAN connection while filtering for the IP and port; check to see if a SYN comes in and a SYN,ACK is sent back, then more ACKs and traffic should follow.)

    Does it get any reply back? The actual webpage? Or a 503 "no backend available" error? A 302 redirect? Anything else? Does it work if you put the https://website/ URL directly in the browser? Do you see the counters on the stats page increasing?

    Also try removing the 'add acl' checkbox at the ssl offloading settings at the bottom; it could cause issues if the CN is actually a wildcard cert.

    Is an intermediate certificate used by your CertificateAuthority? If so, is that intermediate certificate imported into the certificate manager as well?
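    As an added example, not from the thread: a POSIX sh helper that turns the checklist above into a repeatable probe. It classifies what an outside HTTP request to the webmail host gets back (a redirect to https, the page itself, a 503, or nothing at all, which points at traffic never reaching haproxy) and records the tcpdump filter for the SYN / SYN,ACK check. The host name, the interface name pppoe0 and the address 203.0.113.10 are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Follows the diagnostic checklist:
# did the request get a redirect, the page, a 503, or no answer at all?
# Placeholders: webmail.mydomain.com, interface pppoe0, virtual IP 203.0.113.10.

# classify_response: reads raw HTTP response headers from stdin and prints one of
#   redirect-https  301/302/307/308 with Location: https://...  (redirect rule fired)
#   redirect-other  a redirect, but not to https
#   page            2xx: the web server itself answered, so no redirect rule ran
#   no-backend      503: haproxy was reached but had no server available
#   empty           nothing came back: the connection never reached haproxy
#   other           anything else (needs a closer look)
classify_response() {
    headers=$(cat | tr -d '\r')
    [ -z "$headers" ] && { echo empty; return 0; }
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308)
            case "$location" in
                https://*) echo redirect-https ;;
                *)         echo redirect-other ;;
            esac ;;
        2??) echo page ;;
        503) echo no-backend ;;
        *)   echo other ;;
    esac
}

# check_host: live probe from an outside machine (needs network; the tests below do not use it).
check_host() {
    host=${1:-webmail.mydomain.com}
    # -I: HEAD only; --max-time: do not hang when nothing answers (the "empty" case)
    curl -sS -I --max-time 10 "http://$host/" 2>/dev/null | classify_response
}

# On the pfSense box, confirm the outside client completes the TCP handshake on the
# virtual IP: a SYN should arrive and a SYN,ACK go back out (run as root, Ctrl-C to stop):
#   tcpdump -ni pppoe0 'host 203.0.113.10 and (port 80 or port 443) and tcp[tcpflags] & tcp-syn != 0'
```

    Run `check_host webmail.mydomain.com` from a machine on the Internet; "page" means the site answered on plain HTTP without haproxy's redirect rule ever running, which is the symptom described in this thread.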



  • Thank you PiBa for your help and your patience.

    Are you sure the connection is handled by haproxy? You don't have a port forward configured in pfSense, and you do have a pass rule to allow people on the outside (from: any) to access haproxy (to: virtualip:80,443)?

    I believe so. I do not have any port forward rules set up on the WAN interface; however, I do have Virtual IP addresses set up and 1:1 NAT set up mapping my public IPs to private IPs, and I do have WAN rules set for ports 80 and 443 for my webmail site. As for tcpdump, I'm not quite sure how to use it with filters.

    Does it get any reply back? The actual webpage? Or a 503 "no backend available" error? A 302 redirect? Anything else? Does it work if you put the https://website/ URL directly in the browser? Do you see the counters on the stats page increasing?

    There are no issues connecting to the webmail site externally. If I enter http://webmail.mydomain.com or https://webmail.mydomain.com in the browser, the site loads with no errors, but the redirection is not working.

    Is an intermediate certificate used by your CertificateAuthority? If so, is that intermediate certificate imported into the certificate manager as well?

    I'm using a GoDaddy SSL cert, so as far as I know what is set up is correct, but I could be wrong.



  • In the stats it's visible that the backend "webmail_redirect" has processed 0 sessions, so no traffic has passed through haproxy to the actual mail/web server. It does look like the frontend handled 1 session; that could be the redirect, but I'm not completely sure about that.

    I think the 1:1 NAT rule may be the cause of the traffic skipping haproxy. If you remove that 1:1 NAT rule, then the firewall rules would probably also need to change a little to have the 'destination' be your public virtual IP instead of the private webserver IP.

    After that's working there are some other things to consider:
    The mail server would see the pfSense LAN IP as the 'client'. To work around that you could try adding the forward-for header or proxy protocol, if the mail server supports one of those. If it doesn't, then an option could be to use the transparent-client-ip in the backend configuration.
    If you have the 1:1 NAT in place because you want the mail server to use that IP when connecting to the outside, the same could probably be done with outbound NAT rules. As for incoming traffic, you could still use a port forward to forward the https traffic directly to the webserver without having haproxy 'in between'; this should avoid most problems mentioned above. Though then haproxy won't handle the traffic or show stats for it (the stats reset on every config change anyway, so they are of limited use), and a straight port forward might be faster.



  • All is working fine now. As you suggested, I deleted the 1:1 NAT for the webmail site and changed the rule to point to the public IP instead of the private IP.

    Thank you for your help.
