Squid Reverse Proxy stops working when using Squid3 load balancing ACL
We've run into an issue that I'm unable to resolve and my Google-Fu has met its match.
We have a stable and working pfSense 2.1.5 (i386) firewall that is configured with multiple WANs.
Squid3 is being used and we also use the reverse proxy to publish internal HTTPS sites and it's all working very well.
Recently we've enabled load-balancing the Squid requests over the WAN using the new Squid 3.2 random ACL options in the configuration:
# Squid 3.2 random ACL: matches roughly half of all requests
acl fiftyPercent random 0.5
tcp_outgoing_address <<wan-ip-here>> fiftyPercent
tcp_outgoing_address <<opt1-ip-here>>
The load balancing through Squid works brilliantly. It's a pity that it doesn't have fail-over support, but since our WAN links are of the same type from the same provider, it's OK for us to just have load balancing.
The issue we are having is that if we use the above, our reverse proxy stops working. Packet captures show the traffic that would normally be on the LAN interface, as being output on the WAN interface. Clearly something about the above "tcp_outgoing_address" setting is also being applied to the reverse proxy traffic too, instead of just the forward proxy traffic.
I know too little of Squid and my searches of countless posts have yielded nothing (yet). Does anyone know how I can apply the random ACL to have the traditional outbound forward proxy load balance over the multi-WAN interfaces, but not have that ACL/settings apply to inbound reverse proxy traffic?
I figured out how to fix the issue.
First I had to learn some Squid bits and figure out how the Squid.conf is interpreted (i.e. top-to-bottom for first-matched ACLs) and what some of the various "tags" mean. I found the following link quite useful to get some basics under the belt: http://www.deckle.co.uk/squid-users-guide/squid-configuration-basics.html
After grokking the Squid.conf that was generated by pfSense, I figured out what the existing reverse-proxy configuration ACLs were (as they were needed for the cache_peer_access tags).
For those interested, you can use the "Edit File" function under the "Diagnostic" menu in the webconfigurator to browse to the generated Squid.conf file.
In my case it was under: /usr/pbi/squid-i386/etc/squid/squid.conf
Note: Yours may be in a different location if you use a different version or have the AMD64 version of pfSense.
After figuring out how these are interpreted by Squid (i.e. the order, precedence, overrides, etc.) with the help of the above link, I understood what was needed.
I looked up all the reverse-proxy ACLs generated by pfSense and created a tcp_outgoing_address tag for each using the LAN side IP (or DMZ side if that's where you are reverse-proxying to).
For example, the following is what I ended up with. This must be placed above the bits for the random ACL to load-balance the forward-proxy. 192.168.0.254 is the IP of my LAN side interface:
tcp_outgoing_address 192.168.0.254 OWA_URI_pfs
tcp_outgoing_address 192.168.0.254 rvm_Extranet
tcp_outgoing_address 192.168.0.254 rvm_Prototype
tcp_outgoing_address 192.168.0.254 rvm_WebService
tcp_outgoing_address 192.168.0.254 rvm_License
# Put load balancing tags after setting the tcp_outgoing_address for reverse proxy tags
acl fiftyPercent random 0.5
tcp_outgoing_address <<wan1-ip-here>> fiftyPercent
tcp_outgoing_address <<wan2-ip-here>>
The result is that the reverse-proxy traffic goes to the specified LAN side IP, and then the remainder of all other traffic is load-balanced via the random ACL on the WAN IPs.
Hope that helps anyone else who might run into a similar issue.
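Because the fix depends entirely on line order in the generated squid.conf, a small check that the per-site tcp_outgoing_address lines sit above the random/unconditional load-balancing lines is worth running after every pfSense regeneration. The following is an added example (not code from the post or from pfSense); the ACL names and addresses in the sample configs are constructed, and the ACL definitions are assumed to be dstdomain-style entries rather than whatever pfSense actually emits.

```python
import re

# Constructed sample (not from the original post): reverse-proxy lines first,
# then the Squid 3.2 random ACL for load balancing, as the answer describes.
GOOD_CONF = """\
acl OWA_URI_pfs dstdomain mail.example.com
acl rvm_Extranet dstdomain extranet.example.com
tcp_outgoing_address 192.168.0.254 OWA_URI_pfs
tcp_outgoing_address 192.168.0.254 rvm_Extranet
# load balancing only after the reverse-proxy lines
acl fiftyPercent random 0.5
tcp_outgoing_address 203.0.113.10 fiftyPercent
tcp_outgoing_address 198.51.100.10
"""

# Constructed counter-example: the load-balancing lines come first, which is the
# ordering that sent reverse-proxy traffic out the WAN in the question.
BAD_CONF = """\
acl fiftyPercent random 0.5
tcp_outgoing_address 203.0.113.10 fiftyPercent
tcp_outgoing_address 198.51.100.10
tcp_outgoing_address 192.168.0.254 OWA_URI_pfs
"""

def random_acls(conf):
    """Names of ACLs declared with the 'random' type."""
    return {m.group(1) for m in re.finditer(r"^\s*acl\s+(\S+)\s+random\b", conf, re.M)}

def check_outgoing_order(conf):
    """Return [(lineno, line), ...] for per-ACL tcp_outgoing_address lines that
    sit below a load-balancing line; an empty list means the order is safe.

    Squid takes the first tcp_outgoing_address line whose ACLs match. A line
    guarded only by random ACLs, or by no ACL, can match any request, so the
    reverse-proxy lines must all come before it.
    """
    rnd = random_acls(conf)
    first_lb = None  # line number of the first load-balancing line
    problems = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("tcp_outgoing_address"):
            continue
        acls = [a.lstrip("!") for a in line.split()[2:]]
        if not acls or all(a in rnd for a in acls):
            if first_lb is None:
                first_lb = lineno
        elif first_lb is not None:
            problems.append((lineno, line))
    return problems
```

Feed it the contents of the generated squid.conf (the path given above for the i386 package) and any non-empty result lists the lines that need to move up.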