Upgrade successful but squid reverse proxy no longer works
-
Upgraded from 2.1.5 to 2.2 without any issues. When we started testing the system we noticed that none of our web sites were able to be reached. Tracked down the issue to the upgrade of Squid 3.1.20 pkg 2.1.2 to 3.4.10_2 pkg 0.2.6.
Do not know what has changed, but the reverse proxy (the only thing we use in squid) is no longer routing requests to our web sites properly.
Tried uninstall and re-install, tried a re-boot, same results. The config is relatively simple: we have a NAT entry for port 80 that points to 127.0.0.1, which should cause the reverse proxy to pick up the request and route it to the correct web server IP. The reverse proxy has web servers defined with mappings for the names of the web sites pointing to the correct web server.
In the settings screen there is a check mark for reverse proxy but the comment does not explain the rule we need to create. Can somebody give us the rule we need to create?
Enable HTTP reverse mode
If this field is checked, the proxy-server will act in HTTP reverse mode.
(You have to add a rule with destination "WAN-address")
Can somebody suggest what has changed between the 2 versions and what we need to modify for the reverse proxy (both http and https) to work again? Is there some documentation on how to set up reverse proxy in pfSense 2.2?
Thanks
cjb
-
It's a FreeBSD 10/pfSense sysctl security option that does not allow non-root users to use <1024 ports.
The current workaround is to have squid listen on ports > 1024 and NAT it from 80/443.
-
It's a FreeBSD 10/pfSense sysctl security option that does not allow non-root users to use <1024 ports.
The current workaround is to have squid listen on ports > 1024 and NAT it from 80/443.
I tried this:
Change reverse proxy port to 8008 > Add rule to allow src: * dest: WAN address port: 8008 > connect to my.domain.com:8008 and my2.domain.com:8008, both are OK.
Add NAT SRC: * Dest: WAN ADDR 80 NAT IP: 192.168.68.1 (pfSense LAN IP) NAT port: 8008
Add rule to allow SRC: * Dest: 192.168.68.1 port: 8008
Still able to access my.domain.com:8008 and my2.domain.com:8008, but no access to my.domain.com and my2.domain.com on port 80.
No messages in system log.
This used to work w/o a problem in 2.1.5.
-
After creating the NAT rule, you do not need a firewall rule to WAN on the high port.
You can also listen only on loopback and then NAT it from WAN 80.
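As an added illustration of the loopback workaround described in this thread (not a config taken from the thread or generated by the pfSense package), here are the equivalent raw squid.conf and pf.conf fragments. The interface name em0, the backend IPs 192.168.68.10/20 and the port 8008 are assumptions for the example; on pfSense the same thing is expressed through the Squid package settings and a Port Forward NAT entry.

```conf
# --- squid.conf fragment (reverse proxy / accelerator mode) ---
# Squid runs as a non-root user on pfSense 2.2, so binding port 80 fails;
# listen on a high port bound to loopback only, as the thread suggests.
http_port 127.0.0.1:8008 accel vhost

# One origin server per site (assumed backend addresses).
cache_peer 192.168.68.10 parent 80 0 no-query originserver name=web1
cache_peer 192.168.68.20 parent 80 0 no-query originserver name=web2

# Route by Host header so each name reaches only its own backend.
acl site1 dstdomain my.domain.com
acl site2 dstdomain my2.domain.com
cache_peer_access web1 allow site1
cache_peer_access web1 deny all
cache_peer_access web2 allow site2
cache_peer_access web2 deny all

# Only accept requests for the published names; refuse everything else.
http_access allow site1
http_access allow site2
http_access deny all

# --- pf.conf fragment (what the pfSense Port Forward entry produces) ---
# Redirect inbound WAN port 80 to squid on loopback; em0 is the assumed WAN.
rdr pass on em0 proto tcp from any to (em0) port 80 -> 127.0.0.1 port 8008
```

Because the rdr uses `pass`, no separate WAN firewall rule for port 8008 is needed, and nothing can reach squid directly on 8008 from outside since it is bound to 127.0.0.1.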