SQUID3 Reverse Proxy question



  • Hi guys,

    Using 2.2.2-RELEASE (amd64)
    With squid3 0.2.8

    I'm trying to get the reverse proxy to work but it won't :(

    Here are the steps I did :

    1. I created a CNAME for my domain, to point towards my NO-IP dynamic host (which I update with pfSense).
      CNAME : test.DOMAIN.COM > bleh.geekgalaxy.com

    2. In pfSense > SERVICES > Reverse proxy

    A) GENERAL > I put my external FQDN to DOMAIN.COM and the interface to WAN. I've also enabled HTTP ever mode on port 80, and HTTPS on pour 443

    B) WEB SERVERS > I added a "peer", enabled it, with peer alias = test, peer IP = 10.0.3.50 (server internal IP) and peer port = 443. Protocol is HTTPS.

    C) MAPPINGS > I added a "URI", enable id, with a group name = test, peer = test, URI = test.DOMAIN.COM

    1. I added two firewall rules on WAN just to PASS ports 80 and 443.

    2. For the LAN, I've also added a DNS forwarder for  test.DOMAIN.COM > 10.0.3.50

    From the internal, all works.

    From the external, nothing works.

    In SERVICES > REVERSE PROXY > REAL TIME

    I don't even see anything going on when I type test.DOMAIN.COM from my phone with LTE connection (not WLAN of course).

    Also of course everywhere I wrote DOMAIN.COM this is just not to post my real domain name.

    I'd like to get help to diagnose my problem and get my reverse proxy to work.

    Thank you!



  • Hi,

    this cannot work. When you access "test.domain.com", you will get IP 10.0.3.50 and your browser will access the server directly. You are not using the Reverse Proxy at all. You should enable NAT Reflection in System > Advanced > Firewall/NAT and you should NOT use other DNS entries internally externally. If this is configured correctly, all internet machines will access your servers the same way, as if they were external.

    1. Looks ok

    A) Let the Reverse Proxy listen on LAN and WAN
    C) How does the mapping look like? It should be "^https://test.domain.com/.$" and "^http://test.domain.com/.$"

    Then it should work.

    Regards,

    Darko



  • Man you're awesome.

    @dkrizic:

    Hi,

    this cannot work. When you access "test.domain.com", you will get IP 10.0.3.50 and your browser will access the server directly. You are not using the Reverse Proxy at all. You should enable NAT Reflection in System > Advanced > Firewall/NAT and you should NOT use other DNS entries internally externally. If this is configured correctly, all internet machines will access your servers the same way, as if they were external.

    I've never used this before.

    In System > Advanced > Firewall/NAT
    Which option do I chose… ENABLE (NAT + Proxy) ?

    And is there anything else to configure ?

    I took out the DNS forwards.

    @dkrizic:

    1. Looks ok

    A) Let the Reverse Proxy listen on LAN and WAN
    C) How does the mapping look like? It should be "^https://test.domain.com/.$" and "^http://test.domain.com/.$"

    Then it should work.

    Regards,

    Darko

    I made sure LAN and WAN were selected for the Reverse proxy.

    I have 3 URI for mapping :

    I was wondering if I should add:



  • Bumping this because I'm an attention whore



  • Hi,

    yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.

    basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so

    ^https://test.domain.com/.$
    ^http://test.domain.com/.
    $

    is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).
    If you want to forward all HTTP to HTTPS, you can add an entry to

    Services > Reverse Proxy > Mappings

    with the following configuration

    Redirect name: Whatever
    Redirect protocol: HTTP
    Blocked domains: test.domain.com
    Path regex: ^/.*$
    URL to redirect to: https://test.domain.com/

    "Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.



  • One question: What is the port numbers under:

    Services > Reverse Proxy > General

    reverse HTTP port (in my case 8080)
    reverse HTTPS port (in my case 8443)

    I have forwards from WAN 80 -> 8080 and 443 -> 8443



  • @dkrizic:

    Hi,

    yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.

    basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so

    ^https://test.domain.com/.$
    ^http://test.domain.com/.
    $

    is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).

    All that is done.

    @dkrizic:

    If you want to forward all HTTP to HTTPS, you can add an entry to

    Services > Reverse Proxy > Mappings

    with the following configuration

    Redirect name: Whatever
    Redirect protocol: HTTP
    Blocked domains: test.domain.com
    Path regex: ^/.*$
    URL to redirect to: https://test.domain.com/

    "Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.

    I guess you meant in
    Services > Reverse Proxy > Redirects
    and not
    Services > Reverse Proxy > Mappings

    I added that too.

    @dkrizic:

    One question: What is the port numbers under:

    Services > Reverse Proxy > General

    reverse HTTP port (in my case 8080)
    reverse HTTPS port (in my case 8443)

    I have forwards from WAN 80 -> 8080 and 443 -> 8443

    Before I left it blank so by design the ports were 80 and 443.
    I had WAN Firewall rules that would just PASS 80 and 443.

    Now I changed the
    Services > Reverse Proxy > General
    http://snag.gy/m0wlj.jpg

    And I have updated my WAN firewall rules like so :
    http://snag.gy/yOZCY.jpg
    http://snag.gy/OBRwk.jpg

    Still, when I try CURL on the mapped address, it goes :

    curl: (7) Failed to connect to XXX port 80: Operation timed out
    

    When I try to ping it, I get 100.0% packet loss

    I think there might be something else wrong :S



  • Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!

    If squid runs on ports 80/443, then it would be sufficient to add only two rules:

    • Destination port 80 to 80 (and nothing more)
    • Desintation port 443 to 443

    but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.

    Remove the two rules and add two port forwards:

    Interface: WAN
    Protocol: TCP
    Destination port range: From HTTP to HTTP (which is 80)
    Redirect target IP: 127.0.0.1
    Redirect target port: 8080
    Filter rule association: Add associated filter rule

    Same for 443/8443

    They try again and report



  • @dkrizic:

    Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!

    If squid runs on ports 80/443, then it would be sufficient to add only two rules:

    • Destination port 80 to 80 (and nothing more)
    • Desintation port 443 to 443

    but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.

    Remove the two rules and add two port forwards:

    Interface: WAN
    Protocol: TCP
    Destination port range: From HTTP to HTTP (which is 80)
    Redirect target IP: 127.0.0.1
    Redirect target port: 8080
    Filter rule association: Add associated filter rule

    Same for 443/8443

    They try again and report

    Okay so I deleted the rule.

    But to make a port forward, I couldn't find a way to do that in Firewall > Rules.

    So I added it in Firewall > NAT > Port Forward

    Here are the new rules :
    http://snag.gy/rZEWU.jpg

    Detail :
    http://snag.gy/hRmpz.jpg
    http://snag.gy/jJJOe.jpg

    Just to make sure I rebooted the whole pfsense server.

    Then I SSH'ed into an external server and still when I tried CURL on the mapped address, it goes :
    Code: [Select]
    curl: (7) Failed to connect to XXX port 80: Operation timed out

    When I tried to ping it, I still got 100.0% packet loss

    Also, from INTERNAL, now that I've removed the DNS forwarder, I can't access the server by typing it's FQDN.



  • Hi,

    the rules look ok now.

    I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.

    Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.

    Regards,

    Darko



  • @dkrizic:

    Hi,

    the rules look ok now.

    I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.

    Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.

    Regards,

    Darko

    You ROCK!!
    That worked almost perfectly!

    I should have figured it out, as I just did the port forwarding to the loopback :S
    Such a n00b, such a n00b I am…

    So right now with reverse proxy I have 2 servers configured... a CRM (https) and an ERP (http)

    From LAN : Both work !!!!! Yay !

    From WAN : The CRM (https) does work, the ERP (http) does NOT work !

    I rebooted just to make sure… it's the same...

    So, like I said, it's almost perfectly working!



  • Hi,

    I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.

    Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:

    • Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
    • Configure both peers with HTTPS (I presume you did)
    • Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
    • Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
    • Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
    • Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
    • Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
    • Same for erp.domain.com
    • Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
    • Same for the other(s)

    Test and report.



  • hi, i have quite the same problem, i have pfsense 2.2
    i want to use the reverse proxy, i just need http protocol i just have a few testing website
    squid http listen to port 81 (8080 is already used) (of course i've enabled the use of port lower than 1024 on pfsense)
    so i've enabled listen to lan, wan loopback
    on webserver i've created my webserver that listen on port 80 http
    on mapping i've created a record, that point to the previous peer, and added the domain as you written (^http://sub.domain.com/.*$)
    nothing on redirects

    now i've added a nat rule on the firewall
    from 80 to 81 on 127.0.0.1

    no if i go to http://sub.domain.com i just receive failed (like is blocked)
    if i go to http://sub.domain.com:81 i receive a timeout error

    the sub.domain.com have an A record that point to my ip address

    what's wrong ?



  • Hi,

    here is an example of how I did it:

    Ensure NAT Reflection is active

    General setting of the Reverse Proxy, in my case 8080 for HTTP and 8443 for HTTPS. It listens on loopback. I am not sure, if it is required to listen on the WAN interface.

    The two Port Forwards for 80 to 8080 and 443 to 8443

    Here is an example of observium.domain.com externally on HTTPS, internally HTTP (yes, this works).

    The according Mapping for HTTPS only

    This redirect points http://photo.domain.com/ and https://photo.domain.com/ (root path only) to https://photo.domain.com/photo/. If the app does the redirect, it will point to http://photo.internal.domain.com/photo/ which does not work :-)

    Compare and report if it works.














  • thanks but i don't get where is my error i'll add some screenshot maybe you spot something












  • Looks ok so far, I have the following ideas to check:

    • Is the domain really pointing to the right IP address? If you changed it lately, it can still be outdated with caching DNS servers

    • Is a different behavior from inside and outside?

    • Does the internal HTTP host expect a name? Does http://<internal-ip>/ give the right web site?</internal-ip>



  • btw the error that i get with curl if i go to sub.domain.com is
    Recv failure: Connection reset by peer

    it's possible that the pfsense web interface create a problem ? because i've disabled the access from outside but it listen to port 80

    so the domain sub.domain.com point to my ip the domain.com point to another ip this can be a problem?
    inside i have another dns server so it's work, but not because i'm going thour pfsense

    the server need to have the domain name on the url otherwise it serve the default apache page but if i go to http://IP-ADDRESS/ directly from outside i receive the same error as above



  • Hi,

    yes, that is possible. I have changed the port to HTTPS 442 and use the Reverse Proxy to access it on 443 as all other internal hosts.

    Move it and try again.



  • i have just changed the pfsense port to 90

    but nothing changed, i still receive
    Recv failure: Connection reset by peer




  • Reporting back…

    So I was starting to think there was a problem with my proxy / reverse-proxy config so I did the following :

    So I've tried this :

    @jimp:

    To remove squid, squidguard, lightsquid, and anything else with 'squid' in its package name:

    foreach (array_keys($config['installedpackages']) as $sec) {
    	if (strpos($sec, "squid") !== false)
    		unset($config['installedpackages'][$sec]);
    }
    write_config("Removed all squid-related settings");
    
    

    And it cleared everything.

    I started to configure everything from scratch.

    Right now the proxy is in HTTP transparent mode, without SSL filtering.

    @dkrizic:

    Hi,

    I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.

    Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:

    • Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
    • Configure both peers with HTTPS (I presume you did)
    • Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
    • Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
    • Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
    • Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
    • Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
    • Same for erp.domain.com
    • Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
    • Same for the other(s)

    Test and report.

    So :

    • For the reverse proxy interfaces, I just selected EVERYTHING (WAN, LAN and loopback)

    • I enabled HTTP reverse mode on 8080, and HTTPS reverse mode on 8443

    • My NAT forwarder rules are still there, unchanged and they seem good

    • For now I don't have a wildcard certificate, I have a self-signed one which is okay for what I need

    • I'm now testing only one peer in HTTPS. It is configured adequately

    • On my domain name, I added a CNAME for CRM.DOMAIN.COM

    • I added a peer with the internal IP

    • I added a mapping for ^https://crm.domain.com/.*$

    • I added a redirect from crm.domain.com to https://crm.domain.com/ (for HTTP protocol with path regex ^/$ )

    • I don't need application path, https://crm.domain.com/ is perfect

    In conclusion :
    https://crm.domain.com/ works from EXTERNAL, not from internal



  • Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?


    Andy



  • @amason:

    Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?


    Andy

    You mean DNS forwards ?

    That's what I was doing but I was instructed to stop doing so (see beginning of thread)

    I can do that and exclude the LAN from the reverse proxy interfaces (the interfaces the reverse-proxy server will bind to)

    But I still can't make the reverse proxy work from WAN for HTTP server (I have a web server which does not required HTTPs and it just won't work whatever I try).

    I'm getting very annoyed at this… I'm almost at the point where I want to run a separate reverse proxy (apache or such) in a VM and forward the HTTP and HTTPS port from pfSense to that...

    There's something broken... I've done a "textbook" configuration from scratch and the damn thing will not work...



  • Hi,

    this seems to be a Reverse NAT problem, Squid seems to work correctly. Check this forum for reverse NAT.

    Regards,

    Darko



  • woah

    after 6 months of using SQUID i got used to it…

    I got fed up with the reverse proxy thing and I deleted squid3 package all at once

    The internetz is sooooooooo FAST now it's incredible !!!

    I was under the impresssion that squid was speeding up our interwebz connection but it was NOT

    I'm enjoying high speed internet for real now !


Log in to reply