SQUID3 Reverse Proxy question

BlazeStar

Bumping this because I'm an attention whore

dkrizic

Hi,

yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.

basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so

^https://test.domain.com/.$
^http://test.domain.com/.$

is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).
If you want to forward all HTTP to HTTPS, you can add an entry to

Services > Reverse Proxy > Mappings

with the following configuration

Redirect name: Whatever
Redirect protocol: HTTP
Blocked domains: test.domain.com
Path regex: ^/.*$
URL to redirect to: https://test.domain.com/

"Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.

dkrizic

One question: What is the port numbers under:

Services > Reverse Proxy > General

reverse HTTP port (in my case 8080)
reverse HTTPS port (in my case 8443)

I have forwards from WAN 80 -> 8080 and 443 -> 8443

BlazeStar

@dkrizic:

Hi,

yes, you activate "NAT Reflection mode for port forwards" = "Enable (NAT + Proxy)". Using different IP addresses for internal and external leads to many problems, because computers tend to cache IP addresses. NAT reflection solves this. It works for everything except VoIP, but VoIP devices usually don't roam.

basically all of the mappings should work, the "^" at the beginning means "at the beginning" and the "$" at the end means "at the end". The "." means "any character" and the "*" means "zero or more", so

^https://test.domain.com/.$
^http://test.domain.com/.$

is very fine and matches all requests to any URL of the given domain. It should work. Use lowercase (domain.com instead of DOMAIN.COM).

All that is done.

@dkrizic:

If you want to forward all HTTP to HTTPS, you can add an entry to

Services > Reverse Proxy > Mappings

with the following configuration

Redirect name: Whatever
Redirect protocol: HTTP
Blocked domains: test.domain.com
Path regex: ^/.*$
URL to redirect to: https://test.domain.com/

"Real time" does not seem to work, so don't get confused here. Try externally with "curl" or "wget" and look at the response.

I guess you meant in
Services > Reverse Proxy > Redirects
and not
Services > Reverse Proxy > Mappings

I added that too.

@dkrizic:

One question: What is the port numbers under:

Services > Reverse Proxy > General

reverse HTTP port (in my case 8080)
reverse HTTPS port (in my case 8443)

I have forwards from WAN 80 -> 8080 and 443 -> 8443

Before I left it blank so by design the ports were 80 and 443.
I had WAN Firewall rules that would just PASS 80 and 443.

Now I changed the
Services > Reverse Proxy > General
http://snag.gy/m0wlj.jpg

And I have updated my WAN firewall rules like so :
http://snag.gy/yOZCY.jpg
http://snag.gy/OBRwk.jpg

Still, when I try CURL on the mapped address, it goes :

curl: (7) Failed to connect to XXX port 80: Operation timed out

When I try to ping it, I get 100.0% packet loss

I think there might be something else wrong :S

dkrizic

Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!

If squid runs on ports 80/443, then it would be sufficient to add only two rules:

• Destination port 80 to 80 (and nothing more)
• Desintation port 443 to 443

but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.

Remove the two rules and add two port forwards:

Interface: WAN
Protocol: TCP
Destination port range: From HTTP to HTTP (which is 80)
Redirect target IP: 127.0.0.1
Redirect target port: 8080
Filter rule association: Add associated filter rule

Same for 443/8443

They try again and report

BlazeStar

@dkrizic:

Your firewall rules are wrong. You are opening ports 80 to 8080 and 443 to 8443, so you actually opened port 80 to 8443 to the public. Remove those rules!

If squid runs on ports 80/443, then it would be sufficient to add only two rules:

• Destination port 80 to 80 (and nothing more)
• Desintation port 443 to 443

but since we need to go from port 80 to 8080 and 443 to 8443, you need a port forward.

Remove the two rules and add two port forwards:

Interface: WAN
Protocol: TCP
Destination port range: From HTTP to HTTP (which is 80)
Redirect target IP: 127.0.0.1
Redirect target port: 8080
Filter rule association: Add associated filter rule

Same for 443/8443

They try again and report

Okay so I deleted the rule.

But to make a port forward, I couldn't find a way to do that in Firewall > Rules.

So I added it in Firewall > NAT > Port Forward

Here are the new rules :
http://snag.gy/rZEWU.jpg

Detail :
http://snag.gy/hRmpz.jpg
http://snag.gy/jJJOe.jpg

Just to make sure I rebooted the whole pfsense server.

Then I SSH'ed into an external server and still when I tried CURL on the mapped address, it goes :
Code: [Select]
curl: (7) Failed to connect to XXX port 80: Operation timed out

When I tried to ping it, I still got 100.0% packet loss

Also, from INTERNAL, now that I've removed the DNS forwarder, I can't access the server by typing it's FQDN.

dkrizic

Hi,

the rules look ok now.

I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.

Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.

Regards,

Darko

BlazeStar

@dkrizic:

Hi,

the rules look ok now.

I have one idea left: Ensure that the reverse proxy listens on loopback, also. I forgot that, sorry.

Ping will only work if you enable it by rule. This has nothing to do with reverse proxy.

Regards,

Darko

You ROCK!!
That worked almost perfectly!

I should have figured it out, as I just did the port forwarding to the loopback :S
Such a n00b, such a n00b I am…

So right now with reverse proxy I have 2 servers configured... a CRM (https) and an ERP (http)

From LAN : Both work !!!!! Yay !

From WAN : The CRM (https) does work, the ERP (http) does NOT work !

I rebooted just to make sure… it's the same...

So, like I said, it's almost perfectly working!

dkrizic

Hi,

I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.

Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:

• Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
• Configure both peers with HTTPS (I presume you did)
• Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
• Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
• Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
• Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
• Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
• Same for erp.domain.com
• Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
• Same for the other(s)

Test and report.

Darkmagister

hi, i have quite the same problem, i have pfsense 2.2
i want to use the reverse proxy, i just need http protocol i just have a few testing website
squid http listen to port 81 (8080 is already used) (of course i've enabled the use of port lower than 1024 on pfsense)
so i've enabled listen to lan, wan loopback
on webserver i've created my webserver that listen on port 80 http
on mapping i've created a record, that point to the previous peer, and added the domain as you written (^http://sub.domain.com/.*$)
nothing on redirects

now i've added a nat rule on the firewall
from 80 to 81 on 127.0.0.1

no if i go to http://sub.domain.com i just receive failed (like is blocked)
if i go to http://sub.domain.com:81 i receive a timeout error

the sub.domain.com have an A record that point to my ip address

what's wrong ?

dkrizic

Hi,

here is an example of how I did it:

Ensure NAT Reflection is active

General setting of the Reverse Proxy, in my case 8080 for HTTP and 8443 for HTTPS. It listens on loopback. I am not sure, if it is required to listen on the WAN interface.

The two Port Forwards for 80 to 8080 and 443 to 8443

Here is an example of observium.domain.com externally on HTTPS, internally HTTP (yes, this works).

The according Mapping for HTTPS only

This redirect points http://photo.domain.com/ and https://photo.domain.com/ (root path only) to https://photo.domain.com/photo/. If the app does the redirect, it will point to http://photo.internal.domain.com/photo/ which does not work :-)

Compare and report if it works.

Darkmagister

thanks but i don't get where is my error i'll add some screenshot maybe you spot something

dkrizic

Looks ok so far, I have the following ideas to check:

• Is the domain really pointing to the right IP address? If you changed it lately, it can still be outdated with caching DNS servers

• Is a different behavior from inside and outside?

• Does the internal HTTP host expect a name? Does http://<internal-ip>/ give the right web site?</internal-ip>

Darkmagister

btw the error that i get with curl if i go to sub.domain.com is
Recv failure: Connection reset by peer

it's possible that the pfsense web interface create a problem ? because i've disabled the access from outside but it listen to port 80

so the domain sub.domain.com point to my ip the domain.com point to another ip this can be a problem?
inside i have another dns server so it's work, but not because i'm going thour pfsense

the server need to have the domain name on the url otherwise it serve the default apache page but if i go to http://IP-ADDRESS/ directly from outside i receive the same error as above

dkrizic

Hi,

yes, that is possible. I have changed the port to HTTPS 442 and use the Reverse Proxy to access it on 443 as all other internal hosts.

Move it and try again.

Darkmagister

i have just changed the pfsense port to 90

but nothing changed, i still receive
Recv failure: Connection reset by peer

BlazeStar

Reporting back…

So I was starting to think there was a problem with my proxy / reverse-proxy config so I did the following :

So I've tried this :

@jimp:

To remove squid, squidguard, lightsquid, and anything else with 'squid' in its package name:

foreach (array_keys($config['installedpackages']) as $sec) {
	if (strpos($sec, "squid") !== false)
		unset($config['installedpackages'][$sec]);
}
write_config("Removed all squid-related settings");

And it cleared everything.

I started to configure everything from scratch.

Right now the proxy is in HTTP transparent mode, without SSL filtering.

@dkrizic:

Hi,

I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.

Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:

• Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
• Configure both peers with HTTPS (I presume you did)
• Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
• Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
• Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
• Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
• Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
• Same for erp.domain.com
• Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
• Same for the other(s)

Test and report.

So :

• For the reverse proxy interfaces, I just selected EVERYTHING (WAN, LAN and loopback)

• I enabled HTTP reverse mode on 8080, and HTTPS reverse mode on 8443

• My NAT forwarder rules are still there, unchanged and they seem good

• For now I don't have a wildcard certificate, I have a self-signed one which is okay for what I need

• I'm now testing only one peer in HTTPS. It is configured adequately

• On my domain name, I added a CNAME for CRM.DOMAIN.COM

• I added a peer with the internal IP

• I added a mapping for ^https://crm.domain.com/.*$

• I added a redirect from crm.domain.com to https://crm.domain.com/ (for HTTP protocol with path regex ^/$ )

• I don't need application path, https://crm.domain.com/ is perfect

In conclusion :
https://crm.domain.com/ works from EXTERNAL, not from internal

amason

Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?

–
Andy

BlazeStar

@amason:

Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?

–
Andy

You mean DNS forwards ?

That's what I was doing but I was instructed to stop doing so (see beginning of thread)

I can do that and exclude the LAN from the reverse proxy interfaces (the interfaces the reverse-proxy server will bind to)

But I still can't make the reverse proxy work from WAN for HTTP server (I have a web server which does not required HTTPs and it just won't work whatever I try).

I'm getting very annoyed at this… I'm almost at the point where I want to run a separate reverse proxy (apache or such) in a VM and forward the HTTP and HTTPS port from pfSense to that...

There's something broken... I've done a "textbook" configuration from scratch and the damn thing will not work...

dkrizic

Hi,

this seems to be a Reverse NAT problem, Squid seems to work correctly. Check this forum for reverse NAT.

Regards,

Darko