SQUID3 Reverse Proxy question
-
hi, i have quite the same problem, i have pfsense 2.2
i want to use the reverse proxy, i just need http protocol i just have a few testing website
squid http listen to port 81 (8080 is already used) (of course i've enabled the use of port lower than 1024 on pfsense)
so i've enabled listen to lan, wan loopback
on webserver i've created my webserver that listen on port 80 http
on mapping i've created a record, that point to the previous peer, and added the domain as you written (^http://sub.domain.com/.*$)
nothing on redirectsnow i've added a nat rule on the firewall
from 80 to 81 on 127.0.0.1no if i go to http://sub.domain.com i just receive failed (like is blocked)
if i go to http://sub.domain.com:81 i receive a timeout errorthe sub.domain.com have an A record that point to my ip address
what's wrong ?
-
Hi,
here is an example of how I did it:
Ensure NAT Reflection is active
General setting of the Reverse Proxy, in my case 8080 for HTTP and 8443 for HTTPS. It listens on loopback. I am not sure, if it is required to listen on the WAN interface.
The two Port Forwards for 80 to 8080 and 443 to 8443
Here is an example of observium.domain.com externally on HTTPS, internally HTTP (yes, this works).
The according Mapping for HTTPS only
This redirect points http://photo.domain.com/ and https://photo.domain.com/ (root path only) to https://photo.domain.com/photo/. If the app does the redirect, it will point to http://photo.internal.domain.com/photo/ which does not work :-)
Compare and report if it works.
-
thanks but i don't get where is my error i'll add some screenshot maybe you spot something
-
Looks ok so far, I have the following ideas to check:
-
Is the domain really pointing to the right IP address? If you changed it lately, it can still be outdated with caching DNS servers
-
Is a different behavior from inside and outside?
-
Does the internal HTTP host expect a name? Does http://<internal-ip>/ give the right web site?</internal-ip>
-
-
btw the error that i get with curl if i go to sub.domain.com is
Recv failure: Connection reset by peerit's possible that the pfsense web interface create a problem ? because i've disabled the access from outside but it listen to port 80
so the domain sub.domain.com point to my ip the domain.com point to another ip this can be a problem?
inside i have another dns server so it's work, but not because i'm going thour pfsensethe server need to have the domain name on the url otherwise it serve the default apache page but if i go to http://IP-ADDRESS/ directly from outside i receive the same error as above
-
Hi,
yes, that is possible. I have changed the port to HTTPS 442 and use the Reverse Proxy to access it on 443 as all other internal hosts.
Move it and try again.
-
i have just changed the pfsense port to 90
but nothing changed, i still receive
Recv failure: Connection reset by peer
-
Reporting back…
So I was starting to think there was a problem with my proxy / reverse-proxy config so I did the following :
So I've tried this :
To remove squid, squidguard, lightsquid, and anything else with 'squid' in its package name:
foreach (array_keys($config['installedpackages']) as $sec) { if (strpos($sec, "squid") !== false) unset($config['installedpackages'][$sec]); } write_config("Removed all squid-related settings");And it cleared everything.
I started to configure everything from scratch.
Right now the proxy is in HTTP transparent mode, without SSL filtering.
Hi,
I presume that the following happens: You go to http://test.domain.com/ and the internal web server does a redirect to https://test.internal.domain.com/application/ (or so). What is the URL after you have successfully accessed from internal network? One of the reasons is, that the peers is configured with HTTPS, but accessed with HTTP from outside. Some application allow, that you configure HTTP/HTTPS and the actual domain name to redirect to.
Anyway, I don't think it is a good idea, that you use HTTP for an application like CRM or ERP and therefore I suggest you do the following:
- Buy a wildcard certificate "*.domain.com", but for tests you can use any certificate which will surely give a warning in all browsers
- Configure both peers with HTTPS (I presume you did)
- Add two now entries to the DNS like "erp.domain.com" and "crm.domain.com". They can be CNAMEs to the existing name
- Add a mapping "^https://erp.domain.com/.*$" and use the peer ERP
- Add a mapping "^https://crm.domain.com/.*$" and use the peer CRM
- Now test if both work like "https://crm.domain.com" from external and internal. If external does not work for now, check what redirects happen. We can possibly fix that.
- Add a Redirect that maps HTTP to crm.domain.com (any path) to https://crm.domain.com/. You can also add the application path here (e.g. https://crm.domain.com/application/login.jsp), so the application will not try to redirect anymore!
- Same for erp.domain.com
- Now a "http://erp.domain.com" should redirect you to "https://erp.domain.com/" (including application path)
- Same for the other(s)
Test and report.
So :
-
For the reverse proxy interfaces, I just selected EVERYTHING (WAN, LAN and loopback)
-
I enabled HTTP reverse mode on 8080, and HTTPS reverse mode on 8443
-
My NAT forwarder rules are still there, unchanged and they seem good
-
For now I don't have a wildcard certificate, I have a self-signed one which is okay for what I need
-
I'm now testing only one peer in HTTPS. It is configured adequately
-
On my domain name, I added a CNAME for CRM.DOMAIN.COM
-
I added a peer with the internal IP
-
I added a mapping for ^https://crm.domain.com/.*$
-
I added a redirect from crm.domain.com to https://crm.domain.com/ (for HTTP protocol with path regex ^/$ )
-
I don't need application path, https://crm.domain.com/ is perfect
In conclusion :
https://crm.domain.com/ works from EXTERNAL, not from internal -
Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?
–
Andy -
Can you add local overrides (split DNS) for the internal side instead of trying to bounce them off the firewall?
–
AndyYou mean DNS forwards ?
That's what I was doing but I was instructed to stop doing so (see beginning of thread)
I can do that and exclude the LAN from the reverse proxy interfaces (the interfaces the reverse-proxy server will bind to)
But I still can't make the reverse proxy work from WAN for HTTP server (I have a web server which does not required HTTPs and it just won't work whatever I try).
I'm getting very annoyed at this… I'm almost at the point where I want to run a separate reverse proxy (apache or such) in a VM and forward the HTTP and HTTPS port from pfSense to that...
There's something broken... I've done a "textbook" configuration from scratch and the damn thing will not work...
-
Hi,
this seems to be a Reverse NAT problem, Squid seems to work correctly. Check this forum for reverse NAT.
Regards,
Darko
-
woah
after 6 months of using SQUID i got used to it…
I got fed up with the reverse proxy thing and I deleted squid3 package all at once
The internetz is sooooooooo FAST now it's incredible !!!
I was under the impresssion that squid was speeding up our interwebz connection but it was NOT
I'm enjoying high speed internet for real now !