Netgate Discussion Forum

    Trying to Configure Pfsense and Squid3 as a reverse proxy

    Cache/Proxy
    4 Posts 1 Posters 1.8k Views

      Mats

      I'm trying to set up Pfsense (2.2.4-RELEASE) with the Squid3 package (0.3.9.2) as a reverse proxy.
      The purpose is to publish a few different HTTP and HTTPS services through one IP based on URI filtering.

      In my lab environment the net design looks like this:

      Evil net (aka my simulated internet) is at 192.168.3.0/24 with the PFsense WAN interface at 192.168.3.2.
      I have an "external" client here at 192.168.3.5 to do my tests from.

      I have a DMZ at 192.168.1.0 with the Pfsense DMZ interface at 192.168.1.2.
      There is a webserver at 192.168.1.5.

      I also have two more webservers on other nets but I don't think we need them currently.

      I have configured two Firewall Rules:
      IPv4 TCP * * WAN address 443 (HTTPS) * none Listener for HTTPS published sites
      IPv4 TCP * * WAN address 80 (HTTP) * none Listener for HTTP published sites

      I have created two Reverse proxy peers:
      on WWW 192.168.1.5 80 HTTP www
      on https 192.168.1.5 443 HTTPS https

      I have one mapping:
      on test1 WWW,https binding them to the URI of my domain

      I can see the traffic being accepted in the firewall log.

      However it doesn't work, and when I use Wireshark on my "external" computer I see something that really surprised me.

      I get an HTTP 301 Moved Permanently. And then the Pfsense box tells the client to connect to the admin port of the Pfsense box, in this test port 666.

      It shouldn't do that, should it? I don't want that redirect since it's wrong and I don't like it to tell where the admin port is.

      Can anyone assist? I guess it's my config somewhere but I haven't been able to figure out where.


        Mats

        Found out about the problem with Squid and ports below 1024.

        Added nat rules to 5080 and 5433 and that seems to have fixed some of the problem.

        Now I can do NAT from WAN to internal.
        I can't do NAT from WAN to DMZ (opt interface).

        I can ping my webserver from the DMZ interface so there is connectivity between them.

        I have an "allow anything" rule on DMZ at the moment:
        IPv4 TCP * * * * * none


          Mats
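For readers trying to reproduce this setup, here is an added example (not from Mats or the pfSense package) of the squid.conf that the peers, mapping and high-port NAT described in the first two posts correspond to; the host name www.example.com, the certificate paths, and the listen ports 5080/5433 are assumptions.

```conf
# Added example: squid.conf reverse-proxy (accel) fragment for the setup
# described above. www.example.com, the cert/key paths and the 5080/5433
# listen ports are assumed values, not taken from the post.

# Listen above 1024 so squid does not need root for the sockets; pfSense
# port-forward rules (WAN:80 -> 5080, WAN:443 -> 5433) hand the traffic over.
http_port  5080 accel defaultsite=www.example.com vhost
https_port 5433 accel defaultsite=www.example.com vhost \
    cert=/usr/local/etc/squid/www.example.com.crt \
    key=/usr/local/etc/squid/www.example.com.key

# The two reverse proxy peers: the DMZ webserver over HTTP and over HTTPS.
# The ssl peer is only reachable if its certificate validates from squid.
cache_peer 192.168.1.5 parent 80  0 no-query originserver name=www
cache_peer 192.168.1.5 parent 443 0 no-query originserver ssl name=https

# The mapping: requests for the published domain may use these peers.
acl test1 dstdomain www.example.com
http_access allow test1
cache_peer_access www   allow test1
cache_peer_access https allow test1

# Anything not matching the mapping is refused rather than forwarded,
# so the proxy cannot be used to reach other internal hosts.
http_access deny all
cache_peer_access www   deny all
cache_peer_access https deny all
```

With this in place, a client on the "evil net" connecting to WAN:80 is forwarded to 5080 and served by the DMZ host only when the Host header matches the published domain.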

          Nailed that one too :)

          In the webgui it said /24 on the interface. On the console it said /32. After changing it on the console to /24 it works.


            Mats

            IT IS DONE ;D

            The old TMG is now replaced with a PFsense box.

            Two things I miss from TMG though:

            • The External computer set. Makes creating firewall rules so much easier. Just do an allow anything to external and you've got unrestricted internet access but no access to other networks on the "inside" like opt.
            • The grouping functionality. In TMG you can create a group and then collect rules in the group. For example I can place all rules for my webservers in one group and have the mail servers in another. Makes troubleshooting much faster since I know I only have to look in the mail group when troubleshooting mail.
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.