Trying to configure pfSense and Squid3 as a reverse proxy
I'm trying to set up pfSense (2.2.4-RELEASE) with the Squid3 package (0.3.9.2) as a reverse proxy.
The purpose is to publish a few different HTTP and HTTPS services through one IP based on URI filtering.
In my lab environment the network design looks like this:
Evil net (aka my simulated internet) is at 192.168.3.0/24 with the pfSense WAN interface at 192.168.3.2.
I have an "external" client here at 192.168.3.5 to do my tests from.
I have a DMZ at 192.168.1.0 with Pfsense DMZ interface at 192.168.1.2.
There is a webserver at 192.168.1.5
I also have two more webservers on other nets, but I don't think we need them currently.
I have configured two firewall rules:
IPv4 TCP * * WAN address 443 (HTTPS) * none Listener for HTTPS published sites
IPv4 TCP * * WAN address 80 (HTTP) * none Listener for HTTP published sites
I have created two reverse proxy peers:
on WWW 192.168.1.5 80 HTTP www
on https 192.168.1.5 443 HTTPS https
I have one mapping
on test1 WWW,https binding them to the URI of my domain
I can see the traffic being accepted in the firewall log.
However, it doesn't work, and when I use Wireshark on my "external" computer I see something that really surprised me.
I get an HTTP 301 Moved Permanently, and then the pfSense box tells the client to connect to the admin port of the pfSense box (in this test, port 666).
It shouldn't do that, should it? I don't want that redirect, since it's wrong and I don't like it telling where the admin port is.
Can anyone assist? I guess it's my config somewhere but I haven't been able to figure out where
Found out about the problem with Squid and ports below 1024.
Added NAT rules to 5080 and 5433 and that seems to have fixed some of the problem.
Now I can do NAT from WAN to internal.
I can't do NAT from WAN to DMZ (OPT interface).
I can ping my webserver from the DMZ interface, so there is connectivity between them.
I have an "allow anything" rule on DMZ at the moment:
IPv4 TCP * * * * * none
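To make the two posts above concrete (the reverse-proxy peers and URI mapping from the first post, and the workaround of listening on 5080/5433 behind a NAT port forward from the second), here is what the equivalent hand-written Squid 3.x accelerator configuration looks like. This is an added example, not the config the pfSense squid3 package generates and not the poster's own settings. The published hostname www.example.test, the certificate paths, the second backend at 192.168.2.5:8080 and the /api/ path split are assumptions made for illustration; the two firewall rules on WAN:80 and WAN:443 from the first post are replaced by port forwards to the unprivileged listener ports.

```conf
# Squid 3.x reverse proxy (accelerator) publishing several sites behind one WAN address.
# Added example: not the pfSense squid3 package's generated squid.conf.
# Hostnames, certificate paths and the 192.168.2.5:8080 backend are assumptions.

# Listen on unprivileged ports. pfSense port-forwards WAN:80 -> 5080 and WAN:443 -> 5433
# (the NAT fix from the thread), so squid never has to bind below 1024 and the
# webConfigurator is no longer what answers on the public ports.
http_port  192.168.3.2:5080 accel vhost defaultsite=www.example.test name=pub_http
https_port 192.168.3.2:5433 accel vhost defaultsite=www.example.test name=pub_https \
    cert=/usr/local/etc/squid/certs/www.example.test.crt \
    key=/usr/local/etc/squid/certs/www.example.test.key

# Backend peers (the "reverse proxy peers" in the GUI). originserver marks them as
# web servers rather than other proxies. The HTTPS peer verifies the backend cert
# against a CA file; sslflags=DONT_VERIFY_PEER would also work but lets any host on
# the DMZ segment impersonate the web server.
cache_peer 192.168.1.5 parent 80   0 no-query originserver name=www_http
cache_peer 192.168.1.5 parent 443  0 no-query originserver ssl \
    sslcafile=/usr/local/etc/squid/certs/dmz-ca.crt name=www_https
cache_peer 192.168.2.5 parent 8080 0 no-query originserver name=api_http   # assumed backend

# Selectors: published name, which listener the request arrived on, URI path.
acl site_www  dstdomain www.example.test
acl via_https myportname pub_https
acl path_api  urlpath_regex ^/api/

# Only requests for a published name get through; anything else is refused before
# a peer is consulted (no open proxy, no probing of the DMZ by IP).
http_access allow site_www
http_access deny all

# Never fetch directly from the requested host; every request must go to a peer.
never_direct allow all

# URI-based mapping: /api/ on www goes to the second server, everything else to
# 192.168.1.5, and HTTPS requests stay on the HTTPS peer. Each peer explicitly denies
# what it must not serve, otherwise squid falls back to it when another peer is down.
cache_peer_access api_http  allow site_www path_api
cache_peer_access api_http  deny  all
cache_peer_access www_https allow site_www via_https !path_api
cache_peer_access www_https deny  all
cache_peer_access www_http  allow site_www !via_https !path_api
cache_peer_access www_http  deny  all

# Don't advertise the proxy, its version, or the internal hop to the outside.
via off
httpd_suppress_version_string on
forwarded_for on
```

A quick check from the "external" client after applying this is to request http://192.168.3.2/ with a Host header for a name that is not published and confirm Squid answers with 403 rather than the webConfigurator's 301: if the redirect to the admin port still appears, the port forward is not catching the traffic before the firewall rule for "WAN address" does.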
Nailed that one too :)
In the web GUI it said /24 on the interface. On the console it said /32. After changing it on the console to /24 it works.
IT IS DONE ;D
The old TMG is now replaced with a pfSense box.
Two things I miss from TMG though:
- The External computer set. Makes creating firewall rules so much easier. Just do an "allow anything" to External and you get unrestricted internet access but no access to other networks on the "inside" like OPT.
- The grouping functionality. In TMG you can create a group and then collect rules in the group. For example, I can place all rules for my webservers in one group and have the mail servers in another. Makes troubleshooting much faster, since I know I only have to look in the mail group when troubleshooting mail.