Squid Reverse Proxy for Multiple Internal Hosts



  • Hi everyone,
    I've been looking online, but can't seem to get Squid Reverse Proxy working.

    I am using the latest stable build of pfSense 64 bit, with Squid 3.5 family.

    I have followed a couple of guides online and everything looks ok.

    The issue I have encountered is the SSL certificate not working with Exchange. The Microsoft Remote Connectivity Analyser reports that the SSL certificate couldn't be obtained.

    When I go direct to the site, via Firefox, I get a 404 page from my IIS server.

    I am trying to publish 2 websites via Squid:
    MS Exchange 2013
    Windows Server 2012 R2 Essentials (effectively Remote Web Workplace).

    Neither seems to be working. The documentation I have been following isn't updated for the latest version, and I have had no joy with the Squid documentation on their website.

    I have also had a lot of dramas getting ports 80 and 443 bound to the Squid reverse proxy, as it only wanted high ports (I think I've fixed this, but the error wasn't exact, so I had a lot of issues getting the system tunables right).

    Can anyone help me with a step-by-step guide? The link posted by one of the users on these forums is dead, so no joy there.

    Thank you in advance.



  • 1. To mitigate the port problems, simply bind Squid to a high port on the localhost interface and NAT from WAN to it.
    2. Make 100% sure that you have really made the cert available to Squid and that it works. For example, publish a simple web server on IIS and try to reverse-proxy to it. If it works, you're OK.
    3. For Exchange I found the default options available in the Reverse Proxy configuration unusable for me. I found this one works:
    Add the following to "Services -> Squid Proxy Server" (not in the reverse proxy configuration!), in the "Custom ACLs (Before Auth)" section:

    # Note: in Squid 3.5, sslversion=3 selects SSLv3 only and sslflags=DONT_VERIFY_PEER skips verification of the Exchange server's certificate.
    cache_peer %IP_OF_YOUR_EXCHANGE% parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
    cache_peer %IP_OF_YOUR_EXCHANGE% parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchange.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/public.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchweb.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/OAB.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/Microsoft-Server-ActiveSync.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpc/rpcproxy.dll.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpcwithcert/rpcproxy.dll.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/EWS.*$
    acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/pub.*$
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/pub.*$
    acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^http://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
    acl OWA_URI_pfs url_regex -i ^https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
    cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
    cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
    cache_peer_access OWA_HOST_443_1_pfs deny allsrc
    cache_peer_access OWA_HOST_80_1_pfs deny allsrc
    never_direct allow OWA_URI_pfs
    http_access allow OWA_URI_pfs
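An added example, not the poster's config and not the squid.conf that pfSense generates, showing the same Exchange reverse proxy written directly in Squid 3.5 syntax with the pieces a defender would change: Squid listens on localhost high ports as step 1 suggests (the WAN NAT is done in pfSense and not shown), the backend connection is pinned to TLS 1.2 instead of sslversion=3 (SSLv3 only in Squid 3.5), the Exchange certificate is verified instead of using DONT_VERIFY_PEER, and only the Exchange virtual directories are forwarded, with the regex dots escaped (the posted ACL's first pattern matches every path, so the remaining lines there add nothing). The hostnames, the IP 10.0.0.5 and the certificate paths are placeholders.

```squid
# Constructed example; hostnames, 10.0.0.5 and file paths are placeholders.

# Step 1 of the answer: listen on localhost high ports and NAT 80/443 to them in pfSense.
http_port  127.0.0.1:3128 accel defaultsite=exc.contoso.com vhost
https_port 127.0.0.1:3129 accel defaultsite=exc.contoso.com vhost cert=/usr/local/etc/squid/exc.contoso.com.crt key=/usr/local/etc/squid/exc.contoso.com.key

# Origin server peers. The posted config uses sslversion=3 (SSLv3 only) and
# sslflags=DONT_VERIFY_PEER; here the backend is TLS 1.2 only (sslversion=6 in Squid 3.5),
# the certificate is checked against the issuing CA and must carry the Exchange name.
# (Squid 4 and later spell these tls-min-version=1.2 tls-cafile=... tls-domain=...)
cache_peer 10.0.0.5 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=6 sslcafile=/usr/local/etc/squid/internal-ca.pem ssldomain=exc.contoso.com front-end-https=on name=OWA_HOST_443
cache_peer 10.0.0.5 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80

# Only the published hostnames, and only the Exchange virtual directories (dots escaped,
# -i makes the match case-insensitive, the trailing group stops /owa matching /owaXYZ).
acl OWA_HOST dstdomain exc.contoso.com autodiscover.contoso.com
acl OWA_URI  url_regex -i ^https?://(exc|autodiscover)\.contoso\.com/(owa|ecp|ews|oab|public|exchange|exchweb|pub|microsoft-server-activesync|rpc/rpcproxy\.dll|rpcwithcert/rpcproxy\.dll|autodiscover/autodiscover\.xml)(/|\?|$)
acl HTTPS_REQ proto HTTPS

# Send HTTPS requests to the 443 peer and plain HTTP to the 80 peer; nothing else reaches either.
cache_peer_access OWA_HOST_443 allow OWA_URI HTTPS_REQ
cache_peer_access OWA_HOST_443 deny all
cache_peer_access OWA_HOST_80  allow OWA_URI !HTTPS_REQ
cache_peer_access OWA_HOST_80  deny all
never_direct allow OWA_HOST

http_access allow OWA_HOST OWA_URI
http_access deny all
```

With verification on, a wrong or internally issued Exchange certificate shows up as a Squid error to the peer rather than silently passing, which is the check step 2 asks for made explicit.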