Netgate Discussion Forum
    Squid Reverse Proxy for Multiple Internal Hosts

      dingo.vvarrior

      Hi everyone,
      I've been looking online, but can't seem to get Squid Reverse Proxy working.

      I am using the latest stable build of pfSense 64 bit, with Squid 3.5 family.

      I have followed a couple of guides online and everything looks ok.

      The issue I have encountered is the SSL certificate not working with Exchange. The Microsoft Remote Connectivity Analyser reports that the SSL certificate couldn't be obtained.

      When I go direct to the site, via Firefox, I get a 404 page from my IIS server.

      I am trying to publish 2 websites via Squid:
      MS Exchange 2013
      Windows Server 2012 R2 Essentials (effectively Remote Web Workplace).

      Neither seems to be working. The documentation I have been following isn't updated for the latest version, and I have had no joy with the Squid documentation on their website.

      I have also had a lot of dramas getting ports 80 and 443 bound to the Squid reverse proxy, as it only wanted high ports (I think I've fixed this, but the error wasn't exact, so I had a lot of issues getting the system tunables right).

      Can anyone help me with a step by step guide? The link by one of the users, on these forums, is a dead link, so no joy there.

      Thank you in advance.

        Soyokaze

        1. To mitigate the port problems, simply bind Squid to a high port on the localhost interface and NAT from WAN to it.
        2. Make sure 100% that you really made the cert available to Squid and that it works. For example, publish a simple web server on IIS and try to reverse proxy to it. If it works, you're ok.
        3. For Exchange I found the default options available in the Reverse Proxy configuration unusable for me. I found this one works:
        add the following to the "Custom ACLs (Before Auth)" section of "Services -> Squid Proxy Server" (not in the reverse proxy configuration!):

        cache_peer %IP_OF_YOUR_EXCHANGE% parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
        cache_peer %IP_OF_YOUR_EXCHANGE% parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchange.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/public.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchweb.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/OAB.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/Microsoft-Server-ActiveSync.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpc/rpcproxy.dll.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpcwithcert/rpcproxy.dll.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/EWS.*$
        acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/pub.*$
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/pub.*$
        acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/AutoDiscover/AutoDiscover.xml
        acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/AutoDiscover/AutoDiscover.xml
        acl OWA_URI_pfs url_regex -i ^http://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
        acl OWA_URI_pfs url_regex -i ^https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
        cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
        cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
        cache_peer_access OWA_HOST_443_1_pfs deny allsrc
        cache_peer_access OWA_HOST_80_1_pfs deny allsrc
        never_direct allow OWA_URI_pfs
        http_access allow OWA_URI_pfs
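As an added check for the configuration posted above (my own example, not the poster's config, not a pfSense or Squid tool): the script below parses a trimmed copy of those `cache_peer`, `acl ... url_regex` and `cache_peer_access` lines, reports which origin peer(s) a request URL would be allowed to reach, and flags the peer options that weaken TLS to the origin (`sslversion=3` forces SSLv3, `sslflags=DONT_VERIFY_PEER` skips certificate verification). The sample config is constructed: the `%IP_OF_YOUR_EXCHANGE%` placeholder is replaced with a documentation address, the catch-all `^https://exc.contoso.com/.*$` line is left out so that per-path matching is visible (in the post it makes every other https line redundant), and `allsrc`, which pfSense's generated squid.conf is assumed to define as a match-all `src` ACL, is treated as always matching.

```python
"""Dry-run Squid url_regex ACLs against cache_peer_access rules.

Added example, not from the forum post or from Squid itself. It parses a
small squid.conf fragment and answers: which peers may serve this URL,
and which peers carry weak TLS options? Sample config and URLs are
constructed; the exc.contoso.com names come from the posted config.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the posted fragment, with the
# %IP_OF_YOUR_EXCHANGE% placeholder replaced by an RFC 5737 address.
SAMPLE_CONFIG = """
cache_peer 192.0.2.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
cache_peer 192.0.2.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/EWS.*$
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/Microsoft-Server-ActiveSync.*$
acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/AutoDiscover/AutoDiscover.xml
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/AutoDiscover/AutoDiscover.xml
acl OWA_URI_pfs url_regex -i ^https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_443_1_pfs deny allsrc
cache_peer_access OWA_HOST_80_1_pfs deny allsrc
"""

# cache_peer options that weaken the Squid -> origin TLS connection.
WEAK_OPTIONS = {
    "sslversion=3": "forces SSLv3 only to the origin (obsolete protocol)",
    "sslflags=DONT_VERIFY_PEER": "origin certificate is not verified",
}


@dataclass
class Peer:
    name: str
    host: str
    port: int
    options: list[str]
    # (allow|deny, acl-name) in file order, as for cache_peer_access
    rules: list[tuple[str, str]] = field(default_factory=list)


def parse_config(text: str) -> tuple[dict[str, Peer], dict[str, list[re.Pattern]]]:
    """Collect cache_peer definitions, url_regex ACLs and peer access rules."""
    peers: dict[str, Peer] = {}
    acls: dict[str, list[re.Pattern]] = {}
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        if words[0] == "cache_peer":
            host, port, opts = words[1], int(words[3]), words[5:]
            name = next((o[5:] for o in opts if o.startswith("name=")), host)
            peers[name] = Peer(name, host, port, opts)
        elif words[0] == "acl" and words[2] == "url_regex":
            pats = words[3:]
            flags = 0
            if pats and pats[0] == "-i":        # Squid's case-insensitive flag
                flags, pats = re.IGNORECASE, pats[1:]
            acls.setdefault(words[1], []).extend(re.compile(p, flags) for p in pats)
        elif words[0] == "cache_peer_access":
            peers[words[1]].rules.append((words[2], words[3]))
    return peers, acls


def acl_matches(name: str, url: str, acls: dict[str, list[re.Pattern]]) -> bool:
    # Assumption: any ACL not defined as url_regex here (pfSense's "allsrc",
    # Squid's "all") is a match-all, so the trailing "deny allsrc" rules bite.
    if name not in acls:
        return True
    return any(p.search(url) for p in acls[name])


def eligible_peers(url: str, peers: dict[str, Peer], acls) -> list[str]:
    """Peers whose cache_peer_access rules allow this URL (first match wins;
    a peer with no rules is always eligible). Which eligible peer Squid
    finally picks is its own selection logic, so all of them are listed."""
    out = []
    for peer in peers.values():
        verdict = "allow"
        for action, acl in peer.rules:
            if acl_matches(acl, url, acls):
                verdict = action
                break
        if verdict == "allow":
            out.append(peer.name)
    return out


def weak_tls_options(peers: dict[str, Peer]) -> dict[str, list[str]]:
    """Map peer name -> descriptions of the weak TLS options it carries."""
    found = {}
    for p in peers.values():
        hits = [WEAK_OPTIONS[o] for o in p.options if o in WEAK_OPTIONS]
        if hits:
            found[p.name] = hits
    return found


PEERS, ACLS = parse_config(SAMPLE_CONFIG)


def route(url: str) -> list[str]:
    """Convenience wrapper over the parsed sample config."""
    return eligible_peers(url, PEERS, ACLS)


if __name__ == "__main__":
    for u in ("https://exc.contoso.com/owa/", "http://exc.contoso.com/owa/",
              "https://exc.contoso.com/rpc/rpcproxy.dll"):
        print(f"{u:50} -> {route(u) or 'no peer (denied)'}")
    for name, problems in weak_tls_options(PEERS).items():
        print(f"{name}: " + "; ".join(problems))
```

Two things the dry-run makes visible: an `http://` request for `/owa` reaches no peer at all because only the `https://` pattern exists for that path, and the dots in `exc.contoso.com` are unescaped, so `.` matches any character. The weak-option report is the part to act on before exposing the proxy: verifying the Exchange certificate (or pinning it with `sslcafile=`) and not forcing SSLv3 keeps the proxy-to-origin hop from being the weakest link.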
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.