Netgate Discussion Forum

Squid Reverse Proxy for Multiple Internal Hosts

    dingo.vvarrior
    last edited by May 12, 2016, 4:04 PM

    Hi everyone,
    I've been looking online, but can't seem to get Squid Reverse Proxy working.

    I am using the latest stable build of pfSense 64 bit, with Squid 3.5 family.

    I have followed a couple of guides online and everything looks ok.

    The issue I have encountered is the SSL certificate not working with Exchange. The Microsoft Remote Connectivity Analyser reports that the SSL Certificate couldn't be obtained.

    When I go direct to the site, via Firefox, I get a 404 page from my IIS server.

    I am trying to publish 2 websites via Squid:
    MS Exchange 2013
    Windows Server 2012 R2 Essentials (effectively Remote Web Workplace).

    Neither seems to be working. The documentation I have been following isn't updated for the latest version, and I have had no joy with the Squid documentation on their website.

    I have also had a lot of dramas getting Port 80 and 443 bound to Squid reverse proxy, as it only wanted High Ports (I think I've fixed this, but the error wasn't exact so had a lot of issues getting the system tunables right).

    Can anyone help me with a step by step guide? The link by one of the users, on these forums, is a dead link, so no joy there.

    Thank you in advance.

      Soyokaze
      last edited by May 28, 2016, 8:08 PM

      1. To mitigate port problems, simply bind Squid to a high port on the localhost interface, and NAT from WAN to it.
      2. Make 100% sure that you have really made the cert available to Squid and that it works. For example, publish a simple web server on IIS and try to reverse to it. If it works, you're OK.
      3. For Exchange, I found the default options available in the Reverse Proxy configuration unusable for me. I found that this one works:
      Add to "Services -> Squid Proxy Server" (not in the reverse proxy configuration!), in the "Custom ACLS (Before Auth)" section:

      cache_peer %IP_OF_YOUR_EXCHANGE% parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
      cache_peer %IP_OF_YOUR_EXCHANGE% parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchange.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/public.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/exchweb.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/OAB.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/Microsoft-Server-ActiveSync.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpc/rpcproxy.dll.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/rpcwithcert/rpcproxy.dll.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/EWS.*$
      acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/pub.*$
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/pub.*$
      acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/AutoDiscover/AutoDiscover.xml
      acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/AutoDiscover/AutoDiscover.xml
      acl OWA_URI_pfs url_regex -i ^http://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
      acl OWA_URI_pfs url_regex -i ^https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
      cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
      cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
      cache_peer_access OWA_HOST_443_1_pfs deny allsrc
      cache_peer_access OWA_HOST_80_1_pfs deny allsrc
      never_direct allow OWA_URI_pfs
      http_access allow OWA_URI_pfs
      
      

      Need full pfSense in a cloud? PM for details!
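
An added example, not part of either post: a small Python audit of the directives posted above. It flags weak transport options on each `cache_peer` line and shows how the `OWA_URI_pfs` lines combine (they are OR-ed, so the `/.*$` catch-all makes the per-path lines redundant, and unescaped dots in the host name match any character). The function names are hypothetical, and Python's `re` is assumed to behave like Squid's regex engine for these simple patterns.

```python
import re

# Constructed sample: a subset of the directives posted above, unchanged.
SAMPLE = """\
cache_peer %IP_OF_YOUR_EXCHANGE% parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
cache_peer %IP_OF_YOUR_EXCHANGE% parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/.*$
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/owa.*$
acl OWA_URI_pfs url_regex -i ^https://exc.contoso.com/ecp.*$
acl OWA_URI_pfs url_regex -i ^http://exc.contoso.com/pub.*$
"""

def audit_peers(conf):
    """Return (peer name, finding) pairs for weak cache_peer transport options."""
    findings = []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "cache_peer":
            continue
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        opts = dict(t.partition("=")[::2] for t in tok[5:])
        name = opts.get("name", tok[1])
        if "ssl" not in opts:
            findings.append((name, "no TLS to origin"))
        if opts.get("sslversion") == "3":  # Squid 3.5: 3 = SSLv3 only
            findings.append((name, "SSLv3 only"))
        if "DONT_VERIFY_PEER" in re.split(r"[:,]", opts.get("sslflags", "")):
            findings.append((name, "origin certificate not verified"))
    return findings

def acl_patterns(conf, acl):
    """Collect (pattern, case_insensitive) for every url_regex line of one ACL."""
    out = []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:3] == ["acl", acl, "url_regex"]:
            out += [(p, "-i" in tok[3:]) for p in tok[3:] if p != "-i"]
    return out

def acl_matches(conf, acl, url):
    """Lines of one ACL are OR-ed: the URL matches if any pattern does."""
    return any(re.search(p, url, re.I if ci else 0) for p, ci in acl_patterns(conf, acl))

def shadowed(conf, acl):
    """Patterns made redundant by a '<prefix>.*$' catch-all in the same ACL."""
    pats = [p for p, _ in acl_patterns(conf, acl)]
    roots = [p[:-3] for p in pats if p.endswith("/.*$")]
    return [p for p in pats if any(p.startswith(r) and p != r + ".*$" for r in roots)]
```

Run against the full "Custom ACLS" text, `shadowed()` lists the per-path lines that only take effect once the catch-all line is removed.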
