
Author Topic: squid-reverse  (Read 18110 times)


Offline trendchiller

squid-reverse
« on: January 04, 2012, 01:05:56 pm »
Hi !

the squid-reverse package is a replacement for the "normal" squid package since pfSense 2.0 and combines reverse functionality with the normal squid caching proxy.

you can use the squid-reverse package to replace the squid package when you're using squid in pfSense 2.0. the configuration should be kept.

squid-reverse is not available in pfSense 1.x.

i'll bump the squid version in squid-reverse to squid 3.x when squid 3.x is running stable...

Offline Sam0r

Re: squid-reverse
« Reply #1 on: January 25, 2012, 09:21:35 am »
Could you post a sample configuration?

I've been trying on and off to get this working for months, and still can't.

Everything looks right, but it just won't forward anything!

Offline trendchiller

Re: squid-reverse
« Reply #2 on: January 25, 2012, 02:07:06 pm »
Hi !
You are trying to use the reverse part and it does not work ?
First:
Did you add Firewall-Rules from ANY to WAN-Address for 80 / 443 ?

The three config fields are as follows:

HOST_SSL;192.168.1.1;443;HTTPS
HOST;192.168.1.1;80;HTTP

WEBAPP_SSL;faq;https://gw.domainname.com
WEBAPP;faq;http://gw.domainname.com

HOST_SSL;WEBAPP_SSL
HOST;WEBAPP

here it works great !

Offline gtr33m

Re: squid-reverse
« Reply #3 on: January 31, 2012, 06:46:01 pm »
Are there instructions anywhere, or do I simply follow something like this? http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Thanks,

Mark
« Last Edit: January 31, 2012, 07:01:33 pm by gtr33m »

Offline trendchiller

Re: squid-reverse
« Reply #4 on: February 01, 2012, 01:43:48 am »
Hi !
the packages should be self-explanatory, under each input field there are explanations...

for further help, please ask ;-)

Offline Sam0r

Re: squid-reverse
« Reply #5 on: February 04, 2012, 02:10:59 pm »
I've configured it like you suggested, and all I get when I try to browse to a page on it is:

Quote
While trying to retrieve the URL: http://wi.atlantis.me.uk/

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Offline trendchiller

Re: squid-reverse
« Reply #6 on: February 04, 2012, 02:32:04 pm »
is your subnet allowed under access control ?
or any destination blocked ?

Offline Sam0r

Re: squid-reverse
« Reply #7 on: February 04, 2012, 03:33:38 pm »
I've left everything on default except the reverse proxy section, should I change anything on the other tabs?

Also, on your URI Definitions, what does the faq part mean?

Offline trendchiller

Re: squid-reverse
« Reply #8 on: February 04, 2012, 04:00:48 pm »
you should check the access tab if your subnet is allowed and if there are any sites blocked...

the faq reflects the uri- after the fqdn http://server.domain.tld: for http://server.domain.tld/faq

FAQ_HTTP;faq;http://server.domain.tld will be http://server.domain.tld/faq

Offline Sam0r

Re: squid-reverse
« Reply #9 on: February 04, 2012, 04:15:24 pm »
Sorted it.

I was trying to publish the root of the site.

Turns out you have to put a * in there for that.

So, my config looks like this:

Peer Definitions:
prometheushttp;192.1.22.6;80;HTTP

URI Definitions:
atlantisweb;*;http://www.atlantis.me.uk
atlantisweb;*;http://atlantis.me.uk
atlantiswi;*;http://wi.atlantis.me.uk

ACL Definitions:
prometheushttp;atlantisweb
prometheushttp;atlantiswi

I added my subnet into the top box in access control.

Then I enabled logging in the general settings, SSH'd to the box and entered the shell.

I ran tail -F /var/squid/logs/access.log so I could see all the incoming HTTP requests.

Now to get OWA, Outlook anywhere and active sync working over HTTPS.

Any ideas if this can do other HTTPS streaming things? I have a citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to activesync. At the moment it's running on 4430 but I'd like to run that through squid too.
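
Added example, not part of any post in this thread and not the squid-reverse package's own code: a Python sketch that parses the three semicolon-separated fields from Reply #2 and Reply #9, checks their cross-references, and reports which request URLs would reach a peer. The matching rule (`*` publishes every path, any other value publishes that path and below) is an assumption drawn from the replies above, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Field values copied from the thread: (peers, URIs, ACLs).
REPLY9 = ("prometheushttp;192.1.22.6;80;HTTP",
          "atlantisweb;*;http://www.atlantis.me.uk\n"
          "atlantisweb;*;http://atlantis.me.uk\n"
          "atlantiswi;*;http://wi.atlantis.me.uk",
          "prometheushttp;atlantisweb\nprometheushttp;atlantiswi")
REPLY2 = ("HOST_SSL;192.168.1.1;443;HTTPS\nHOST;192.168.1.1;80;HTTP",
          "WEBAPP_SSL;faq;https://gw.domainname.com\n"
          "WEBAPP;faq;http://gw.domainname.com",
          "HOST_SSL;WEBAPP_SSL\nHOST;WEBAPP")

def parse_fields(peers, uris, acls):
    """Split the three fields into (peer table, URI groups, ACL pairs)."""
    peer_tbl = {}
    for line in peers.split():
        name, ip, port, proto = line.split(";")
        peer_tbl[name] = (ip, int(port), proto.upper())
    uri_tbl = {}
    for line in uris.split():
        group, path, base = line.split(";")
        uri_tbl.setdefault(group, []).append((path, base.rstrip("/").lower()))
    acl_pairs = [tuple(line.split(";")) for line in acls.split()]
    return peer_tbl, uri_tbl, acl_pairs

def lint(peer_tbl, uri_tbl, acl_pairs):
    """Return cross-reference problems that would leave a site unpublished."""
    problems = []
    for peer, group in acl_pairs:
        if peer not in peer_tbl:
            problems.append(f"ACL references unknown peer {peer}")
        if group not in uri_tbl:
            problems.append(f"ACL references unknown URI group {group}")
    used = {group for _, group in acl_pairs}
    problems += [f"URI group {g} has no ACL line" for g in uri_tbl if g not in used]
    return problems

def route(url, peer_tbl, uri_tbl, acl_pairs):
    """Return the peer name that would receive url, or None (Access Denied)."""
    u = urlsplit(url)
    base, path = f"{u.scheme}://{u.hostname}", u.path.lstrip("/")
    for peer, group in acl_pairs:
        for pattern, mapped_base in uri_tbl.get(group, []):
            # Assumption: "*" publishes every path; other values are a path prefix.
            hit = pattern == "*" or path == pattern or path.startswith(pattern + "/")
            if mapped_base == base and hit and peer in peer_tbl:
                return peer
    return None
```

Anything for which `route` returns `None` is a request the reverse proxy should refuse, which is also what keeps it from relaying to hosts that were never published.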

Offline marcelloc

Re: squid-reverse
« Reply #10 on: February 04, 2012, 05:29:30 pm »
I have a citrix secure gateway server that uses HTTPS to connect on port 443. It's not a web page though. I guess it's similar to activesync.

If it's not http, you may need to use haproxy or native pfSense load balancer to balance tcp connections.

Offline Sam0r

Re: squid-reverse
« Reply #11 on: February 06, 2012, 03:53:30 pm »
Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

I just want a reverse proxy, like in forefront TMG/ISA Server!

Offline marcelloc

Re: squid-reverse
« Reply #12 on: February 06, 2012, 04:02:43 pm »
Actually I've just realised a day after getting it working that it doesn't support Exchange 2010 Web Services, this makes the package totally useless for me.

I just want a reverse proxy, like in forefront TMG/ISA Server!

I have it working with varnish, haproxy and apache.

To get balance with https without having certificate issues, you may need a wildcard certificate.

Varnish does all http balance/cache
Haproxy does the https balance
Apache has the certificates and mod_security

Offline Sam0r

Re: squid-reverse
« Reply #13 on: February 06, 2012, 04:42:00 pm »
I think I'll just go back to using Forefront TMG.

As good as pfsense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

No offence to the community, it's a great work in progress, but it's not for me.

thanks for your time.

Offline jimp

Re: squid-reverse
« Reply #14 on: February 07, 2012, 12:37:02 pm »
I think I'll just go back to using Forefront TMG.

As good as pfsense is, it doesn't work for me. I need something up and running, and with documentation, not something put together by people in their spare time with next to no documentation.

No offence to the community, it's a great work in progress, but it's not for me.

thanks for your time.

There are so many things wrong with that statement I don't know where to begin. But you are right, there is no one perfect solution for everyone, use whatever works best for you.