Solved:
I had to spend some intimate time with the squid manual, highly recommended to really understand how it works: http://www.visolve.com/squid/whitepapers/reverseproxy.php
After reading the manual, I decided to start from scratch and do a complete reinstall of pfSense, as I started to believe that there was something wrong with the Squid services; it wasn't showing anything in the logs.
Tips and Tricks that applied to my scenario:
- Make sure that the DNS splitting is done correctly.
- Make sure that pfSense is using your internal DNS first, or that you have static DNS entries on pfSense for the local sites (hosts file or DNS forwarder static entry).
- Even though you may not use it, you have to configure and enable the forward proxy, no need to enable transparent mode though.
- The forward proxy must be enabled FIRST; if you enable reverse proxy without configuring forward, things will get ugly.
- You do NOT need to tell pfSense about the host headers used in the deployment if you're using split-brain DNS; actually, adding host headers caused the squid service to go down in my scenario.
Because it took me some time to figure this out, I thought I'd better answer/archive my findings so I can help others who got stuck like me.
Step by step guide:
Step 1: Enable Forward Proxy by going to Services => Squid Proxy Server => General
- Enable Squid Proxy: Checked
- Proxy Interface: LAN
- Proxy Port: 3128
- Allow Users on Interface: Checked
- Transparent HTTP Proxy: NOT Checked
- SSL Man In The Middle Filtering: NOT Checked
Step 2: Enable Reverse Proxy by going to Services => Squid Reverse Proxy => General
- Reverse Proxy Interface: WAN
- External FQDN: from my example, this should be xyd.com, just the top domain name; typing anything else caused an error. People say that although this field allows you to type only one domain name, it won't stop you from proxying different domain names too, as long as one of them matches, but I can't confirm that.
- Reset TCP Connections on Unauthorized Requests: Checked
- Enable HTTP Reverse Proxy: Checked
- Reverse HTTP Port: 80
Do all the above and save. Before you proceed, make sure that the squid service is up and running by browsing to Status => Services; the Squid service status should be green. If it's not, recheck your work until it is.
Now it's time to define the mappings between external DNS and internal DNS.
Step 3: Define the Internal Web Servers by going to Services => Squid Reverse Proxy => Web Servers
- Add each internal Web Server (not website or URL) you have by clicking Add
- Enable This Peer: Checked
- Peer Alias: name of the internal web server, just a name for easy referencing; from my example: Web/IIS
- Peer IP: the actual internal IP resolved by DNS, from my example: 10.0.0.2
- Peer Port: the port the internal site is using, from my example: 80
- Peer Protocol: HTTP
Once you're done with this, pfSense now knows that there is an internal web server with the settings you just applied; you now need to tell it what this web server has by defining mappings.
Step 4: Define internal URLs by going to Services => Squid Reverse Proxy => Mappings
- Enable This URI: Checked
- Group Name: Any name that allows you to quickly identify the URLs or host headers used in this group, I used something like "Web/IIS Group Redirection Group"
EDIT: writing long names here caused the squid service to fail; only write short names with no spaces.
- Peers: you have to select the servers that are able to answer the URLs identified in this group; from my example: the web server identified in the previous step, Web/IIS
- URI Settings: you have to write in the host headers, domain names or URLs you want pfSense to match in this group. Here is a big note: ONLY write this if you have transparent mode ENABLED. For my example, transparent mode was off, so I didn't have to write any host headers, domain names or URLs.
After making sure that the Squid service is still running, I did a test from an external user and ta-da! it worked :)
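For readers who want to see what Steps 2 to 4 amount to underneath the GUI, here is a hand-written squid.conf equivalent, added as an illustration; it is not from the post above and not the file the pfSense Squid package generates. The domain xyd.com, the peer 10.0.0.2:80 and the alias Web/IIS are the post's example values, and the directives are standard Squid accelerator-mode directives.

```conf
# Added example: Squid accelerator (reverse proxy) config mirroring the pfSense
# steps above. pfSense writes its own squid.conf; this is only an illustration.

# Step 2: listen on the WAN side in accelerator mode and route on the Host header
http_port 80 accel vhost defaultsite=xyd.com

# "Reset TCP Connections on Unauthorized Requests": answer refused requests
# with a TCP reset instead of an error page
deny_info TCP_RESET all

# Step 3: the internal web server
# (Peer Alias "Web/IIS" -> name=webiis, Peer IP 10.0.0.2, Peer Port 80, HTTP)
cache_peer 10.0.0.2 parent 80 0 no-query originserver name=webiis

# Step 4: which requests this peer may answer. Restricting the peer to the
# published domain keeps the accelerator from relaying requests for hosts it
# was never meant to serve.
acl webiis_sites dstdomain .xyd.com
http_access allow webiis_sites
cache_peer_access webiis allow webiis_sites
cache_peer_access webiis deny all

# Everything else is refused
http_access deny all
```

Before loading a hand-edited file like this, `squid -k parse` checks it for syntax errors without restarting the running service.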