
I'm fairly new to pfSense, so bear with me please.

To summarize, I have:

  • A network with split DNS enabled.
  • A single IIS web server with a single IP, with different sites running using different host header bindings over port 80; all sites work fine for internal users.
  • pfSense 2.3.4-RELEASE-p1 with Squid 0.4.40 installed on the network edge.
  • What I have looks like the image below:

[image: network diagram of the setup described above]

What I'm trying to achieve:

  • Publish the internal sites for external users using the same internal URLs.
  • Transparent Proxy (for internal caching and ClamAV) and HTTPS are not needed.

I read that pfSense can do this trick using Reverse Proxy, I followed the steps mentioned here to enable it (with the exception of using the same 80 port for internal sites): https://www.reddit.com/r/homelab/comments/2vyiiy/til_reverse_proxy_via_squid_in_pfsense/

Problem:

  • When external users type in the site URL and hit enter, the browser starts trying to connect, but after a few seconds it fails without loading the page; what is even weirder is that the URL they typed is redirected from HTTP to HTTPS.

Troubleshooting:

  • Disabled Transparent HTTP Proxy for internal communication.
  • The Squid logs are not showing anything related to redirection of URL.
  • The pfSense firewall logs show that external users are able to connect once using HTTP, and then all the traffic is communicated using HTTPS.

Questions:

  • Is this scenario even valid with pfSense/Squid?
  • If yes, what am I missing? If not, what is the alternative?
  • Do I have to publish the sites by using different ports on IIS and enable port redirection on pfSense? (Which is the very thing that I'm trying to avoid.)

Any additional steps or troubleshooting advice is very much appreciated.

Noor Khaldi
  • Are you sure the web server is not involved in this problem? I would bypass pfsense and find out first if I could access the site via HTTP externally. Then you know if you are even looking in the right place for the problem. – Appleoddity Sep 09 '17 at 00:27
  • It's not the web server because 1) it works locally, 2) I restored pfSense to default settings, enabled forwarding port 80 from external to the internal IIS server, asked an external user to test the URLs and they worked fine (makes me wonder why not just port forward 80 and be done with it?) – Noor Khaldi Sep 09 '17 at 06:05
  • Makes me wonder too. Why aren't you just port forwarding port 80? – Appleoddity Sep 09 '17 at 06:06
  • LOL, because at a later stage I will have to publish more internal web servers, all under port 80. Port forwarding works with a single internal IP address; it serves my purpose now but won't in the near future, so my problem isn't solved by port forwarding. – Noor Khaldi Sep 09 '17 at 06:08
  • Makes sense. Sorry, I'm not familiar enough with pfSense to offer further support. – Appleoddity Sep 09 '17 at 06:09

1 Answer

Solved:

I had to spend some intimate time with the Squid manual; it is highly recommended to really understand how it works: http://www.visolve.com/squid/whitepapers/reverseproxy.php

After reading the manual, I decided to start from scratch and do a complete reinstall of pfSense, as I started to believe that there was something wrong with the Squid service; it wasn't showing anything in the logs.

Tips and Tricks that applied to my scenario:

  • Make sure that the DNS splitting is done correctly.
  • Make sure that pfSense is using your internal DNS first, OR that you have static DNS entries on pfSense for the local sites (hosts file or DNS forwarder static entry).
  • Even though you may not use it, you have to configure and enable the forward proxy; no need to enable transparent mode, though.
  • The forward proxy must be enabled FIRST; if you enable the reverse proxy without configuring the forward proxy, things will get ugly.
  • You do NOT need to tell pfSense about the host headers used in the deployment if you're using split-brain DNS; actually, adding host headers caused the Squid service to go down in my scenario.

Because it took me some time to figure this out, I thought I'd better answer/archive my findings so I can help others who got stuck like me.

Step by step guide:

Step 1: Enable Forward Proxy by going to Services => Squid Proxy Server => General

  • Enable Squid Proxy: Checked
  • Proxy Interface: LAN
  • Proxy Port: 3128
  • Allow Users on Interface: Checked
  • Transparent HTTP Proxy: NOT Checked
  • SSL Man In The Middle Filtering: NOT Checked

Step 2: Enable Reverse Proxy by going to Services => Squid Reverse Proxy => General

  • Reverse Proxy Interface: WAN
  • External FQDN: from my example, this should be xyd.com, just the top domain name; typing anything else caused an error. People say that although this field allows you to type only one domain name, it won't stop you from proxying different domain names too, as long as one of them matches, but I can't confirm that.
  • Reset TCP Connections on Unauthorized Requests: Checked
  • Enable HTTP Reverse Proxy: Checked
  • Reverse HTTP Port: 80

Do all the above and save. Before you proceed, make sure that the Squid service is up and running by browsing to Status => Services and checking that the Squid service status is green; if it's not, recheck your work until it is.

Now it's time to define the mappings between external DNS and internal DNS.

Step 3: Define the Internal Web Servers by going to Services => Squid Reverse Proxy => Web Servers

  • Add each internal Web Server (not website or URL) you have by clicking Add
  • Enable This Peer: Checked
  • Peer Alias: name of the internal web server, just a name for easy referencing; from my example: Web/IIS
  • Peer IP: the actual internal IP resolved by DNS; from my example: 10.0.0.2
  • Peer Port: the port the internal site is using; from my example: 80
  • Peer Protocol: HTTP

Once you're done with this, pfSense now knows that there is an internal web server with the settings you just applied; you now need to tell it what this web server has by defining mappings.

Step 4: Define internal URLs by going to Services => Squid Reverse Proxy => Mappings

  • Enable This URI: Checked
  • Group Name: any name that allows you to quickly identify the URLs or host headers used in this group; I used something like "Web/IIS Group Redirection Group". EDIT: writing long names here caused the Squid service to fail; only write short names with no spaces.
  • Peers: you have to select the servers that are able to answer the URLs identified in this group; from my example: the web server identified in the previous step, Web/IIS
  • URI Settings: you have to write in the host headers, domain names or URLs you want pfSense to match in this group. Here is a big note: ONLY write this if you have transparent mode ENABLED; for my example, transparent mode was Off, and so I didn't have to write any host headers, domain names or URLs.

After making sure that the Squid service was still running, I did a test from an external user and ta-da! It worked :)

Noor Khaldi
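As an added illustration (this is neither the answer's text nor the configuration pfSense itself generates from the GUI, whose exact directives may differ), the following hand-written squid.conf expresses what Steps 1 to 4 above set up. The 10.0.0.1 LAN address, 203.0.113.10 WAN address and 10.0.0.0/24 LAN range are assumptions; xyd.com, 10.0.0.2 and the ports come from the question.

```squid
# Step 1: forward proxy on the LAN side only, non-transparent.
# Binding to the LAN address (assumed 10.0.0.1) keeps port 3128 off the WAN,
# so the edge box does not become an open proxy.
http_port 10.0.0.1:3128
acl localnet src 10.0.0.0/24          # assumed LAN range
http_access allow localnet

# Step 2: reverse proxy listener on the WAN interface (assumed 203.0.113.10).
# 'accel' makes this port an accelerator, 'vhost' tells Squid to pick the
# virtual host from the Host header the browser sent, and 'defaultsite' is
# only used for clients that send no Host header at all.
http_port 203.0.113.10:80 accel vhost defaultsite=xyd.com

# Step 3: the single IIS origin (Web Servers tab, alias Web/IIS).
# 'originserver' marks the peer as the content origin rather than another
# proxy; 'no-query' disables ICP, which an origin server does not speak.
cache_peer 10.0.0.2 parent 80 0 no-query originserver name=webiis

# Step 4: which requests may reach which peer (Mappings tab).
# IIS chooses the site from the Host header itself, so one peer and a
# wildcard domain ACL are enough; the public half of the split DNS must
# point every site name at the WAN address for this to match.
acl xydsites dstdomain .xyd.com
http_access allow xydsites
cache_peer_access webiis allow xydsites
cache_peer_access webiis deny all

# Anything else (unknown Host headers, probes for other domains) is refused
# rather than relayed to the origin.
http_access deny all
```

A quick external check is a request with an explicit host header, e.g. `curl -sI -H "Host: site1.xyd.com" http://203.0.113.10/`, which should return the IIS site's status line and no Location header pointing at an https:// URL.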