IIS – Publish different sites using a single IP and pfSense – Squid

Tags: host-headers, iis, pfsense, proxy, squid

I'm fairly new to pfSense, so bear with me please.

To summarize, I have:

  • A network with split DNS enabled.
  • A single IIS web server with a single IP, with different sites running on different host header bindings over port 80; all sites work fine for internal users.
  • pfSense 2.3.4-RELEASE-p1 with Squid 0.4.40 installed on the network edge.
  • What I have looks like the image below:

[network diagram]

What I'm trying to achieve:

  • Publish the internal sites for external users using the same internal URLs.
  • Transparent Proxy (for internal caching and ClamAV) and HTTPS are not needed.

I read that pfSense can do this trick using a reverse proxy; I followed the steps mentioned here to enable it (with the exception of using the same port 80 for internal sites): https://www.reddit.com/r/homelab/comments/2vyiiy/til_reverse_proxy_via_squid_in_pfsense/

Problem:

  • When external users type in the site URL and hit enter, the browser starts trying to connect, but after a few seconds it fails without loading the page. What is even weirder is that the URL they typed is redirected from HTTP to HTTPS.

Troubleshooting:

  • Disabled Transparent HTTP Proxy for internal communication.
  • The Squid logs are not showing anything related to redirection of URL.
  • The pfSense firewall logs show that external users are able to connect once using HTTP, and then all the traffic is communicated using HTTPS.

Questions:

  • Is this scenario even valid with pfSense/Squid?
  • If yes, what am I missing? If not, what is the alternative?
  • Do I have to publish the sites by using different ports on IIS and enable port redirection on pfSense? (Which is the very thing that I'm trying to avoid.)

Any additional steps or troubleshooting advice is very much appreciated.

Best Answer

Solved:

I had to spend some intimate time with the Squid manual; highly recommended if you want to really understand how it works: http://www.visolve.com/squid/whitepapers/reverseproxy.php

After reading the manual, I decided to start from scratch and do a complete reinstall of pfSense, as I started to believe that there was something wrong with the Squid services; they weren't showing anything in the logs.

Tips and Tricks that applied to my scenario:

  • Make sure that the DNS splitting is done correctly.
  • Make sure that pfSense is using your internal DNS first, OR that you have static DNS entries on pfSense for the local sites (hosts file or DNS forwarder static entry).
  • Even though you may not use it, you have to configure and enable the forward proxy, no need to enable transparent mode though.
  • The forward proxy must be enabled FIRST, if you enable reverse proxy without configuring forward, things will get ugly.
  • You do NOT need to tell pfSense about the host headers used in the deployment if you're using split-brain DNS; actually, adding host headers caused the Squid service to go down in my scenario.

Because it took me some time to figure this out, I thought I'd better answer/archive my findings so I can help others who got stuck like me.

Step by step guide:

Step 1: Enable Forward Proxy by going to Services => Squid Proxy Server => General

  • Enable Squid Proxy: Checked
  • Proxy Interface: LAN
  • Proxy Port: 3128
  • Allow Users on Interface: Checked
  • Transparent HTTP Proxy: NOT Checked
  • SSL Man In The Middle Filtering: NOT Checked

Step 2: Enable Reverse Proxy by going to Services => Squid Reverse Proxy => General

  • Reverse Proxy Interface: WAN
  • External FQDN: from my example, this should be xyd.com, just the top domain name. Typing anything else caused an error. People say that although this field allows you to type only one domain name, it won't stop you from proxying different domain names too, as long as one of them matches, but I can't confirm that.
  • Reset TCP Connections on Unauthorized Requests: Checked
  • Enable HTTP Reverse Proxy: Checked
  • Reverse HTTP Port: 80

Do all the above and save. Before you proceed, make sure that the Squid service is up and running by browsing to Status => Services => Squid; the service status should be green. If it's not, recheck your work until it is.

Now it's time to define the mappings between external DNS and internal DNS.

Step 3: Define the Internal Web Servers by going to Services => Squid Reverse Proxy => Web Servers

  • Add each internal Web Server (not website or URL) you have by clicking Add
  • Enable This Peer: Checked
  • Peer Alias: name of the internal web server, just a name for easy referencing. From my example: Web/IIS
  • Peer IP: the actual internal IP resolved by DNS, from my example: 10.0.0.2
  • Peer Port: the port the internal site is using, from my example: 80
  • Peer Protocol: HTTP

Once you're done with this, pfSense now knows that there is an internal web server with the settings you just applied; you now need to tell it what this web server has by defining mappings.

Step 4: Define internal URLs by going to Services => Squid Reverse Proxy => Mappings

  • Enable This URI: Checked
  • Group Name: any name that allows you to quickly identify the URLs or host headers used in this group. I used something like "Web/IIS Group Redirection Group". EDIT: writing long names here caused the Squid service to fail; only write short names with no spaces.
  • Peers: You have to select the servers that are able to answer the URLs identified in this group, from my example: The web server identified in the previous step: Web/IIS
  • URI Settings: you have to write in the host headers, domain names or URLs you want pfSense to match in this group. Here is a big note: ONLY write this if you have transparent mode ENABLED. For my example, transparent mode was Off, so I didn't have to write any host headers, domain names or URLs.

After making sure that the Squid service was still running, I did a test from an external user and ta-da! It worked :)
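For readers who want to see what the GUI steps in this answer amount to underneath, here is the equivalent reverse-proxy (accelerator) stanza in plain squid.conf. This is an added example, not the page's own text and not the file the pfSense Squid package actually generates; the WAN address 203.0.113.10 and the site names site1.xyd.com and site2.xyd.com are assumed for illustration, while the peer address 10.0.0.2, port 80 and the domain xyd.com come from the answer above.

```conf
# Added example: Squid reverse-proxy configuration equivalent to Steps 2-4.
# Not pfSense's generated squid.conf. Assumed values: WAN address
# 203.0.113.10, published sites site1.xyd.com and site2.xyd.com.
# From the answer: internal IIS server 10.0.0.2, port 80, domain xyd.com.

# Listen on the WAN address only, in accelerator mode. "vhost" makes Squid
# keep the client's Host header and use it to select the backend, which is
# exactly what IIS host-header bindings need. "defaultsite" is only the
# fallback for HTTP/1.0 clients that send no Host header (the "External FQDN"
# field in Step 2).
http_port 203.0.113.10:80 accel vhost defaultsite=xyd.com

# The single internal IIS server (Step 3). "originserver" tells Squid this
# peer is a web server rather than another proxy, so requests are forwarded
# unchanged, Host header included.
cache_peer 10.0.0.2 parent 80 0 no-query originserver name=WebIIS

# The host headers published through this listener (Step 4). Only these
# names are routed to the peer.
acl iis_sites dstdomain site1.xyd.com site2.xyd.com
cache_peer_access WebIIS allow iis_sites
cache_peer_access WebIIS deny all

# Default-deny on the WAN side: anything that is not one of the published
# names is refused, so the listener cannot be abused as an open forward proxy
# towards internal hosts. TCP_RESET drops the connection instead of returning
# a Squid error page, which is the squid.conf form of the "Reset TCP
# Connections on Unauthorized Requests" checkbox.
http_access allow iis_sites
deny_info TCP_RESET all
http_access deny all
```

To check a published site from outside without relying on DNS, send the Host header explicitly, for example `curl -sI -H 'Host: site1.xyd.com' http://203.0.113.10/`, and expect an HTTP 200 with the IIS response headers. A 301 or 302 to an https:// URL in that output was issued by whichever hop answered, so comparing the result against the same request made directly to 10.0.0.2 from inside the LAN tells you whether the redirect in the question comes from the backend or from the proxy. Since this setup deliberately publishes the sites over plain HTTP, anything the sites carry in cookies or form posts crosses the WAN unencrypted; that is acceptable only for content that does not need confidentiality or authentication.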