Migrating Apache reverse proxy to Squid3 using pfSense

pfsensereverse-proxy

I currently have a pfSense firewall that redirects port 80 and 443 to an internal Apache that acts as a reverse proxy for several subdomains on our company.

Since pfSense provides a reverse proxy through Squid3, I'd like to get rid of the Apache server and route everything with pfSense instead.

My current Apache configuration is something like this:

<VirtualHost *:80 *:443>
    RewriteEngine   on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    ServerName trac.mycompany.com
    SSLProxyEngine on

    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1

    ProxyPreserveHost On
    ProxyPass / https://trac.mycompany.com/
    ProxyPassReverse / https://trac.mycompany.com/
    ProxyVia on
</VirtualHost>

<VirtualHost *:80 *:443>
    ServerName svn.mycompany.com
    ProxyPass / http://svn.mycompany.com/
    ProxyPassReverse / http://svn.mycompany.com/
    ProxyVia On
</VirtualHost>

As you can see, both are pretty straight forward. I know that using virtual hosts with HTTPS and a single external IP address limits me to use self signed certificates, and I'm aware of the risks, but at this moment don't care (I just want the usernames and password to be sent encrypted).

On pfSense, I configured it as follows:

enter image description here

The reverse proxy is on. Both trac and svn run on the same local server (192.168.0.26).
The problem is that when the proxy hits the internal server, the local server Apache always tries to serve the trac subdomain, instead of matching by name.

Is this something I can accomplish with the Reverse Proxy module of pfSense? Am I missing something obvious here?

Best Answer

i know this is a late response but better late than never :) you probably sorted yourself out by now but if you didnt... create a secondary IP address on the local server running off the same NIC and run each website on a separate IP.

i didnt think you could ever serve 2 https sites off the same IP address and ports since the headers get lost with encryption and you always end up on the main default site. 2 http sites is fine but 2 https sites needs different ports or different IPs.

Related Solutions

Ssl – When Using Reverse Proxy, Backend Server Does 301 Back to The Proxy Server or Changes URL

I have done that by the following code. You can try it...

    ProxyPreserveHost On
    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
            Deny from all
          Allow from all
    </Proxy>

            ProxyPass /google http://www.google.com/
            ProxyHTMLURLMap http://www.google.com /google

    <Location /google>
            ProxyPassReverse /
            ProxyHTMLInterp On
            ProxyHTMLURLMap  /      /google
            RequestHeader    unset  Accept-Encoding
    </Location>

Zimbra 7.2 reverse proxy to arbitrary internal website

Follow this link: http://www.maxxer.it/2010/linux/set-apache2-to-proxy-zimbra/

I've successfully proxied Zimbra using Apache2 for long time.

These commands work on Debian/Ubuntu servers.

At first, enable apache2′s modules:

a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http

Make sure the use of mod_proxy is allowed, by changing /etc/apache2/mods_available/proxy.conf

Allow from all

In this case I want to proxy SSL, so before starting you will need to move Zimbra HTTPS away from port 443 (I moved to 444). Copy your Zimbra certificate files to a directory accessible by apache. I choose /etc/apache2/ssl.

To allow automatic redirect from / to /zimbra, as in your normal Zimbra install, add the following line to your main stanza:

RedirectMatch ^/$ /zimbra/
Then, edit you apache2 config file and add:

SSLProxyEngine on
SSLCertificateFile /etc/apache2/ssl/host.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key
SSLCACertificateFile /etc/apache2/ssl/ca_bundle.crt
ProxyRequests On
ProxyPreserveHost On
ProxyVia full
<Location "/service">
  ProxyPass https://your_zimbra_ip:444/service
  ProxyPassReverse https://your_zimbra_ip:444/service
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /service /service
</Location>

<Location "/zimbra">
  ProxyPass https://your_zimbra_ip:444/zimbra
  ProxyPassReverse https://your_zimbra_ip:444/zimbra
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /zimbra /zimbra
</Location>

<Location "/home">
  ProxyPass https://your_zimbra_ip:444/home
  ProxyPassReverse https://your_zimbra_ip:444/home
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /home /home
</Location>

# CalDAV
<Location "/principals">
  ProxyPass https://your_zimbra_ip:444/principals
  ProxyPassReverse https://your_zimbra_ip:444/principals
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /principals /principals
</Location>
# DAV
<Location "/dav">
  ProxyPass https://your_zimbra_ip:444/dav
  ProxyPassReverse https://your_zimbra_ip:444/dav
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /dav /dav
</Location>
#Printing and HTML interface
<Location "/h">
  ProxyPass https://your_zimbra_ip:444/h
  ProxyPassReverse https://your_zimbra_ip:444/h
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /h /h
</Location>

# img for mobile interface
<Location "/img">
  ProxyPass https://your_zimbra_ip:444/img
  ProxyPassReverse https://your_zimbra_ip:444/img
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /img /img
</Location>

Restart your apache2, and you should be done! P.S. in case you wish to proxy https:

a2enmod ssl

Add the following to your /etc/apache2/sites-available/default-ssl

SSLProxyEngine on
ProxyRequests On
ProxyPreserveHost On
ProxyVia full

Best Answer

Related Solutions

Ssl – When Using Reverse Proxy, Backend Server Does 301 Back to The Proxy Server or Changes URL

Zimbra 7.2 reverse proxy to arbitrary internal website

Related Topic