Reverse Proxy multi-subnets

pfsensereverse-proxysubnet

I'm having some problems that I think I should not be ordinarily facing. But after being beating senseless by this, I'm calling out uncle.

I have previously posted something along these lines here: (Clickety)

Now, I'm looking for any answer to my problem

We have a network as follows:

               __________ DMZ (10.0.0.0/24)  
              |  
WAN -----  PFsense ---------- LAN (192.168.1.0/22)  
              |  
              |_________ Wireless (172.169.50/24)

WAN has one IP and since we're a Red Cross society, we have no money because in fact we are a charity case we cannot afford to get more IPs (they cost a pretty penny here in Jordan)

So access to all services on the inside of the firewall is a must.

Here's the funny part. I'm a developer that had to assume the mantle of admin.

I've tried the previous acls in the link above and even with more acls, all I can ever get is a route to the webserver on the DMZ; even though I'm trying to access the DVR which is on the LAN subnet and the DNS resolves it correctly.

Of course, it gets more complicated as there are other services that need the involvement of ssl (specifically, exchange\owa).

So, I've come to you my friends, shuffling on my knees, face battered and soul withering, reaching out with my hands, asking for an answer that I hope will not destroy the network(s) or my soul.

Basically, I'm trying to get reverse proxy to work on my network, preferably with minimal change, so that we can use our services from web-side the firewall. If it can be done with squid (the one on PFsense) then fantastic.

Many thanks for any and all answers.

Best Answer

Put anything that needs public access on the "DMZ" segment. That is standard security.
In PFsense, use the "Firewall: NAT: Port Forward" to assign public WAN-IP:port to the resource on the DMZ

There are 65534 ports to choose from although some are more standard that others e.g. port 80 for HTTP.

Related Solutions

Nginx – How to Set Up as a Caching Reverse Proxy

I don't think that there is a way to explicitly invalidate cached items, but here is an example of how to do the rest. Update: As mentioned by Piotr in another answer, there is a cache purge module that you can use. You can also force a refresh of a cached item using nginx's proxy_cache_bypass - see Cherian's answer for more information.

In this configuration, items that aren't cached will be retrieved from example.net and stored. The cached versions will be served up to future clients until they are no longer valid (60 minutes).

Your Cache-Control and Expires HTTP headers will be honored, so if you want to explicitly set an expiration date, you can do that by setting the correct headers in whatever you are proxying to.

There are lots of parameters that you can tune - see the nginx Proxy module documentation for more information about all of this including details on the meaning of the different settings/parameters: http://nginx.org/r/proxy_cache_path

http {
  proxy_cache_path  /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
  proxy_temp_path /var/www/cache/tmp; 


  server {
    location / {
      proxy_pass http://example.net;
      proxy_cache my-cache;
      proxy_cache_valid  200 302  60m;
      proxy_cache_valid  404      1m;
    }
  }
}

The difference between Load Balancer and Reverse Proxy

Your confusion is reasonable - they are often the same thing. But not always. When you refer to a load balancer you are referring to a very specific thing - a server or device that balances inbound requests across two or more web servers to spread the load. A reverse proxy, however, typically has any number of features:

load balancing: as discussed above
caching: it can cache content from the web server(s) behind it and thereby reduce the load on the web server(s) and return some static content back to the requester without having to get the data from the web server(s)
security: it can protect the web server(s) by preventing direct access from the internet; it might do this through simple means by just obfuscating the web server(s) or it may have some more active components that actually review inbound requests looking for malicious code
SSL acceleration: when SSL is used; it may serve as a termination point for those SSL sessions so that the workload of dealing with the encryption is offloaded from the web server(s)

I think this covers most of it but there are probably a few other features I've missed. Certainly it isn't uncommon to see a device or piece of software marketed as a load balancer/reverse proxy because the features are so commonly bundled together.

Related Topic