In the past, in order to host multiple domain names or subdomains from my homelab, I’ve resorted to running each application on a separate port. This becomes quite cumbersome once you’ve got a small handful of sites that all need external access.
To resolve this, I found multiple sites online suggesting a reverse proxy. So today, we’re going to cover how to implement the Squid reverse proxy on pfSense.
Step 1 – Adding the Squid package
First things first, we’ll need to add the Squid package if you don’t already have it installed.
Step 2 – Enabling Squid
Next we’ll want to make sure the Squid Proxy itself is enabled, otherwise the Reverse Proxy won’t work.
On the General tab, ensure ‘Enable Squid Proxy’ is checked.
Step 3 – Configuring the Reverse Proxy
Third, we’re going to do a quick setup of the reverse proxy.
On the General tab, set the following:
- Squid Reverse Proxy General Settings
  - Reverse Proxy Interface(s) – Select the interfaces you want the proxy to listen on. Typically it’ll just be your WAN interface.
  - External FQDN – The fully qualified domain name which you’ll be proxying for by default.
- Squid Reverse HTTP Settings
  - Enable HTTP Reverse Proxy – checked
  - Reverse HTTP Port – unless you have special needs, leaving this at 80 is fine.
  - Reverse HTTP Default Site – This is the default subdomain you want requests sent to if there’s no match in the mappings (we’ll cover those later).
- Squid Reverse HTTPS Settings
  - Enable HTTPS Reverse Proxy – checked
  - Reverse HTTPS Port – unless you have special needs, leaving this at 443 is fine.
  - Reverse HTTPS Default Site – This is the default subdomain you want requests sent to if there’s no match in the mappings (we’ll cover those later).
  - Reverse SSL Certificate – This is the certificate to present for the domains you’re proxying. In this example it’s using the wildcard cert which we created in this post.
- Click Save
Step 4 – Adding Web Servers
Go to the Web Servers tab and click ‘Add’.
Enter the internal information for the web server you want to direct traffic to.
Do this for each web server and protocol you need. For example, if you have a web server that hosts on both ports 80 and 443, you’ll want to add two web servers.
Step 5 – Adding Web Server Mappings
On the Mappings tab, click ‘Add’.
Fill out the mapping information for the site in question. If you added multiple web servers for the same physical IP/machine, you can select multiple “peers” (that is, web servers) here.
Under the URI setting, add as many patterns as you need for the proxy to use as criteria to map to the set of servers.
For example, if you have HTTP and HTTPS sites running on the same server, you could add both:
After you’ve clicked ‘Save’ you should be off to the races!
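To make the three screens above concrete, here is the kind of squid.conf the Web Servers and Mappings tabs boil down to, written by hand as an added example (it is not the file pfSense generates, and it uses Squid 4 directive names). The WAN address 203.0.113.10, the example.com hostnames, the backend addresses 10.0.0.10–.12 and the certificate paths are all constructed for the example.

```squidconf
# Step 3: listen on the WAN address in accelerator (reverse-proxy) mode.
# One wildcard certificate covers every *.example.com site (constructed paths).
http_port  203.0.113.10:80  accel vhost defaultsite=www.example.com
https_port 203.0.113.10:443 accel vhost defaultsite=www.example.com \
    tls-cert=/usr/local/etc/squid/wildcard.example.com.crt \
    tls-key=/usr/local/etc/squid/wildcard.example.com.key

# Step 4: one cache_peer per backend AND protocol. The git host serves both
# 80 and 443, so it appears twice with distinct peer names.
cache_peer 10.0.0.10 parent 80  0 no-query originserver name=www_http
cache_peer 10.0.0.11 parent 80  0 no-query originserver name=wiki_http
cache_peer 10.0.0.12 parent 80  0 no-query originserver name=git_http
cache_peer 10.0.0.12 parent 443 0 no-query originserver tls \
    tls-cafile=/usr/local/etc/squid/internal-ca.pem name=git_https

# Step 5: URI patterns (regexes over the full requested URL) pick the peer.
# The scheme is part of the URL, so HTTP and HTTPS can be split per backend.
acl www_site       url_regex -i ^https?://www\.example\.com/
acl wiki_site      url_regex -i ^https?://wiki\.example\.com/
acl git_site_http  url_regex -i ^http://git\.example\.com/
acl git_site_https url_regex -i ^https://git\.example\.com/

cache_peer_access www_http   allow www_site
cache_peer_access wiki_http  allow wiki_site
cache_peer_access git_http   allow git_site_http
cache_peer_access git_https  allow git_site_https
# Every peer refuses anything it was not explicitly mapped for.
cache_peer_access www_http   deny all
cache_peer_access wiki_http  deny all
cache_peer_access git_http   deny all
cache_peer_access git_https  deny all

# Only requests for a mapped name are accepted, and Squid is never allowed
# to fetch directly: an unmapped Host header gets an error, not an open proxy.
http_access allow www_site
http_access allow wiki_site
http_access allow git_site_http
http_access allow git_site_https
http_access deny all
never_direct allow all
```

The pair of `deny all` rules at the end is the part worth checking in the generated config: a reverse proxy that forwards unmatched requests upstream, or that can fetch arbitrary URLs itself, is an open proxy sitting on your WAN address.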
Let’s say I currently have 5 web servers inside my LAN and they are currently set as 1:1 mappings from public to private IP.
Now, if I want to switch this setup to a reverse proxy and do something like this:
All 5 different servers, with their own IP, will now be set in public DNS to x.x.x.x
Inside the LAN the IPs for the servers stay the same: 10.1.1.10, .11, .12, .13, .14
Can I use the technique above to map, via domain name, each inbound website request to the appropriate internal server?
Secondly, what is the purpose of the SSL cert in step #3, and how does this relate to the 5 unique domains which were 1:1 mapped and now will be moved to share one IP?
I think if that public DNS is your public IP it should work, if you have — let’s say — a VPS, and that’s where your DNS points, you might need to do something else, like proxying with something like HAProxy to point back into your local network. This is actually how I do it now, since I’ve switched ISPs since I wrote this and my new ISP blocks common ports like 80 and 443.
The SSL cert is for the proxying, since all the requests for all your domains are pointing to the one IP address it still needs to resolve as valid. It’s been a bit, but I don’t think the Squid Reverse proxy can support different certs for different sites. You’d essentially have one cert (the wildcard) for all your sites, and then Squid would figure out what server behind the firewall the request needs to be routed to.
‘Reverse HTTP port’ must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value(1023).
To listen on low ports, change net.inet.ip.portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.
Help me, it’s a new install
Version PFsense: 2.5.1-RELEASE (amd64)
Version Squid: 0.4.45_8
hmm, did you edit that tunable? For me it’s set to `0` and I don’t recall ever customizing that value. As your message states, you can go to System -> Advanced, then go to the System Tunables tab and update the value for `net.inet.ip.portrange.reservedhigh`