
I'm having an issue with Squid's transparent proxy on my pfSense firewall.

My company hosts an internal git server at the following address (for example purposes) http://git.gitserver.com/. At our domain registrar there is a DNS record pointing it to one of our public IP addresses that is managed by pfSense, which is (for example purposes) 1.2.3.4. Within pfSense I have a 1:1 NAT set up that NATs 1.2.3.4 to an internal address of (for example purposes) 10.10.10.11. Everything is up and running and is accessible from within the network (LAN side) as well as from outside the network (WAN side).

My issue is that when I enable Squid's transparent proxy (for antivirus, website logging, and eventually reverse proxy functionality) and I am inside the network (LAN side), all sites that are hosted internally on our servers are redirected from http to https automatically.

Is there something I'm missing or should be keeping in mind for Squid and how it functions? Is this a default feature of Squid? At this time, I want to keep SSL out of the equation, and will eventually be switching over in due time.

David Makogon
RyeGuy

1 Answer


It's not that Squid is changing it from HTTP to HTTPS, it's that NAT reflection doesn't apply to traffic initiated by the host itself (which is the case for Squid). Traffic from the LAN hosts would hit the reflection. So what you're hitting is actually the web GUI of the firewall, not your internal server. That's where the HTTP to HTTPS redirect comes from.

You'll need split DNS for Squid to be able to reach your internal sites, so git.gitserver.com resolves to 10.10.10.11 internally rather than 1.2.3.4.

Chris Buechler
  • So I went ahead and put in a domain override in pfSense's DNS Resolver for git.gitserver.com to resolve to the internal address of 10.10.10.11, which works if I point my computer to pfSense for DNS. My next problem is that, because I have a Windows domain controller taking care of DHCP and DNS internally, I can no longer access the rest of my network with NetBIOS names. Is there an easy way to tell pfSense to forward any request for my.domain to my internal DNS server? – RyeGuy Jun 30 '16 at 19:57
  • So to clarify: should I instead push out 1.2.3.4 to my DHCP clients to forward all DNS requests to pfSense first, and then have the only DNS server set up in pfSense be 10.10.10.1 (DC/DNS/DHCP server), and from there forward all requests to the internet? – RyeGuy Jun 30 '16 at 20:11
  • You probably want to set up split DNS on your Windows server in that case; that's best in an AD environment. – Chris Buechler Jul 01 '16 at 20:56
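A diagnostic for the NAT-reflection trap described in the answer, added here as an example and not part of the original question or answer: run it on the host where Squid lives (or against a chosen resolver) and it reports whether the name the transparent proxy will connect to resolves to the internal git server or to the firewall's own public address. The hostname and both IPs are the example values from the question; `dig` being installed is an assumption.

```shell
#!/bin/sh
# Example values from the question (placeholders, not real infrastructure).
HOST="git.gitserver.com"     # hostname the LAN clients ask for
PUBLIC_IP="1.2.3.4"          # firewall WAN address in front of the 1:1 NAT
INTERNAL_IP="10.10.10.11"    # real git server behind the 1:1 NAT

# classify_answer RESOLVED_IP PUBLIC_IP INTERNAL_IP
# Prints: ok | reflection-trap | unexpected
classify_answer() {
    resolved="$1"; public="$2"; internal="$3"
    if [ "$resolved" = "$internal" ]; then
        echo "ok"               # split DNS in place: Squid reaches the git server
    elif [ "$resolved" = "$public" ]; then
        echo "reflection-trap"  # locally generated traffic skips NAT reflection,
                                # so Squid would hit the firewall's own web GUI
    else
        echo "unexpected"       # stale cache or a third address: investigate
    fi
}

# resolve_a HOST [RESOLVER]: first IPv4 A record, via dig (assumed installed)
resolve_a() {
    if [ -n "$2" ]; then
        dig +short A "$1" "@$2" | grep -E '^[0-9.]+$' | head -n 1
    else
        dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1
    fi
}

# check_host HOST PUBLIC_IP INTERNAL_IP [RESOLVER]: resolve, classify, report.
# Exit status 0 only when the answer is the internal address.
check_host() {
    ip="$(resolve_a "$1" "$4")"
    if [ -z "$ip" ]; then
        echo "$1 -> no A record from resolver '${4:-system}'"
        return 1
    fi
    verdict="$(classify_answer "$ip" "$2" "$3")"
    echo "$1 -> $ip : $verdict"
    [ "$verdict" = "ok" ]
}

# Live lookup only on request, e.g.: sh check_split_dns.sh --live 10.10.10.1
if [ "${1:-}" = "--live" ]; then
    check_host "$HOST" "$PUBLIC_IP" "$INTERNAL_IP" "${2:-}"
fi
```

Running it with `--live` and no resolver uses the system resolver of the host it runs on, which is the view Squid gets; passing a resolver address lets you compare pfSense's resolver with the Windows DNS server from the comments.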