Hi,
I'm building an OpenBSD bridge as a transparent firewall for my servers. It
seems to be working fine. Now I need to attach a reverse proxy to ease the
load on those webservers it is protecting. I like the idea of keeping the fw
as a bridge, because in case of hw failure it is fast and simple to bypass.
In short:
- scenario: internet <-> fw <-> dmz (public addresses)
- fw as transparent bridge
- need to attach a reverse proxy, to cache _incoming_ http data (protecting
servers from load)
I've read in the archives that I can't use squid on my fw box since it has
no ip addresses and squid requires a tcp connection from itself to the
webservers. I've since set up an external squid box for this. Now my problem
is that I can get http redirected through my squid box and everything is
working fine for the web surfer, but my squid is not caching. So close, but
still so far...
This might be a squid problem so bear with me; I've spent hours and
hours on googling, faqs, manuals and trying to find the right setup both for
pf and squid but nothing seems to work. I seriously suspect that my squid
conf is ok so I'm asking here.
My squid box is on the same network (behind my fw) as my webservers, so right
now I'm guessing could it be because:
http request: client->fw->proxy->webserver
http reply: webserver->fw->client
So the incoming data gets redirected through squid, but the webserver's
answer goes directly to the client, so squid never actually gets the files to
cache?
If this is the case, what would be the solution? How could I ensure that
the webservers' outgoing traffic would go through the squid box as well?
Again, I'd like to keep my webservers' ip addresses public so that in case
of fw failure, everything works fine just by bypassing the fw. For the squid
box I could do whatever is needed to get this working.
The relevant pf.conf rules:
-------------------------------------
scrub in on $ext_if all
scrub out on $ext_if all random-id
pass quick on $int_if all
block log on $ext_if all
pass out quick on $ext_if proto icmp from any to any keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto tcp from any to any modulate state
# Redirect incoming http to reverse proxy:
rdr on $ext_if proto tcp from any to $webserver port 80 -> $cache port 8080
# Webserver:
pass in quick on $ext_if proto tcp from any to $webserver port 80 \
flags S/SA modulate state
# Cache:
pass in quick on $ext_if proto tcp from any to $cache port 8080 \
flags S/SA modulate state
-------------------------------------
I'm planning to set up multiple webservers behind my fw (and proxy), but so
far I'm testing with only one.
I'm more than willing to send tcpdumps etc. if this can be solved with pf.
Here is all I get in my squid logs:
... <web client address> TCP_MISS/200 ... DIRECT/<webservers public
address> image/gif
... <web client address> TCP_MISS/304 ... DIRECT/<webservers public
address> image/gif
Nothing else, ever. I've ensured that the pages I'm requesting are
cacheable; tested only with static pictures etc.
Best regards,
++Toni
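The log lines quoted above are in Squid's native access.log format, where the fourth field (TCP_MISS/200, TCP_HIT/200, ...) records whether the object came from the cache and the ninth (DIRECT/<host>, NONE/-) records where Squid fetched it. A quick way to confirm "my squid is not caching" from the logs, rather than from a handful of eyeballed lines, is to tally those fields over the whole file. The following script is an added example, not code from the original post or from the Squid project; the log lines embedded in it are constructed samples with documentation addresses, and the field positions assumed are those of Squid's default native log format.

```python
"""Tally Squid access.log result codes to check whether a reverse proxy is caching."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format (not from the post).
# Fields: time elapsed client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1234567890.123 45 198.51.100.7 TCP_MISS/200 2048 GET http://www.example.com/logo.gif - DIRECT/203.0.113.10 image/gif
1234567891.456 12 198.51.100.7 TCP_MISS/304 312 GET http://www.example.com/logo.gif - DIRECT/203.0.113.10 image/gif
1234567892.789 3 198.51.100.8 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1234567893.000 2 198.51.100.9 TCP_IMS_HIT/304 312 GET http://www.example.com/logo.gif - NONE/- image/gif
"""


@dataclass
class Entry:
    client: str
    result: str      # e.g. TCP_MISS, TCP_HIT, TCP_IMS_HIT
    status: int      # HTTP status code sent to the client
    method: str
    url: str
    hierarchy: str   # e.g. DIRECT (fetched from origin) or NONE (served locally)
    peer: str        # origin host, or "-" when no fetch was needed


def parse_line(line: str) -> Entry:
    """Parse one native-format access.log line; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 fields, got {len(fields)}: {line!r}")
    result, status = fields[3].split("/", 1)
    hierarchy, peer = fields[8].split("/", 1)
    return Entry(
        client=fields[2],
        result=result,
        status=int(status),
        method=fields[5],
        url=fields[6],
        hierarchy=hierarchy,
        peer=peer,
    )


def parse_log(text: str) -> list:
    """Parse every non-empty line of an access.log, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError:
            continue  # tolerate stray or truncated lines rather than abort the tally
    return entries


def summarize(entries: list) -> dict:
    """Return per-result-code counts, the cache hit ratio, and how many requests went DIRECT."""
    counts = Counter(e.result for e in entries)
    # Squid hit codes all contain "HIT" (TCP_HIT, TCP_IMS_HIT, TCP_REFRESH_HIT, ...);
    # TCP_MISS does not, so a substring check is a safe classifier here.
    hits = sum(c for code, c in counts.items() if "HIT" in code)
    direct = sum(1 for e in entries if e.hierarchy == "DIRECT")
    ratio = hits / len(entries) if entries else 0.0
    return {"counts": dict(counts), "hits": hits, "direct": direct, "hit_ratio": ratio}


def diagnose(entries: list) -> str:
    """One-line verdict: is anything being served from cache at all?"""
    if not entries:
        return "no log entries"
    s = summarize(entries)
    if s["hits"] == 0:
        return (f"no cache hits: all {len(entries)} requests were fetched from the origin "
                f"({s['direct']} DIRECT); caching is not working")
    return f"cache hit ratio {s['hit_ratio']:.0%} over {len(entries)} requests"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_log(text)
    print(summarize(parsed)["counts"])
    print(diagnose(parsed))
```

Run it against a real file with `python3 squidtally.py /var/log/squid/access.log`; with no argument it uses the embedded samples. A log that shows only TCP_MISS with DIRECT peers for repeated requests of the same static object, as in the post, will produce the "no cache hits" verdict, which separates "the redirect works but nothing is cached" from "requests are not reaching Squid at all" (an empty log).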