On Jul 13, 2007, at 5:23 PM, David L. Strout wrote:


 WAN=STATIC ADDRESS
 LAN-NET1=192.168.1.0/24 - trusted network users
 OPT2-NET2=192.168.100.0/25 - untrusted contractors
 OPT3-NET3=192.168.100.128/25 - untrusted vendors

 OPT3=10.0.0.0/30 - IPcop LAN
 OPT4=10.0.0.4/30 - IPcop WAN

Here's what I am attempting .... I want to have the NET1 hosts (DHCP) go directly to the internet for HTTP(S) [80 & 443] requests, and have NET2&3 redirected to the IPcop proxy server for all of their requests. There is a huge amount of abuse going on, and this is the only real method by which I can assure the client that all connections (from NET2&3) are proxied. I do not want to run squid on the pfSense box, as I feel this is not the place for a proxy, and IPcop will give me the granularity I need with these clients.

Here's my thinking .... I can NAT all requests from NET2&3 destined for ports 80 & 443 and send them out the OPT3 interface.

Is my thinking flawed, and is there a better way to do this with redirects?

PS ... sorry the below diagram doesn't come out in this mail, but if you cut it out and paste it into notepad w/ courier text it should format correctly.

 NET2____(OPT1)____
                   \
 NET3____(OPT2)____ \
                   \ \
 NET1----(LAN)----pfSense----(WAN)INET
                   / /
     _(L)(OPT3)___/ /
    /              /
 IPCOP            /
    \_(W)(OPT4)__/

You'll likely run into difficulties proxying the HTTPS traffic. It wouldn't be very "secure" if the data was able to be proxied and cached somewhere.

I have a separate Squid proxy set up as a "load balancer" pool/gateway:

  Name   Type                Servers/Gateways   Port   Monitor      Description
  squid  gateway (failover)  <squid ip>                <squid ip>   Squid Transparent Proxy


Then, I can use a rule to force the port 80 traffic to go out the Squid "gateway":

  Proto  Source   Port  Destination  Port       Gateway  Schedule  Description
  TCP    ! squid  *     *            80 (HTTP)  squid              LAN --> Squid Proxy


Running a separate Squid box, you can implement whatever access controls you want - MAC address, site filtering, authentication, etc.
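As an added example (not code from either poster, nor from the pfSense or IPcop projects), the fragment below renders both ideas in this thread in the pf.conf syntax that pfSense 1.2 generates from its GUI: the reply's "Gateway" rule becomes a route-to rule, and the original poster's NAT idea becomes an rdr rule. It assumes the interface names em0 to em5, Squid listening on 3128, IPcop's GREEN leg at 10.0.0.2 and RED leg at 10.0.0.6 (pfSense holding 10.0.0.1 and 10.0.0.5), and Squid running in transparent mode on IPcop; none of those appear in the original mail.

```pf
# Added example, not from the original thread.  Interface names, the 10.0.0.x
# host addresses and the Squid port 3128 are assumptions.
ext_if  = "em0"   # WAN, static address
lan_if  = "em1"   # NET1, trusted users
opt1_if = "em2"   # NET2, contractors
opt2_if = "em3"   # NET3, vendors
opt3_if = "em4"   # link to IPcop GREEN (LAN side of the proxy)
opt4_if = "em5"   # link to IPcop RED (WAN side of the proxy)

net1 = "192.168.1.0/24"
net2 = "192.168.100.0/25"
net3 = "192.168.100.128/25"
cop_lan     = "10.0.0.2"      # assumed: IPcop GREEN, pfSense OPT3 is 10.0.0.1
cop_wan_net = "10.0.0.4/30"   # IPcop RED is assumed to be 10.0.0.6

table <untrusted> { $net2, $net3 }

# Outbound NAT only for what may reach the internet directly: the trusted LAN
# and IPcop's RED leg (the proxy's own upstream connections).  The untrusted
# subnets are deliberately left out, so nothing from them is NATed straight out.
nat on $ext_if from { $net1, $cop_wan_net } to any -> ($ext_if)

# --- Reply's approach: policy routing (the "Gateway" field of a GUI rule). ---
# Port-80 SYNs from the untrusted subnets are handed to IPcop's GREEN address
# instead of following the default route.  The destination is not rewritten,
# so IPcop itself must intercept port 80 (Squid in transparent mode, assumed).
pass in quick on { $opt1_if, $opt2_if } route-to ($opt3_if $cop_lan) \
    proto tcp from <untrusted> to any port 80 flags S/SA keep state

# --- Original poster's approach: NAT (rdr) instead of route-to. ---
# Same effect for HTTP, but the destination is rewritten to Squid's listening
# port, so Squid must still run transparently.  Use one approach, not both.
# rdr on { $opt1_if, $opt2_if } proto tcp from <untrusted> to any port 80 \
#     -> $cop_lan port 3128
# pass in quick on { $opt1_if, $opt2_if } proto tcp from <untrusted> \
#     to $cop_lan port 3128 flags S/SA keep state

# Trusted users go straight out for HTTP and HTTPS.
pass in quick on $lan_if proto tcp from $net1 to any port { 80, 443 } \
    flags S/SA keep state

# IPcop's RED interface reaches the internet through pfSense.
pass in quick on $opt4_if from $cop_wan_net to any keep state

# Everything else from the untrusted subnets is dropped, so a client that
# avoids port 80 (direct HTTPS, odd ports, raw IP) cannot get around the
# proxy.  Anything else they legitimately need (DNS and so on) needs an
# explicit pass rule above this line.
block in log quick on { $opt1_if, $opt2_if } all
```

Check the syntax with `pfctl -nf` on the file before loading it, and watch `pfctl -ss` while a NET2 host fetches a page: the state for the client connection should show up with the route-to rule, and a second state from IPcop's RED address to the web server should appear on $opt4_if. Port 443 is intentionally not routed to the proxy for NET2/NET3: a transparent interceptor cannot read HTTPS without the clients trusting it as a CA, which is the difficulty the reply alludes to, so the block rule above means the untrusted subnets either use an explicitly configured proxy (CONNECT) for HTTPS or get no HTTPS at all.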
