[pfSense Support] stunnel / Haproxy / carp
Hi!

Cookie-based forwarding to the matching backend server using haproxy works fine. SSL sessions should be decrypted by stunnel and then forwarded to haproxy for cookie-based forwarding. But this didn't happen: due to a "not permitted" operation the SSL connection gets closed. The carp interfaces belong to loopback?! Should they not belong to the WAN interface?

stunnel log:

    LOG5[15140:675287104]: stunnel 4.25 on i386-unknown-freebsd7.0 with OpenSSL 0.9.8e 23 Feb 2007
    LOG5[15140:675287104]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    LOG5[15140:675287104]: 5417 clients allowed
    LOG5[9813:675289552]: Shop_01 accepted connection from 80.xxx.xxx.xxx:6526
    LOG3[9813:675289552]: remote connect (93.www.xxx.98:80): Operation not permitted (1)
    LOG5[9813:675289552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

my conf:

pfsense interfaces:

    WAN : 93.www.xxx.97 /zz
    LAN : 192.168.0.222 /24

haproxy conf:

    listen www1 93.www.xxx.98:80
        mode http
        log global
        cookie funnySessionID prefix
        option dontlognull
        option httpclose
        option forwardfor except 93.www.xxx.98
        maxconn 1000
        clitimeout 6000
        contimeout 12000
        srvtimeout 12000
        retries 2
        server ap1 192.168.0.110:80 cookie ap1 check inter 3 weight 1
        server ap2 192.168.0.100:80 cookie ap2 check inter 3 weight 1

    listen www2 93.xxx.xxx.99:80
        mode http
        log global
        cookie funnySessionID prefix
        option dontlognull
        option forwardfor except 93.www.xxx.99
        option httpclose
        maxconn 1000
        clitimeout 6000
        contimeout 12000
        srvtimeout 12000
        retries 2
        server ap1 192.168.0.110:80 cookie ap1 check inter 3 weight 1
        server ap2 192.168.0.100:80 cookie ap2 check inter 3 weight 1

stunnel conf:

    chroot = /var/tmp/stunnel
    setuid = stunnel
    setgid = stunnel
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    output = /usr/local/etc/stunnel/stun.log

    [shop_01]
    key = /usr/local/etc/stunnel/a0x.key
    cert = /usr/local/etc/stunnel/a0x.chain
    accept = 93.www.xxx.98:443
    connect = 93.www.xxx.98:80
    TIMEOUTclose = 0

    [shop_02]
    key = /usr/local/etc/stunnel/6by.key
    cert = /usr/local/etc/stunnel/6by.chain
    accept = 93.www.xxx.99:443
    connect = 93.www.xxx.99:80
    TIMEOUTclose = 0

carp interfaces:

    carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 93.www.xxx.98 /zz
        carp: MASTER vhid 150 advbase 1 advskew 0
    carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 93.www.xxx.99 /zz
        carp: MASTER vhid 151 advbase 1 advskew 0

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
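As an added example (not from the post, and not stunnel's or haproxy's own code), a small Python checker that cross-references each stunnel `connect` target against the addresses haproxy's `listen` sections bind to, and pairs the LOG3 `remote connect` failures with the service that accepted the client by way of the `[pid:tid]` tag stunnel puts on every log line of one connection. The configs, log lines and 203.0.113.0/24 addresses are constructed stand-ins for the masked values above.

```python
import re

# Constructed sample inputs modelled on the post's configs and log (203.0.113.0/24
# documentation addresses stand in for the masked 93.www.xxx.* ones).
STUNNEL_CONF = """\
[shop_01]
accept = 203.0.113.98:443
connect = 203.0.113.98:80
[shop_02]
accept = 203.0.113.99:443
connect = 203.0.113.99:8080
"""
HAPROXY_CONF = "listen www1 203.0.113.98:80\n    mode http\nlisten www2 203.0.113.99:80\n"
STUNNEL_LOG = """\
LOG5[9813:675289552]: shop_01 accepted connection from 198.51.100.7:6526
LOG3[9813:675289552]: remote connect (203.0.113.98:80): Operation not permitted (1)
"""

def parse_stunnel(text):
    """Return {service: {option: value}} for the [section] blocks of a stunnel config."""
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif current and "=" in line:
            key, _, value = line.partition("=")
            services[current][key.strip()] = value.strip()
    return services

def haproxy_binds(text):
    """Collect the addr:port each haproxy 'listen' section binds to."""
    return set(re.findall(r"^listen\s+\S+\s+(\S+:\d+)", text, re.M))

def check_chain(stunnel_text, haproxy_text):
    """List (service, connect target) pairs that have no matching haproxy listener."""
    binds = haproxy_binds(haproxy_text)
    return [(name, opts.get("connect")) for name, opts in parse_stunnel(stunnel_text).items()
            if opts.get("connect") not in binds]

def failed_connects(log_text):
    """Pair LOG3 'remote connect' failures with the accepting service via the [pid:tid] tag."""
    svc_by_tag, failures = {}, []
    for line in log_text.splitlines():
        acc = re.match(r"LOG\d\[([\d:]+)\]: (\S+) accepted connection", line)
        if acc:
            svc_by_tag[acc.group(1)] = acc.group(2)
        err = re.match(r"LOG3\[([\d:]+)\]: remote connect \((\S+)\): (.+) \(\d+\)", line)
        if err:
            failures.append((svc_by_tag.get(err.group(1), "?"), err.group(2), err.group(3)))
    return failures
```

A mismatch reported by `check_chain` means stunnel is forwarding to a socket nobody listens on; a failure reported by `failed_connects` with a matching listener points at something between the two daemons (firewall rules, chroot or privilege limits) rather than at the configs.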
[pfSense Support] upgrade failure from Beta2 to Beta3
I am playing with 2.0 Beta and saw Beta3 was available. I am running the nanobsd version on a Soekris Net4801 on a 2g SanDisk CF card. The original load was by putting the Beta2 image on the CF card with dd.

I downloaded the latest snapshot of Beta3 and tried to upload via a browser the new version for upgrading, but it failed with the following:

    Jun 30 08:52:39 proxy php: : New alert found: Upgrade failed due to the upgrade image being larger than the partition that is configured on disk. Halting. Size on disk: 219 Size of new image: 488

Is removing the CF card and using dd again my only option now?

Lyle
Re: [pfSense Support] upgrade failure from Beta2 to Beta3
On 6/30/2010 10:16 AM, Lyle Giese wrote:
> I am playing with 2.0 Beta and saw Beta3 was available. I am running the nanobsd version on a Soekris Net4801 on a 2g SanDisk CF card. The original load was by putting the Beta2 image on the CF card with dd.
>
> I downloaded the latest snapshot of Beta3 and tried to upload via a browser the new version for upgrading, but it failed with the following:
>
>     Jun 30 08:52:39 proxy php: : New alert found: Upgrade failed due to the upgrade image being larger than the partition that is configured on disk. Halting. Size on disk: 219 Size of new image: 488
>
> Is removing the CF card and using dd again my only option now?

Are you absolutely sure you are using the proper size upgrade image? Often this error is because the wrong size upgrade image is used, or a full image is being uploaded instead of an upgrade image.

Jim
Re: [pfSense Support] upgrade failure from Beta2 to Beta3
Jim Pingle wrote:
> On 6/30/2010 10:16 AM, Lyle Giese wrote:
>> I am playing with 2.0 Beta and saw Beta3 was available. I am running the nanobsd version on a Soekris Net4801 on a 2g SanDisk CF card. The original load was by putting the Beta2 image on the CF card with dd.
>>
>> I downloaded the latest snapshot of Beta3 and tried to upload via a browser the new version for upgrading, but it failed with the following:
>>
>>     Jun 30 08:52:39 proxy php: : New alert found: Upgrade failed due to the upgrade image being larger than the partition that is configured on disk. Halting. Size on disk: 219 Size of new image: 488
>>
>> Is removing the CF card and using dd again my only option now?
>
> Are you absolutely sure you are using the proper size upgrade image? Often this error is because the wrong size upgrade image is used, or a full image is being uploaded instead of an upgrade image.
>
> Jim

Thanks, Jim. But why would I look in the upgrade directory on the download site when I had downloaded the nanobsd version from the nanobsd directory? There are no upgrade images in the nanobsd directory; you have to go into the upgrade directory to find them. Nothing noted that I could find in the download area about using an upgrade image, or on the page that directed me to the download page for the 2.0 beta, or on the user interface in pfSense where you upload the img.gz file to. GRIN!

Lyle
Re: [pfSense Support] upgrade failure from Beta2 to Beta3
On Wed, Jun 30, 2010 at 12:58 PM, Lyle Giese l...@lcrcomputer.net wrote:
> But why would I look in the upgrade directory on the download site when I had downloaded the nanobsd version from the nanobsd directory? There are no upgrade images in the nanobsd directory, you have to go into the upgrade directory to find them.

Your question, although valid, becomes to a degree less relevant when you realise that newer nanobsd images now have a functioning auto-upgrade feature, so you can upgrade from the web UI without having to know which is the correct directory or image on the snapshot server.

db
[pfSense Support] blocking https:facebook.com via squidguard pfsense gui
I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.

Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 6/30/2010 4:00 PM, Luke Jaeger wrote:
> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>
> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?

You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.

Jim
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
Thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong? Otherwise I might give WPAD a try.

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Jun 30, 2010, at 4:06 PM, Jim Pingle wrote:
> On 6/30/2010 4:00 PM, Luke Jaeger wrote:
>> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>>
>> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>
> You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.
>
> Jim
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
If you don't want any www.facebook.com connections at all you can use the DNS Forwarder to change its IP to something else...

On 30 June 2010 17:29, Luke Jaeger ad...@pvpa.org wrote:
> Thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong? Otherwise I might give WPAD a try.
>
> Luke Jaeger | Technology Coordinator
> Pioneer Valley Performing Arts Charter Public School
> www.pvpa.org
>
> On Jun 30, 2010, at 4:06 PM, Jim Pingle wrote:
>> On 6/30/2010 4:00 PM, Luke Jaeger wrote:
>>> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>>>
>>> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>>
>> You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.
>>
>> Jim

--
Those of you who think you know it all upset us who do!
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
2010/6/30 Luke Jaeger ad...@pvpa.org
> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>
> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>
> Luke Jaeger | Technology Coordinator
> Pioneer Valley Performing Arts Charter Public School
> www.pvpa.org

Try this: to block this you have to add a rule like:

    Destination:
        Type: Network
        Address: 66.220.144.0/20

See:
- http://wiki.developers.facebook.com/index.php/Facebook_IP_Addresses
- whois 69.63.189.16

--
Luis G. Coralle
Departamento de Informática
Facultad de Ciencias Médicas
Universidad Nacional del Comahue
Av. Luis Toschi y Los Arrayanes
Cipolletti - Río Negro
Tel. 0299 - 4782603 INT. 24 / Fax 0299 - 4776140
http://medicina.uncoma.edu.ar/
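As an added example, not from any message in this thread: a small Python audit that applies the two controls proposed above (Jim's "deny direct outbound 443 from LAN clients that do not go through the proxy" and Luis's "deny the 66.220.144.0/20 network as a destination") to constructed flow records, so you can see which existing flows the rules would stop. The LAN range, proxy address, proxy port and the sample flows are assumed values.

```python
import ipaddress

# Assumed network layout: a /24 LAN, the pfSense box as the squid proxy on port 3128,
# and the Facebook range quoted in the thread as the only blocked destination network.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_address("192.168.1.1")
PROXY_PORT = 3128
BLOCKED = [ipaddress.ip_network("66.220.144.0/20")]

# Constructed flow records (src, dst, dport) such as you would pull from the state table.
FLOWS = [
    ("192.168.1.42", "66.220.144.10", 443),   # laptop straight to the blocked network
    ("192.168.1.42", "198.51.100.9", 443),    # laptop straight to some other HTTPS site
    ("192.168.1.1", "198.51.100.9", 443),     # the proxy host itself fetching on behalf of a client
    ("192.168.1.42", "192.168.1.1", 3128),    # laptop talking to the proxy, as intended
    ("192.168.1.42", "198.51.100.9", 80),     # plain HTTP, which the transparent proxy already catches
]

def classify(src, dst, dport):
    """Return the reason the policy denies this flow, or None if it is allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in LAN or s == PROXY:
        return None                          # only LAN clients are subject to the policy
    if any(d in net for net in BLOCKED):
        return "destination in blocked network"
    if dport == 443 and not (d == PROXY and dport == PROXY_PORT):
        return "direct outbound 443 bypasses the proxy"
    return None

def audit(flows):
    """Return the denied flows together with the rule that denies each one."""
    denied = []
    for src, dst, dport in flows:
        why = classify(src, dst, dport)
        if why:
            denied.append((src, dst, dport, why))
    return denied
```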