Solved Cannot access https

Hi,

I just finished installing a new webserver on FreeBSD 11 using sysutils/cbsd.
I have 1 public IP so in order to serve all my jails, I use pf and a reverse web proxy server.

I have 3 jails:
- dbjail (database/mariadb101-server)
- reverse proxy jail (www/hiawatha)
- webjail (www/hiawatha)

The webjail can connect to the Mysql jail - No problem
The reverse proxy is redirecting all http (port 80) correctly to the webjail, but https doesn't hit the webjail for some reason.

When I run telnet 208.95.xx.xx 443 from my home computer, I get the following response, which suggests that port 443 is open:
Code:
Trying 208.95.xx.xx...
Connected to 208-95-xx-xx.datacenter.net.
Escape character is '^]'.
^]
telnet>
If I run telnet 10.4.20.12 443 from the FreeBSD host, I get:
Code:
Trying 10.4.20.12...
Connected to 10.4.20.12.
Escape character is '^]'.
Connection closed by foreign host.

Could someone please help me see if my /etc/pf.conf rules are correct?
Code:
### Interfaces ###
ExtIf   = "xn0"
JailIf  = "lo0"

### Hosts ###
WebProxy    =   "10.4.20.11"

### Services ###
webservices = "{80, 443, 8080, 8443}"
netbios_tcp = "{135, 139, 445}"
netbios_udp = "{135, 139, 445}"
IPv4_icmp_types="echoreq"

### Tables ###
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
                    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ExtIf all fragment reassemble

#nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)
nat on $ExtIf from 10.4.20.0/24 to any -> ($ExtIf)

# Hiawatha
# --- redirect http traffic to the internal web proxy server ---
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ExtIf port http  -> $WebProxy port  http
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ExtIf port https -> $WebProxy port  https
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ExtIf port 8443  -> $WebProxy port  8443
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ExtIf port 8080  -> $WebProxy port  8080

### set a default deny everything policy.
block log all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo

antispoof for $ExtIf inet

### get rid quick of Internet noise like microsoft netbios service.
### This accounts to 80% of dropped traffic. We don't need to log this also
block in quick on $ExtIf proto tcp from any to any port $netbios_tcp
block in quick on $ExtIf proto udp from any to any port $netbios_udp

### Quick blocks
block drop in log quick on $ExtIf from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKNETS> to any

### $ExtIf inbound

# --- pass icmp echo
pass in log on $ExtIf inet proto icmp all icmp-type $IPv4_icmp_types

# --- pass incoming http/https traffic --
pass in log on $ExtIf inet proto tcp  from !($ExtIf)    to $WebProxy port $webservices

# --- pass incoming ssh traffic --
pass in quick log on $ExtIf proto tcp from <TRUSTED>  to $ExtIf port 222

### $ExtIf outbound
pass out log on $ExtIf inet proto { tcp, udp, icmp } from any to any modulate state

Is there any other security feature in FreeBSD 11 that I missed that could create such a problem?

Thank you all in advance
 
I'm guessing only the Hiawatha on the host is actually running and the jail's Hiawatha isn't.

Also note that you're trying to connect to 10.4.20.12 while your pf.conf indicates the proxy is running on 10.4.20.11.
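A way to check both points from the reply on the host, as an added example that is not part of the thread: it cross-checks where pf's rdr sends port 443 against which socket actually listens there. The pfctl and sockstat output below is constructed sample data in the format those commands print (the hostnames, PIDs and the 10.4.20.11 target are taken from the thread, the rest is assumed); on the real host set RDR_INPUT="$(pfctl -sn)" and SOCK_INPUT="$(sockstat -4 -l)" instead.

```shell
#!/bin/sh
# Diagnostic added for this thread, not from the original post.
# Constructed sample data standing in for `pfctl -sn` and `sockstat -4 -l`.
RDR_INPUT='rdr on xn0 inet proto tcp from ! (xn0) to (xn0) port = http -> 10.4.20.11 port 80
rdr on xn0 inet proto tcp from ! (xn0) to (xn0) port = https -> 10.4.20.11 port 443'
SOCK_INPUT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     hiawatha   1234  4  tcp4   *:443                 *:*
www      hiawatha   2345  4  tcp4   10.4.20.11:80         *:*'

# rdr_target PORT: print the "ADDR:PORT" that pf redirects external PORT to (empty if no rule).
rdr_target() {
  printf '%s\n' "$RDR_INPUT" | awk -v p="$1" '
    $1 == "rdr" { for (i = 1; i <= NF; i++) if ($i == "->") { a = $(i+1); tp = $(i+3) }
                  if (tp == p) { print a ":" tp; exit } }'
}

# listeners PORT: print COMMAND and LOCAL ADDRESS of every TCP socket listening on PORT.
listeners() {
  printf '%s\n' "$SOCK_INPUT" | awk -v p="$1" '
    NR > 1 && $5 ~ /^tcp/ { n = split($6, f, ":"); if (f[n] == p) print $2, $6 }'
}

# check_port PORT: returns 0 when a socket is bound exactly on the rdr target address,
# 2 when only other binds exist (a wildcard *:PORT means a host process, not the jail,
# owns the port), 1 when there is no rdr rule or nothing listens on that port at all.
check_port() {
  target=$(rdr_target "$1")
  [ -n "$target" ] || { echo "no rdr rule for port $1"; return 1; }
  l=$(listeners "$1")
  [ -n "$l" ] || { echo "rdr -> $target but nothing listens on :$1"; return 1; }
  if printf '%s\n' "$l" | grep -q " $target\$"; then
    echo "ok: $target is bound by: $(printf '%s\n' "$l" | grep " $target\$")"
    return 0
  fi
  echo "rdr -> $target but only these listen on :$1 (wildcard bind = host process):"
  printf '%s\n' "$l"
  return 2
}

for p in 443 80; do
  check_port "$p" || echo "port $p: mismatch (status $?)"
done
```

With the sample data port 80 reports ok while port 443 reports a mismatch, which is the situation the reply describes: the host's Hiawatha holds *:443 and nothing is bound on the jail address pf redirects to.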
 