Bob,

Are you running squid? I've seen this happen before when trying to set up a transparent proxy.

On Apr 18, 2015 6:42 PM, "Bob McClure Jr" <[email protected]> wrote:
> On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote:
> > I am a pfsense newbie. After my homebrew firewall crashed, a
> > colleague recommended pfsense, so I went for it. I'm running the
> > latest update of pfsense.
> >
> > I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is
> > my DMZ for a web, mail, and DNS server. I have set up the NAT rules
> > for all the stuff from the WAN to get to OPT1. I learned much later
> > than I should have that, by default, LAN can get to anything on WAN
> > and OPT1, and OPT1 can get to anything on WAN. That is correct, isn't
> > it?
> >
> > The problem is that when I go from my workstation on the LAN to our
> > web server on OPT1, I am forced from an HTTP connection to HTTPS.
> > I've done a bunch of web searching and docs perusing, but I can't
> > figure out how to fix that. Everything else seems to be working
> > fine, including outside connections to the web server.
> >
> > Any clues for me?
> >
> > Cheers,
> > --
> > Bob McClure, Jr.
>
> Here is an interesting discovery based on trying to wget a file off my
> web server (on OPT1) from a machine on the NAT:
>
> $ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg
> --2015-04-18 17:26:11-- http://www.bobcatos.com/uploads/somefile.jpeg
> Resolving www.bobcatos.com... 208.101.214.202
> Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
> --2015-04-18 17:26:11-- https://www.bobcatos.com/uploads/somefile.jpeg
> Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
> ERROR: cannot verify www.bobcatos.com’s certificate, issued by
> “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed
> Certificate/[email protected]
> /CN=pfSense-5530c2f6c952e”:
> Unable to locally verify the issuer’s authority.
> ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match
> requested host name “www.bobcatos.com”.
> To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’.
>
> I see that it's using the outside address instead of the DMZ address,
> but that used to work on my old firewall.
>
> Why does pfsense insist on making this an SSLed connection and with a
> bogus SSL cert to boot? www.bobcatos.com has its own legit SSL cert,
> for pete's sake.
>
> Cheers,
> --
> Bob McClure, Jr. Bobcat Open Systems, Inc.
> [email protected] http://www.bobcatos.com
> Make every effort to live in peace with all men and to be holy;
> without holiness no one will see the Lord.
> Hebrews 12:14 NIV
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
