On Sat, Apr 18, 2015 at 07:27:28PM -0400, Jim Spaloss wrote:
> Bob,
> 
> Are you running squid? I've seen this happen before when trying to set up a
> transparent proxy.

Nope, no squid.  But thanks for the thought.

> On Apr 18, 2015 6:42 PM, "Bob McClure Jr" <[email protected]> wrote:
> 
> > On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote:
> > > I am a pfsense newbie.  After my homebrew firewall crashed, a
> > > colleague recommended pfsense, so I went for it.  I'm running the
> > > latest update of pfsense.
> > >
> > > I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is
> > > my DMZ for a web, mail, and DNS server.  I have set up the NAT rules
> > > for all the stuff from the WAN to get to OPT1.  I learned much later
> > > than I should have that, by default, LAN can get to anything on WAN
> > > and OPT1, and OPT1 can get to anything on WAN.  That is correct, isn't
> > > it?
> > >
> > > The problem is that when I go from my workstation on the LAN to our
> > > web server on OPT1, I am forced from an HTTP connection to HTTPS.
> > > I've done a bunch of web searching and docs perusing, but I can't
> > > figure out how to fix that.  Everything else seems to be working
> > > fine, including outside connections to the web server.
> > >
> > > Any clues for me?
> > >
> > > Cheers,
> > > --
> > > Bob McClure, Jr.
> >
> > Here is an interesting discovery based on trying to wget a file off my
> > web server (on OPT1) from a machine on the NAT:
> >
> > $ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg
> > --2015-04-18 17:26:11--  http://www.bobcatos.com/uploads/somefile.jpeg
> > Resolving www.bobcatos.com... 208.101.214.202
> > Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
> > HTTP request sent, awaiting response... 301 Moved Permanently
> > Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
> > --2015-04-18 17:26:11--  https://www.bobcatos.com/uploads/somefile.jpeg
> > Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
> > ERROR: cannot verify www.bobcatos.com’s certificate, issued by
> > “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed
> > Certificate/[email protected]
> > /CN=pfSense-5530c2f6c952e”:
> >   Unable to locally verify the issuer’s authority.
> >     ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match
> > requested host name “www.bobcatos.com”.
> > To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’.
> >
> > I see that it's using the outside address instead of the DMZ address,
> > but that used to work on my old firewall.
> >
> > Why does pfsense insist on making this an SSLed connection and with a
> > bogus SSL cert to boot?  www.bobcatos.com has its own legit SSL cert,
> > for pete's sake.
> >
> > Cheers,
> > --
> > Bob McClure, Jr.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
[email protected]             http://www.bobcatos.com
Make every effort to live in peace with all men and to be holy;
without holiness no one will see the Lord.
Hebrews 12:14 NIV
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list