Date:      Mon, 21 Jan 2008 11:17:00 -0600
From:      Doug Poland <doug@polands.org>
To:        OutbackDingo <outbackdingo@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
Message-ID:  <4794D38C.6020007@polands.org>
In-Reply-To: <1200906215.33634.14.camel@z60m>
References:  <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m>

OutbackDingo wrote:

> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>> OutbackDingo wrote:
>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>>>> Hello,
>>>>
>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, 
>>>> but a working configuration eludes me.
>>>>
>>>> Here's my environment:
>>>>
>>>> 	Firewall:
>>>> 		FreeBSD 6.2-STABLE pf
>>>> 		1 public (routable) IP address
>>>> 	
>>>> 	HTTPS:
>>>> 		FreeBSD 7.0-PRERELEASE
>>>> 		Listening on 3 private (RFC-1918) IPs
>>>> 		Apache22 w/SSL and name-based virtual hosts
>>>> 		
>>>>
>>>> I would like to redirect incoming https traffic to a specific https 
>>>> server.  So far, I've experimented with various rdr options pf.conf. 
>>>> I've even tried to create an address pool, but to no avail.
>>>>
>>>> This is a rather high-level explanation and I didn't want to clutter 
>>>> this email with pf/DNS/apache syntax that is not working.
>>>>
>>>> I'm open to other solutions if pf is not capable of doing the job.  I 
>>>> have an idea of how apache and mod_rewrite "might" get me there but 
>>>> wanted to try pf first.
>>>>
>>  > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>>  >
>>  > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>>  >             round-robin sticky-address
>>  >
>> Hi, thanks for the quick response.  Your suggestion was actually the 
>> first thing I tried :)  Unfortunately, each host listens on a specific 
>> IP address for that virtual host.  So if:
>>
>>     webmail.example.com    = 10.0.0.10
>>     subversion.example.com = 10.0.0.11
>>     timesheets.example.com = 10.0.0.12
>>
>> and pf sends a request for webmail.example.com to 
>> timesheets.example.com, the request fails.
>>
 > ahhh, read the email again, you want specific requests to go to
 > specific servers based on domain, I take it.
 >
Correct.

 > you might want to look at varnish or a reverse cache engine, in order
 > for pf to accomplish that
 >
or perhaps a reverse proxy engine?

 > pf would need to be able to do a dns resolution for the specific host
 > ie... pf sees a request for subversion.example.com, it should send all
 > requests for that site to 10.0.0.11,
 >
I have DNS resolution; the problem (I think) is that pf simply sees 
the packet destined for my single public IP (because all my public host 
names must resolve to the same public IP address) and port 443.


 > a proxy would be better to use for this such as varnish, but why three
 > servers, if you used one apache with 3 virtual hosts on each box you
 > get the load balance results
 >
Because when one uses SSL, each virtualhost must be on a distinct IP 
address.  This was the only way to do things in the apache13 days.  I 
did read somewhere that apache22 supports multiple SSL sites per IP, but 
browsers do not yet support this.

Thanks for your help so far.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4794D38C.6020007>