From: Doug Poland <doug@polands.org>
Date: Mon, 21 Jan 2008 11:17:00 -0600
To: OutbackDingo
Cc: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
Message-ID: <4794D38C.6020007@polands.org>
In-Reply-To: <1200906215.33634.14.camel@z60m>
List-Id: "Technical discussion and general questions about packet filter (pf)"

OutbackDingo wrote:
> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>> OutbackDingo wrote:
>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>>>> Hello,
>>>>
>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
>>>> but a working configuration eludes me.
>>>>
>>>> Here's my environment:
>>>>
>>>> Firewall:
>>>> FreeBSD 6.2-STABLE pf
>>>> 1 public (routable) IP address
>>>>
>>>> HTTPS:
>>>> FreeBSD 7.0-PRERELEASE
>>>> Listening on 3 private (RFC-1918) IPs
>>>> Apache22 w/SSL and name-based virtual hosts
>>>>
>>>> I would like to redirect incoming https traffic to a specific https
>>>> server. So far, I've experimented with various rdr options in pf.conf.
>>>> I've even tried to create an address pool, but to no avail.
>>>>
>>>> This is a rather high-level explanation and I didn't want to clutter
>>>> this email with pf/DNS/apache syntax that is not working.
>>>>
>>>> I'm open to other solutions if pf is not capable of doing the job. I
>>>> have an idea of how apache and mod_rewrite "might" get me there but
>>>> wanted to try pf first.
>>>>
>>> web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>>>
>>> rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>>>     round-robin sticky-address
>>>
>> Hi, thanks for the quick response. Your suggestion was actually the
>> first thing I tried :) Unfortunately, each host listens on a specific
>> IP address for that virtual host. So if:
>>
>> webmail.example.com = 10.0.0.10
>> subversion.example.com = 10.0.0.11
>> timesheets.example.com = 10.0.0.12
>>
>> and pf sends a request for webmail.example.com to
>> timesheets.example.com, the request fails.
>>
> ahhh read the email again, you want specific requests to go to
> specific servers based on domain i take it.
>
correct

> you might want to look at varnish or a reverse cache engine, in order
> for pf to accomplish that
> or perhaps a reverse proxy engine?
> pf would need to be able to do a dns resolution for the specific host
> ie...
> pf sees a request for subversion.example.com it should send all
> requests for that site to 10.0.0.11,

I have DNS resolution, the problem (I think) is that pf simply sees the
packet destined for my single public IP (because all my public host names
must resolve to the same public IP address) and port 443.

> a proxy would be better to use for this such as varnish, but why three
> servers, if you used one apache with 3 virtual hosts on each box you
> get the load balance results

Because when one uses SSL, each virtualhost must be on a distinct IP
address. This was the only way to do things in the apache13 days. I did
read somewhere that apache22 supports multiple SSL sites per IP, but
browsers do not yet support this.

Thanks for your help so far.
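Added illustration (not code from this thread or from pf): the reason the rdr approach cannot work on port 443 is that pf matches on IP header and TCP port fields, while the name the client wants lives inside the TLS ClientHello, in the server_name (SNI) extension that the "multiple SSL sites per IP" browser support mentioned above refers to. A name-based dispatcher therefore has to read the first TLS record before choosing a backend, which is what a TLS-aware reverse proxy in front of the three Apache instances would do. The script below parses SNI out of a ClientHello with every length field bounds-checked, and maps the name onto the thread's own host-to-address list. The ClientHello bytes are constructed by hand (zeroed random, one cipher suite, one extension) so the example runs offline; the backend map and the helper names are this example's own.

```python
"""Extract the SNI hostname from a TLS ClientHello and pick a backend by name.

Added example for the freebsd-pf thread; not part of pf or Apache.
Constructed input only: build_client_hello() forges a minimal TLS 1.2
ClientHello so the parser can be exercised without a network.
"""
import struct

# Hypothetical backend map, copied from the host -> RFC 1918 list in the thread.
BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}

SNI_EXT_TYPE = 0x0000      # server_name extension id
HOST_NAME_TYPE = 0x00      # NameType host_name inside the SNI list


def parse_sni(data: bytes):
    """Return the host_name from the first TLS record if it is a ClientHello
    carrying an SNI extension, else None. Every length is checked against the
    buffer so a truncated or malicious record cannot raise or over-read."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:  # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id<0..32>
    if len(hello) < pos + 2:
        return None
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    if len(hello) < pos + 1:
        return None
    cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if len(hello) < end:
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        ext = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type != SNI_EXT_TYPE or len(ext) < 2 or len(ext) < ext_len:
            continue
        list_len = struct.unpack("!H", ext[:2])[0]
        lst = ext[2:2 + list_len]
        q = 0
        while q + 3 <= len(lst):
            name_type = lst[q]
            name_len = struct.unpack("!H", lst[q + 1:q + 3])[0]
            name = lst[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                try:
                    return name.decode("ascii")    # SNI host names are ASCII
                except UnicodeDecodeError:
                    return None
    return None


def choose_backend(data: bytes):
    """Backend address for this ClientHello, or None when no SNI / unknown name."""
    host = parse_sni(data)
    return None if host is None else BACKENDS.get(host.lower())


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (constructed test input)."""
    body = (b"\x03\x03" + bytes(32)     # version, random (zeroed: constructed)
            + b"\x00"                   # empty session id
            + b"\x00\x02\xc0\x2f"       # one cipher suite
            + b"\x01\x00")              # null compression only
    if with_sni:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!HH", SNI_EXT_TYPE, len(entry) + 2) \
            + struct.pack("!H", len(entry)) + entry
        body += struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("webmail.example.com", "subversion.example.com", "other.example.com"):
        print(host, "->", choose_backend(build_client_hello(host)))
    print("no SNI ->", choose_backend(build_client_hello("x", with_sni=False)))
```

The with_sni=False case is the practical caveat for 2008-era clients: a ClientHello without the extension gives the dispatcher nothing to route on, so a front end must either fall back to a default site or refuse, which is why Doug's per-IP vhosts were the safe design at the time.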