From: OutbackDingo
To: Doug Poland
Cc: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
Date: Mon, 21 Jan 2008 17:24:36 +0800
Message-Id: <1200907476.33634.20.camel@z60m>
In-Reply-To: <4794D38C.6020007@polands.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The problem here is pf doesn't do hostname resolution; it's not supported by the filter, so DNS doesn't help. A reverse proxy would do name resolution, though you can use ACLs to direct traffic from a name to an IP in a proxy also, and this isn't load balancing, this would be name-based redirection. Oops, a proxy cache and Varnish, a cache accelerator, would work here; so probably would nginx, which is a proxy in itself.

On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
> OutbackDingo wrote:
> >
> > On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
> >> OutbackDingo wrote:
> >>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
> >>>> Hello,
> >>>>
> >>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
> >>>> but a working configuration eludes me.
> >>>>
> >>>> Here's my environment:
> >>>>
> >>>> Firewall:
> >>>> FreeBSD 6.2-STABLE pf
> >>>> 1 public (routable) IP address
> >>>>
> >>>> HTTPS:
> >>>> FreeBSD 7.0-PRERELEASE
> >>>> Listening on 3 private (RFC-1918) IPs
> >>>> Apache22 w/SSL and name-based virtual hosts
> >>>>
> >>>>
> >>>> I would like to redirect incoming https traffic to a specific https
> >>>> server. So far, I've experimented with various rdr options in pf.conf.
> >>>> I've even tried to create an address pool, but to no avail.
> >>>>
> >>>> This is a rather high-level explanation and I didn't want to clutter
> >>>> this email with pf/DNS/apache syntax that is not working.
> >>>>
> >>>> I'm open to other solutions if pf is not capable of doing the job. I
> >>>> have an idea of how apache and mod_rewrite "might" get me there but
> >>>> wanted to try pf first.
> >>>>
> >> > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
> >> >
> >> > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
> >> > round-robin sticky-address
> >> >
> >> Hi, thanks for the quick response. Your suggestion was actually the
> >> first thing I tried :) Unfortunately, each host listens on a specific
> >> IP address for that virtual host. So if:
> >>
> >> webmail.example.com = 10.0.0.10
> >> subversion.example.com = 10.0.0.11
> >> timesheets.example.com = 10.0.0.12
> >>
> >> and pf sends a request for webmail.example.com to
> >> timesheets.example.com, the request fails.
> >>
> > Ahhh, read the email again; you want specific requests to go to
> > specific servers based on domain, I take it.
> >
> Correct.
>
> > You might want to look at Varnish or a reverse cache engine, in order
> > for pf to accomplish that.
>
> > Or perhaps a reverse proxy engine?
>
> > pf would need to be able to do a DNS resolution for the specific host,
> > i.e. pf sees a request for subversion.example.com, it should send all
> > requests for that site to 10.0.0.11.
>
> I have DNS resolution; the problem (I think) is that pf simply sees
> the packet destined for my single public IP (because all my public host
> names must resolve to the same public IP address) and port 443.
>
>
> > A proxy would be better to use for this, such as Varnish, but why three
> > servers? If you used one apache with 3 virtual hosts on each box you
> > get the load balance results.
>
> Because when one uses SSL, each virtualhost must be on a distinct IP
> address. This was the only way to do things in the apache13 days. I
> did read somewhere that apache22 supports multiple SSL sites per IP, but
> browsers do not yet support this.
>
> Thanks for your help so far.
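The point the thread circles around is a layering one: pf's rdr decides on the IP header and TCP port, and for port 443 every request in this setup arrives with the same destination IP and port, so there is nothing for pf to branch on. The hostname is only present inside the TLS ClientHello (the server_name extension, SNI) and, after the handshake, in the encrypted HTTP Host header. A name-based redirector therefore has to read the payload, which is what a reverse proxy in front of the three Apache hosts does. The following is an added example, not code from the thread or from pf, nginx or Varnish: it parses the SNI out of a raw ClientHello record and maps it onto the private backends quoted above, which is the classification step an SNI-aware proxy performs before forwarding the connection. It assumes an SNI-capable client; the hostname-to-IP table, the 8443 listen port and the build_client_hello() test-input generator are constructed for the example.

```python
import struct

# Constructed backend table, mirroring the hostnames and RFC 1918 addresses
# quoted in the thread. With this running on the firewall, the pf side is
# a plain port redirect to the proxy's listener (assumed port 8443), e.g.:
#   rdr on $ext_if proto tcp from any to any port 443 -> 127.0.0.1 port 8443
BACKENDS = {
    "webmail.example.com": ("10.0.0.10", 443),
    "subversion.example.com": ("10.0.0.11", 443),
    "timesheets.example.com": ("10.0.0.12", 443),
}


def extract_sni(record: bytes):
    """Return the server_name carried in a TLS ClientHello record, or None.

    Walks the TLS record header, the handshake header and the ClientHello
    body as laid out in RFC 5246, then the extension list for the
    server_name extension (type 0, RFC 6066). Any truncation, any record
    that is not a handshake/ClientHello, or a missing SNI yields None, so
    the caller falls back rather than guessing a backend."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = client_hello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                      # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # session_id<0..32>
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # compression_methods
    if len(hello) < pos + 2:          # no extensions block at all
        return None
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        # server_name: list_length(2), then name_type(1) name_length(2) name
        if len(ext) < 5 or ext[2] != 0:        # 0 = host_name
            return None
        name_len = struct.unpack("!H", ext[3:5])[0]
        if len(ext) < 5 + name_len:
            return None
        try:
            return ext[5:5 + name_len].decode("ascii")
        except UnicodeDecodeError:             # SNI is ASCII by definition
            return None
    return None


def choose_backend(record: bytes, backends=BACKENDS):
    """Pick the (ip, port) to forward to, or None if SNI is absent/unknown.

    This is the decision pf cannot make: it needs the first payload bytes of
    the connection, not just the IP/TCP headers."""
    host = extract_sni(record)
    if host is None:
        return None
    return backends.get(host.lower())


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one cipher suite and an
    SNI extension; used only to generate test input for the parser above."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)                      # version, random
             + b"\x00"                                    # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
             + b"\x01\x00"                                # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("webmail.example.com", "subversion.example.com", "nosuch.example.com"):
        print(name, "->", choose_backend(build_client_hello(name)))
```

A real deployment would wrap choose_backend() in a TCP listener that reads the first record from the client and splices the connection through to the chosen backend without terminating TLS, so each Apache host keeps its own certificate; haproxy and nginx's stream module do exactly this. Note the lookup is case-insensitive and that a client sending no SNI gets None, which is the situation the thread's "browsers do not yet support this" remark describes: with no name in the ClientHello, neither pf nor a proxy has anything to route on, and a default backend is the only option.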