pf how-to: Single public IP --> many private NAT'd HTTPS servers
Doug Poland
doug at polands.org
Mon Jan 21 08:57:32 PST 2008
OutbackDingo wrote:
>
> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>> Hello,
>>
>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
>> but a working configuration eludes me.
>>
>> Here's my environment:
>>
>> Firewall:
>> FreeBSD 6.2-STABLE pf
>> 1 public (routable) IP address
>>
>> HTTPS:
>> FreeBSD 7.0-PRERELEASE
>> Listening on 3 private (RFC-1918) IPs
>> Apache22 w/SSL and name-based virtual hosts
>>
>>
>> I would like to redirect incoming https traffic to a specific https
>> server. So far, I've experimented with various rdr options in pf.conf.
>> I've even tried to create an address pool, but to no avail.
>>
>> This is a rather high-level explanation and I didn't want to clutter
>> this email with pf/DNS/apache syntax that is not working.
>>
>> I'm open to other solutions if pf is not capable of doing the job. I
>> have an idea of how apache and mod_rewrite "might" get me there but
>> wanted to try pf first.
>>
> web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>
> rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
> round-robin sticky-address
>
Hi, thanks for the quick response. Your suggestion was actually the
first thing I tried :) Unfortunately, each host listens on a specific
IP address for that virtual host. So if:
webmail.example.com = 10.0.0.10
subversion.example.com = 10.0.0.11
timesheets.example.com = 10.0.0.12
and pf sends a request for webmail.example.com to
timesheets.example.com, the request fails.
--
Regards,
Doug
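
The failure described in the reply above, modelled as an added example (not part of the original thread and not pf's own code): a redirect using `round-robin sticky-address` chooses a backend from the source address alone, so the requested virtual host plays no part in the choice. The `RoundRobinSticky` class, the `simulate` helper and the client addresses are assumptions made for this illustration; the hostname-to-address map is the one given in the reply.

```python
# Added illustration: models the backend choice made by a layer-3/4 redirect
# with "round-robin sticky-address". Simplified model, not pf source code.
from itertools import cycle

# Hostname -> listening address, as given in the reply above.
VHOSTS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}


class RoundRobinSticky:
    """Pick a backend per new source address, then keep that mapping."""

    def __init__(self, pool):
        self._next = cycle(pool)
        self._sticky = {}  # source address -> backend address

    def redirect(self, src_ip):
        # Only the source address is consulted. The requested hostname
        # travels in the payload, which this kind of redirect never inspects.
        if src_ip not in self._sticky:
            self._sticky[src_ip] = next(self._next)
        return self._sticky[src_ip]


def simulate(requests, pool):
    """Return (src, host, backend, ok) for each (src, host) request."""
    rdr = RoundRobinSticky(pool)
    results = []
    for src_ip, host in requests:
        backend = rdr.redirect(src_ip)
        results.append((src_ip, host, backend, backend == VHOSTS[host]))
    return results


# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLE = [
    ("198.51.100.7", "webmail.example.com"),
    ("198.51.100.7", "timesheets.example.com"),
    ("203.0.113.9", "webmail.example.com"),
    ("192.0.2.44", "webmail.example.com"),
]

if __name__ == "__main__":
    for src, host, backend, ok in simulate(SAMPLE, list(VHOSTS.values())):
        print(f"{src:>13} {host:<24} -> {backend} {'ok' if ok else 'WRONG HOST'}")
```

Only the first request reaches the matching host; the sticky mapping then sends the same client's timesheets request to the webmail address, and new clients land wherever the rotation happens to be.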