pf how-to: Single public IP --> many private NAT'd HTTPS servers

OutbackDingo outbackdingo at gmail.com
Mon Jan 21 09:51:35 PST 2008


The problem here is pf doesn't do hostname resolution; it's not supported
by the filter, so DNS doesn't help. A reverse proxy would do a name
resolution, though you can use ACLs to direct traffic from a name to an
IP in a proxy also, and this isn't load balancing, this would be name-
based redirection. Oops, a proxy cache and Varnish, a cache accelerator,
would work here, so probably would nginx, which is a proxy in itself.

On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
> OutbackDingo wrote:
> 
> > On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
> >> OutbackDingo wrote:
> >>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
> >>>> Hello,
> >>>>
> >>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, 
> >>>> but a working configuration eludes me.
> >>>>
> >>>> Here's my environment:
> >>>>
> >>>> 	Firewall:
> >>>> 		FreeBSD 6.2-STABLE pf
> >>>> 		1 public (routable) IP address
> >>>> 	
> >>>> 	HTTPS:
> >>>> 		FreeBSD 7.0-PRERELEASE
> >>>> 		Listening on 3 private (RFC-1918) IPs
> >>>> 		Apache22 w/SSL and name-based virtual hosts
> >>>> 		
> >>>>
> >>>> I would like to redirect incoming https traffic to a specific https 
> >>>> server.  So far, I've experimented with various rdr options pf.conf. 
> >>>> I've even tried to create an address pool, but to no avail.
> >>>>
> >>>> This is a rather high-level explanation and I didn't want to clutter 
> >>>> this email with pf/DNS/apache syntax that is not working.
> >>>>
> >>>> I'm open to other solutions if pf is not capable of doing the job.  I 
> >>>> have an idea of how apache and mod_rewrite "might" get me there but 
> >>>> wanted to try pf first.
> >>>>
> >>  > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
> >>  >
> >>  > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
> >>  >             round-robin sticky-address
> >>  >
> >> Hi, thanks for the quick response.  Your suggestion was actually the 
> >> first thing I tried :)  Unfortunately, each host listens on a specific 
> >> IP address for that virtual host.  So if:
> >>
> >>     webmail.example.com    = 10.0.0.10
> >>     subversion.example.com = 10.0.0.11
> >>     timesheets.example.com = 10.0.0.12
> >>
> >> and pf sends a request for webmail.example.com to 
> >> timesheets.example.com, the request fails.
> >>
>  > Ahhh, read the email again; you want specific requests to go to
>  > specific servers based on domain, I take it.
>  >
> correct
> 
>  > You might want to look at Varnish or a reverse cache engine, in order
>  > for pf to accomplish that.
>  >
> or perhaps a reverse proxy engine?
> 
>  > pf would need to be able to do a DNS resolution for the specific host,
>  > i.e. pf sees a request for subversion.example.com and it should send all
>  > requests for that site to 10.0.0.11.
>  >
> I have DNS resolution, the problem ( I think ) is in that pf simply sees 
> the packet destined for my single public IP (because all my public host 
> names must resolve to the same public IP address) and port 443.
> 
> 
>  > A proxy would be better to use for this, such as Varnish, but why three
>  > servers? If you used one Apache with 3 virtual hosts on each box you
>  > get the load balance results.
>  >
> Because when one uses SSL, each virtualhost must be on a distinct IP 
> address.  This was the only way to do things in the apache13 days.  I 
> did read somewhere that apache22 supports multiple SSL sites per IP, but 
> browsers do not yet support this.
> 
> Thanks for your help so far.
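The point the thread keeps circling is that pf only ever sees a TCP SYN to the one public address on port 443; the name the client wants is not in any IP or TCP header. Until the session is decrypted, the only place it can appear is the server_name (SNI) extension of the TLS ClientHello, and a name-based proxy is simply something that reads that field (or the HTTP Host header after terminating TLS) and picks a backend. The following Python is an added example, not code from the thread or from pf, nginx or Varnish: it builds a constructed ClientHello, pulls the SNI host name out of it, and maps it to one of the backend addresses Doug listed. The mapping table, the function names and the cipher suite chosen for the test record are my assumptions. It also shows the failure mode Doug's last message mentions: a client that sends no SNI yields no name at all, so such a proxy has to fall back to a default backend (or to a default certificate) rather than route by name.

```python
import struct

# Constructed name-to-backend table, assumed from the private addresses
# given in the thread (example values, not a real deployment).
BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed test input).
    With server_name=None no SNI extension is sent, modelling a browser
    that does not support SNI."""
    body = b"\x03\x01"                                # client_version
    body += b"\x00" * 32                              # random (zeros; test data only)
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one cipher suite (assumed value)
    body += b"\x01\x00"                               # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None when the record is not a ClientHello, is truncated, or
    carries no SNI (the case a packet filter cannot route on at all)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:
        return None                                   # truncated handshake
    i = 2 + 32                                        # skip client_version + random
    if i >= len(p):
        return None
    i += 1 + p[i]                                     # session_id
    if i + 2 > len(p):
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]       # cipher_suites
    if i + 1 > len(p):
        return None
    i += 1 + p[i]                                     # compression_methods
    if i + 2 > len(p):
        return None                                   # no extensions block
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:                               # walk the extension list
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = p[i:i + elen]
        i += elen
        if etype != EXT_SERVER_NAME or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[0:2])[0], len(edata))
        j = 2
        while j + 3 <= list_end:
            ntype = edata[j]
            nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
            j += 3
            if ntype == 0 and j + nlen <= list_end:
                return edata[j:j + nlen].decode("ascii", "replace").lower()
            j += nlen
    return None


def choose_backend(record, table=BACKENDS, default=None):
    """Pick the backend for a ClientHello by SNI; unknown or absent names
    go to `default`, which is what a name-based proxy must decide for
    clients that send no SNI."""
    name = extract_sni(record)
    if name is None:
        return default
    return table.get(name, default)


if __name__ == "__main__":
    for host in ("webmail.example.com", "subversion.example.com", None):
        print(host, "->", choose_backend(build_client_hello(host), default="10.0.0.10"))
```

The parser deliberately bounds-checks every length field, since anything sitting in front of the backends will be fed hostile ClientHellos; a routing decision must never depend on an out-of-range read. Note that the record is only inspected, never decrypted, which is why this works without the proxy holding any server key, and equally why it cannot help for a client that omits SNI.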
