pf how-to: Single public IP --> many private NAT'd HTTPS servers

Doug Poland doug at polands.org
Mon Jan 21 09:16:23 PST 2008


OutbackDingo wrote:

> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>> OutbackDingo wrote:
>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>>>> Hello,
>>>>
>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, 
>>>> but a working configuration eludes me.
>>>>
>>>> Here's my environment:
>>>>
>>>> 	Firewall:
>>>> 		FreeBSD 6.2-STABLE pf
>>>> 		1 public (routable) IP address
>>>> 	
>>>> 	HTTPS:
>>>> 		FreeBSD 7.0-PRERELEASE
>>>> 		Listening on 3 private (RFC-1918) IPs
>>>> 		Apache22 w/SSL and name-based virtual hosts
>>>> 		
>>>>
>>>> I would like to redirect incoming https traffic to a specific https 
>>>> server.  So far, I've experimented with various rdr options in pf.conf. 
>>>> I've even tried to create an address pool, but to no avail.
>>>>
>>>> This is a rather high-level explanation and I didn't want to clutter 
>>>> this email with pf/DNS/apache syntax that is not working.
>>>>
>>>> I'm open to other solutions if pf is not capable of doing the job.  I 
>>>> have an idea of how apache and mod_rewrite "might" get me there but 
>>>> wanted to try pf first.
>>>>
>>  > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>>  >
>>  > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>>  >             round-robin sticky-address
>>  >
>> Hi, thanks for the quick response.  Your suggestion was actually the 
>> first thing I tried :)  Unfortunately, each host listens on a specific 
>> IP address for that virtual host.  So if:
>>
>>     webmail.example.com    = 10.0.0.10
>>     subversion.example.com = 10.0.0.11
>>     timesheets.example.com = 10.0.0.12
>>
>> and pf sends a request for webmail.example.com to 
>> timesheets.example.com, the request fails.
>>
 > ahhh, read the email again, you want specific requests to go to
 > specific servers based on domain I take it.
 >
correct

 > you might want to look at varnish or a reverse cache engine, in order
 > for pf to accomplish that
 >
or perhaps a reverse proxy engine?

 > pf would need to be able to do a dns resolution for the specific host
 > ie... pf sees a request for subversion.example.com it should send all
 > requests for that site to 10.0.0.11,
 >
I have DNS resolution; the problem (I think) is that pf simply sees 
the packet destined for my single public IP (because all my public host 
names must resolve to the same public IP address) and port 443.


 > a proxy would be better to use for this such as varnish, but why three
 > servers, if you used one apache with 3 virtual hosts on each box you
 > get the load balance results
 >
Because when one uses SSL, each virtualhost must be on a distinct IP 
address.  This was the only way to do things in the apache13 days.  I 
did read somewhere that apache22 supports multiple SSL sites per IP, but 
browsers do not yet support this.

Thanks for your help so far.
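An added illustration, not part of this thread or of pf: the only plaintext hostname a layer-4 device such as pf or a TCP-level proxy could ever route on is the server_name (SNI) extension in the TLS ClientHello, which is exactly the "multiple SSL sites per IP" feature the browsers of the day did not send. The script constructs sample ClientHellos (not real captures) with and without that extension and shows that without it there is nothing but the destination IP and port 443 to dispatch on, while with it a proxy in front of the three private IPs could pick a backend without terminating TLS; the hostnames and cipher suite are assumptions for the example.

```python
import struct

def build_client_hello(sni=None):
    """Construct a minimal TLSv1.0 ClientHello (sample input, not a real capture)."""
    body = b"\x03\x01" + b"\x00" * 32            # client_version, random
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite (assumed)
    body += b"\x01\x00"                          # compression methods: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        lst = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(lst)) + lst             # extension type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record: handshake

def extract_sni(data):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None                          # not a TLS handshake / ClientHello
        pos = 9 + 2 + 32                         # record + handshake headers, version, random
        pos += 1 + data[pos]                     # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                     # compression methods
        if pos + 2 > len(data):
            return None                          # no extensions at all: only IP+port to route on
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:
                # server_name_list: 2-byte list length, then name_type(1) + len(2) + name
                name_type = data[pos + 2]
                nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                if name_type == 0:
                    return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

# Constructed backend map from the thread; a TCP proxy would consult it per connection.
BACKENDS = {"webmail.example.com": "10.0.0.10", "subversion.example.com": "10.0.0.11",
            "timesheets.example.com": "10.0.0.12"}

def choose_backend(first_segment):
    """Pick a private server from the ClientHello; None means nothing to route on."""
    return BACKENDS.get(extract_sni(first_segment))
```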

