pf how-to: Single public IP --> many private NAT'd HTTPS servers
Doug Poland
doug at polands.org
Mon Jan 21 09:16:23 PST 2008
OutbackDingo wrote:
> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>> OutbackDingo wrote:
>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>>>> Hello,
>>>>
>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
>>>> but a working configuration eludes me.
>>>>
>>>> Here's my environment:
>>>>
>>>> Firewall:
>>>> FreeBSD 6.2-STABLE pf
>>>> 1 public (routable) IP address
>>>>
>>>> HTTPS:
>>>> FreeBSD 7.0-PRERELEASE
>>>> Listening on 3 private (RFC-1918) IPs
>>>> Apache22 w/SSL and name-based virtual hosts
>>>>
>>>>
>>>> I would like to redirect incoming https traffic to a specific https
>>>> server. So far, I've experimented with various rdr options pf.conf.
>>>> I've even tried to create an address pool, but to no avail.
>>>>
>>>> This is a rather high-level explanation and I didn't want to clutter
>>>> this email with pf/DNS/apache syntax that is not working.
>>>>
>>>> I'm open to other solutions if pf is not capable of doing the job. I
>>>> have an idea of how apache and mod_rewrite "might" get me there but
>>>> wanted to try pf first.
>>>>
>> > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>> >
>> > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>> > round-robin sticky-address
>> >
>> Hi, thanks for the quick response. Your suggestion was actually the
>> first thing I tried :) Unfortunately, each host listens on a specific
>> IP address for that virtual host. So if:
>>
>> webmail.example.com = 10.0.0.10
>> subversion.example.com = 10.0.0.11
>> timesheets.example.com = 10.0.0.12
>>
>> and pf sends a request for webmail.example.com to
>> timesheets.example.com, the request fails.
>>
> ahhh read the email again, you want specific requests to go to
> specific servers based on domain i take it.
>
correct
> you might want to look at varnish or a reverse cache engine, in order
> for pf to accomlish that
>
or perhaps an a reverse proxy engine?
> pf would need to be able to do a dns reolution for the specific host
> ie... pf see a request for subversion.example.com it should send all
> requests for that site to 10.0.0.11,
>
I have DNS resolution, the problem ( I think ) is in that pf simply sees
the packet destined for my single public IP (because all my public host
names must resolve to the same public IP address) and port 443.
> a proxy would be better to use for this such as varnish, but why three
> servers, if you used one apache wth 3 virtual hosts on each box you
> get the load balance results
>
Because when one uses SSL, each virtualhost must be on a distinct IP
address. This was the only way to do things in the apache13 days. I
did read somewhere that apache22 supports multiple SSL sites per IP, but
browsers do not yet support this.
Thanks for your help so far.
More information about the freebsd-pf
mailing list