pf how-to: Single public IP --> many private NAT'd HTTPS servers

Tom Judge tom at tomjudge.com
Mon Jan 21 11:31:21 PST 2008


OutbackDingo wrote:
> the problem here is pf doesn't do hostname resolution, it's not supported
> by the filter so DNS doesn't help, a reverse proxy would do a name
> resolution, though you can use ACLs to direct traffic from a name to an
> IP in a proxy also, and this isn't load balancing, this would be name
> based redirection. oops a proxy cache and varnish a cache accelerator
> would work here, so probably would nginx which is a proxy in itself.
> 

This configuration will never work as expected.  There is no way for the 
SSL layer to know what certificate to present before the request has 
been issued.  SSL is negotiated at accept time, and as such only 
knows the IP addresses of the local and remote TCP connection end points. 
The host name is then sent inside the SSL connection as part of the 
HTTP request in the Host header.

This is a problem because the host name of the site being requested is 
present in the certificate and the SSL layer cannot work out which 
certificate to serve.

HTTPS hosts must be on distinct IP addresses because of this.

There is a spec for HTTP+TLS I believe which would allow for 'https' 
virtual hosting on a single IP as the hostname can be sent to the 
webserver before the START_TLS command is issued, but I don't know if 
any browsers support this at the moment.

Tom

> On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
>> OutbackDingo wrote:
>>
>>> On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
>>>> OutbackDingo wrote:
>>>>> On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, 
>>>>>> but a working configuration eludes me.
>>>>>>
>>>>>> Here's my environment:
>>>>>>
>>>>>> 	Firewall:
>>>>>> 		FreeBSD 6.2-STABLE pf
>>>>>> 		1 public (routable) IP address
>>>>>> 	
>>>>>> 	HTTPS:
>>>>>> 		FreeBSD 7.0-PRERELEASE
>>>>>> 		Listening on 3 private (RFC-1918) IPs
>>>>>> 		Apache22 w/SSL and name-based virtual hosts
>>>>>> 		
>>>>>>
>>>>>> I would like to redirect incoming https traffic to a specific https 
>>>>>> server.  So far, I've experimented with various rdr options pf.conf. 
>>>>>> I've even tried to create an address pool, but to no avail.
>>>>>>
>>>>>> This is a rather high-level explanation and I didn't want to clutter 
>>>>>> this email with pf/DNS/apache syntax that is not working.
>>>>>>
>>>>>> I'm open to other solutions if pf is not capable of doing the job.  I 
>>>>>> have an idea of how apache and mod_rewrite "might" get me there but 
>>>>>> wanted to try pf first.
>>>>>>
>>>>  > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>>>>  >
>>>>  > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
>>>>  >             round-robin sticky-address
>>>>  >
>>>> Hi, thanks for the quick response.  Your suggestion was actually the 
>>>> first thing I tried :)  Unfortunately, each host listens on a specific 
>>>> IP address for that virtual host.  So if:
>>>>
>>>>     webmail.example.com    = 10.0.0.10
>>>>     subversion.example.com = 10.0.0.11
>>>>     timesheets.example.com = 10.0.0.12
>>>>
>>>> and pf sends a request for webmail.example.com to 
>>>> timesheets.example.com, the request fails.
>>>>
>>  > ahhh read the email again, you want specific requests to go to
>>  > specific servers based on domain i take it.
>>  >
>> correct
>>
>>  > you might want to look at varnish or a reverse cache engine, in order
>>  > for pf to accomplish that
>>  >
>> or perhaps a reverse proxy engine?
>>
>>  > pf would need to be able to do a dns resolution for the specific host
>>  > ie... pf see a request for subversion.example.com it should send all
>>  > requests for that site to 10.0.0.11,
>>  >
>> I have DNS resolution, the problem ( I think ) is in that pf simply sees 
>> the packet destined for my single public IP (because all my public host 
>> names must resolve to the same public IP address) and port 443.
>>
>>
>>  > a proxy would be better to use for this such as varnish, but why three
>>  > servers, if you used one apache with 3 virtual hosts on each box you
>>  > get the load balance results
>>  >
>> Because when one uses SSL, each virtualhost must be on a distinct IP 
>> address.  This was the only way to do things in the apache13 days.  I 
>> did read somewhere that apache22 supports multiple SSL sites per IP, but 
>> browsers do not yet support this.
>>
>> Thanks for your help so far.
> 
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
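Tom's point is that before the TLS handshake completes the only thing a packet filter or front end can see is the local and remote IP/port pair; the Host header that names the site travels inside the encrypted connection. The mechanism that later made name-based HTTPS routing on one IP practical is the TLS server_name (SNI) extension, which places the host name in cleartext in the ClientHello. The following script is an added example, not code from this thread or from pf: it builds two constructed ClientHello records (one with SNI, one without, as a 2008-era browser would send) and a small parser that pulls the server_name out, then maps it to the private backend addresses from Doug's table. The `choose_backend` function and the `BACKENDS` map are assumptions for illustration; the hostnames and 10.0.0.x addresses are the ones quoted in the thread.

```python
import struct

# Backend table reusing the hostname -> private IP mapping quoted in the thread.
BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data).

    With server_name=None the hello carries no extensions, which is what a
    pre-SNI client sends: nothing in it names the site being requested.
    """
    body = b"\x03\x03" + bytes(32)          # client_version + 32-byte random (zeros here)
    body += b"\x00"                          # empty session_id
    suites = b"\x00\x2f"                     # TLS_RSA_WITH_AES_128_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        ext = struct.pack("!HH", 0, len(sni_data)) + sni_data   # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent.

    Every length is bounds-checked so a truncated or malformed record yields
    None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(edata) >= 2:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(edata)):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
    return None


def choose_backend(record, backends=BACKENDS):
    """Pick a backend the way an SNI-aware front end would; None means the
    front end has only IP:port to go on and cannot route by name."""
    name = extract_sni(record)
    if name is None:
        return None
    return backends.get(name.lower())


if __name__ == "__main__":
    for hello in (build_client_hello("webmail.example.com"), build_client_hello()):
        print(extract_sni(hello), "->", choose_backend(hello))
```

The second record in the `__main__` block reproduces the situation in the thread: the first bytes on the wire carry no host name at all, so nothing short of terminating TLS at a proxy that holds all three certificates can tell the sites apart, and a pure `rdr` rule has no field to match on.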
