OutbackDingo wrote:

On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
OutbackDingo wrote:
On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
Hello,

I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, but a working configuration eludes me.

Here's my environment:

        Firewall:
                FreeBSD 6.2-STABLE pf
                1 public (routable) IP address
        
        HTTPS:
                FreeBSD 7.0-PRERELEASE
                Listening on 3 private (RFC-1918) IPs
                Apache22 w/SSL and name-based virtual hosts
                

I would like to redirect incoming https traffic to a specific https server. So far, I've experimented with various rdr options pf.conf. I've even tried to create an address pool, but to no avail.

This is a rather high-level explanation and I didn't want to clutter this email with pf/DNS/apache syntax that is not working.

I'm open to other solutions if pf is not capable of doing the job. I have an idea of how apache and mod_rewrite "might" get me there but wanted to try pf first.

 > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
 >
 > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
 >             round-robin sticky-address
 >
Hi, thanks for the quick response. Your suggestion was actually the first thing I tried :) Unfortunately, each host listens on a specific IP address for that virtual host. So if:

    webmail.example.com    = 10.0.0.10
    subversion.example.com = 10.0.0.11
    timesheets.example.com = 10.0.0.12

and pf sends a request for webmail.example.com to timesheets.example.com, the request fails.

> ahhh read the email again, you want specific requests to go to
> specific servers based on domain I take it.
>
correct

> you might want to look at varnish or a reverse cache engine, in order
> for pf to accomplish that
>
or perhaps a reverse proxy engine?

> pf would need to be able to do a DNS resolution for the specific host
> i.e. pf sees a request for subversion.example.com, it should send all
> requests for that site to 10.0.0.11,
>
I have DNS resolution; the problem (I think) is that pf simply sees the packet destined for my single public IP (because all my public host names must resolve to the same public IP address) and port 443.


> a proxy would be better to use for this such as varnish, but why three
> servers, if you used one apache with 3 virtual hosts on each box you
> get the load balance results
>
Because when one uses SSL, each virtualhost must be on a distinct IP address. This was the only way to do things in the apache13 days. I did read somewhere that apache22 supports multiple SSL sites per IP, but browsers do not yet support this.

Thanks for your help so far.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
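The thread's conclusion is that pf cannot do this because the virtual-host name is not visible at layer 3/4: pf sees only the public IP and port 443. The only place the hostname appears before the connection is encrypted is the Server Name Indication (SNI) extension of the TLS ClientHello, and only when the client sends one. The following Python is an added example written for this page, not code from the thread or from pf, showing what a TCP-level proxy in front of the three backends would have to do: read the ClientHello, pull out the SNI host_name, and pick the backend from it, falling back to a default backend for clients that send no SNI at all. The backend map uses the poster's hostnames and addresses; the choice of 10.0.0.10 as the no-SNI fallback is an assumption for illustration. The ClientHello is constructed inline so the block runs offline.

```python
"""
Hostname-based backend selection for HTTPS behind one public IP.

pf only sees (src IP, dst IP, dst port), so it cannot choose a backend
per virtual host. The hostname, when the client sends it at all, lives
inside the TLS ClientHello as the server_name (SNI) extension, sent in
the clear before any encryption starts. A TCP-level proxy can read it
and route on it; a layer-3/4 packet filter cannot.

Added example, not from the original thread. Record and handshake
layout follow RFC 5246 (TLS 1.2 record/handshake) and RFC 6066 (SNI).
"""
import struct
from typing import Optional

# Backend map taken from the thread: three RFC-1918 hosts, one public IP.
BACKENDS = {
    b"webmail.example.com":    "10.0.0.10",
    b"subversion.example.com": "10.0.0.11",
    b"timesheets.example.com": "10.0.0.12",
}
# Assumption for this example: clients that send no SNI land here.
DEFAULT_BACKEND = "10.0.0.10"


def build_client_hello(sni: Optional[bytes]) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record, with or without SNI.

    Only used here to generate constructed test input offline; a real
    proxy reads the record from the accepted socket.
    """
    body = b"\x03\x01"                 # client_version: TLS 1.0
    body += b"\x00" * 32               # random (all zero, test input only)
    body += b"\x00"                    # session_id: length 0
    body += b"\x00\x02\x00\x2f"        # cipher_suites: one entry, 0x002f
    body += b"\x01\x00"                # compression_methods: null only
    if sni is not None:
        # ServerName = name_type host_name(0) + 16-bit length + host
        name = b"\x00" + struct.pack("!H", len(sni)) + sni
        server_name_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
        body += struct.pack("!H", len(ext)) + ext      # extensions block
    # Handshake header: type client_hello(1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type handshake(22) + version + 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[bytes]:
    """Return the SNI host_name from a TLS ClientHello record, else None.

    None covers non-TLS input (e.g. plain HTTP), non-ClientHello records,
    truncated data, and a ClientHello with no server_name extension, which
    is what a browser without SNI support sends.
    """
    try:
        if data[0] != 0x16:                         # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        pos = 4                                     # skip type + 24-bit length
        pos += 2 + 32                               # client_version + random
        sid_len = hs[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len         # compression_methods
        if pos >= len(hs):                          # no extensions at all
            return None
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if ext_type == 0x0000:                  # server_name extension
                list_len = struct.unpack("!H", hs[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    name_type = hs[p]
                    name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if name_type == 0:              # host_name
                        return hs[p + 3:p + 3 + name_len]
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                 # truncated or malformed
    return None


def choose_backend(data: bytes) -> str:
    """Map the first bytes read from a client to a backend address."""
    sni = extract_sni(data)
    return BACKENDS.get(sni, DEFAULT_BACKEND)


if __name__ == "__main__":
    for host in (b"webmail.example.com", b"subversion.example.com", None):
        print(host, "->", choose_backend(build_client_hello(host)))
```

This is the logic a TCP-mode SNI router performs before it splices the connection to the chosen backend; the TLS session itself still terminates on the backend Apache, so each backend keeps its own certificate. The fallback matters for the era the thread describes: a client that sends no SNI can only ever reach the default backend, which is the same limitation the poster ran into with name-based SSL virtual hosts.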