OutbackDingo wrote:
On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
OutbackDingo wrote:
On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
Hello,
I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
but a working configuration eludes me.
Here's my environment:
Firewall:
FreeBSD 6.2-STABLE pf
1 public (routable) IP address
HTTPS:
FreeBSD 7.0-PRERELEASE
Listening on 3 private (RFC-1918) IPs
Apache22 w/SSL and name-based virtual hosts
I would like to redirect incoming https traffic to a specific https
server. So far, I've experimented with various rdr options pf.conf.
I've even tried to create an address pool, but to no avail.
This is a rather high-level explanation and I didn't want to clutter
this email with pf/DNS/apache syntax that is not working.
I'm open to other solutions if pf is not capable of doing the job. I
have an idea of how apache and mod_rewrite "might" get me there but
wanted to try pf first.
> web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>
> rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
> round-robin sticky-address
>
Hi, thanks for the quick response. Your suggestion was actually the
first thing I tried :) Unfortunately, each host listens on a specific
IP address for that virtual host. So if:
webmail.example.com = 10.0.0.10
subversion.example.com = 10.0.0.11
timesheets.example.com = 10.0.0.12
and pf sends a request for webmail.example.com to
timesheets.example.com, the request fails.
> ahhh read the email again, you want specific requests to go to
> specific servers based on domain i take it.
>
correct
> you might want to look at varnish or a reverse cache engine, in order
> for pf to accomlish that
>
or perhaps an a reverse proxy engine?
> pf would need to be able to do a dns reolution for the specific host
> ie... pf see a request for subversion.example.com it should send all
> requests for that site to 10.0.0.11,
>
I have DNS resolution, the problem ( I think ) is in that pf simply sees
the packet destined for my single public IP (because all my public host
names must resolve to the same public IP address) and port 443.
> a proxy would be better to use for this such as varnish, but why three
> servers, if you used one apache wth 3 virtual hosts on each box you
> get the load balance results
>
Because when one uses SSL, each virtualhost must be on a distinct IP
address. This was the only way to do things in the apache13 days. I
did read somewhere that apache22 supports multiple SSL sites per IP, but
browsers do not yet support this.
Thanks for your help so far.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"