OutbackDingo wrote:
the problem here is pf doesn't do hostname resolution, it's not supported
by the filter so DNS doesn't help, a reverse proxy would do a name
resolution, though you can use ACLs to direct traffic from a name to an
IP in a proxy also, and this isn't load balancing, this would be name
based redirection. oops a proxy cache and Varnish a cache accelerator
would work here, so probably would nginx which is a proxy in itself.
This configuration will never work as expected. There is no way for the
SSL layer to know what certificate to present before the request has
been issued. SSL is negotiated at accept time, and as such only
knows the IP addresses of the local and remote TCP connection end points.
The host name is then sent inside the SSL connection as part of the
HTTP request in the Host header.
This is a problem because the host name of the site being requested is
present in the certificate and the SSL layer cannot work out which
certificate to serve.
HTTPS hosts must be on distinct IP addresses because of this.
There is a spec for HTTP+TLS I believe which would allow for 'https'
virtual hosting on a single IP as the hostname can be sent to the
webserver before the START_TLS command is issued, but I don't know if
any browsers support this at the moment.
Tom
On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
OutbackDingo wrote:
On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
OutbackDingo wrote:
On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
Hello,
I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented,
but a working configuration eludes me.
Here's my environment:
Firewall:
FreeBSD 6.2-STABLE pf
1 public (routable) IP address
HTTPS:
FreeBSD 7.0-PRERELEASE
Listening on 3 private (RFC-1918) IPs
Apache22 w/SSL and name-based virtual hosts
I would like to redirect incoming https traffic to a specific https
server. So far, I've experimented with various rdr options in pf.conf.
I've even tried to create an address pool, but to no avail.
This is a rather high-level explanation and I didn't want to clutter
this email with pf/DNS/apache syntax that is not working.
I'm open to other solutions if pf is not capable of doing the job. I
have an idea of how apache and mod_rewrite "might" get me there but
wanted to try pf first.
> web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
>
> rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
> round-robin sticky-address
>
Hi, thanks for the quick response. Your suggestion was actually the
first thing I tried :) Unfortunately, each host listens on a specific
IP address for that virtual host. So if:
webmail.example.com = 10.0.0.10
subversion.example.com = 10.0.0.11
timesheets.example.com = 10.0.0.12
and pf sends a request for webmail.example.com to
timesheets.example.com, the request fails.
> ahhh read the email again, you want specific requests to go to
> specific servers based on domain I take it.
>
correct
> you might want to look at Varnish or a reverse cache engine, in order
> for pf to accomplish that
>
or perhaps a reverse proxy engine?
> pf would need to be able to do a DNS resolution for the specific host,
> i.e. pf sees a request for subversion.example.com, it should send all
> requests for that site to 10.0.0.11,
>
I have DNS resolution, the problem (I think) is that pf simply sees
the packet destined for my single public IP (because all my public host
names must resolve to the same public IP address) and port 443.
> a proxy would be better to use for this such as Varnish, but why three
> servers, if you used one apache with 3 virtual hosts on each box you
> get the load balance results
>
Because when one uses SSL, each virtual host must be on a distinct IP
address. This was the only way to do things in the Apache 1.3 days. I
did read somewhere that Apache 2.2 supports multiple SSL sites per IP, but
browsers do not yet support this.
Thanks for your help so far.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
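As an added example (not written by any of the thread's posters), this is the name-based routing a reverse proxy would do in front of the three backends, in Python: it reads the Host header out of the plain HTTP request and maps it to the constructed webmail/subversion/timesheets addresses used in the thread, refusing unknown or ambiguous names. For HTTPS the proxy would have to terminate TLS first, since, as the thread notes, the host name only appears inside the encrypted request where pf cannot see it.

```python
from typing import Optional

# Constructed to match the thread's example; a real deployment would load this
# from the proxy's configuration.
BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the Host header value (lower-cased, :port stripped), or None.

    pf only ever sees (destination IP, destination port); this is the piece of
    the request a proxy reads after the TCP connection (and, for HTTPS, the
    TLS session) is already established.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]          # request line + headers only
    header_lines = head.split(b"\r\n")[1:]       # skip the request line
    hosts = [
        line.split(b":", 1)[1].strip()
        for line in header_lines
        if line.lower().startswith(b"host:")
    ]
    if len(hosts) != 1:
        # Missing or duplicated Host header: ambiguous, so refuse to route.
        return None
    host = hosts[0].decode("ascii", "replace").lower()
    return host.split(":")[0]                    # drop an explicit :port


def pick_backend(raw: bytes) -> Optional[str]:
    """Map a request to exactly the backend that serves its host name.

    Names not in the map get None (the proxy should answer 4xx itself) rather
    than falling through to an arbitrary backend, which is the failure the
    round-robin rdr rule in the thread produced.
    """
    host = host_from_request(raw)
    return BACKENDS.get(host) if host else None
```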