OutbackDingo wrote:
the problem here is pf doesn't do hostname resolution, it's not supported
by the filter so DNS doesn't help. A reverse proxy would do a name
resolution, though you can use ACLs to direct traffic from a name to an
IP in a proxy also, and this isn't load balancing, this would be name-based
redirection. Oops, a proxy cache and Varnish, a cache accelerator,
would work here, so probably would nginx, which is a proxy in itself.


This configuration will never work as expected. There is no way for the SSL layer to know what certificate to present before the request has been issued, as SSL is negotiated at accept time and as such only knows the IP addresses of the local and remote TCP connection end points. The host name is then sent inside the SSL connection as part of the HTTP request in the Host header.

This is a problem because the host name of the site being requested is present in the certificate and the SSL layer cannot work out which certificate to serve.

HTTPS hosts must be on distinct IP addresses because of this.

There is a spec for HTTP+TLS, I believe, which would allow for 'https' virtual hosting on a single IP, as the hostname can be sent to the webserver before the START_TLS command is issued, but I don't know if any browsers support this at the moment.

Tom

On Mon, 2008-01-21 at 11:17 -0600, Doug Poland wrote:
OutbackDingo wrote:

On Mon, 2008-01-21 at 10:58 -0600, Doug Poland wrote:
OutbackDingo wrote:
On Mon, 2008-01-21 at 10:17 -0600, Doug Poland wrote:
Hello,

I've googled, read pf.conf(5) and the pf tutorial/faq, and experimented, but a working configuration eludes me.

Here's my environment:

        Firewall:
                FreeBSD 6.2-STABLE pf
                1 public (routable) IP address
        
        HTTPS:
                FreeBSD 7.0-PRERELEASE
                Listening on 3 private (RFC-1918) IPs
                Apache22 w/SSL and name-based virtual hosts
                

I would like to redirect incoming https traffic to a specific https server. So far, I've experimented with various rdr options in pf.conf. I've even tried to create an address pool, but to no avail.

This is a rather high-level explanation and I didn't want to clutter this email with pf/DNS/apache syntax that is not working.

I'm open to other solutions if pf is not capable of doing the job. I have an idea of how apache and mod_rewrite "might" get me there but wanted to try pf first.

 > web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
 >
 > rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
 >             round-robin sticky-address
 >
Hi, thanks for the quick response. Your suggestion was actually the first thing I tried :) Unfortunately, each host listens on a specific IP address for that virtual host. So if:

    webmail.example.com    = 10.0.0.10
    subversion.example.com = 10.0.0.11
    timesheets.example.com = 10.0.0.12

and pf sends a request for webmail.example.com to timesheets.example.com, the request fails.

 > ahhh read the email again, you want specific requests to go to
 > specific servers based on domain i take it.
 >
correct

 > you might want to look at varnish or a reverse cache engine, in order
 > for pf to accomplish that
 >
or perhaps a reverse proxy engine?

 > pf would need to be able to do a DNS resolution for the specific host
 > ie... pf sees a request for subversion.example.com, it should send all
 > requests for that site to 10.0.0.11,
 >
I have DNS resolution; the problem (I think) is that pf simply sees the packet destined for my single public IP (because all my public host names must resolve to the same public IP address) and port 443.


 > a proxy would be better to use for this such as varnish, but why three
 > servers, if you used one apache with 3 virtual hosts on each box you
 > get the load balance results
 >
Because when one uses SSL, each virtualhost must be on a distinct IP address. This was the only way to do things in the apache13 days. I did read somewhere that apache22 supports multiple SSL sites per IP, but browsers do not yet support this.

Thanks for your help so far.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

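Added example, not part of the thread above and not pf or Apache code: the spec Tom refers to is the TLS server_name extension (SNI, defined in RFC 3546 and now RFC 6066). With it, the requested hostname travels in clear text in the very first record the client sends, the ClientHello, before any certificate is chosen. A userland front end that reads that first record can therefore pick the backend by name on a single public IP; pf itself still cannot, since it does not inspect payload. The code below builds a constructed ClientHello (sample input, not a capture), parses the SNI out of it, and maps it onto the three private addresses from Doug's message. The backend table, function names and the fallback for clients that send no SNI at all are assumptions made for this example.

```python
"""Pick a backend for an HTTPS connection from the SNI in the client's first TLS record.

Added example for the freebsd-pf thread above; not pf, Apache or Varnish code.
"""
import struct
from typing import Optional

# Assumed mapping, taken from the hostnames and RFC-1918 addresses in the thread.
BACKENDS = {
    "webmail.example.com": "10.0.0.10",
    "subversion.example.com": "10.0.0.11",
    "timesheets.example.com": "10.0.0.12",
}


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.

    With hostname=None no extensions block is emitted, which is what an old
    client without SNI support sends.
    """
    extensions = b""
    if hostname is not None:
        sni_name = hostname.encode("ascii")
        # ServerNameList: name_type (0 = host_name), 2-byte length, name
        server_name_list = struct.pack("!BH", 0, len(sni_name)) + sni_name
        sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
        ext_sni = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
        # An unrelated extension (ec_point_formats) first, so the parser must skip it
        ext_other = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
        extensions = struct.pack("!H", len(ext_other + ext_sni)) + ext_other + ext_sni
    body = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + b"\x00" * 32                    # random (zeros; sample only)
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                     # compression_methods: [null]
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from the first bytes a client sent, or None.

    None means: not TLS, not a ClientHello, truncated (read more from the
    socket before deciding), or a client that sent no server_name extension.
    """
    if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                        # truncated record
        return None
    pos = 2 + 32                                  # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):                       # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if ext_type != 0x0000 or len(edata) < 2:  # 0x0000 = server_name
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            name_type, nlen = struct.unpack("!BH", edata[p:p + 3])
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if name_type == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def choose_backend(first_bytes: bytes, backends=BACKENDS,
                   default: Optional[str] = None) -> Optional[str]:
    """Map the SNI in the client's first record to a backend address.

    Clients without SNI (or unknown names) get `default`, which a deployment
    would set to the one site it is willing to serve blind, or None to drop.
    """
    name = extract_sni(first_bytes)
    if name is None:
        return default
    return backends.get(name.lower(), default)


if __name__ == "__main__":
    for host in ("webmail.example.com", "subversion.example.com", None):
        print(host, "->", choose_backend(build_client_hello(host), default="drop"))
```

The front end would do this on the accepted socket before connecting to the chosen backend and then splice bytes both ways; it never needs the private keys, which is the point of routing on SNI rather than terminating TLS. The fallback matters in practice: a client that omits the extension looks exactly like Tom describes, and the only honest options are a fixed default site or closing the connection.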