Not sure if this is helpful to you at all, but I've looked at a possible workaround for SSL and a lack of public IPs.
Host a virtualized pfsense box with a service provider (I'm using ARP networks). Get a /29 (or more as needed). Set up a tunnel between the virtualized box and your local pfsense route traffic from the addresses on the /29 to different local IPs on your internal network (or NAT to different ports on one local IP. Full disclosure, I haven't yet gotten this working, have asked a couple times on forums and this list, and people have seemed to think it's feasible, but have gotten bored before being able to help me through the nitty gritty. And I'm not knowledgeable enough about the intricacies of routing to figure out what the problem is myself. I'm thinking about just getting a support subscription and seeing if that will get if functioning. Assuming I'm not chasing a pipe dream, this could be something that would work for you, and I'd be happy to let you know/write up a how-to for the wiki/etc. if I am ever successful. There's obviously an extra cost for this, but it's not too bad, and our only option for an ISP (short of getting a T1) won't give out more than a /29 (and I've already used up all the available IPs, so have none left over for extra SSL sites). On Thu, Jul 26, 2012 at 2:53 AM, Seth Mos <[email protected]> wrote: > Op 26-7-2012 5:01, Moshe Katz schreef: > >> On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman >> <[email protected] >> <mailto:jhardeman@cirracore.**com<[email protected]>>> >> wrote: >> > > There isn't really any built-in way to do this. What you really want is >> a reverse-proxy server (which could or could not be running on the >> pfSense box). However, your Reverse Proxy would either have to support >> SNI or have a single certificate with all of the domains on it. Your >> reverse-proxy would then route by domain name. >> > > Indeed, you need a full on proxy server like HAproxy or Varnish depending > on your tastes to do this. > > Not sure which one does the man in the middle for SSL, the proxy will need > to terminate the SSL connection and can speak http or https to the backend. > > Two parenthetical notes about SNI: >> >> * IIS 8 (release next month or so, RC currently available) does >> support SNI. >> * Windows XP does not support SNI. (Firefox on XP does, as well as >> Chrome > 6 do). >> > > As Moshe makes clear here there is no other feature you can use except SNI > for SSL name based virtual hosting. Otherwise you need one IP per SSL > certificate, proxy or not. > > Regards, > > Seth > ______________________________**_________________ > List mailing list > [email protected] > http://lists.pfsense.org/**mailman/listinfo/list<http://lists.pfsense.org/mailman/listinfo/list> >
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
