Unfortunately the proxy route really wouldn't be an option. SNI support
isn't universal enough for that to work for us, and we can't mix different
clients' sites on one certificate for business reasons. If either of those
were an option there would be no problem as we could just have a single
public IP serve all the sites. Multi-wan is unappetizing because of the
added complexity, and having yet another point of failure. Plus we have a
warm-failover site, so a second provider would need to be at each site as
well, whereas the redirection I'm trying to set up could just be pointed to
a different site upon failure. And I really wish that a larger block was
possible, but we've bumped it up the chain and they just are not set up for
it apparently.

On Thu, Jul 26, 2012 at 4:46 PM, Joseph Hardeman <[email protected]> wrote:

>  Hey Adam,
>
> I see what you're trying to do, basically use IP space on another provider
> and tunnel through to your local machines.  So this is feasible and should
> be able to be done; how, though, I would have to play with it myself and see.
>
> I could tell them to simply go the multi-wan approach or get a larger
> block of IPs.  Or do what Seth and Moshe recommended and set up a proxy.
> Something to discuss with them.
>
> Thanks for the advice.
>
> Joe
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Adam Stasiak
> *Sent:* Thursday, July 26, 2012 9:48 AM
> *To:* pfSense support and discussion
>
> *Subject:* Re: [pfSense] Using pfSense to route inbound traffic via
> Domain Name instead of IP
>
> Not sure if this is helpful to you at all, but I've looked at a possible
> workaround for SSL and a lack of public IPs.
>
> Host a virtualized pfSense box with a service provider (I'm using ARP
> Networks).
> Get a /29 (or more as needed).
> Set up a tunnel between the virtualized box and your local pfSense.
> Route traffic from the addresses on the /29 to different local IPs on your
> internal network (or NAT to different ports on one local IP).
>
> Full disclosure, I haven't yet gotten this working, have asked a couple
> times on forums and this list, and people have seemed to think it's
> feasible, but have gotten bored before being able to help me through the
> nitty gritty. And I'm not knowledgeable enough about the intricacies of
> routing to figure out what the problem is myself. I'm thinking about just
> getting a support subscription and seeing if that will get it functioning.
> Assuming I'm not chasing a pipe dream, this could be something that would
> work for you, and I'd be happy to let you know/write up a how-to for the
> wiki/etc. if I am ever successful.
>
> There's obviously an extra cost for this, but it's not too bad, and our
> only option for an ISP (short of getting a T1) won't give out more than a
> /29 (and I've already used up all the available IPs, so have none left over
> for extra SSL sites).
>
>  On Thu, Jul 26, 2012 at 2:53 AM, Seth Mos <[email protected]> wrote:
>
> On 26-7-2012 5:01, Moshe Katz wrote:
>
> On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman
> <[email protected] <mailto:[email protected]>> wrote:
>
> There isn't really any built-in way to do this.  What you really want is
> a reverse-proxy server (which could or could not be running on the
> pfSense box).  However, your reverse proxy would either have to support
> SNI or have a single certificate with all of the domains on it.  Your
> reverse proxy would then route by domain name.
>
> Indeed, you need a full-on proxy server like HAProxy or Varnish, depending
> on your tastes, to do this.
>
> Not sure which one does the man in the middle for SSL; the proxy will need
> to terminate the SSL connection and can speak http or https to the backend.
>
> Two parenthetical notes about SNI:
>
>   * IIS 8 (release next month or so, RC currently available) does
>     support SNI.
>   * Windows XP does not support SNI.  (Firefox on XP does, as well as
>     Chrome > 6.)
>
> As Moshe makes clear here, there is no other feature you can use except SNI
> for SSL name-based virtual hosting. Otherwise you need one IP per SSL
> certificate, proxy or not.
>
> Regards,
>
> Seth
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
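For the "proxy that routes by domain name" the thread keeps coming back to, here is an added HAProxy configuration (not from the list or from any of the posters) that routes on the SNI hostname in TCP mode without terminating TLS, so each site keeps its own certificate on its own backend and nothing has to be mixed onto one cert; the hostnames, addresses and ports are assumptions. Clients that send no SNI at all (the Windows XP case Moshe mentions) cannot be told apart and fall through to a default backend.

```haproxy
# Added example, not from the thread: HAProxy routing TLS connections by
# SNI in TCP mode (no termination). All names and addresses are assumed.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind *:443
    # Hold the connection briefly so the ClientHello can be read first.
    tcp-request inspect-delay 5s
    # Proceed only once a TLS ClientHello (handshake type 1) has arrived.
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Match on the SNI hostname; each backend serves its own certificate.
    acl sni_client_a req.ssl_sni -i www.client-a.example
    acl sni_client_b req.ssl_sni -i www.client-b.example
    use_backend client_a if sni_client_a
    use_backend client_b if sni_client_b
    # Connections with no SNI (old clients) cannot be distinguished by name.
    default_backend no_sni

backend client_a
    server web_a 10.0.1.10:443 check

backend client_b
    server web_b 10.0.1.20:443 check

backend no_sni
    # Whichever site's certificate you are willing to show non-SNI clients.
    server legacy 10.0.1.10:443 check
```

Because the proxy never decrypts, it cannot see the HTTP Host header; only the SNI value in the ClientHello is available for routing, which is exactly why the list concludes there is no alternative to SNI short of one IP per certificate.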
