
List:       pfsense-discussion
Subject:    Re: [pfSense] reverse proxy situation
From:       PiBa <pba_2k3 () yahoo ! com>
Date:       2015-05-31 16:56:54
Message-ID: 556B3D56.80303 () yahoo ! com

HAProxy package is 'currently' maintained by me, though maybe not highly
active; last week I added OCSP as an option in the -devel version.
Should get available in some time in the -1_5 version as well. Anyway it
offers quite some options: SSL-offloading, SNI, host-header/SNI backend
selection, others.. If something important is missing from the webgui,
and I think it's useful / easy to add, send me a mail and in time I
might add it. Also if something doesn't work properly, I'll try and fix
it.. I do try to keep the package somewhat clean of an enormous amount
of options that will rarely be used.. And most 'advanced' options can be
added in the various 'textbox fields' as well..

Here is an example of how haproxy can do HTTP, one IP to multiple backends:
https://docs.google.com/document/d/1YflytSq7P8oZBSCVUKWS1v2P0CdShbxeCsbTZ59JCRo/pub

In your case with https it's a little different, and there is the option
to use SNI to forward TCP connections as is (IE on XP does not support
SNI, and maybe others if that matters for you...), or configure
ssl-offloading and process the actual http on haproxy, then the choice
to reencrypt the connection to backend or not.. And possibly mess up the
webapplication logic that wants to redirect to https again..

Pros:
-ACLs for backend selection
-SSL/SNI support in various ways
-Nice stats page
-Session-stickiness, TCP forwarding, I think relatively low CPU usage,
others..
Cons:
-If you need 'rewriting' of the body of an HTML page then haproxy is not
going to do that for you. Haproxy can only insert/modify/remove
http-headers.
-Also if you want 'caching' this is not something haproxy will do.

As for the other packages I've not really used them much. So can't really
comment.., perhaps take a look at the github activity to see if and how
actively they are changing? Though few commits can mean it's very stable
and feature complete. It can also mean it's not being actively
maintained. So still doesn't say much..

Greets PiBa-NL
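The two HTTPS modes described in the reply above, SNI passthrough in TCP mode versus SSL offloading with host-header routing and optional re-encryption, as an added haproxy.cfg example; this is not the pfSense package's generated config and not part of the original post. The public addresses, hostnames, backend IPs and certificate paths are constructed placeholders, and the directives are the HAProxy 1.5 forms.

```haproxy
# Mode A: SNI passthrough. TLS is not terminated on the firewall, so no
# certificate or key lives here; routing uses only the ClientHello SNI.
frontend https_passthrough
    bind 203.0.113.10:443
    mode tcp
    tcp-request inspect-delay 5s
    acl sni_app1 req.ssl_sni -i app1.example.com
    acl sni_app2 req.ssl_sni -i app2.example.com
    # Accept once a known name is seen; drop a ClientHello carrying any other
    # (or no) SNI, which is where SNI-less clients such as IE on XP end up.
    tcp-request content accept if sni_app1 or sni_app2
    tcp-request content reject if { req.ssl_hello_type 1 }
    use_backend app1_tcp if sni_app1
    use_backend app2_tcp if sni_app2

backend app1_tcp
    mode tcp
    server app1 192.0.2.11:443 check

backend app2_tcp
    mode tcp
    server app2 192.0.2.12:443 check

# Mode B: SSL offloading on a second address. HAProxy terminates TLS (one
# cert per name, picked by SNI), routes on the Host header, and may
# re-encrypt to the backend while checking its cert against an internal CA.
frontend https_offload
    bind 203.0.113.11:443 ssl crt /etc/haproxy/app1.pem crt /etc/haproxy/app2.pem no-sslv3
    mode http
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    # Refuse unknown Host values instead of handing them to a default site.
    http-request deny unless host_app1 or host_app2
    # Tell the application the client arrived over HTTPS, so an app reached
    # over plain HTTP (app2 below) does not redirect back to https:// again.
    http-request set-header X-Forwarded-Proto https
    use_backend app1_http if host_app1
    use_backend app2_http if host_app2

backend app1_http
    mode http
    option forwardfor
    # Re-encrypt to the backend and verify its certificate.
    server app1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem check

backend app2_http
    mode http
    option forwardfor
    # Plain HTTP to this backend: re-encryption is chosen per backend.
    server app2 192.0.2.12:80 check
```

In practice only one of the two frontends would own the single public IP; they are shown on two addresses so both modes can be read side by side.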

Adam Thompson wrote on 31-5-2015 at 16:04:
> Reverse proxy.  Need to multiplex multiple publicly-accessible, secure, websites
> running on private IPs from a single public IP. It *is* hard to write that both
> succinctly and unambiguously!
> -Adam
> 
> On May 31, 2015 8:54:14 AM CDT, Espen Johansen <pfsense@gmail.com> wrote:
> > Actually. Are you looking for reverse proxy or a user proxy. I'm
> > confused
> > after reading your mail a few times.
> > 
> > Brgds, Espen
> > On 31 May 2015 15:35, "Espen Johansen" <pfsense@gmail.com> wrote:
> > 
> > > Exclude varnish; it's primarily made for frontend LB proxy.
> > > 
> > > On Sun. 31 May 2015, 15:32, Adam Thompson <athompso@athompso.net> wrote:
> > > 
> > > > Oh, shoot, that's a good point - I probably do need SNI support for SSL.
> > > > I may be able to get a wildcard cert, but that will be an issue one way or
> > > > another.
> > > > 
> > > > Varnish doesn't support SSL at all, although I could theoretically do it
> > > > with stunnel and a wildcard cert.
> > > > Squid does support SSL, but appears to require wildcard cert.
> > > > Squid3 *may* support SNI, can't tell.
> > > > Haproxy supports SNI; hopefully the pfSense package is new enough to
> > > > include that.
> > > > Apache supports SNI, supposedly.
> > > > 
> > > > So I'm still left with a (overly, IMHO) large list.
> > > > I could also just port-forward TCP/{80,443} to a host behind the firewall
> > > > and do everything there, too.
> > > > 
> > > > Argh, too many options, not enough clarity on which packages are
> > > > supported vs. which ones are semi-orphaned.
> > > > 
> > > > -Adam
> > > > 
> > > > On May 30, 2015 11:12:01 PM CDT, Travis Hansen <travisghansen@yahoo.com>
> > > > wrote:
> > > > > If you're looking for pure proxy frontend I'd stick with haproxy or
> > > > > apache (I use haproxy).
> > > > > haproxy provides load balancing and can do other things besides
> > > > > strictly http(s) such as pure tcp and transparent proxy stuff.
> > > > > Apache provides some things like mod_rewrite (I assume the pfsense
> > > > > build comes with that) etc. that aren't easily done with haproxy.
> > > > > I could be wrong but if you're looking for SSL offloading (I ensure all
> > > > > traffic goes over SSL) varnish and squid would be out of the picture.
> > > > > 
> > > > > Travis Hansen
> > > > > travisghansen@yahoo.com
> > > > > 
> > > > > 
> > > > > On Saturday, May 30, 2015 8:25 PM, Adam Thompson
> > > > > <athompso@athompso.net> wrote:
> > > > > 
> > > > > 
> > > > > I need to run a reverse proxy on a pfSense gateway - multiple websites,
> > > > > one public IP, the usual reason.
> > > > > However, I see there's a larger selection available than the last time I
> > > > > looked.
> > > > > 
> > > > > It appears we now have:
> > > > > * Apache w/mod_security-dev v0.43 / 0.22
> > > > > * haproxy-1_5 v0.23
> > > > > * haproxy-devel v0.24
> > > > > * Proxy Server w/mod_security v0.1.7 / 0.22.999
> > > > > * squid
> > > > > * squid3
> > > > > * varnish3
> > > > > 
> > > > > 1. Have I missed any?
> > > > > 2. Are "Apache w/mod_security-dev" and "Proxy Server w/mod_security"
> > > > > essentially the same thing?
> > > > > 3. For relatively simple cases (straightforward hostname-to-internal-IP
> > > > > mapping), is there any compelling reason to use one over another on
> > > > > pfSense 2.2 today?  FWIW, this firewall is relatively underpowered
> > > > > (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
> > > > > 
> > > > > --
> > > > > -Adam Thompson
> > > > > athompso@athompso.net
> > > > > +1 (204) 291-7950 - cell
> > > > > +1 (204) 489-6515 - fax
> > > > > 
> > > > > _______________________________________________
> > > > > pfSense mailing list
> > > > > https://lists.pfsense.org/mailman/listinfo/list
> > > > > Support the project with Gold! https://pfsense.org/gold
> > > > --
> > > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> > > 


