Seeting up Subdomains in pfSense

pfanatic

Hello,

I have a problem that I am trying to solve and I do not believe I will be able to do without some help, so I appreciate any directions.

I want to setup various subdomains for main domain (example.com) that point to different IP addresses or different ports. Here is an example:

www.example.com –--> pfSense ---> webserver (10.10.10.10)

www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

I want pfSense to determine which server in my internal network the traffic should be router based the subdomain used. I am looking around the web find a step by step instructions on this, but I was not able to find anything that is clear. The packages that seem to be recommended for this setup are the HAproxy, Squid3, and Apache with mod_security-dev

From what i saw I think the Apache might be the way to go, but I am not sure how to go about configuring it.

Does anyone knows what I will need to use and how should I set it up?

Thank you!

johnpoz

dns has nothing to do with ports..

Are you wanting for this to for external access, and you only have 1 public IP?  Or internally?

If you want externally users that hit your 1 public IP via a name to get sent to different private IPs you have to setup a reverse proxy for that.  If you want to serve up different sites via same server internally that is quite simple via any httpd server.

Guest

A redirection proxy server could do the job as well, if the Squid is able to do so I would give him a try.

firewalluser

@pfanatic:

Hello,

I have a problem that I am trying to solve and I do not believe I will be able to do without some help, so I appreciate any directions.

I want to setup various subdomains for main domain (example.com) that point to different IP addresses or different ports. Here is an example:

www.example.com –--> pfSense ---> webserver (10.10.10.10)

www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

I want pfSense to determine which server in my internal network the traffic should be router based the subdomain used. I am looking around the web find a step by step instructions on this, but I was not able to find anything that is clear. The packages that seem to be recommended for this setup are the HAproxy, Squid3, and Apache with mod_security-dev

From what i saw I think the Apache might be the way to go, but I am not sure how to go about configuring it.

Does anyone knows what I will need to use and how should I set it up?

Thank you!

Have you seen this thread? https://forum.pfsense.org/index.php?topic=23533.0

How have you got your domains setup with whoever who is looking after them? For example do you have to create the subdomains with whoever looks after your domain name or have you got it setup to forward to your pfsense setup for all DNS lookups?

If you have multiple fixed ip addresses and your domain name is handled by some other company not your pfsense fw, one way you can do this is to create a subdomain with the outside domain name company that points to one of your fixed ip's then on pfsense port forward the fixed ip to the relevant device or service.

eg

mail.domain.com –> 1.2.3.4 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
diary.domain.com --> 1.2.3.5 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
cam1.domain.com --> 1.2.3.6 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
cam2.domain.com --> 1.2.3.7 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service

Just be aware some devices like webcams are easy to hack, then install firmware with built in brute force cracker to then brute force test the main network. Brute force is slow over the internet, but getting a device like a webcam or automatic number plate recognition cam and upgrading its firmware means you are restricted by the speed of the local network behind pfsense which will be fast, some of my customers had fibre (splicing is an art) to web cams due to the 100m restriction CAT5/6 presents so make sure you have a proper DMZ in place to reduce your risks.

You security is only as good as the public facing services (mail, web servers, cams, voip, etc) you choose to employ and how they are isolated from other devices/services on the network.

Just so you know.

pfanatic

What I need to do as mentioned on my initial post is to have requests coming to my one public IP and have them redirect to proper server or website within my network.

www.example.com –--> pfSense ---> webserver (10.10.10.10)

www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

example.com is the public domain that is redirected to my one public IP and from there based on the sub-domain used I want the request to go to the proper server or service within the same server...as shown above.

I do not want to setup the sub-domains in my domain registrar all requests to *.example.com will go to my public ip.

I am aware that i need to use reverse proxy, but I was looking for some direction as to which package will be the best to do that in pfsense. and also does anyone has step by step instructions for setting this up in pfsense?

Thank you!

Derelict

You can't steer connections to certain ports with DNS unless the protocol/service you're dealing with understands some other type of record, like SRV records.

There is no facility to specify a port in a normal A or AAAA record.  They are (A)ddress records.

You really need to specify what you expect the outside ports to be.  www.mail.example.com:??? www.calendar.example.com:???

pfanatic

I will not be using DNS or A records.

The sub-domains will be handled by a Reverse Proxy. Please read the example and do not post comments that are missing the point about the problem I am trying to solve.

All I need is if anyone knows or can point to step by step instructions on how to setup a Reverse Proxy in pfSense. Perhaps with using Squid3, HAproxy or what ever the best option will be.

Thank you.

Guest

nginx or Squid3 as a reverse-proxy would do the job for you.

dkrizic

or HAProxy

gabe

If you are only dealing with http(s) and don't want that your clients have to type the port numbers for other services besides usual http(s) 80/443 (and so dealing with NAT), you need a reverse proxy.
Considering your calendar and mail servers are just web servers as well, any reverse web proxy will do the job, but personally I'd go with nginx (small, fast and well documented). Specifically, you're going to need the proxy_pass function. https://www.nginx.com/resources/admin-guide/reverse-proxy/
Hope it helps.

firewalluser

@pfanatic:

What I need to do as mentioned on my initial post is to have requests coming to my one public IP and have them redirect to proper server or website within my network.

My bad:
http://serverfault.com/questions/577103/how-to-configure-haproxy-to-route-by-port-without-using-multiple-frontend-or-lis
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html
earlier manual
http://www.haproxy.org/download/1.4/doc/configuration.txt

johnpoz

So your using a wildcard record..  Not really a good idea if you ask me.. What happens when user goes to sljdflsjdfljdljflsjdff.example com ??  What gets served?  Your default page?

In your example you have 2 private side Ips, .10 and .11 – if you this was all just on one box then you don't need a reverse proxy.  Your httpd can see the host headers and serve up whatever site you want to serve be it www.example.com or mail.example.com or whatever.example.com