Netgate Discussion Forum

PfSense 2.3.2 - how do I setup multiple servers running the same HTTPS port?

    rowebil
    last edited by Nov 19, 2016, 10:46 PM Nov 19, 2016, 10:42 PM

    I am running pfSense 2.3.2_1.

    Here is my scenario -

    I have (1) Exchange Server using HTTPS and (1) Apache/Nginx Web Server running HTTP/S as well.
    Both are using the same port, including the web server using port 80 as well.
    Exchange Server does require an SSL cert, but I'm not sure if that's necessary to include on pfSense.
    It is bound on IIS so I assume from what I read that I may need to store the cert on pfSense?
    Honestly I'm not sure…

    How do I direct traffic coming to 'mail.domain.com' to a certain server IP on my LAN and 'personalwebsite.com' to a different server IP on my LAN?
    People mention squid reverse proxy and others mention HAProxy being better, but I have not seen any documentation on setting this up the way I intend.

    Now pfSense has changed and new features have been added - so I'm wondering what is currently the best way to set this up?

    Mind you, I am the only person using this Exchange Server and probably the only person that will be using the web server.
    The web server is for a project I'm developing and I'd rather host the site locally because I have better hardware than most web hosts.
    I'd like to access the website from the Internet (WAN) on its normal ports.
    So changing ports isn't really an option.

    The residential ISP I have allows all ports. I have a static IP.
    Another IP is out of the question. I do have another WAN link with an IP, but port 80 is blocked on that specific port.
    They only allow ports open on the static IP.

    All help is appreciated - you guys are very helpful!

    Thank you

      Derelict LAYER 8 Netgate
      last edited by Nov 19, 2016, 10:58 PM

      HA proxy ought to be able to do that but only for clients that support SNI, which is a requirement for multiple SSL certificates on a single address:port no matter what the technology.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        doktornotor Banned
        last edited by Nov 19, 2016, 11:04 PM

        +1 for HAproxy.

          rowebil
          last edited by Nov 20, 2016, 12:10 AM

          @Derelict:

          HA proxy ought to be able to do that but only for clients that support SNI, which is a requirement for multiple SSL certificates on a single address:port no matter what the technology.

          Is there another way in pfSense to do this without dealing with SSL issues?
          OR even a different technology completely?

          As for another machine separate from pfSense that handles this traffic without SNI requirements?

          For example I have ONE server completely that directs traffic to different hosts based on the domain they're going to?

            Derelict LAYER 8 Netgate
            last edited by Nov 20, 2016, 12:12 AM

            No. Nothing can deal with serving the same ip:port to two different services. You need some sort of proxy. Your web server might be able to do it. Not sure. Get more IPs or put things on different ports.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.