Netgate Discussion Forum

How to manage multiple websites behind pfSense

  • M
    mauro.tridici
    last edited by Jul 14, 2021, 11:34 AM

    Dear Users,

    I'm a newbie and I'm trying to implement the following scenario using pfSense.
    In particular, I would like to protect 3 different websites that are running in the backend (behind pfSense).

    In my mind, a general user should be able to reach each different website specifying related DNS name.

    For example:

    • if a user wants to visit site01.domain.com, pfSense should redirect the request to 192.168.1.11 server
    • if a user wants to visit site02.domain.com, pfSense should redirect the request to 192.168.1.12 server
    • if a user wants to visit site02.domain.com:8080, pfSense should redirect the request to 192.168.1.13 server

    Can I implement this kind of scenario? If yes, how can I do it?

    Thank you very much,
    Mauro

    • V
      viragomann @mauro.tridici
      last edited by Jul 14, 2021, 11:58 AM

      @mauro-tridici
      pfSense itself works on layer 3 and hence sees only the destination IP and port. So you basically need a different external IP / port combination for each website, when you want to forward it to different backends.

      To use a single IP / port combination for multiple host names and forward it to different backend hosts on pfSense, you have to install a reverse proxy package like HAproxy. This works on L7 and can inspect the host header in common protocols.

      • J
        johnpoz LAYER 8 Global Moderator @mauro.tridici
        last edited by Jul 14, 2021, 12:06 PM

        @mauro-tridici said in How to manage multiple websites behind pfSense:

        Can I implement this kind of scenario? If yes, how can I do it?

        As stated by @viragomann, HAproxy is what you're looking for; it can do your example setup just fine. Your site1 and 2 example would be HAproxy, your site2:8080 port thing could just be normal port forwarding.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          mauro.tridici @viragomann
          last edited by Jul 14, 2021, 12:14 PM

          @viragomann many thanks for the explanation. Following your input, I just found a lot of guides about pfSense, ACME, and HAproxy. I really appreciated it.

          • M
            mauro.tridici @johnpoz
            last edited by Jul 14, 2021, 12:19 PM

            @johnpoz thank you for your help. Netgate community is so reactive :) and it is very good for a newbie. Thanks again. I merged the content of both the answers and I think I'm on the right way now.

            • J
              johnpoz LAYER 8 Global Moderator @mauro.tridici
              last edited by Jul 14, 2021, 12:35 PM

              You can have haproxy use acme certs as well, and do ssl offloading for stuff that doesn't support ssl on its own, just so you have 1 place to manage the ssl stuff.

              I host a couple of different sites using acme certs on haproxy. And also share the 443 port with my openvpn server instance that listens on 443 (for when 1194 udp is blocked).

              You can also set up sni restrictions - so some bot hitting your 443 port on just your IP and not using and sending the sni won't get any info back. I am a fan of this sort of control for sure.


              • N NogBadTheBad referenced this topic on Dec 25, 2023, 2:49 PM
              • N
                nick.loenders
                last edited by Apr 23, 2024, 9:20 AM

                Can I also use 3 different public IPs and THEN do the NAT?

                so
                one.domain.com has 81.82.120.21
                two.domain.com has 81.82.120.22
                three.domain.com has 81.82.121.23

                and then make sure on the pfSense the NAT forwards
                one.domain.com:443 to 192.168.10.11:21443
                two.domain.com:443 to 192.168.10.11:22443
                three.domain.com:443 to 192.168.10.11:23443

                ?

                I can't use 192.168.10.11:443 as this is used by the TSGATE service.

                • V
                  viragomann @nick.loenders
                  last edited by viragomann Apr 23, 2024, 10:05 AM

                  @nick-loenders
                  Yes, you can do this. But to be accurate, you have to forward a certain destination IP and port to a target IP and port, not domains; pfSense can't see them.

                  So you forward
                  81.82.120.21:443 to 192.168.10.11:21443
                  81.82.120.22:443 to 192.168.10.11:22443
                  81.82.121.23:443 to 192.168.10.11:23443
