Netgate Discussion Forum

    PfSense 2.3.2 - how do I setup multiple servers running the same HTTPS port?

      rowebil

      I am running pfSense 2.3.2_1.

      Here is my scenario -

      I have (1) Exchange Server using HTTPS and (1) Apache/Nginx Web Server running HTTP/S as well.
      Both are using the same port, including the web server using port 80 as well.
      Exchange Server does require an SSL cert, but I'm not sure if that's necessary to include on pfSense.
      It is bound on IIS so I assume from what I read that I may need to store the cert on pfSense?
      Honestly I'm not sure…

      How do I direct traffic coming to 'mail.domain.com' to a certain server IP on my LAN and 'personalwebsite.com' to a different server IP on my LAN?
      People mention squid reverse proxy and others mention HAProxy being better, but I have not seen any documentation on setting this up the way I intend.

      Now pfSense has changed and new features have been added - so I'm wondering what is currently the best way to set this up?

      Mind you, I am the only person using this Exchange Server and probably the only person that will be using the web server.
      The web server is for a project I'm developing and I'd rather host the site locally because I have better hardware than most web hosts.
      I'd like to access the website from the Internet (WAN) on its normal ports.
      So changing ports isn't really an option.

      The residential ISP I have allows all ports. I have a static IP.
      Another IP is out of the question. I do have another WAN link with an IP, but port 80 is blocked on that specific port.
      They only allow ports open on the static IP.

      All help is appreciated - you guys are very helpful!

      Thank you

        Derelict LAYER 8 Netgate

        HA proxy ought to be able to do that but only for clients that support SNI, which is a requirement for multiple SSL certificates on a single address:port no matter what the technology.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          doktornotor Banned

          +1 for HAproxy.

            rowebil

            @Derelict:

            HA proxy ought to be able to do that but only for clients that support SNI, which is a requirement for multiple SSL certificates on a single address:port no matter what the technology.

            Is there another way in pfSense to do this without dealing with SSL issues?
            OR even a different technology completely?

            As for another machine separate from pfSense that handles this traffic without SNI requirements?

            For example I have ONE server completely that directs traffic to different hosts based on the domain they're going to?

              Derelict LAYER 8 Netgate

              No. Nothing can deal with serving the same ip:port to two different services. You need some sort of proxy. Your web server might be able to do it. Not sure. Get more IPs or put things on different ports.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.