SOLVED: Redirect Inbound HTTPS/HTTP Requests Based on URL (Multiple ADFS farms)

  • Hello!

    This question was asked in 2008, and I've very lazily copy/pasted it, as I'm curious about the same thing, and whether there is a built-in solution for this nowadays (as opposed to having an IIS server doing the rerouting).



    Hi there,

    I've been digging around for a while with this one. Basically I would like to know if it is possible to configure pfSense to redirect inbound https traffic based on the URL. e.g.

    You have a small network with an Exchange server for OWA/OMA/RPC over HTTP and a separate Terminal Services Gateway server behind pfSense with a single WAN and single IP.

    As both the servers require 443 traffic, could the inbound requests for and be directed to the appropriate server?


  • What you want is a reverse proxy like haproxy that is available as a package for pfSense. IP level NAT can not accomplish what you want because pfSense's packet filter has no capability to look inside the data payloads of the IP packets it filters or NATs so it will not see the URLs used in the HTTP connections. I'm not familiar with how HTTPS redirects would work in a reverse proxy so someone else who knows more should comment on that.

  • Hi Kpa!

    Thanks, this is what I was looking for. Just wanted to make sure there was not something built-in.


  • I am trying to do something similar to this but with a bit of a twist, and looking at the config pages for HAProxy and Squid I did not see anything that jumped out as making this possible.

    In my current setup I have several servers each one with 1 or more web based applications running on different ports.

    PRTGServer has PRTG listening on say port 81
    AppServer1 has App1 listening on 8900, App2 on 8901 and App3 on 8902
    AppServer2 has App4 on 80 and App5 on 8903

    I have a registered domain and say it is called With my domain registrar I have set up port 80 redirects for several hosts to point to specific ports, and I have port forward rules set up to send the traffic to the correct server in the network.

    In this current setup it is working great but now I am wanting to use SSL on each of these apps which then changes the listening ports.

    PRTGServer has PRTG listening on say port 91
    AppServer1 has App1 listening on 9900, App2 on 9901 and App3 on 9902
    AppServer2 has App4 on 90 and App5 on 9903

    I have tried messing around with setting the port 80 redirects on the domain registrar to be the new ports, then having new NAT rules to send them to the correct server, which I figured wouldn't work but was worth a try. Is there any way to make this work?

  • HTTPS uses port 443. Also, what prevents you from just pointing all domains to your own WAN IP instead of some provider redirect, and making haproxy send it to the appropriate backend/server?

  • @PiBa:

    HTTPS uses port 443. Also, what prevents you from just pointing all domains to your own WAN IP instead of some provider redirect, and making haproxy send it to the appropriate backend/server?

    Mostly for the fact I have not figured out how to get HAProxy to redirect domains to servers with ports.

  • In the backend/server definition you can set the port to use. Other than that, use ACLs and actions to select the desired backend.

  • Hello PiBa,

    I've been trying to set this up via HAProxy, but to no avail. Maybe you can guide me on this.

    My goal: 2 backend services both listening on the same WAN address for 443.
    I used to use NAT rules for this, switching the order of the NAT rules if service1 needed to become active, or service2.
    I am under the impression that HAProxy can determine which backend to select, based on the ACL options (e.g. request for -> backend1, and request for -> backend2).

    1st question: Do I need to keep my NAT rules in place, or are they redundant by using HAProxy?

    EDIT: I think I've gotten a step further; I realized that the firewall was terminating all traffic, so instead of NAT rules forwarding 443, I've opened up port 443 as a whole on the firewall. I now see the proxy being hit with requests.

    Setup question:
    I've configured the following:

    All further settings are left unchecked / default.


    All further settings are left unchecked / default.


    All further settings are left unchecked / default.

    However, I don't get any response / redirect for the services. It simply doesn't seem to pick it up.
    I already tried disabling my NAT rules, but then traffic simply isn't forwarded at all. When I keep them enabled, the only site responding is the one in the first order rule, like it worked before.

    Am I making a config or design error? Based on the above, what should I change to meet my goal?

    Many thanks in advance! Let me know if you need more info.

  • Indeed a firewall rule needs to allow traffic but you found that :).

    With the current settings:
    -frontend that listens on :443 without 'ssl offloading' checked behind it (and probably no certificate selected at the bottom)
    -the 'Type' you have selected is "http/https(offloading)"
    These 2 settings don't match. You will likely be sending https traffic to that 443 port, but are not using offloading.

    So you need to decide: do you want to use ssl-offloading or not?
    -With offloading, certificates need to be present on pfSense and configured on haproxy, and haproxy can use and modify host headers and keep stats of different response codes.
    -Without offloading, haproxy can only use SNI to determine the proper backend, and will not be able to read or modify headers.

    So to 'fix' the configuration, either:
    -enable offloading on the external address and configure certificates, or
    -change the type to https(tcp), and change the ACLs to use SNI (Server Name Indication).
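    The two configurations PiBa contrasts, written out as a raw haproxy.cfg rather than as pfSense package GUI settings. This is an added example, not a config from this thread or from the pfSense HAProxy package; the addresses, hostnames, certificate paths and backend ports are assumptions. It also covers the earlier question about backends on non-standard ports: the port goes on the `server` line, so each app can keep its own listening port behind one public :443.

    ```haproxy
    # Added example: two ways to route one public :443 to several backends.
    # All IPs, hostnames and paths below are placeholders (assumptions).

    global
        log /dev/log local0

    defaults
        log     global
        timeout connect 5s
        timeout client  30s
        timeout server  30s

    # Variant 1: no SSL offloading (pfSense frontend type "https(tcp)").
    # HAProxy never decrypts, so the only routing key it has is the SNI
    # name sent in clear in the TLS ClientHello; HTTP headers are invisible.
    frontend https_sni_passthrough
        bind 203.0.113.10:443
        mode tcp
        # Hold the connection until a complete ClientHello is buffered;
        # without this the SNI ACLs are evaluated on an empty buffer and
        # every connection falls through to the default backend.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        acl sni_adfs req.ssl_sni -i adfs.example.com
        acl sni_app  req.ssl_sni -i app.example.com

        use_backend adfs_wap if sni_adfs
        use_backend app1_tcp if sni_app
        # Unknown or missing SNI: reject instead of silently handing the
        # connection to whichever backend happens to be listed first.
        default_backend reject_unknown_sni

    backend adfs_wap
        mode tcp
        # The client's TLS session terminates on the Web Application Proxy,
        # so the certificate stays there and SNI reaches it unchanged.
        server wap1 192.168.1.20:443 check

    backend app1_tcp
        mode tcp
        # Non-standard backend port is set on the server line.
        server app1 192.168.1.30:9900 check

    backend reject_unknown_sni
        mode tcp
        tcp-request content reject

    # Variant 2: SSL offloading (frontend type "http/https(offloading)").
    # The certificate lives on pfSense, HAProxy decrypts, and routing can use
    # the HTTP Host header; headers can be read/rewritten and per-status-code
    # stats kept. Bound to :8443 here only so both variants load in one file;
    # in practice you run one or the other on :443.
    frontend https_offload
        bind 203.0.113.10:8443 ssl crt /var/etc/haproxy/example.pem
        mode http
        http-request set-header X-Forwarded-Proto https

        acl host_adfs hdr(host) -i adfs.example.com
        acl host_app  hdr(host) -i app.example.com

        use_backend adfs_http if host_adfs
        use_backend app1_http if host_app
        # No default_backend: unmatched Host names get a 503 from HAProxy.

    backend adfs_http
        mode http
        # Re-encrypt to the backend and verify its certificate against the
        # internal CA; "verify none" would let any host impersonate the WAP.
        server wap1 192.168.1.20:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem check

    backend app1_http
        mode http
        server app1 192.168.1.30:9900 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem check
    ```

    The `tcp-request inspect-delay` plus `req.ssl_hello_type 1` pair is the part most often missing when SNI routing "doesn't pick anything up": without it HAProxy decides the backend before the ClientHello has arrived. With passthrough (variant 1) HAProxy cannot log URLs or response codes for these connections, so that visibility has to come from the backend's own logs.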

  • Thanks PiBa,

    I was getting on track in this direction indeed :)
    I don't want to use offloading, so SNI headers, which brings me into a whole new ballgame when it comes to using Web Application Proxy between the AD FS and HAProxy.

    Either way, back to the drawing board.

    Thanks again! :)


    IT WORKS :):):)

    Thanks a lot!

  • Without offloading you do have SNI available from the SSL layer. Just no Host HTTP header.
