Need help in understand what to configure for multiple website redirection



  • I'm trying to figure out how to solve my problem. I have the following network setup.

    I have traffic from security clients sending requests to http://secure.mydomain.com:443. The traffic is plain HTTP marked with the MIME type "application/octet-stream" and the HTTP payload is tunneling another secured protocol. The requests are served by a Windows hosted C++ service. pfSense is currently forwarding all 443 traffic to the IP this service is listening on.

    I then have websites such as:
    http://website.mydomain.com:80
    http://pictureweb.mydomain.com:80
    http://webmail.mydomain.com:80

    pfSense is NAT'ing all port 80 traffic to a Windows IIS server that serves up the correct website based on the hostname requested above.

    I need to add two new services to the network.
    1. I have a Linux server with Oracle WebLogic Server and Portal running. I want to serve this site over both HTTP:80 and HTTPS:443.
    2. I want to add SSL to some of the websites running on the IIS server.

    Therefore I need to redirect HTTP:80 and HTTPS:443 to different internal addresses which I can't do currently with simple NAT in pfSense because the firewall works at the IP address level and isn't aware of things like HTTP host headers.

    Can squid help me here? Would it be possible to install the squid pfSense package and configure it to reverse proxy all this traffic for me?

    I know what I really need is 3-4 static IPs from my ISP. But unfortunately I don't have that luxury and I'm trying to squeeze a lot of functionality down a regular Comcast cable. If it just isn't possible then I'll have to spread all these services over different ports, but I would really like to try and stick with the correct ports for each of these services.

    Your advice and guidance is much appreciated.

    Simon



  • You definitely won't be able to get both SSL and cleartext traffic onto the same IP/port. The encryption in HTTPS is set up before any headers are sent, so the server is unable to differentiate by hostname.

    Proxying by virtual host shouldn't be hard to set up in squid, and I'm fairly sure you can do it, though I haven't used squid with pfSense so I can't help you there. There are lots of potential alternative ways to do this part though; Apache and many other web servers and reverse proxies have no trouble with that.
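As an added illustration of the "proxy by virtual host" approach the reply suggests (this is not configuration from the thread or from the pfSense squid package, and it has not been tested against the original poster's setup), here is the shape of a Squid accelerator configuration that picks the internal origin server from the requested hostname. The internal addresses 192.168.1.10 (IIS) and 192.168.1.20:7001 (WebLogic), the public name portal.mydomain.com for the WebLogic site, and the certificate paths are all assumptions for the example. pfSense would forward ports 80 and 443 to the host running Squid instead of to IIS. The existing plain-HTTP service on secure.mydomain.com:443 is deliberately not included, because per the reply above it cannot share port 443 with TLS traffic.

```conf
# squid.conf fragment: reverse proxy (accelerator) that routes by Host header.
# Assumed values (not from the thread): IIS at 192.168.1.10:80,
# WebLogic at 192.168.1.20:7001 published as portal.mydomain.com,
# certificate/key paths under /usr/local/etc/squid/.

# Public listeners. "accel" = reverse-proxy mode, "vhost" = use the
# Host header (not the destination IP) to choose the origin server.
http_port  80  accel vhost
# TLS is terminated here for the sites that should be offered over HTTPS;
# Squid then talks plain HTTP to the internal origin servers.
https_port 443 accel vhost cert=/usr/local/etc/squid/server.crt key=/usr/local/etc/squid/server.key

# Internal origin servers (ICP port 0 + no-query: plain HTTP origins, no peer queries).
cache_peer 192.168.1.10 parent 80   0 no-query originserver name=iis
cache_peer 192.168.1.20 parent 7001 0 no-query originserver name=weblogic

# Which public hostnames belong to which origin.
acl iis_sites     dstdomain website.mydomain.com pictureweb.mydomain.com webmail.mydomain.com
acl weblogic_site dstdomain portal.mydomain.com

# Map each hostname to its own origin only; everything else is refused.
cache_peer_access iis      allow iis_sites
cache_peer_access iis      deny  all
cache_peer_access weblogic allow weblogic_site
cache_peer_access weblogic deny  all
never_direct allow all   # never fetch from the Internet; only via the origins above

# Accept only the hostnames we publish, so the box cannot be abused as an
# open forward proxy. Requests for any other Host value get a 403.
http_access allow iis_sites
http_access allow weblogic_site
http_access deny  all
```

Two things a practitioner would check after applying something like this: that a request with an unknown Host header (for example `curl -H 'Host: example.com' http://<public-ip>/`) is refused rather than relayed, and that the origin servers are reachable only from the proxy host, since TLS is now terminated on the proxy and the hop to IIS/WebLogic is cleartext on the LAN.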

