Netgate Discussion Forum

Routing WAN Traffic Based on Hostname/Domain Name to Static IP Address on LAN?

NAT
6 Posts 2 Posters 2.7k Views
  • M
    MichaelCropper
    last edited by MichaelCropper Feb 11, 2021, 8:41 PM Feb 11, 2021, 8:34 PM

    I'm running through the settings in pfSense trying to get up to speed with different things and wondering how you go about doing this. Seems a fairly straightforward thing to do, but doesn't seem obvious where this is configured as there are a lot of similar setting screens.

    i.e. User --> www.example.com --> Resolves to external IP of pfSense box --> {config magic here somewhere in pfSense - based on incoming traffic on WAN interface} --> Static IP of VM on LAN interface.

    I should add. I'm looking for this to work purely off the hostname, example.com or www.example.com. So that multiple ports forward through to the VM and that the SSL handshake also passes straight through to the VM rather than the SSL being handled by the pfSense firewall itself.

    • J
      johnpoz LAYER 8 Global Moderator @MichaelCropper
      last edited by johnpoz Feb 11, 2021, 8:55 PM Feb 11, 2021, 8:54 PM

      HAproxy does this. If you want to send say

      something.domainX.tld to 192.168.1.100
      otherthing.domainX.tld to 192.168.1.101

      etc.

      If you're going to want to do normal 443.. Prob a good idea to change pfsense https port to something other. There is no way currently to pick which interfaces/IP the webgui listens on. So if you're going to want to use 443 for anything else, be it haproxy listening or openvpn, etc.

      I have my webgui ssl port on 8443 for example.

      HAproxy can either do ssl offloading and handle the ssl for you, or you can just pass it through.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • M
        MichaelCropper @johnpoz
        last edited by MichaelCropper Feb 11, 2021, 9:54 PM Feb 11, 2021, 9:54 PM

        @johnpoz Excellent, thanks for the info re. HAproxy, I'll have a play with that once I've installed the package.

        Ultimately what I'm aiming to achieve is a basic setup of the following, the majority of which will be public facing VMs within the Server running XCP-NG;

        • Internet
          • Modem
            • pfSense
              • VLAN/Subnet 1
                • PC 1
              • VLAN/Subnet 2, 3, 4, 5, 6
                • Server running XCP-NG
                  • VM 1
                  • VM 2

        Sounds like HAproxy should do the job for a basic setup.

        As a Phase 2, looking more at the open source cloud platforms to see if I can get that up and running which should be fun. Not sure if life would be made easier at that point with multiple IPs at the entry point to help route through to the right place easier.

        • J
          johnpoz LAYER 8 Global Moderator @MichaelCropper
          last edited by Feb 11, 2021, 9:56 PM

          Well if you had multiple public IPs - then you wouldn't need reverse proxy. As long as you had enough for each server you want to send to.

          • M
            MichaelCropper @johnpoz
            last edited by Feb 11, 2021, 10:06 PM

            @johnpoz I've access to around 10 at the moment, only one in use at present, but I can purchase another 9 or so for very minimal cost.

            Is it generally best practice to aim to route on WAN IP, rather than hostname, for the above kind of setup rather than using tools such as HAproxy, or is it generally a mixture of both?

            I.e. Imagine wanting to run a combination of 'things' on the single physical server (massive capacity) behind the firewall for;

            • cPanel WHM environment (within a single massive VM within XCP-NG) - Sounds like this may be best as IP WAN based routing
            • Standard VMs for specific requirements - Sounds like this may be best as HAproxy routing
            • Open source cloud platforms such as OpenStack or CloudStack (multiple VMs for the different components behind the scenes that need to be configured) - Sounds like this may be a mixture of both

            Ultimately, while I've got a decent bit of hardware, I haven't got a £100k setup as this is in a home lab. But I'm wanting to replicate an enterprise class environment. (I've a lot to learn, hence the questions!!!)

            Thoughts?

            • J
              johnpoz LAYER 8 Global Moderator @MichaelCropper
              last edited by Feb 11, 2021, 11:33 PM

              All depends on what you're doing, what you're serving, etc.

              Both methods are valid - you can get some security behind a reverse proxy like HAproxy.. But it's normally easier to just forward based on IP than having to deal with the headers, etc.

              But with using a proxy you can also do some really neat stuff as well..


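The hostname routing with TLS passed through that the thread discusses corresponds to an HAProxy TCP-mode frontend that reads the SNI name from the TLS ClientHello. The fragment below is an added example, not configuration posted by either participant: the hostnames and LAN addresses are the ones given in the thread, while the section names, timeouts and port 443 on the VMs are assumptions.

```haproxy
# Added example: SNI-based routing with TLS passthrough (no certificate on the proxy).
# Section names, timeouts and backend port 443 are assumptions.
defaults
    mode tcp                      # forward raw TCP; the TLS handshake is completed by the VM
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_in
    # The pfSense webGUI must already be moved off 443 (e.g. to 8443) for this bind to work.
    bind :443
    # Buffer the start of the connection until a TLS ClientHello has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the server name the client sent in the clear in its ClientHello.
    use_backend vm_something  if { req.ssl_sni -i something.domainX.tld }
    use_backend vm_otherthing if { req.ssl_sni -i otherthing.domainX.tld }
    # No default_backend: a connection with a missing or unknown SNI is not forwarded.

backend vm_something
    server vm1 192.168.1.100:443 check

backend vm_otherthing
    server vm2 192.168.1.101:443 check
```

This only works for TLS connections that carry a server name; plain TCP services on other ports have no hostname for the proxy to inspect and need a port forward or a dedicated public IP instead. In passthrough mode the backend sees the proxy's address as the client unless the PROXY protocol or a similar mechanism is configured on both ends.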
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.