Netgate Discussion Forum

Multiple Web Servers

17 Posts 3 Posters 1.1k Views
  • N
    natethegreat21
    last edited by Dec 2, 2022, 6:22 PM

    Hey guys, I know this is going to be a stupid question, so please forgive me, but I have only had 1 web server for the longest time and used port forwarding for ports 80 and 443. Now I have a new web server, and that also needs ports to be forwarded to the subdomain I created, so I'm having a difficult time trying to find the best way to do that in pfSense. Thank you!

    • V
      viragomann @natethegreat21
      last edited by Dec 2, 2022, 6:30 PM

      @natethegreat21
      Port forwarding is based on IPs and ports only. It cannot determine the host name.
      So either get a second public IP for the additional server or install HAproxy on pfSense. HAproxy works on layer 7 and can detect the domain or host name and forward requests to the proper backend server.

      If your websites are less critical you can also run a proxy on one of the web servers. That's what I do in my home setup, because proxying on Apache is quite simple.

      • N
        natethegreat21 @viragomann
        last edited by Dec 2, 2022, 6:35 PM

        @viragomann Okay, I think I will try HAproxy. I will need to look up how to set it up, as I haven't used it before, but thanks so much for your help!

        • V
          viragomann @natethegreat21
          last edited by Dec 2, 2022, 6:42 PM

          @natethegreat21
          I learned some things from here:
          https://github.com/ahuacate/pfsense-haproxy/blob/master/README.md
          https://docs.deeztek.com/books/pfsense/page/pfsense-haproxy-softether-vpn
          https://cbonte.github.io/haproxy-dconv/2.2/configuration.html

          • N
            natethegreat21 @viragomann
            last edited by Dec 2, 2022, 6:47 PM

            @viragomann That's super helpful. Thank you so much!

            • N
              natethegreat21 @viragomann
              last edited by Dec 2, 2022, 9:23 PM

              @viragomann I installed and set up the software, but for some reason it's not passing any traffic to the destinations. HAProxy 7.PNG HAProxy 6.PNG HAProxy 5.PNG HAProxy 4.PNG HAProxy 3.PNG HAProxy 2.PNG HAProxy 1.PNG

              • N
                natethegreat21 @natethegreat21
                last edited by Dec 2, 2022, 9:36 PM

                @natethegreat21 Stats.PNG

                • V
                  viragomann @natethegreat21
                  last edited by viragomann Dec 2, 2022, 10:01 PM Dec 2, 2022, 9:59 PM

                  @natethegreat21
                  I'm not experienced with TCP mode, I only use https with SSL offloading.
                  For http/s offloading mode you need to import your SSL certificates into pfSense.

                  Anyway you need a pair of ACL + Action for each backend.
                  Each ACL must have a unique name if you configure both in a single frontend, e.g. game, nextcloud.

                  In TCP mode the proxy cannot read the host header, so it doesn't know the host name. It could only see the SNI.
                  So you might have to uncheck the ACL expression; you have to select something like "SNI extension matches" and enter the SAN name of the SSL certificate.

                  Also I can't really see how you did the port 80 redirection.

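The two approaches from the reply above, written as a raw HAProxy configuration (an added example, not taken from the thread or from anyone's actual pfSense setup). The host names, backend addresses and certificate directory are placeholders; the ACL names `game` and `nextcloud` follow the reply's example.

```haproxy
# Added example. Enable ONE of the two :443 frontends, not both.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: TCP mode (TLS passthrough). HAProxy never decrypts, so the Host
# header is invisible; the only name it can match is the SNI in the ClientHello.
frontend https_passthrough
    bind :443
    mode tcp
    tcp-request inspect-delay 5s                        # wait for the ClientHello
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl game      req.ssl_sni -i game.example.com       # placeholder host names
    acl nextcloud req.ssl_sni -i nextcloud.example.com
    use_backend game_tls      if game
    use_backend nextcloud_tls if nextcloud
    # No default_backend: a name that matches no ACL is dropped instead of
    # being handed to an arbitrary internal server.

backend game_tls
    mode tcp
    server game 192.168.1.10:443 check                  # placeholder addresses
backend nextcloud_tls
    mode tcp
    server nextcloud 192.168.1.20:443 check

# Option B: HTTP mode with SSL offloading. TLS ends on the firewall, so the
# certificates must be present there and the Host header becomes readable.
frontend https_offload
    bind :443 ssl crt /path/to/certs/                   # placeholder cert directory
    mode http
    acl game      hdr(host) -i game.example.com
    acl nextcloud hdr(host) -i nextcloud.example.com
    use_backend game_http      if game
    use_backend nextcloud_http if nextcloud

# Port 80 only redirects to HTTPS; it never reaches a backend.
frontend http_redirect
    bind :80
    mode http
    http-request redirect scheme https code 301

backend game_http
    mode http
    server game 192.168.1.10:80 check
backend nextcloud_http
    mode http
    server nextcloud 192.168.1.20:80 check
```

With Option B the hop from the firewall to each web server is plain HTTP unless the `server` lines are given `ssl` and certificate verification options.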
                  • N
                    natethegreat21 @viragomann
                    last edited by natethegreat21 Dec 2, 2022, 11:46 PM Dec 2, 2022, 11:14 PM

                    @viragomann I'm going to change it to offloading. What are you missing for port 80? Does it not make sense? Yeah, so now it's saying the site can't provide a secure connection, SSL error, probably because the certs are not there. Should I just generate new certs or reuse the existing one on the Linux box?

                      • V
                        viragomann @natethegreat21
                        last edited by Dec 3, 2022, 12:20 AM

                        @natethegreat21 said in Multiple Web Servers:

                        What are you missing for port 80? Does it not make sense?

                        I simply cannot see how it works from your screenshots.

                        Should I just generate new certs or reuse the existing one on the Linux box?

                        Sounds like you're using self-signed certificates.
                        If so, you can generate a new one as well, but you can also import existing certificates into pfSense using the cert manager and then assign them in HAproxy.

                        • N
                          natethegreat21 @viragomann
                          last edited by Dec 3, 2022, 12:29 AM

                          @viragomann I just used Acme and generated some LetsEncrypt certs as well as added them to the DNS on my domain provider. Anything greyed out is my public IP or the web address.

                          • N
                            natethegreat21 @viragomann
                            last edited by Dec 3, 2022, 12:38 AM

                            @viragomann http3.PNG http2.PNG http1.PNG

                            • N
                              natethegreat21 @viragomann
                              last edited by Dec 3, 2022, 12:41 AM

                              @viragomann Backend 1.PNG

                              • N
                                natethegreat21 @viragomann
                                last edited by Dec 3, 2022, 12:45 AM

                                @viragomann Frontend 3.PNG Frontend 2.PNG Frontend 1.PNG

                                • N
                                  natethegreat21 @natethegreat21
                                  last edited by Dec 4, 2022, 7:50 PM

                                  @natethegreat21 Closing this out and opening a new topic.
