HAProxy, Pound, Squid-Reverse & Varnish
-
Dear all,
I've tried and spent hours configuring HAProxy, Pound, Squid-Reverse & Varnish.
My goal is to set up a reverse proxy handling host-headers to the corresponding servers and Load Balance if applicable. For HTTP as well as HTTPS.
- http://www.domain.com/ refers to server: 192.168.125.10 (port 80)
- http://www.domain1.com/ refers to server: 192.168.125.11 (port 80)
- http://extranet.domain.com/ refers to server: 192.168.125.21 (port 80 + LB)
- http://extranet.domain.com/ refers to server: 192.168.125.23 (port 80 + LB)
- https://intranet.domain.com/ refers to server: 192.168.140.241 (port 443 & 987 + LB)
- https://intranet.domain.com/ refers to server: 192.168.140.245 (port 443 & 987 + LB)
- https://webmail.domain.com/owa refers to server: 192.168.140.245 (port 443; MS Exchange + LB)
- https://webmail.domain.com/owa refers to server: 192.168.140.247 (port 443; MS Exchange + LB)
I can't figure out how to configure all the above packages; all without any luck. All packages except Pound are not implemented in pfSense. Some people swear by one package others to complete others. Which one to choose? Could somebody help me configure one of the most suitable and stable packages?
Thanks in advance,
Canefield -
canefield,
I think your first try should be configuring just squid-reverse.
I'm very busy these days with my job and some package improvements (including squid-reverse).
It's on my todo list to simplify this publishing process and I believe that squid-reverse is the most simple package for reverse proxy with http/https.
Regards,
Marcello Coutinho -
Marcello,
Thanks for your reply. I will have a closer look at Squid. Could somebody help me out configuring this? I'm new to Linux and pfSense. I don't have any clues.
Thanks,
Canefield -
canefield,
I think your first try should be configuring just squid-reverse.
I'm very busy these days with my job and some package improvements (including squid-reverse).
It's on my todo list to simplify this publishing process and I believe that squid-reverse is the most simple package for reverse proxy with http/https.
Regards,
Marcello Coutinho

I've been using pound for a while but prefer to use packages that are built for pfSense (for support reasons). I agree with marcelloc that squid-reverse would be the way to go, but LB options are not in the GUI (at least from what I can tell). Hopefully this will be added soon because the syntax is different when setting up Reverse-Proxy with LB (http://wiki.squid-cache.org/SquidFaq/ReverseProxy#Load_balancing_of_backend_servers) but it's straightforward. For performance, I've heard Varnish is the way to go but the configuration can be very complex.
-
Cino,
Thanks for your reply. You're telling me it is pretty straightforward, but I don't get it. As you're indicating I believe I also should use packages included and supported by pfSense.
Could somebody provide me with a working configuration, step-by-step example, screenshots, etc.?
Thanks,
Canefield -
Canefield,
Here is how I configured the Reverse settings tab for my setup:
Reverse Proxy interface: loopback (could be your WAN, but I set up a NAT Port-forward rule)
external FQDN: FQDN that will resolve the public IP, example your WAN IP
Enable HTTP reverse mode: checked
reverse HTTP port: 9080 (could be 80 but the NAT Port-forward rule will direct traffic from port 80 to 9080)

peer definitions:
HOST_SERVER1;192.168.0.150;80;HTTP
HOST_SERVER2;192.168.0.100;80;HTTP
HOST_SERVER3;192.168.0.50;80;HTTP
HOST_SERVER4;192.168.0.10;80;HTTP

URI definitions:
WEBAPP_SERVER1;;http://host1.domain.net
WEBAPP_SERVER1;;http://host2.domain.net
WEBAPP_SERVER1;;http://host3.domain.net
WEBAPP_SERVER2;;http://host1.domain2.com
WEBAPP_SERVER2;;http://box.domain2.net
WEBAPP_SERVER2;;http://boxone.domain2.net
WEBAPP_SERVER2;;http://domain2.net
WEBAPP_SERVER2;;http://..domain2.net (wildcard for host names)
WEBAPP_SERVER3;;http://domain3.net
WEBAPP_SERVER4;*;http://domain4.net

ACL definitions:
HOST_SERVER1;WEBAPP_SERVER1
HOST_SERVER2;WEBAPP_SERVER2
HOST_SERVER3;WEBAPP_SERVER3
HOST_SERVER4;WEBAPP_SERVER4

create a NAT rule:
interface WAN
Protocol TCP
DEST: WAN Address
DEST Port: 80
Redirect IP: 127.0.0.1
Redirect Port: 9080
Filter rule association: Create associated filter rule

I haven't tried https, but see if you can get http to work first… Maybe someone else can help with HTTPS... Like I said before, LB options aren't built into the GUI from what I can tell but it's probably in the works (I hope anyways)
Hope this helps
Stephen
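
The load-balancing syntax mentioned above (the Squid FAQ link) for the extranet.domain.com case from the first post, HTTP only, as an added example that is not part of the thread and not output of the pfSense package. The peer names extranet_a/extranet_b and the ACL name are made up; the port and loopback listener follow the NAT rule in the previous post.

```conf
# Added example: hand-written squid.conf lines, not generated by the pfSense GUI.

# Listen as an accelerator (reverse proxy) on the port the NAT rule redirects to.
http_port 127.0.0.1:9080 accel vhost defaultsite=extranet.domain.com

# Two origin servers for the same site; round-robin alternates between them.
# extranet_a / extranet_b are hypothetical peer names.
cache_peer 192.168.125.21 parent 80 0 no-query originserver round-robin name=extranet_a
cache_peer 192.168.125.23 parent 80 0 no-query originserver round-robin name=extranet_b

# Only requests whose Host header matches this name are published.
acl extranet_site dstdomain extranet.domain.com

# Each peer serves the published site and nothing else.
cache_peer_access extranet_a allow extranet_site
cache_peer_access extranet_a deny all
cache_peer_access extranet_b allow extranet_site
cache_peer_access extranet_b deny all

# Always go through the configured peers, never fetch a URL directly.
never_direct allow all

# Default deny: without this the listener can be used as an open forward proxy.
http_access allow extranet_site
http_access deny all
```

The closing `http_access deny all` and the per-peer `deny all` lines are what keep requests for any other Host header from being forwarded to the backends.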