Pfsense, varnish & port 80 - can i do this?



  • Hi everyone,

    I already installed varnish into pfsense, but I'd like to check whether varnish can meet my requirements.

    I have 1 Public Static IP e.g. 175.20.X.X.

    I have 3 web domains e.g.

    www.domain1.com - my corporate site (port 80) which to be routed to internal ip 192.168.1.5
    www.domain2.com - my business portal (port 80) which to be routed to internal ip 192.168.1.6
    www.domain3.com - my erp system (port 80) which to be routed to internal ip 192.168.1.7

    All 3 domains are registered via godaddy. I already pointed these 3 domains to my 1 public static IP (175.20.X.X).

    Now all my domains are on port 80.

    When my customer visited www.domain1.com, can varnish pass the customer to the right server which is 192.168.1.5?

    Note: as mentioned above, all 3 domains are for different uses.

    I already enabled the port 80 to * for my pfsense firewall rules. But I can't figure out how to make this work.

    Any help? Thanks.



  • @ericmachine:

    can varnish pass the customer to the right server which is 192.168.1.5?

    Sure.

    Remove nat on port 80 if any.

    Listen varnish on 80 and disable web gui redirect rule on system -> advanced

    Allow connections on wan port 80 and then configure varnish



  • Thanks for replying back.

    I tried like what you recommended, but I couldn't get them working.

    Just to confirm again. All my internal web servers are using port 80 as follows.

    backend #1: 192.168.1.5
    port: 80
    LB: url equals www.domain1.com
    probe url: /
    connect timeout: 600s
    first timeout: 600s
    the others interval: around 5s

    backend #2: 192.168.1.6
    port: 80
    LB: url equals www.domain2.com
    probe url: /
    connect timeout: 600s
    first timeout: 600s
    the others interval: around 5s

    backend #3: 192.168.1.7
    port: 80
    LB: url equals www.domain3.com
    probe url: /
    connect timeout: 600s
    first timeout: 600s
    the others interval: around 5s

    I had disabled the NAT port forward for port 80.

    But I added a firewall rule for port 80 to * (I assume I have to do this)

    I had changed pfsense to use port 8080. So when I login to pfsense, it will be http://pf.myoffice.com:8080.

    I had checked the "Disable webConfigurator" in system > advanced too.

    But I couldn't get them working.

    How is varnish smart enough to know where to direct the customers to?

    If customer A visits www.domain1.com, it should go to 192.168.1.5

    If customer B visits www.domain2.com, it should go to 192.168.1.6

    If customer C visits www.domain3.com, it should go to 192.168.1.7

    As you can see, all the customers are accessing any domains on port 80.

    Can port 80 take up more than 1 domain?

    Any help? Thanks.



  • The wan rule must be from any source to wan address port 80

    Add varnish widget to dashboard to see if varnish can check server status.

    Maybe you'll need to change check url to a valid file on Web servers like test.html

    The http header will tell varnish what site was requested by client.



  • Noted. Few questions.

    a) Can I have test.html to both locations?

    e.g.

    /var/www/domain1-com/test.html
    /var/www/domain2-com/test.html

    or it has to be different filename?

    e.g.

    /var/www/domain1-com/test1.html
    /var/www/domain2-com/test2.html

    b) How about the html file content? Can it be just a simple "hello world" thing? Or do I have to place any code on header to make sure varnish can understand?

    c) For the rule, this is what I did

    source *
    destination *
    port 80

    is that correct?

    d) I added the varnish widget to dashboard and saw this

    domain1.com - arrow up (green color)
    domain2.com - arrow down (red color)

    Any idea what's wrong? Thanks.



  • Test.html can be the same on all servers and can return anything, as varnish checks the http code (200 OK).

    Change Firewall rule to source any destination wan address port 80.
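    For readers who want to see what the settings discussed in this thread (three port-80 backends, "url equals" matching on the requested site, a /test.html probe) look like as hand-written Varnish configuration, here is an added VCL example. It is not the config generated by the pfSense varnish package and not anything posted in the thread; it assumes Varnish 4.x VCL syntax and uses the internal IPs and domain names from the question. Routing is done on the Host header, which is the "http header" the reply above refers to, and requests for a Host that does not match any of the three sites get a synthetic 404 instead of being forwarded to a default backend.

```vcl
vcl 4.0;

# One health probe shared by all three backends: any HTTP 200 from
# /test.html counts as healthy, so the file can be the same everywhere.
probe site_probe {
    .url = "/test.html";
    .interval = 5s;
    .timeout = 2s;
    .window = 5;
    .threshold = 3;
    .expected_response = 200;
}

# Backends mirror the thread: all internal web servers on port 80,
# 600s connect/first-byte timeouts as the poster configured them.
backend domain1 {
    .host = "192.168.1.5";
    .port = "80";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .probe = site_probe;
}

backend domain2 {
    .host = "192.168.1.6";
    .port = "80";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .probe = site_probe;
}

backend domain3 {
    .host = "192.168.1.7";
    .port = "80";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .probe = site_probe;
}

sub vcl_recv {
    # Pick the backend from the Host header sent by the browser.
    # Case-insensitive, with or without the "www." prefix.
    if (req.http.host ~ "(?i)^(www\.)?domain1\.com$") {
        set req.backend_hint = domain1;
    } else if (req.http.host ~ "(?i)^(www\.)?domain2\.com$") {
        set req.backend_hint = domain2;
    } else if (req.http.host ~ "(?i)^(www\.)?domain3\.com$") {
        set req.backend_hint = domain3;
    } else {
        # Unknown or missing Host: refuse rather than guess a backend.
        return (synth(404, "Unknown host"));
    }
}
```

    With this in place a red arrow in the dashboard widget for one site means that backend's /test.html did not return 200 within the probe timeout, which narrows the problem to that server rather than to the routing.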

