Reverse proxy, SSL Offloading and IPS/IDS with one nic?
I have a Watchguard X750e Cluster with a dedicated DMZ. There I have all my websites and such… My problem is that I am running out of public IP addresses, and so I wanted to aggregate all incoming connections to one IP (or group as websites and webservices and split them to two IPs) and route the traffic in the background with the help of a reverse proxy. Additionally I wanted to offload all SSL traffic to that machine also. So I could have all in one place.
So I have my range of public IP addresses like 212.222.223.xxx, and I am forwarding to my DMZ network 10.0.0.x
Before I start with that, I would like to clarify some details which I am not completely aware yet:
- is it possible to accomplish all of the above with one nic in my pfsense? So incoming traffic is forwarded to e.g. 10.0.0.20 (pfsense) and then hitting my webservers also from 10.0.0.20? or do I need to have a second IP? If the latter, can this be one on the same subnet, or do I necessarily have to NAT here?
- Can I use different SSL Certificates? I have bought my certificates over time when I needed them, so there is no real system to it. Each website (mostly different domains) has its own website, but out of history we also have e.g. mywebsite.com and www.mywebsite.com in one certificate, but webmail.mywebsite.com, autodiscover.mywebsite.com and mobileemail.mywebsite.com combined in another certificate
- what is the best way of logging my traffic (for reports and troubleshooting)? any advice from your side?
- Can I run IDS/IPS (Suricata?) in that configuration?
I would be happy if some of you could bring some light into the dark here. Many thanks for the time I save with trial and error (and pulling out my hair :)
I cannot believe nobody can help me here or at least tell me that I have an error in my plan. Do I need the second NIC (so, is there a requirement for NAT)?
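As an added illustration (not part of the original post and not from any reply), the following HAProxy configuration shows how a reverse proxy on a single DMZ address can answer for several certificates on one public IP and route by hostname to the web servers behind it. It assumes HAProxy on the proxy host at 10.0.0.20 (the address from the post); the backend addresses 10.0.0.30 and 10.0.0.40, the certificate file names and the internal CA file are assumed placeholders. The host names are the ones the post mentions.

```haproxy
# Added example, not from the original post. Assumes HAProxy on the DMZ
# proxy host 10.0.0.20; backend IPs, cert file names and CA file are placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048
    # disable legacy protocol versions on every listening socket
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    log global
    option httplog          # one structured line per request for reports/troubleshooting
    option forwardfor       # pass the original client IP to the web servers
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend public_https
    # The firewall forwards the single public IP's port 443 here.
    # "crt" with a directory loads every .pem in it; the certificate is
    # chosen per connection from the SNI name the client sends, so the
    # existing mywebsite.com/www cert and the separate webmail/autodiscover/
    # mobileemail cert can live side by side on one IP.
    bind 10.0.0.20:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    capture request header Host len 64      # Host appears in each log line

    acl host_www  req.hdr(host) -i mywebsite.com www.mywebsite.com
    acl host_mail req.hdr(host) -i webmail.mywebsite.com autodiscover.mywebsite.com mobileemail.mywebsite.com
    use_backend web_main if host_www
    use_backend mail     if host_mail
    # unknown hostnames are refused rather than handed to a default server
    http-request deny deny_status 421 unless host_www or host_mail

frontend public_http
    bind 10.0.0.20:80
    http-request redirect scheme https code 301 unless { ssl_fc }

backend web_main
    # Plain HTTP inside the DMZ. Connections leave from the proxy's own
    # address 10.0.0.20 on the same subnet, so no second NIC or NAT is needed
    # for this hop; the server simply sees the proxy as the client.
    server web1 10.0.0.30:80 check

backend mail
    # Re-encrypt towards a backend that requires TLS and verify its certificate
    # against an internal CA (assumed path).
    server mail1 10.0.0.40:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

Two points worth checking against this layout: because the backend sees 10.0.0.20 as the source, the web servers' own logs only show the real client through the X-Forwarded-For header, so the proxy's log is the place to keep per-request records; and an IDS such as Suricata placed in front of the proxy sees only the encrypted stream, so it should inspect the decrypted leg between the proxy and the backends (or run on the proxy host) to be useful.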