Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may
be able to get a wildcard cert, but that will be an issue one way or another.
Varnish doesn't support SSL at all, although I could theoretically do it with
stunnel and a wildcard cert.
Squid does support SSL, but appears to require a wildcard cert.
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to include
that.
Apache supports SNI, supposedly.
So I'm still left with a (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the firewall and
do everything there, too.
Argh, too many options, not enough clarity on which packages are supported vs.
which ones are semi-orphaned.
-Adam
On May 30, 2015 11:12:01 PM CDT, Travis Hansen <[email protected]> wrote:
>If you're looking for pure proxy frontend I'd stick with haproxy or
>apache (I use haproxy).
>haproxy provides load balancing and can do other things besides
>strictly http(s) such as pure tcp and transparent proxy stuff.
>Apache provides some things like mod_rewrite (I assume the pfsense
>build comes with that) etc that aren't easily done with haproxy.
>I could be wrong but if you're looking for SSL offloading (I ensure all
>traffic goes over SSL) varnish and squid would be out of the
>picture.
>Travis Hansen
>[email protected]
>
>
>On Saturday, May 30, 2015 8:25 PM, Adam Thompson
><[email protected]> wrote:
>
>
>I need to run a reverse proxy on a pfSense gateway - multiple websites,
>one public IP, the usual reason.
>However, I see there's a larger selection available than the last time
>I looked.
>
>It appears we now have:
>* Apache w/mod_security-dev v0.43 / 0.22
>* haproxy-1_5 v0.23
>* haproxy-devel v0.24
>* Proxy Server w/mod_security v0.1.7 / 0.22.999
>* squid
>* squid3
>* varnish3
>
>1. Have I missed any?
>2. Are "Apache w/mod_security-dev" and "Proxy Server w/mod_security"
>essentially the same thing?
>3. For relatively simple cases (straightforward hostname-to-internal-IP
>mapping), is there any compelling reason to use one over another on
>pfSense 2.2 today? FWIW, this firewall is relatively underpowered
>(PowerEdge 1750, dual 2.4GHz P4-era Xeons).
>
>--
>-Adam Thompson
> [email protected]
> +1 (204) 291-7950 - cell
> +1 (204) 489-6515 - fax
>
>_______________________________________________
>pfSense mailing list
>https://lists.pfsense.org/mailman/listinfo/list
>Support the project with Gold! https://pfsense.org/gold