HAProxy package is 'currently' maintained by me, though maybe not highly
active, last week i added OCSP as an option in the -devel version.
Should get available in some time in the -1_5 version as well. Anyway it
offers quite some options, SSL-offloading, SNI, host-header/SNI backend
selection, others.. If something important is missing from the webgui,
and i think its usefull / easy to add, send me a mail and in time i
might add it. Also if something doesn't work properly, ill try and fix
it.. I do try to keep the package somewhat clean of an enormous amount
of options that will rarely be used.. And most 'advanced' options can be
added in the various 'textbox fields' as well..
Here an example of how haproxy can do http 1 ip to multiple backends:
https://docs.google.com/document/d/1YflytSq7P8oZBSCVUKWS1v2P0CdShbxeCsbTZ59JCRo/pub
In your case with https its a little different, and there is the option
to use SNI to forward TCP connections as is (IE on XP does not support
SNI, and maybe others if that matters for you...), or configure
ssl-offloading and process the actual http on haproxy, then the choice
to reencrypt the connection to backend or not.. And possibly mes up the
webapplication logic that wants to redirect to https again..
Pros:
-Acls for backend selection
-SSL/SNI support in various ways
-Nice stats page
-Session-stickiness, TCP forwarding, i think relatively low cpu usage,
others..
Cons:
-If you need 'rewriting' of the body of a html page then haproxy is not
going to do that for you. Haproxy can only insert/modify/remove
http-headers.
-Also if you want 'caching' this is not something haproxy will do.
As for the other packages ive not really used them much. So cant really
comment.., perhaps take a look at the github activity to see if and how
actively they are changing.? Though few commits can mean its very stable
and feature complete. It can also mean its not being actively
maintained. So still doesnt say much..
Greets PiBa-NL
Adam Thompson schreef op 31-5-2015 om 16:04:
Reverse proxy. Need to multiplex multiple publicly-accessible, secure,
websites running on private IPs from a single public IP.
It *is* hard to write that both succinctly and unambiguously!
-Adam
On May 31, 2015 8:54:14 AM CDT, Espen Johansen <pfse...@gmail.com> wrote:
Actually. Are you looking for reverse proxy or a user proxy. I'm
confused
after reading your mail a few times.
Brgds, Espen
31. mai 2015 15:35 skrev "Espen Johansen" <pfse...@gmail.com>:
Exclude varnish its primarily made for frontend LB proxy.
søn. 31. mai 2015, 15:32 skrev Adam Thompson <athom...@athompso.net>:
Oh, shoot, that's a good point - I probably do need SNI support for
SSL.
I may be able to get a wildcard cert, but that will be an issue one
way or
another.
Varnish doesn't support SSL at all, although I could theoretically
do it
with stunnel and a wildcard cert.
Squid does support SSL, but appears to require wildcard cert.
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to
include that.
Apache supports SNI, supposedly.
So I'm still left with a (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the
firewall
and do everything there, too.
Argh, too many options, not enough clarity on which packages are
supported vs. which ones are semi-orphaned.
-Adam
On May 30, 2015 11:12:01 PM CDT, Travis Hansen
<travisghan...@yahoo.com>
wrote:
If you're looking for pure proxy frontend I'd stick with haproxy or
apache (I use haproxy).
haproxy provides load balancing and can do other things besides
strictly http(s) such a pure tcp and transparent proxy stuff.
Apache provides some things like mod_rewrite (I assume the pfsense
build comes with that) etc that aren't easily done with haproxy.
I could be wrong but if you're looking for SSL offloading (I ensure
all
traffic goes over SSL) varnish and squid would be out of the
picture. Travis Hansen
travisghan...@yahoo.com
On Saturday, May 30, 2015 8:25 PM, Adam Thompson
<athom...@athompso.net> wrote:
I need to run a reverse proxy on a pfSense gateway - multiple
websites,
one public IP, the usual reason.
However, I see there's a larger selection available than the last
time
I
looked.
It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3
1. Have I missed any?
2. Are "Apache w/mod_security-dev" and "Proxy Server
w/mod_security"
essentially the same thing?
3. For relatively simple cases (straightforward
hostname-to-internal-IP
mapping), is there any compelling reason to use one over another on
pfSense 2.2 today? FWIW, this firewall is relatively underpowered
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).
--
-Adam Thompson
athom...@athompso.net
+1 (204) 291-7950 - cell
+1 (204) 489-6515 - fax
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
