Varnish and squid are really tailored for things other than (what I understand 
at least) what you're looking for.  I'd personally throw those out.
I'd also not introduce stunnel as it adds unnecessary complexity.  I also had 
some weirdness trying to forward to another server *running on the same 
pfsense* machine due to networking / etc (that may have been due to working with 
floating carp IPs or something).  Again, just added complexity.  IMO stunnel 
was mostly around for the days when haproxy didn't support ssl which I believe 
was by far its biggest use case.
Port forwarding to an internal box would certainly work.  I prefer to stay away 
from 'reflection' stuff however for internal clients...just a preference so I 
like binding directly on the pfsense machine to avoid all that. May not be an 
issue in your situation.
haproxy *does* support SNI and this is exactly how I'm using it in a personal 
setup.  The pfsense gui has a nice 'shared' frontend feature that allows you to 
define a simple acl based off SNI hostname to make sure you proxy to the 
correct backend.  I'm personally also using a self-signed CA for which I 
created a wildcard cert but separate certs work just as well with each of the 
per-host frontends that you create.
Apache supports SNI as well.
Just to understand my setup a little more closely, I'm running several personal 
(mostly private) sites off my little home connection.  I wanted to be able to 
access them while out and about *and* while at home ('behind' the router) 
without any weirdness (changing IPs for example for git+ssh access).  After 
setting everything up through haproxy I now have ~10 different services running 
each on a unique sub-domain that I hit directly.  In my current setup since 
they are just silly personal things (a personal gitlab, blog, rss reader, etc) 
I don't really get anything out of the 'load balancing' side of things but if 
you anticipate needing that it makes the decision over haproxy vs apache much 
easier.
Travis Hansen
[email protected] 
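The SNI-based "shared frontend" routing described above, written out as a plain haproxy configuration rather than through the pfSense GUI. This is an added example, not Travis's configuration or the file the pfSense package generates; the bind address, hostnames, certificate path and backend servers are made-up placeholders, and it assumes haproxy terminates TLS with one wildcard certificate and forwards plain HTTP to the internal hosts.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One "shared" frontend on the WAN IP; every subdomain arrives here.
frontend shared_https
    # Placeholder address and cert path; the PEM holds the wildcard cert + key.
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/wildcard.example.net.pem

    # ssl_fc_sni is the server name the client sent in its TLS ClientHello.
    # haproxy already terminated TLS on this bind line, so the value is
    # available without any tcp-request inspection.
    acl host_git  ssl_fc_sni -i git.example.net
    acl host_blog ssl_fc_sni -i blog.example.net

    # Refuse anything that is not one of the hosts we publish, instead of
    # silently falling through to a default backend.
    http-request deny unless host_git || host_blog

    use_backend be_git  if host_git
    use_backend be_blog if host_blog

# Plain HTTP only exists to push clients to HTTPS.
frontend http_redirect
    bind 203.0.113.10:80
    redirect scheme https code 301 if !{ ssl_fc }

# Internal placeholder hosts; "check" enables health checking.
backend be_git
    server gitlab 10.0.0.11:80 check

backend be_blog
    server blog 10.0.0.12:80 check
```

Validate the file with `haproxy -c -f /path/to/haproxy.cfg` before reloading. If you would rather keep separate per-host certificates on the backends, the same routing works without termination: set the frontend to `mode tcp`, add `tcp-request inspect-delay 5s` and `tcp-request content accept if { req.ssl_hello_type 1 }`, and match on `req.ssl_sni` instead of `ssl_fc_sni`; in that mode haproxy never sees the plaintext, so `http-request` rules are unavailable and the backends must listen on 443 themselves.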


On Sunday, May 31, 2015 7:32 AM, Adam Thompson <[email protected]> wrote:

Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may 
be able to get a wildcard cert, but that will be an issue one way or another.

Varnish doesn't support SSL at all, although I could theoretically do it with 
stunnel and a wildcard cert.
Squid does support SSL, but appears to require wildcard cert. 
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to include 
that.
Apache supports SNI, supposedly.

So I'm still left with a (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the firewall and 
do everything there, too.

Argh, too many options, not enough clarity on which packages are supported vs. 
which ones are semi-orphaned.

-Adam

On May 30, 2015 11:12:01 PM CDT, Travis Hansen <[email protected]> wrote:
If you're looking for pure proxy frontend I'd stick with haproxy or apache (I 
use haproxy).
haproxy provides load balancing and can do other things besides strictly 
http(s) such as pure tcp and transparent proxy stuff.
Apache provides some things like mod_rewrite (I assume the pfsense build comes 
with that) etc that aren't easily done with haproxy.
I could be wrong but if you're looking for SSL offloading (I ensure all traffic 
goes over SSL) varnish and squid would be out of the picture.

Travis Hansen
[email protected] 


On Saturday, May 30, 2015 8:25 PM, Adam Thompson <[email protected]> wrote:

I need to run a reverse proxy on a pfSense gateway - multiple websites, 
one public IP, the usual reason.
However, I see there's a larger selection available than the last time I 
looked.

It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 /0.22.999
* squid
* squid3
* varnish3

1. Have I missed any?
2. Are "Apache w/mod_security-dev" and "Proxy Server w/mod_security" 
essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP 
mapping), is there any compelling reason to use one over another on 
pfSense 2.2 today?  FWIW, this firewall is relatively underpowered 
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

  
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
