Discussion:
[pfSense] reverse proxy situation
Adam Thompson
2015-05-31 02:25:13 UTC
I need to run a reverse proxy on a pfSense gateway - multiple websites,
one public IP, the usual reason.
However, I see there's a larger selection available than the last time I
looked.

It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3

1. Have I missed any?
2. Are "Apache w/mod_security-dev" and "Proxy Server w/mod_security"
essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP
mapping), is there any compelling reason to use one over another on
pfSense 2.2 today? FWIW, this firewall is relatively underpowered
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).
--
-Adam Thompson
***@athompso.net
+1 (204) 291-7950 - cell
+1 (204) 489-6515 - fax
Travis Hansen
2015-05-31 04:12:01 UTC
If you're looking for a pure proxy frontend I'd stick with haproxy or apache (I use haproxy).
haproxy provides load balancing and can do other things besides strictly http(s) such as pure tcp and transparent proxy stuff.
Apache provides some things like mod_rewrite (I assume the pfsense build comes with that) etc that aren't easily done with haproxy.
I could be wrong but if you're looking for SSL offloading (I ensure all traffic goes over SSL) varnish and squid would be out of the picture.
Travis Hansen
***@yahoo.com
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Adam Thompson
2015-05-31 13:31:37 UTC
Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may be able to get a wildcard cert, but that will be an issue one way or another.

Varnish doesn't support SSL at all, although I could theoretically do it with stunnel and a wildcard cert.
Squid does support SSL, but appears to require a wildcard cert.
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to include that.
Apache supports SNI, supposedly.

So I'm still left with an (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the firewall and do everything there, too.

Argh, too many options, not enough clarity on which packages are supported vs. which ones are semi-orphaned.

-Adam
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Espen Johansen
2015-05-31 13:35:49 UTC
Exclude varnish, it's primarily made for a frontend LB proxy.
Espen Johansen
2015-05-31 13:54:14 UTC
Actually, are you looking for a reverse proxy or a user proxy? I'm confused
after reading your mail a few times.

Brgds, Espen
Adam Thompson
2015-05-31 14:04:36 UTC
Reverse proxy. Need to multiplex multiple publicly-accessible, secure, websites running on private IPs from a single public IP.
It *is* hard to write that both succinctly and unambiguously!
-Adam
PiBa
2015-05-31 16:56:54 UTC
The HAProxy package is 'currently' maintained by me, though maybe not highly
actively; last week I added OCSP as an option in the -devel version.
It should become available in the -1_5 version in some time as well. Anyway, it
offers quite some options: SSL offloading, SNI, host-header/SNI backend
selection, others. If something important is missing from the webgui,
and I think it's useful / easy to add, send me a mail and in time I
might add it. Also if something doesn't work properly, I'll try and fix
it. I do try to keep the package somewhat clean of an enormous amount
of options that will rarely be used. And most 'advanced' options can be
added in the various 'textbox fields' as well.

Here's an example of how haproxy can do http from 1 ip to multiple backends:
https://docs.google.com/document/d/1YflytSq7P8oZBSCVUKWS1v2P0CdShbxeCsbTZ59JCRo/pub

In your case with https it's a little different, and there is the option
to use SNI to forward TCP connections as is (IE on XP does not support
SNI, and maybe others, if that matters for you...), or to configure
ssl-offloading and process the actual http on haproxy, then the choice
to re-encrypt the connection to the backend or not. And possibly mess up the
web application logic that wants to redirect to https again.

Pros:
- ACLs for backend selection
- SSL/SNI support in various ways
- Nice stats page
- Session stickiness, TCP forwarding, I think relatively low CPU usage,
  others.
Cons:
- If you need 'rewriting' of the body of an html page then haproxy is not
  going to do that for you. Haproxy can only insert/modify/remove
  http headers.
- Also if you want 'caching', this is not something haproxy will do.

As for the other packages, I've not really used them much. So I can't really
comment. Perhaps take a look at the github activity to see if and how
actively they are changing? Though few commits can mean it's very stable
and feature complete. It can also mean it's not being actively
maintained. So it still doesn't say much.

Greets PiBa-NL
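The two https modes PiBa describes above differ in what the proxy can see before it picks a backend: in SNI/TCP mode the only routing key is the host name in the TLS ClientHello, read before any decryption, and a client that sends no SNI (the IE-on-XP case) can only land on a default. The following is an added example, not code from the thread or from the pfSense haproxy package: it builds a constructed ClientHello, extracts the SNI the way a tcp-mode proxy must, and routes by it, with the no-SNI, truncated and non-TLS cases all falling back rather than guessing. The backend names and addresses are hypothetical.

```python
import struct

# Constructed backend table (hypothetical names and private addresses, not from the thread).
BACKENDS = {
    "www.example.net": "10.0.0.10:443",
    "git.example.net": "10.0.0.11:443",
}
DEFAULT_BACKEND = "10.0.0.10:443"  # where a client without (or with unknown) SNI lands


def build_client_hello(server_name=None, with_extensions=True):
    """Construct a minimal TLS 1.2 ClientHello record (a constructed sample, not captured traffic)."""
    body = b"\x03\x03" + b"\x00" * 32             # client_version, random
    body += b"\x00"                                # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # compression: null only
    if with_extensions:
        # An unrelated empty extension first, so the parser has to skip past it.
        exts = struct.pack("!HH", 0x0017, 0)       # extended_master_secret
        if server_name is not None:
            host = server_name.encode("ascii")
            entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
            sni = struct.pack("!H", len(entry)) + entry             # server_name_list
            exts += struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni_extension(ext):
    """Return the first host_name entry of a server_name extension body, or None."""
    if len(ext) < 2:
        return None
    end = min(2 + struct.unpack("!H", ext[:2])[0], len(ext))
    pos = 2
    while pos + 3 <= end:
        name_type = ext[pos]
        name_len = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        name = ext[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            try:
                return name.decode("ascii").lower()
            except UnicodeDecodeError:
                return None
    return None


def extract_sni(record):
    """Pull the SNI host name out of a raw TLS record holding a ClientHello.

    Returns None for anything that is not a complete, well-formed ClientHello
    carrying a server_name extension: plaintext HTTP, truncated records, and
    legacy clients that send no extensions at all (the 'IE on XP' case).
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    data = record[5:5 + rec_len]
    if len(data) < 4 or data[0] != 0x01:
        return None
    hs_len = int.from_bytes(data[1:4], "big")
    hello = data[4:4 + hs_len]
    if len(hello) < hs_len:
        return None                                 # truncated: never guess a name
    pos = 2 + 32                                    # skip client_version + random
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                           # session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                           # compression_methods
    if pos + 2 > len(hello):
        return None                                 # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(hello):
        return None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            return _parse_sni_extension(hello[pos:pos + ext_len])
        pos += ext_len
    return None


def select_backend(record, table=BACKENDS, default=DEFAULT_BACKEND):
    """Route a TCP connection by SNI, as a tcp-mode proxy does before any decryption."""
    sni = extract_sni(record)
    if sni is None:
        return default, None
    return table.get(sni, default), sni
```

The point of the fallbacks is operational: whatever sits on the default backend is what every SNI-less or unknown-name client will reach, so it should be a host that is happy to serve a certificate mismatch warning rather than one of the private sites. With ssl-offloading instead, the proxy decrypts first and can route on the HTTP Host header, which is why that mode works for old clients but also why it has to care about the re-encrypt and https-redirect issues PiBa mentions.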
Travis Hansen
2015-06-01 13:57:05 UTC
Varnish and squid are really tailored for things other than (what I understand at least) what you're looking for.  I'd personally throw those out.
I'd also not introduce stunnel as it adds unnecessary complexity.  I also had some weirdness trying to forward to another server *running on the same pfsense* machine due to networking / etc (that may have been to work with floating carp IPs or something).  Again, just added complexity.  IMO stunnel was mostly around for the days when haproxy didn't support ssl, which I believe was by far its biggest use case.
Port forwarding to an internal box would certainly work.  I prefer to stay away from 'reflection' stuff however for internal clients...just a preference so I like binding directly on the pfsense machine to avoid all that. May not be an issue in your situation.
haproxy *does* support SNI and this is exactly how I'm using it in a personal setup.  The pfsense gui has a nice 'shared' frontend feature that allows you to define a simple acl based off SNI hostname to make sure you proxy to the correct backend.  I'm personally also using a self-signed CA for which I created a wildcard cert but separate certs work just as well with each of the per-host frontends that you create.
Apache supports SNI as well.
Just to understand my setup a little more closely, I'm running several personal (mostly private) sites off my little home connection.  I wanted to be able to access them while out and about *and* while at home ('behind' the router) without any weirdness (changing IPs for example for git+ssh access).  After setting everything up through haproxy I now have ~10 different services running each on a unique sub-domain that I hit directly.  In my current setup since they are just silly personal things (a personal gitlab, blog, rss reader, etc) I don't really get anything out of the 'load balancing' side of things but if you anticipate needing that it makes the decision over haproxy vs apache much easier.
Travis Hansen
***@yahoo.com
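Adam's earlier worry about needing a wildcard cert, and Travis's note above that a wildcard or separate per-host certs both work once the frontend selects by SNI, come down to one rule: for each SNI name the proxy must find a certificate whose subjectAltName covers it, and a wildcard covers less than people expect. The following is an added example, not code from the thread or from any pfSense package, showing RFC 6125-style name matching and the exact-before-wildcard certificate selection a shared frontend performs; the certificate files and names are a constructed inventory.

```python
# Constructed certificate inventory: hypothetical file names and subjectAltName
# DNS entries, standing in for the certs a per-host or shared frontend would load.
CERTS = [
    {"file": "wildcard.pem", "names": ["*.example.net", "example.net"]},
    {"file": "git.pem", "names": ["git.example.net"]},
]
DEFAULT_CERT = "wildcard.pem"  # presented when SNI is absent or matches nothing


def name_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname, RFC 6125 style.

    A wildcard is accepted only as the whole leftmost label ('*.example.net'),
    covers exactly one label, and never matches the bare domain, so
    '*.example.net' fits 'blog.example.net' but not 'example.net' or
    'a.b.example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False            # partial or multiple wildcards: rejected (conservative choice)
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False            # wrong depth, or the wildcard would sit on a public suffix
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def pick_certificate(sni, certs=CERTS, default=DEFAULT_CERT):
    """Choose the cert to present for an SNI name; an exact SAN beats a wildcard.

    Returns (cert_file, how), where how is 'exact', 'wildcard', 'no-sni' or
    'mismatch'. The last two mean the client gets the default cert and will
    see a name mismatch unless that cert happens to cover the name it asked for.
    """
    if sni is None:
        return default, "no-sni"
    for cert in certs:
        if any("*" not in n and name_matches(n, sni) for n in cert["names"]):
            return cert["file"], "exact"
    for cert in certs:
        if any("*" in n and name_matches(n, sni) for n in cert["names"]):
            return cert["file"], "wildcard"
    return default, "mismatch"
```

Two consequences follow for the setups discussed in the thread: a single `*.example.net` cert does cover every first-level subdomain the proxy multiplexes, but nothing deeper and not the apex unless it is listed as its own SAN; and separate per-host certs only work when the client sends SNI, so the default cert is what an SNI-less client is judged against.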