Netgate SG-1000 microFirewall

Author Topic: SOLVED: Redirect Inbound HTTPS/HTTP Requests Based on URL (Multiple ADFS farms)  (Read 257 times)

0 Members and 1 Guest are viewing this topic.

Offline KrazeyKami

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-1
    • View Profile
Hello!

This question was asked in 2008, and I've very lazy copy / pasted it, as I'm curious to the same thing, and if there is a built-in solution for this nowadays (as opposed to having an IIS server doing reroute).

Thanks!

OP: https://forum.pfsense.org/index.php?topic=9127.0

Hi there,

I've been diggiing around for a while with this one. Basically I would like to know if it is possible to configure pfSense to redirect inbound https traffic based on the URL. e.g.

You have a small network with an Exchange server for OWA/OMA/RPC over HTTP and a seperate Terminal Services Gateway server behind pfSence with a single WAN and single IP.

As both the servers require 443 traffic, could the inbound requests for https://mail.server.com and https://tsgateway.server.com be directed to the appropriate server??

Thanks.
« Last Edit: February 11, 2018, 07:40:25 am by KrazeyKami »

Online kpa

  • Hero Member
  • *****
  • Posts: 1233
  • Karma: +138/-6
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #1 on: January 22, 2018, 06:08:15 am »
What you want is a reverse proxy like haproxy that is available as a package for pfSense. IP level NAT can not accomplish what you want because pfSense's packet filter has no capability to look inside the data payloads of the IP packets it filters or NATs so it will not see the URLs used in the HTTP connections. I'm not familiar with how HTTPS redirects would work in a reverse proxy so someone else who knows more should comment on that.

Offline KrazeyKami

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-1
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #2 on: January 22, 2018, 06:19:10 am »
Hi Kpa!

Thanks, this is what I was looking for. Just wanted to make sure there was not something built-in.

Cheers,
Kami.

Offline zaraki131

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #3 on: January 26, 2018, 12:57:03 pm »
I am trying to do something similar to this but with a bit of a twist and looking at the config pages for HAproxy and Squid id did not see anything that jumped out as making this possible.

In my current setup I have several servers each one with 1 or more web based applications running on different ports.

PRTGServer has PRTG listening on say port 81
AppServer1 has App1 listening on 8900, App2 on 8901 and App3 on 8902
AppServer2 has App4 on 80 and App5 on 8903

I have a registered domain and say it is called test.com. With my domain registrar I have setup port 80 redirects for several hosts to point to specific ports and I have port forward rules setup to send the traffic to the correct server in the network.

PRTG.test.com
App1.test.com
App2.test.com
...

In this current setup it is working great but now I am wanting to use SSL on each of these apps which then changes the listening ports.

PRTGServer has PRTG listening on say port 91
AppServer1 has App1 listening on 9900, App2 on 9901 and App3 on 9902
AppServer2 has App4 on 90 and App5 on 9903

I have tried messing around with setting the port 80 redirects on the domain registrar to be the new ports then have new NAT rules to send them to the correct server which i figured wouldn't work but was worth a try. Is there any way to make this work?

Online PiBa

  • Hero Member
  • *****
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #4 on: January 26, 2018, 03:05:57 pm »
Https uses port 443, also what prevents you from just pointing all domains to your own wan-ip instead of some provider redirect, and making haproxy send it to appropriate backend/server?

Offline zaraki131

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #5 on: January 26, 2018, 03:47:50 pm »
Https uses port 443, also what prevents you from just pointing all domains to your own wan-ip instead of some provider redirect, and making haproxy send it to appropriate backend/server?

Mostly for the fact I have not figured out how to get HAproxy to redirect domains to servers with ports

Online PiBa

  • Hero Member
  • *****
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #6 on: January 26, 2018, 04:13:45 pm »
In the backend/server definition you can set the port to use.. Other than that use acl's and actions to select the desired backend.

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http

Offline KrazeyKami

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-1
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #7 on: February 11, 2018, 05:37:42 am »
Hello PiBa,

I've been trying to set this up via HAProxy, but to no avail. Maybe you can guide me on this.

My goal: 2 backend services both listening on the same WAN address for 443.
I used to use NAT rules for this; switchting the order of the NAT rules if service1 needed to become active, or service2.
I am under the impression that HAProxy can determine which backend to select, based on the ACL options (e.g. request for domain1.com:443 -> backend1, and request for domain2.com:443 -> backend2.

1st question: Do I need to keep my NAT rules in place, or are they redundant by using HAProxy?

EDIT: I think I've gotten a step further; I realized that the firewall was terminating all traffic, so instead of NAT rules forwarding 443, I've opened up port 443 as a whole on the firewall. I now see the proxy being hit with requests.

Setup question;
I've configured the following;
Frontend:




All further settings are left unchecked / default.


Backend1:



All further settings are left unchecked / default.


Backend2:



All further settings are left unchecked / default.


However, I don't get any response / redirect for the services. It simply doesn't seem to pick it up.
I already tried disabling my NAT rules, but then traffic simply isn't forwarded at all. When I keep them enabled, the only site responding is the one in the first order rule, like it worked before.

Am I making a config or design error? Based on the above, what should I change to meet my goal?

Many thanks in advance! Let me know if you need more info.
« Last Edit: February 11, 2018, 06:39:32 am by KrazeyKami »

Online PiBa

  • Hero Member
  • *****
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #8 on: February 11, 2018, 07:31:20 am »
Indeed a firewall rule needs to allow traffic but you found that :).

With the current settings:
-frontend that listens on :443 without 'ssl offloading' checked behind it. (And probably no certificate selected at the bottom)
-the 'Type' you have selected "http/https(offloading)"
These 2 settings don't match.. You will likely be sending https traffic to that 443 port, but are not using offloading..

So you need to decide do you want to use ssl-offloading or not.?.
-With offloading, certificates need to be present on pfSense, configured on haproxy, and haproxy can use and modify host headers, keep stats of different response codes.
-Without offloading, haproxy can only use SNI to determine the proper backend, and will not be able to read or modify headers.

So to 'fix' the configuration:
-So enable offloading on the external address, and configure certificates.
Or
-Change type to https(tcp), and change the acl's to use SNI - Server Name Indication.

Offline KrazeyKami

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-1
    • View Profile
Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« Reply #9 on: February 11, 2018, 07:34:36 am »
Thanks PiBa,

I was getting on track in this direction indeed :)
I don't want to use offloading, so SNI headers.. which brings me into a whole new ballgame when it comes to using Web Application Proxy between the AD FS and HAProxy.

Either way, back to the drawing board.


Thanks again! :)

---

IT WORKS :):):)

Thanks a lot!
« Last Edit: February 11, 2018, 07:39:57 am by KrazeyKami »

Online PiBa

  • Hero Member
  • *****
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
    • View Profile
Without offloading you do have SNI available from the SSL layer. Just no Host HTTP header.