I have been all over the internet and have found a few examples of reverse proxy using Squid, and I also found a video done by Lawrence on HAProxy for pfSense. I am a developer by trade, but dabble in networking and pretty much anything IT. My question is this: can I host multiple domains using HTTPS port 443 on multiple web servers using 1 IP address? For example: www.domaina.com on IIS Server IP 192.168.1.150 and www.domainb.com on Apache Server IP 192.168.1.155. Notice these are not subdomains, but FQDNs. Currently I have a pfSense firewall port forwarding 443 to a single IIS server using 1 external WAN IP. On the IIS server, I break it down by host header. I also have an Apache server hosting several WordPress sites, and I break them down with virtual host files. Each website is a different domain name and I’m using Let’s Encrypt for each domain. Any help/samples would be greatly appreciated if it’s even possible.
Yes, Server Name Indication (SNI) is an extension to TLS by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure HTTPS websites on a single IP.
Thanks. After looking this up, I guess I’m even more confused now than I ever was.
Are you trying to use a single external IP and then hand off to an IIS server or an Apache server depending on the hostname?
Yes, using pfSense if possible.
Thank you for this. I have followed everything and get stuck on the certificate aspect. If I already have certs setup on my IIS and Apache servers, what do I need to do on the pfSense side? Do I remove them from the IIS/Apache side and re-create them on the pfSense side? Thanks for your help. Love your videos. They are very informative and you obviously know what you’re doing!
I would suggest SSL be done with HAProxy and then have HAProxy connect to each backend server based on the front-end rules. If you are using a self-signed cert on the back-end servers, just leave it and tell HAProxy not to test the validity of the servers' certs.
I will try that. Thanks for your help!
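The setup recommended above (TLS terminated on HAProxy, backend chosen by the SNI name, backend certificate validity not checked) looks like the following when written as a plain haproxy.cfg. This is an added example, not configuration from the thread or from the pfSense HAProxy package; the pfSense package generates an equivalent file from its GUI. The two hostnames and the backend IPs 192.168.1.150 / 192.168.1.155 are the ones given in the question; the certificate directory path, server names and timeouts are assumptions.

```haproxy
global
    log /dev/log local0
    # Assumed location of the proxy's own certificates (see note below)
    # One PEM per domain: certificate chain followed by the private key.

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor          # add X-Forwarded-For so IIS/Apache logs keep the client IP
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Plain HTTP only exists to bounce clients to HTTPS
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    # TLS terminates here. HAProxy loads every cert in the directory and
    # presents the one whose name matches the SNI value sent by the client.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # Route on the SNI hostname from the ClientHello (case-insensitive match)
    acl host_a ssl_fc_sni -i www.domaina.com domaina.com
    acl host_b ssl_fc_sni -i www.domainb.com domainb.com
    use_backend iis_domaina    if host_a
    use_backend apache_domainb if host_b
    # Unknown names fall through to Apache, which answers with its default vhost
    default_backend apache_domainb

backend iis_domaina
    # Backend still serves HTTPS with its existing cert. 'verify none' is the
    # "don't test the validity of the servers' certs" setting; 'sni' re-sends
    # the hostname so the IIS host header binding still matches.
    server iis1 192.168.1.150:443 ssl verify none sni str(www.domaina.com) check

backend apache_domainb
    server apache1 192.168.1.155:443 ssl verify none sni str(www.domainb.com) check

# --- Alternative: SNI passthrough without terminating TLS on the proxy ---
# Keeps the existing Let's Encrypt certs on IIS/Apache untouched; HAProxy only
# peeks at the ClientHello and forwards the raw TCP stream. Replace the
# https_in frontend and both backends with these (they cannot coexist on :443).
#
# frontend https_passthrough
#     mode tcp
#     bind *:443
#     tcp-request inspect-delay 5s
#     tcp-request content accept if { req.ssl_hello_type 1 }
#     use_backend iis_tcp    if { req.ssl_sni -i www.domaina.com }
#     use_backend apache_tcp if { req.ssl_sni -i www.domainb.com }
#
# backend iis_tcp
#     mode tcp
#     server iis1 192.168.1.150:443 check
#
# backend apache_tcp
#     mode tcp
#     server apache1 192.168.1.155:443 check
```

Two points decide which variant answers the certificate question raised earlier in the thread. With termination (the active config), the public certificates must live on the proxy: each Let's Encrypt domain needs a PEM containing the full chain plus the private key, and renewal has to be done on the pfSense side; the backends can keep whatever cert they already have because `verify none` skips validation. With passthrough (the commented variant), the certs stay on IIS and Apache and nothing changes there, but HAProxy can no longer inspect or log HTTP requests or add headers. In the terminating variant, `verify none` leaves the proxy-to-backend hop encrypted but unauthenticated, so it is only appropriate when that hop is a trusted LAN; pointing `verify required ca-file` at the backend's CA (or the self-signed cert itself) restores authentication without changing anything else.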