I have been all over the internet and have found a few examples of reverse proxy using Squid and I also found a video done by Lawrence on HAProxy for pfSense. I am a developer by trade, but dabble in networking and pretty much anything IT. My question is this. Can I host multiple domains using HTTPS port 443 on multiple web servers using 1 IP address. For example: www.domaina.com on IIS Server IP 192.168.1.150 and www.domainb.com on Apache Server IP 192.168.1.155. Notice it is not Sub Domains, but FQDNs. Currently I have a pfSense firewall port forwarding 443 to a single IIS server using 1 external WAN IP. On the IIS server, I break it down by host header. I also have an Apache server hosting several WordPress sites and I break them down with virtual host files. Each website is a different domain name and I’m using Let’s Encrypt for each domain. Any help/samples would be greatly appreciated if it’s even possible.
Yes, Server Name Indication (SNI) is an extension to TLS by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure HTTPS websites on a single IP.
Thanks. After looking this up, I guess I’m even more confused now than I ever was.
Are you trying to use a single external IP and then hand off to a IIS server or an Apache server depending on the hostname?
Yes, using pfSense if possible.
My video on HAProxy shows how to direct to different servers based on domains or sub domain.
Thank you for this. I have followed everything and get stuck on the certificate aspect. If I already have certs setup on my IIS and Apache servers, what do I need to do on the pfSense side? Do I remove them from the IIS/Apache side and re-create them on the pfSense side? Thanks for your help. Love your videos. They are very informative and you obviously know what you’re doing!
I would suggest SSL be done with HAProxy and then have HAProxy connect to each backend server based on the front end rules. If you are using a self signed on the back end servers just leave it and tell HAProxy not to test the validity of the servers certs.
I will try that. Thanks for your help!