On 12/12/05, Peter Landry <[EMAIL PROTECTED]> wrote:
> Hi All,
> We're migrating an old Microsoft ISA Server system to OpenBSD pf. First
> off, before I ask any questions, kudos to everyone -- Installing OpenBSD
> 3.8 was a very pleasant, painless experience for someone who's never
> used it before. Setting up pf/nat was also extraordinarily easy. The
> docs are great.

Welcome, glad to hear you enjoyed it so far.

>
> That aside, the only thing that I haven't been able to migrate yet is
> ISA's ability to redirect web requests coming in on the same IP to
> different machines based on the host name. IE- www.a.com (IP
> 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while
> www.b.com (also IP 123.123.0.1) gets redirected to the internal IP
> 192.168.0.2.

This is application level filtering and such, pf doesn't do that.

>
> I haven't found anything in the docs, and all the list archive questions
> I've found were specific to ipnat, not pf.
>
> I'm thinking that I can't do it. In that case, my options seem to be 1)
> use different external IPs for each website, and redirect to different
> internal servers based on IP 2) redirect all web traffic to the legacy
> ISA system, which will then redirect based on hostname. I'm hesitant to
> use up all our IPs for option 1, but I'm thinking option 2 is even
> worse... Are there any options I haven't thought of?

I would suggest looking at squid for reverse proxying. It's
transparent, and you can have pf redirect all port 80 traffic to
squid, which will then decide where to route the HTTP request based on
what site they asked for. This would also help protect your web
servers from various attacks (but not all) since they wouldn't be
talking directly with your web server, as well as squid being in a
chroot and running as an unprivileged user. You could also set up squid
to do caching which would reduce the load on your web server if need
be. Good luck,

Jason

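The per-site routing discussed in the reply above is decided from the HTTP Host header, which only exists once the request has been parsed, so a packet filter never sees it. As an added example that is not part of the original thread (function names are hypothetical; the host-to-address mapping is the one from the question), this is that selection step together with the cases a reverse proxy should refuse:

```python
# Added example (not from the thread): the layer-7 routing decision a reverse
# proxy makes after pf has redirected port 80 to it. Names are hypothetical.

# Host name -> internal server, using the mapping given in the question.
BACKENDS = {
    "www.a.com": ("192.168.0.1", 80),
    "www.b.com": ("192.168.0.2", 80),
}


class RejectRequest(Exception):
    """The request must be refused (HTTP 400) instead of forwarded."""


def parse_host(raw_request: bytes) -> str:
    """Return the normalised Host value from a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hosts = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip())
    # Zero or several Host headers are ambiguous: proxy and web server could
    # disagree about which site was meant, so refuse rather than guess.
    if len(hosts) != 1:
        raise RejectRequest("missing or duplicate Host header")
    host, _, port = hosts[0].lower().partition(":")
    if port and not port.isdigit():
        raise RejectRequest("malformed port in Host header")
    host = host.rstrip(".")  # "www.a.com." names the same site
    if not host:
        raise RejectRequest("empty Host header")
    return host


def select_backend(raw_request: bytes) -> tuple:
    """Map a request to its internal server; unknown hosts are refused."""
    host = parse_host(raw_request)
    if host not in BACKENDS:
        raise RejectRequest(f"unknown host {host!r}")
    return BACKENDS[host]


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = b"GET / HTTP/1.1\r\nHost: WWW.B.com:80\r\n\r\n"
    print(select_backend(sample))
```

Requests naming a host that is not in the table are refused instead of falling through to a default server, so the internal machines only ever receive traffic for the sites they are meant to serve.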