Situation
I have an ESXi Server hosting multiple VMs, including one for each pfSense, Varnish and Tomcat. They are configured like the following:
- pfSenseVM (Firewall, IP=10.0.0.1)
  - NAT Rules from port 80 to VarnishVM:80 and port 443 to VarnishVM:443
  - webConfigurator listens on port 443
  - webConfigurator is not accessible from outside
  - has installed a default SSL Certificate with CN=Common Name (eg, YOUR name) under System > Cert Manager
- VarnishVM (Proxy, IP=10.0.0.2)
  - Routes requests for my.domain.com:443 to the backend Tomcat:8443
- TomcatVM (Application Server, IP=10.0.0.3)
  - connector in server.xml listens on port 8443
  - self signed certificate imported in keystore used by above connector
  - the self signed certificate has the CA CN=*.domain.com
Problem
It seems that I receive the wrong certificate (CN=Common Name (eg, YOUR name)).
- When I enter https://my.domain.com in a browser, it keeps loading and after a few tries I see in Firebug that the request was aborted. The varnishlog shows a timeout.
- When I call a wget https://my.domain.com from the TomcatVM, the received certificate is the one installed in pfSense and is not working because of the certificate's CN. I believe that this is the key.
- When I call a wget https://localhost:8443 from the TomcatVM, the received certificate is the one installed in the Java keystore, which is correct but obviously not working because localhost does not match *.domain.com.
Why do I receive the wrong certificate? I can only assume that I need to configure the webConfigurator from pfSense to listen on a different port. If that's correct, how would I do that?
UPDATE
I now have a Pound instance (PoundVM) and got webConfigurator to sit on a different port.
- pfSense now has a NAT rule from port 443 to PoundVM:443 (replacing the one to VarnishVM:443)
- PoundVM (IP=10.0.0.4)
  - Pound listens on port 443 and is configured like this
It still does not work. Firebug still shows "Aborted" and I can't see any log messages from Pound.
I should also note that the (self-signed) certificate was created on the TomcatVM using OpenSSL (as .crt) and imported to the Java keystore. I then copied that and the private key to PoundVM and created a .pem file using this guide. The Cert value in the Pound config points to this file. Is that correct?
UPDATE 2
I made a copy-paste error in the Pound config: the address on which the HTTPS listener listens is now 10.0.0.4 instead of 127.0.0.1, and Pound can be reached from outside. It now gives me an HTTP 414: Request URI too long, although the requested URI is about 200 characters long. I found that I can configure the MAXBUF when compiling Pound. But I installed it using apt… Nevertheless I find the 414 strange because the URI is https://my.domain.com/some/path/that/is/certainly/not/1024/bytes/long
UPDATE 3
I got it working now by redirecting to Tomcat's HTTP port instead of HTTPS. Pound is new to me and I thought I could redirect the encrypted request to Tomcat.
Best Answer
webConfigurator is sitting on port 443, and so is your NAT. You can't have it both ways. You mentioned that moving webConfigurator still doesn't allow this to work; my guess is that pfSense has some special magic applied to port 443 to restrict admin access. You can either disable this magic, or do the much easier option and either run the NAT against a different port or a different IP. Of the two, a separate port is probably much, much easier. Let's say you picked 8443 (for consistency with the Tomcat server). You'd then access the site by https://my.domain.com:8443.
Now, all that said, you didn't explain how it is that you are decoding SSL here. Varnish isn't going to work for SSL traffic. Thus, even once you get this working it... won't work. So you either need to fill out your explanation a bit more, or rethink/eliminate your use of Varnish. One common solution I've seen is the use of a dedicated SSL decoding proxy, like Pound, in front of Varnish.
See also the "Why No SSL" FAQ on Varnish's website.
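An added shell helper, not part of the question or the answer, that checks which certificate a TLS endpoint actually presents (the wget tests in the question, done with openssl s_client and SNI) and whether its CN covers the requested name; the wildcard rule is the simplified single-label form, and openssl on the client is assumed.

```shell
#!/bin/sh
# Added example, not from the original post or the Pound/pfSense projects.
# Reports which leaf certificate a TLS endpoint really presents (the symptom
# in the question: pfSense's default cert instead of Tomcat's) and whether
# its CN covers the name the client asked for. Assumes openssl is installed.

# cn_matches_host CN HOST -> 0 if CN covers HOST, 1 otherwise
cn_matches_host() {
    cn=$1
    host=$2
    case "$cn" in
        "$host") return 0 ;;            # exact match
        \*.*)                           # single-label wildcard, e.g. *.domain.com
            suffix=${cn#\*.}
            case "$host" in
                *."$suffix")
                    label=${host%."$suffix"}
                    case "$label" in
                        ""|*.*) return 1 ;;   # empty or multi-label prefix
                        *) return 0 ;;
                    esac ;;
            esac
            return 1 ;;
    esac
    return 1
}

# presented_cn HOST PORT -> prints the CN of the certificate the server sends
# (SNI is set, as a browser would do)
presented_cn() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt multiline 2>/dev/null \
        | sed -n 's/^ *commonName *= *//p'
}

# check_endpoint HOST PORT EXPECTED_NAME -> prints a verdict, returns 0 on match
check_endpoint() {
    cn=$(presented_cn "$1" "$2")
    [ -n "$cn" ] || { echo "$1:$2: no certificate received"; return 2; }
    if cn_matches_host "$cn" "$3"; then
        echo "$1:$2 presents CN=$cn, which covers $3"
    else
        echo "$1:$2 presents CN=$cn, which does NOT cover $3 (wrong cert?)"
        return 1
    fi
}

# usage: ./checkcert.sh my.domain.com 443 my.domain.com
if [ $# -eq 3 ]; then check_endpoint "$1" "$2" "$3"; fi
```

Run it from the TomcatVM against my.domain.com:443 and localhost:8443 to see both mismatches from the question reported explicitly.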