Can I use iptables on my Varnish server to forward HTTPS traffic to a specific server?

Posted by Dylan Beattie on Server Fault See other posts from Server Fault or by Dylan Beattie
Published on 2012-10-26T14:33:08Z Indexed on 2012/10/26 17:06 UTC
Read the original article Hit count: 261

We use Varnish as our front-end web cache and load balancer, so we have a Linux server in our development environment, running Varnish with some basic caching and load-balancing rules across a pair of Windows 2008 IIS web servers.

We have a wildcard DNS rule that points *.development at this Varnish box, so we can browse http://www.mysite.com.development, http://www.othersite.com.development, etc. The problem is that since Varnish can't handle HTTPS traffic, we can't access https://www.mysite.com.development/

For dev/testing, we don't need any acceleration or load-balancing - all I need is to tell this box to act as a dumb proxy and forward any incoming requests on port 443 to a specific IIS server. I suspect iptables may offer a solution but it's been a long while since I wrote an iptables rule. Some initial hacking has got me as far as

iptables -F
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.241:443
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.241 --dport 443 -j MASQUERADE
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'PreRouting '
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix 'PostRouting '
iptables-save > /etc/iptables.rules

(where 10.0.0.241 is the IIS box hosting the HTTPS website), but this doesn't appear to be working.

To clarify - I realize there's security implications about HTTPS proxying/caching - all I'm looking for is completely transparent IP traffic forwarding. I don't need to decrypt, cache or inspect any of the packets; I just want anything on port 443 to flow through the Linux box to the IIS box behind it as though the Linux box wasn't even there.

Any help gratefully received...

EDIT: Included full iptables config script.

© Server Fault or respective owner

Related posts about iis

Related posts about iptables