Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend). I cannot remember why I set the top header options,
I must have been trying to learn about them. The host ones are to figure
out the site and send the connection to the table above.
ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"
table <myself> { $int_addr }
table <website> {
$vm1_addr
$vm2_addr
$vm3_addr
$vm4_addr
}
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
# playing with these options
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value
"$SERVER_ADDR:$SERVER_PORT"
match request header set "Keep-Alive" value "$TIMEOUT"
match request header set "Connection" value "close"
match request header "Host" value "website.example.com" forward to
<website>
match request header "Host" value "example.com" forward to <myself>
match request header "Host" value "www.example.com" forward to <myself>
}
relay wwwtls {
# Run as a SSL/TLS accelerator
listen on $ext_addr port 443 tls
protocol https
forward to <myself> port 80 check tcp
forward to <website> port 80 mode loadbalance check tcp
}
V/r,
Bryan
On Thu, Sep 28, 2017 at 7:32 AM, mabi <m...@protonmail.ch> wrote:
> Hi,
>
> I was wondering if it is possible to use relayd as load balancer with TLS
> termination for multiple different websites residing on different server.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website which seems to me a bit a waste hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to have to use one single SSL certificate
> file which includes every CN for each of my website. My feeling tells me
> that this does not sound good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in <table1> and
> that website www.website2.com has to be forwarded to the hosts in
> <table2>? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to setup a relayd TLS load balancer for a different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi
