Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend).  I cannot remember why I set the top header options,
I must have been trying to learn about them.  The host ones are to figure
out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table <myself> { $int_addr }
table <website> {
  $vm1_addr
  $vm2_addr
  $vm3_addr
  $vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
  # playing with these options
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Keep-Alive" value "$TIMEOUT"
  match request header set "Connection" value "close"

  match request header "Host" value "website.example.com" forward to <website>
  match request header "Host" value "example.com" forward to <myself>
  match request header "Host" value "www.example.com" forward to <myself>

}

relay wwwtls {
  # Run as a SSL/TLS accelerator
  listen on $ext_addr port 443 tls
  protocol https

  forward to <myself> port 80 check tcp
  forward to <website> port 80 mode loadbalance check tcp
}

V/r,
Bryan

On Thu, Sep 28, 2017 at 7:32 AM, mabi <m...@protonmail.ch> wrote:

> Hi,
>
> I was wondering if it is possible to use relayd as a load balancer with TLS
> termination for multiple different websites residing on different servers.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website, which seems to me a bit of a waste, hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to use one single SSL certificate
> file which includes every CN for each of my websites. My feeling tells me
> that this does not sound like good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in <table1> and
> that website www.website2.com has to be forwarded to the hosts in
> <table2>? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to set up a relayd TLS load balancer for different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi
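
Added example, not part of either e-mail: the config above appends $REMOTE_ADDR to X-Forwarded-For, so anything the client sent in that header stays in front of the relay's value, and a backend should believe only the rightmost untrusted entry, and only when the connection comes from the relay. The function name, the relay address 192.0.2.1 and the sample values are assumptions; the code accepts the appended value either comma-joined or as a separate header line.

```python
import ipaddress

# Assumption: the addresses relayd connects from, as seen by the backends.
# 127.0.0.1 is $int_addr from the config; 192.0.2.1 is a constructed value.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.0.2.1/32")]


def _parse(text):
    """Return an ip_address object, or None if the text is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _trusted(ip, proxies):
    return any(ip in net for net in proxies)


def client_ip(peer_addr, xff_values, proxies=TRUSTED_PROXIES):
    """Pick the client address a backend should log or rate-limit on.

    peer_addr  -- source address of the TCP connection to the backend
    xff_values -- every X-Forwarded-For header value received, in order
    """
    peer = _parse(peer_addr)
    # A connection that did not come through the relay: ignore the header.
    if peer is None or not _trusted(peer, proxies):
        return peer_addr
    hops = [h for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the relay's own entry is last, client-supplied
    # entries (possibly forged) come before it.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return peer_addr      # malformed entry: fall back to the peer
        if not _trusted(ip, proxies):
            return str(ip)        # first address not added by our own relay
    return peer_addr              # header absent or only trusted hops
```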
