On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> Hello,
> 
> I'm trying to get relayd to work with multiple letsencrypt certificates,
> 
> i want to go user -> https -> http backendhost based on Host header
> 
> relayd:
> 
> table <onehosts> { 192.168.3.3 192.168.3.3 }
> table <locals> { 127.0.0.1 }
> table <twohosts> { 192.168.3.6 192.168.3.5 }
> 
> http protocol vhost {
>         match request header "Host" value "0.domain.tld" forward to <locals>
>         match request header "Host" value "1.domain.tld" forward to <onehosts>
>         match request header "Host" value "2.domain.tld" forward to <twohosts>
> }
> 
> relay vhost {
>         listen on 127.0.0.1 port 8089
>         protocol vhost
>         forward to <locals> port http check icmp
>         forward to <onehosts> port http check icmp
>         forward to <twohosts> port http check icmp
> }
> 
> http protocol https {
>         tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> #       tls ca cert "/etc/ssl/1.domain.tld.crt"
> #       tls ca file "/etc/ssl/1.domain.tld.fullchain.pem"
> #       tls ca key "/etc/ssl/private/1.domain.tld.key" password ""
> 
> }
> 
> relay sslhost {
>         listen on 127.0.0.1 port 8443 ssl
>         protocol https
>         forward with tls to <locals> port https check icmp
> }
> 
> Does anyone know how to get this working with multiple letsencrypt certs?
> 

You need individual IP:port settings for each of the certs. Also don't
forward to different hosts based on match rules unless you really know
what you are doing. The backend system is only evaluated at the start of
the connection and so keepalive sessions will not route correctly.

-- 
:wq Claudio
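Editor's note (added example, not part of the thread): the shape of relayd.conf that follows from the reply above is one TLS relay per certificate, each on its own listen address, and each forwarding to exactly one backend table so the Host header never has to pick a backend. The listen addresses 192.0.2.10 and 192.0.2.11 and the hostnames are placeholders from the documentation range; the backend tables reuse the names from the original question. The certificate lookup by listen address and port is the convention described in relayd.conf(5); check the exact file names against the man page of the installed release, and note that `tls` is the keyword documented there where the original config wrote `ssl`.

```conf
# Added example, not the original poster's config. Public addresses are
# placeholders; one address (and one acme-client certificate) per hostname.
table <onehosts> { 192.168.3.3 }
table <twohosts> { 192.168.3.6 192.168.3.5 }

http protocol httpsfront {
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        # No "match ... forward to" rules here: relayd picks the backend
        # once per connection, so routing on the Host header would send
        # later keepalive requests on the same connection to the wrong
        # backend. Each relay below has a single forward target instead.
}

# 1.domain.tld -> 192.0.2.10. relayd loads the keypair for this relay
# from /etc/ssl/192.0.2.10:443.crt and /etc/ssl/private/192.0.2.10:443.key
# (install the acme-client fullchain as the .crt).
relay one_tls {
        listen on 192.0.2.10 port 443 tls
        protocol httpsfront
        forward to <onehosts> port http check icmp
}

# 2.domain.tld -> 192.0.2.11, its own certificate under
# /etc/ssl/192.0.2.11:443.crt and /etc/ssl/private/192.0.2.11:443.key.
relay two_tls {
        listen on 192.0.2.11 port 443 tls
        protocol httpsfront
        forward to <twohosts> port http check icmp
}
```

Each hostname's DNS record points at its own address, so the client reaches the relay that holds the matching certificate without relayd needing to inspect the Host header or SNI. Run `relayd -n -f /etc/relayd.conf` to check the syntax before reloading, and watch the relayd log on startup: a relay whose certificate or key file is missing for its address:port is reported there.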
