Hi Stuart,

> Sent: Monday, December 24, 2018 at 1:13 AM
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: Relayd with multiple lets encrypt cert's
>
> On 2018-12-22, Aham Brahmasmi <aham.brahma...@gmx.com> wrote:
> >> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
> >> > Hi,
> >> >
> >> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> >> > > > Hello,
> >> > > > Does anyone know how to get this working with multiple letsencrypt
> >> > > > certs?
> >> > > >
> >> > >
> >> > > You need individual IP:port settings for each of the certs. Also don't
> >> > > forward to different hosts based on match rules unless you really know
> >> > > what you are doing. The backend system is only evaluated at the start
> >> > > of the connection and so keepalive sessions will not route correctly.
> >> > >
> >> > > --
> >> > > :wq Claudio
> >> >
> >> > Would having a single SAN certificate help in this case [1]?
> >> >
> >>
> >> Yes and no. It would make listening on one port possible but it does not
> >> solve the issue of 'match forward to' being sticky for a connection.
> >>
> >> --
> >> :wq Claudio
> >
> > Danke Claudio for your response.
> >
> > Would it be possible for you to please elaborate on the 'match forward
> > to' being sticky for a connection? I presume that there is some problem
> > which might occur due to this.
>
> A request comes in with some Host header, relayd decides the destination
> based on this and proxies the request. Client does keepalive and
> holds on to the connection for use with another request to the same
> destination IP. Client then sends a second request - different Host:
> header on the same IP. relayd already picked a backend with the first
> request and sends it there rather than doing a fresh lookup based on the
> second Host header.
I am sorry for the delay in my response. Thank you for the simple and
helpful explanation. I had not thought about this possibility of the
client reusing the underlying connection to an IP:port shared by
different hosts.

Dhanyavaad.

Regards,
ab
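The failure mode Stuart describes can be made concrete with a small model. The example below is added here for illustration; it is not relayd code and is not from anyone in the thread. It parses two HTTP/1.1 requests sent back to back on one keep-alive TCP stream (constructed sample data), then compares two routing policies: the sticky one the thread describes (backend chosen from the first request's Host header and reused for the life of the connection) and a per-request lookup. The hostnames, backend names and the HOST_TABLE mapping are assumptions standing in for whatever `match request header "Host" ... forward to` rules a real relayd.conf would carry. The point worth noticing is the security one: with sticky routing, the second request for b.example.org, cookies and all, is delivered to the server that is supposed to serve a.example.org.

```python
"""Model of per-connection backend selection vs. HTTP keep-alive.

Added illustration, not relayd's implementation. Hostnames, backend
names and the routing table below are assumptions for the example.
"""
from typing import Dict, List, Tuple

# Assumed Host -> backend mapping (stands in for relayd match rules).
HOST_TABLE: Dict[str, str] = {
    "a.example.org": "backend-a",
    "b.example.org": "backend-b",
}
DEFAULT_BACKEND = "backend-default"

Request = Tuple[str, str, str]  # (method, target, host)


def parse_keepalive_stream(data: bytes) -> List[Request]:
    """Split one keep-alive TCP stream into its requests.

    Handles body-less requests (GET/HEAD), which is all this example needs.
    Raises ValueError on a truncated request.
    """
    requests: List[Request] = []
    rest = data
    while rest:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("truncated request in stream")
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].decode("ascii").split(" ", 2)
        host = ""
        for line in lines[1:]:
            name, _, value = line.decode("ascii").partition(":")
            if name.strip().lower() == "host":
                host = value.strip().lower()
        requests.append((method, target, host))
    return requests


def route_sticky(requests: List[Request]) -> List[str]:
    """The behaviour the thread describes: the backend is chosen once,
    from the first request's Host header, and reused for the connection."""
    backend = None
    chosen: List[str] = []
    for _method, _target, host in requests:
        if backend is None:
            backend = HOST_TABLE.get(host, DEFAULT_BACKEND)
        chosen.append(backend)
    return chosen


def route_per_request(requests: List[Request]) -> List[str]:
    """What the client expects: every request is routed by its own Host."""
    return [HOST_TABLE.get(host, DEFAULT_BACKEND) for _m, _t, host in requests]


def misrouted(requests: List[Request]) -> List[int]:
    """Indexes of requests the sticky policy delivers to the wrong backend."""
    sticky = route_sticky(requests)
    wanted = route_per_request(requests)
    return [i for i, (s, w) in enumerate(zip(sticky, wanted)) if s != w]


# Constructed sample: two requests, different Host headers, one connection.
STREAM = (
    b"GET / HTTP/1.1\r\nHost: a.example.org\r\nConnection: keep-alive\r\n\r\n"
    b"GET /login HTTP/1.1\r\nHost: b.example.org\r\n"
    b"Cookie: session=secret\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    reqs = parse_keepalive_stream(STREAM)
    for i, (req, sticky, wanted) in enumerate(
        zip(reqs, route_sticky(reqs), route_per_request(reqs))
    ):
        flag = "  <-- misrouted" if sticky != wanted else ""
        print(f"request {i}: Host={req[2]} sticky={sticky} wanted={wanted}{flag}")
```

Running it shows request 1 (Host: b.example.org) landing on backend-a under the sticky policy. This is why Claudio's advice in the thread is to give each certificate its own IP:port listener rather than to fan out by Host header on a shared listener: with one listener per host there is nothing for a reused connection to be sticky to.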