Personally, I would drop the keypairs you define and rename the
certificates as 'localhost.crt' for example.com and its subdomain and a
certificate 'localhost:8082' for handling beispiel.de.  Similarly,
repeat this for the private keys as well.

No further configuration is needed after that.  See the description of
'keypair' under the PROTOCOLS section in relayd.conf(8).

Regards,
JP

On 21/05/27 08:43am, Philip Kaludercic wrote:
>
> Hi,
>
> I have been trying to configure relayd for a few days now to multiplex
> multiple servers running on the same local machine, while at the same
> time taking care of TLS.
>
> A simplified state of my configuration looks something like this:
>
>     log connection
>     log state changes
>
>     table <httpd> { 127.0.0.1 }
>     table <serv1> { 127.0.0.1 }
>     table <serv2> { 127.0.0.1 }
>     table <acme>  { 127.0.0.1 }
>
>     http protocol "http" {
>       match request header "Host" value "example.com"     forward to <httpd>
>       match request header "Host" value "sub.example.com" forward to <serv1>
>       match request header "Host" value "beispiel.de"     forward to <serv2>
>       match request path "/.well-known/acme*"             forward to <acme>
>     }
>
>     http protocol "https" {
>       tls keypair "example.com" # responsible for example.com and sub.example.com
>       tls keypair "beispiel.de"
>
>       match request header "Host" value "example.com"     forward to <httpd>
>       match request header "Host" value "sub.example.com" forward to <serv1>
>       match request header "Host" value "beispiel.de"     forward to <serv2>
>       match request path "/.well-known/acme*"             forward to <acme>
>     }
>
>     relay plain {
>       listen on * port http
>
>       protocol "http"
>
>       forward to <httpd> port 8080
>       forward to <serv1> port 8081
>       forward to <serv2> port 8082
>       forward to <acme>  port 8080
>     }
>
>     relay secure {
>       listen on * port https tls
>
>       protocol "https"
>
>       forward to <httpd> port 8080
>       forward to <serv1> port 8081
>       forward to <serv2> port 8082
>       forward to <acme>  port 8080
>     }
>
> The "plain" relayd works just the way it should, it redirects every
> request to the right destination. "secure" on the other hand triggers an
> error I cannot make sense of:
>
>     # relayd -nvvv
>     relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
>     relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
>     relay_load_certfiles: using certificate /etc/ssl/beispiel.de:443.crt
>     relay_load_certfiles: using private key /etc/ssl/private/beispiel.de:443.key
>     /etc/relayd.conf:46: cannot load certificates for relay secure4:443
>
> I have looked into the source code, but couldn't find where "secure4"
> comes from. The certificates and keys were generated using acme-client,
> and they have the default permissions (crt is 444, key is 400).
>
> Am I doing the right thing here, considering what I want to achieve? I
> would be very grateful for any comments or hints on what I could be
> doing wrong.
>
> --
>       Philip K.
>

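The thread turns on how a `tls keypair "name"` line in a PROTOCOLS block maps to files under /etc/ssl and /etc/ssl/private, with the relay's listen port appended to the name. The following pre-flight checker is an added example written for this page; it is not relayd code and not from either poster. It parses a relayd.conf-style text, resolves each keypair name of every relay that listens with `tls` to the candidate files, and reports files that are missing or private keys that are readable by group or others (acme-client's default of 400 on keys is what the original poster had). Assumptions: the lookup order NAME:PORT first, then NAME without the port, is taken from relayd.conf(5) and should be confirmed against the manual for your release; the `SERVICE_PORTS` table, the sample configuration and the temporary files are constructed for the demonstration.

```python
"""Pre-flight check for relayd 'tls keypair' declarations (added example,
not relayd code). Resolves keypair names to the certificate and key files
relayd would look for and flags missing files and over-permissive keys."""
import os
import re
import stat
import tempfile

PROTO_RE = re.compile(r'^\s*http\s+protocol\s+"([^"]+)"')
KEYPAIR_RE = re.compile(r'^\s*tls\s+keypair\s+"([^"]+)"')
RELAY_RE = re.compile(r'^\s*relay\s+(\S+)\s*\{')
LISTEN_RE = re.compile(r'^\s*listen\s+on\s+\S+\s+port\s+(\S+)(\s+tls)?')
USE_PROTO_RE = re.compile(r'^\s*protocol\s+"([^"]+)"')
SERVICE_PORTS = {"http": 80, "https": 443}  # constructed: only the names used here

# Constructed configuration modelled on the thread (relay bodies trimmed).
SAMPLE_CONF = '''
http protocol "https" {
  tls keypair "example.com"   # meant to cover example.com and sub.example.com
  tls keypair "beispiel.de"
}
relay secure {
  listen on * port https tls
  protocol "https"
}
relay plain {
  listen on * port http
  protocol "http"
}
'''


def parse(conf_text):
    """Return ({protocol: [keypair names]}, [relay dicts]) from relayd.conf text."""
    keypairs, relays, block, cur = {}, [], None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        if (m := PROTO_RE.match(line)):
            block = ("proto", m.group(1))
            keypairs[m.group(1)] = []
        elif (m := RELAY_RE.match(line)):
            block = ("relay", m.group(1))
            cur = {"name": m.group(1), "port": None, "tls": False, "protocol": None}
        elif line.strip() == "}":
            if block and block[0] == "relay":
                relays.append(cur)
            block = None
        elif block and block[0] == "proto" and (m := KEYPAIR_RE.match(line)):
            keypairs[block[1]].append(m.group(1))
        elif block and block[0] == "relay":
            if (m := LISTEN_RE.match(line)):
                cur["port"] = int(SERVICE_PORTS.get(m.group(1), m.group(1)))
                cur["tls"] = m.group(2) is not None
            elif (m := USE_PROTO_RE.match(line)):
                cur["protocol"] = m.group(1)
    return keypairs, relays


def candidate_paths(name, port, ssl_dir="/etc/ssl"):
    """Files tried for a keypair name, most specific first (assumed order, see lead-in)."""
    crts = [f"{ssl_dir}/{name}:{port}.crt", f"{ssl_dir}/{name}.crt"]
    keys = [f"{ssl_dir}/private/{name}:{port}.key", f"{ssl_dir}/private/{name}.key"]
    return crts, keys


def check_keypairs(conf_text, ssl_dir="/etc/ssl"):
    """Return one finding string per problem found for the TLS relays in conf_text."""
    keypairs, relays = parse(conf_text)
    findings = []
    for r in (r for r in relays if r["tls"]):
        for name in keypairs.get(r["protocol"], []):
            crts, keys = candidate_paths(name, r["port"], ssl_dir)
            crt = next((p for p in crts if os.path.isfile(p)), None)
            key = next((p for p in keys if os.path.isfile(p)), None)
            tag = f"relay {r['name']}: keypair {name!r}:"
            if crt is None:
                findings.append(f"{tag} no certificate at {' or '.join(crts)}")
            if key is None:
                findings.append(f"{tag} no private key at {' or '.join(keys)}")
            elif os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{tag} {key} is readable by group or others")
    return findings


def demo():
    """Constructed scenario: both keypairs resolve, but one key is left group-readable."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "private"))

    def touch(rel, mode):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)

    touch("example.com:443.crt", 0o444)
    touch("private/example.com:443.key", 0o400)  # acme-client default: fine
    touch("beispiel.de.crt", 0o444)              # matched via the port-less fallback name
    touch("private/beispiel.de.key", 0o440)      # group-readable: should be flagged
    return check_keypairs(SAMPLE_CONF, ssl_dir=root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real /etc/relayd.conf with the default `ssl_dir`, the checker tells you, before restarting relayd, which file each keypair line will be satisfied by and whether a key has been left readable by other users; the `plain` relay is skipped because it does not listen with `tls`.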