On Tue, May 11, 2010 at 5:05 PM, Keith <[email protected]> wrote:
> Hi. Is it possible to get multiple http relayd relays listening on localhost,
> each with a different port # and each with a different SSL certificate?
>
> I've followed a tutorial I found on the net about setting up a firewall so
> that no services were bound to any network interfaces and then using pf
> rdr's to pass, say, https traffic to localhost where you have relayd listening
> and let it do the SSL decryption. So if pf failed for some reason then there
> would be no services available for anyone to connect to!
>
> I've got this setup working for http and a single https certificate just now
> and it seems to be working fine, but I need to be able to host multiple SSL
> certificates. It seems that the certificate appears to need to be named
> after the IP that it's listening on, and this is going to cause issues as
> there's only one 127.0.0.1, I think.
>
> Our current setup consists of a pair of firewalls running OpenBSD, carp, pf
> and relayd. Currently the carp interface has just one IP but we will assign
> others to it as we free up the other IP addresses in our range.
>
> I guess it's not the best idea to do the SSL offloading on the firewall, so
> in the future when another server becomes available I will probably want it
> to do the SSL decryption. I guess if we do that we could just get the new
> server a number of IP addresses and let relayd listen on each of them with
> the SSL certs named after each IP. (If that makes sense)
>
> Could anyone give me some advice plz?
I can't think of a situation where what you describe doesn't sound wacky. Maybe I misunderstand the intentions, can you link the 'tutorial'? Also, to do more than 1 SSL site you will just need to add another IP that corresponds with the cert. Maybe 'ifconfig lo1 127.0.0.2' is enough?

-Bryan
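The loopback-alias approach Bryan suggests, written out as an added example that is not part of the thread: one extra loopback address per certificate, one relayd relay listening on each address, and pf steering each public address/port pair to the matching loopback address. The relayd of that era picks the certificate by the address it listens on (/etc/ssl/<address>.crt and /etc/ssl/private/<address>.key), not by the hostname the client asks for, so with a single public IP the second site has to live on a second public port until more addresses are freed up. All addresses, ports, hostnames, interface names and backend servers below are assumptions; the syntax follows relayd.conf(5), hostname.if(5) and pf.conf(5) of the OpenBSD 4.7 era (`listen ... ssl`, `rdr-to`). Later releases renamed the SSL keywords to `tls`, so check the man pages for the installed version.

```conf
# --- /etc/hostname.lo1 (assumed: one extra loopback address per certificate) ---
# relayd looks up the certificate and key by the listen address:
#   /etc/ssl/<address>.crt   and   /etc/ssl/private/<address>.key
# 127.0.0.1 is already used by the existing single-cert relay, so each
# additional certificate gets its own loopback address.
inet 127.0.0.2 255.255.255.255
inet alias 127.0.0.3 255.255.255.255

# --- /etc/relayd.conf (assumed names, addresses and backend ports) ---
web_backend="10.0.0.5"      # plain-http web server behind the firewall (assumed)

http protocol "https-offload" {
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
}

# www.example.com (assumed hostname)
# cert: /etc/ssl/127.0.0.2.crt   key: /etc/ssl/private/127.0.0.2.key
relay "www-ssl" {
        listen on 127.0.0.2 port 443 ssl
        protocol "https-offload"
        forward to $web_backend port 80
}

# shop.example.com (assumed hostname)
# cert: /etc/ssl/127.0.0.3.crt   key: /etc/ssl/private/127.0.0.3.key
relay "shop-ssl" {
        listen on 127.0.0.3 port 443 ssl
        protocol "https-offload"
        forward to $web_backend port 8080
}

# --- /etc/pf.conf (assumed; 4.7-style rdr-to) ---
# Nothing listens on the external interface itself; pf decides which loopback
# address, and therefore which certificate, a connection reaches. With only
# one public address the second site must use a second public port (8443);
# once a second carp address is available, change that rule to
# "to $shop_ip port 443" and both sites can answer on 443.
ext_if="em0"
ext_ip="192.0.2.10"         # the carp address clients connect to (assumed)
pass in on $ext_if proto tcp to $ext_ip port 443  rdr-to 127.0.0.2 port 443
pass in on $ext_if proto tcp to $ext_ip port 8443 rdr-to 127.0.0.3 port 443
```

Check both files before reloading with `relayd -n -f /etc/relayd.conf` and `pfctl -nf /etc/pf.conf`; relayd will refuse to start a relay whose certificate or key file is missing for its listen address, which is the quickest way to confirm the file naming is right. The private keys stay in /etc/ssl/private with root-only permissions, and because the relays bind only to loopback, a pf failure leaves nothing reachable from outside, which preserves the fail-closed property the original setup was built for.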

