I've been following the tutorials from https://calomel.org
I am using a modified version of their pf.conf that can be found at
https://calomel.org/pf_config.html and the relayd tutorial that can be
found at https://calomel.org/relayd.html
The following is an extract from their pf tutorial page: "As an
added layer of security all services will be running on localhost and
only those clients negotiating the redirect rules (rdr) will be able to
connect. The ideology is if the firewall is off or disabled in some way
then the services on the firewall are not available to anyone."
We're doing the above and have relayd listening on 127.0.0.1 port 8080
and have pf rdr rules redirecting https traffic to 127.0.0.1:8080, and
the certificate that the https relay is using is called 127.0.0.1.crt.
This works fine, but what if we want to host another ssl certificate? I
can add another IP address to the firewall and put rdr rules into pf
and can put another relay into relayd.conf, but what name does the
certificate get now? This is where I am stuck.
Keith
On 12/05/2010 01:05, Keith wrote:
Hi, is it possible to get multiple http relayd relays listening on
localhost, each with a different port number and each with a different ssl
certificate?
I've followed a tutorial I found on the net about setting up a
firewall so that no services were bound to any network interfaces and
then using pf rdrs to pass, say, https traffic to localhost where you
have relayd listening and let it do the ssl decryption. So if pf
failed for some reason then there would be no services available for
anyone to connect to!
I've got this setup working for http and a single https certificate
just now and it seems to be working fine, but I need to be able to host
multiple SSL certificates. It seems that the certificate appears to
need to be named after the IP that it's listening on, and this is
going to cause issues as there's only one 127.0.0.1, I think.
Our current setup consists of a pair of firewalls running openbsd,
carp, pf and relayd. Currently the carp interface has just one IP but
we will assign others to as we free up the other IP addresses in our
range.
I guess it's not the best idea to do the ssl offloading on the
firewall, so in the future when another server becomes available I
will probably want it to do the SSL decryption. I guess if we do that
we could just get the new server a number of IP addresses and let
relayd listen on each of them with the SSL certs named after each IP.
(If that makes sense.)
Could anyone give me some advice, please?
Thanks
Keith
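One way to keep the "nothing listens on the real interfaces" design while serving several certificates is to give lo0 extra aliases and bind one relay per alias, since relayd of that era picks /etc/ssl/<address>.crt and /etc/ssl/private/<address>.key from the listen address. This is an added example, not from Keith's mail or calomel's configs; the loopback aliases 127.0.0.2/127.0.0.3, the public addresses, the backend web servers and the OpenBSD 4.7-style rdr-to syntax are all assumptions.

```conf
# /etc/hostname.lo0 -- constructed example: two extra loopback aliases,
# one per certificate. relayd will then load /etc/ssl/127.0.0.2.crt,
# /etc/ssl/private/127.0.0.2.key, /etc/ssl/127.0.0.3.crt and
# /etc/ssl/private/127.0.0.3.key (assumed file names following the
# 127.0.0.1.crt convention in the mail).
inet alias 127.0.0.2 255.255.255.255
inet alias 127.0.0.3 255.255.255.255

# /etc/relayd.conf -- "ssl" keyword as used by relayd in 2010
web1="10.0.0.10"        # assumed backend for the first certificate
web2="10.0.0.11"        # assumed backend for the second certificate

http protocol "httpssl" {
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
}

# Same port on two different loopback addresses is fine: each relay
# binds its own socket and therefore its own certificate/key pair.
relay "ssl_site1" {
        listen on 127.0.0.2 port 8080 ssl
        protocol "httpssl"
        forward to $web1 port 80
}

relay "ssl_site2" {
        listen on 127.0.0.3 port 8080 ssl
        protocol "httpssl"
        forward to $web2 port 80
}

# /etc/pf.conf -- assumed macros; one public address per certificate.
# Only traffic matched by these rdr-to rules ever reaches relayd, so if
# pf is down the relays on loopback are unreachable from outside.
ext_if="em0"
ext_ip1="192.0.2.10"
ext_ip2="192.0.2.11"
pass in on $ext_if proto tcp from any to $ext_ip1 port 443 rdr-to 127.0.0.2 port 8080
pass in on $ext_if proto tcp from any to $ext_ip2 port 443 rdr-to 127.0.0.3 port 8080
```

Check both files before reloading with `pfctl -nf /etc/pf.conf` and `relayd -n`, and confirm with `netstat -an -f inet | grep LISTEN` that only 127.0.0.x addresses are bound.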