Hi,
jrmu@ircnow.org writes:
> Then it seems relayd also works. So I suspect relayd is ignoring
> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> enabled, relayd appears to ignore:
>
> tls { keypair example.com }
>
> Can someone verify if this is correct behavior, if I misconfigured, or
> if this is a bug?
You're making things a bit harder for yourself with your choice of
certificate filenames. For starters, on webservers I've never had
any use for a certificate without full chain. So I just create a
full chain certificate under the usual certificate filename in my
acme-client config.
domain example.com {
	domain key "/etc/ssl/private/example.com.key"
	# leaf + intermediates in one file, at the path relayd's
	# "tls keypair example.com" expects for the certificate
	domain full chain certificate "/etc/ssl/example.com.crt"
	sign with letsencrypt
}
No symlinks necessary.
Then in relayd I create two relays, listening to the same protocol
block.
table <httpd> { 127.0.0.1 }
log connection

# one protocol block, shared by both relays below
http protocol myremote {
	# loads /etc/ssl/example.com.crt and /etc/ssl/private/example.com.key
	tls keypair "example.com"
	return error
	pass
}

# IPv4 listener
relay mysite4 {
	listen on 127.0.0.1 port 443 tls
	protocol myremote
	forward to <httpd> check tcp port 80
}

# IPv6 listener, same protocol (and therefore same keypair)
relay mysite6 {
	listen on ::1 port 443 tls
	protocol myremote
	forward to <httpd> check tcp port 80
}
The problem really is that you can't listen on IPv4 and IPv6 in the
same relay block. This might be a bug although I suppose it could be
intentional (I've never found relayd's configuration very intuitive).
--
Anthony J. Bentley
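After deploying a split IPv4/IPv6 setup like the one above, the check a practitioner wants is that both listeners really present the same certificate and that the file relayd loads for the keypair actually contains the full chain. The script below is an added example, not part of the mailing-list post or of relayd itself; it assumes the openssl(1) command-line tool is installed and that relayd is listening on 127.0.0.1 and ::1 port 443 with keypair "example.com" (the hostname, addresses and port are assumptions taken from the configuration above):

```shell
#!/bin/sh
# Added example: compare the certificate relayd serves on its IPv4 and IPv6
# listeners and sanity-check the keypair files on disk.
# Assumes: openssl(1) installed; relayd keypair name "example.com";
# listeners on 127.0.0.1 and ::1 port 443 (all of these are assumptions).

# openssl s_client -connect needs IPv6 literals in brackets; IPv4 addresses
# and hostnames pass through unchanged.
connect_target() {
	case "$1" in
	*:*:*) printf '[%s]:%s\n' "$1" "$2" ;;
	*)     printf '%s:%s\n' "$1" "$2" ;;
	esac
}

# Fetch the served chain (PEM) from addr/port, sending SNI for sni_name.
fetch_chain() {
	openssl s_client -connect "$(connect_target "$1" "$2")" \
		-servername "$3" -showcerts </dev/null 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate presented at addr/port.
leaf_fingerprint() {
	fetch_chain "$1" "$2" "$3" | openssl x509 -noout -fingerprint -sha256
}

# Number of certificates in the served chain; a full chain from
# acme-client's "domain full chain certificate" gives at least 2.
chain_length() {
	fetch_chain "$1" "$2" "$3" | grep -c 'BEGIN CERTIFICATE'
}

# The files "tls keypair NAME" loads must belong together: compare the
# public key embedded in /etc/ssl/NAME.crt with the one derived from
# /etc/ssl/private/NAME.key (the latter needs root to read).
keypair_matches() {
	cert_pub=$(openssl x509 -in "/etc/ssl/$1.crt" -noout -pubkey)
	key_pub=$(openssl pkey -in "/etc/ssl/private/$1.key" -pubout)
	[ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Compare every listener address against the first one; exit 1 on mismatch.
check_listeners() {
	name=$1; port=$2; shift 2
	ref=""
	for addr in "$@"; do
		fp=$(leaf_fingerprint "$addr" "$port" "$name")
		len=$(chain_length "$addr" "$port" "$name")
		printf '%-12s %s chain=%s\n' "$addr" "$fp" "$len"
		[ -z "$fp" ] && { echo "no certificate from $addr"; return 1; }
		[ "$len" -ge 2 ] || echo "warning: $addr serves no intermediate"
		if [ -z "$ref" ]; then ref=$fp
		elif [ "$fp" != "$ref" ]; then
			echo "MISMATCH: $addr serves a different leaf"; return 1
		fi
	done
}

# Usage: ./check-relayd-tls.sh example.com 443 127.0.0.1 ::1
# (top-level run only when arguments are supplied, so the functions can be
# sourced without touching the network)
if [ "$#" -ge 3 ]; then
	keypair_matches "$1" || echo "warning: cert/key for keypair $1 do not match"
	check_listeners "$@"
fi
```

Run it as root so the private key is readable; a listener that answers with an empty fingerprint, or a different one from its sibling, is exactly the symptom the original poster described, while a chain length of 1 means the file under /etc/ssl/ is a bare leaf rather than the full chain.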