I was trying to configure relayd for TLS acceleration when I noticed an unusual
error.
Here is my /etc/relayd.conf (with actual IPs and domains replaced):
ip4="192.0.2.1"
ip6="2001:db8::"
table <www> { 127.0.0.1 }
table <bnc> { 127.0.0.1 }
log connection
http protocol https {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
# Various TCP options
tcp { sack, backlog 128 }
tls { keypair example.com }
match request header "Host" value "www.example.com" forward to <www>
}
relay wwwtls {
listen on $ip4 port 443 tls
listen on $ip6 port 443 tls
protocol https
forward to <www> port 8001 check icmp
}
I set up symlinks for the SSL certs as follows:
$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
$ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
I then start relayd:
$ doas relayd -dvv
and get the following errors:
relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
/etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
I discovered that if I comment out the below line, line 23, relayd works:
listen on $ip6 port 443 tls
So if I comment out the IPv6 listener, relayd works just fine.
If I include the IPv6 listener but create symlinks with IPv6 addresses as follows:
$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
$ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
Then it seems relayd also works. So I suspect relayd is ignoring
the tls keypair directive for IPv6 addresses. In other words, when IPv6 is enabled,
relayd appears to ignore:
tls { keypair example.com }
Can someone verify if this is correct behavior, if I misconfigured, or
if this is a bug?
jrmu
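The following is an added example and is not part of the post above or of relayd itself. It is a pre-flight check for the certificate and key paths a TLS relay will look up, following the order documented in relayd.conf(5): /etc/ssl/name:port.crt then /etc/ssl/name.crt, and /etc/ssl/private/name:port.key then /etc/ssl/private/name.key, where name is the keypair name or, without a keypair, the listen address. The SSLROOT variable, the function names and the scratch directory are this script's own assumptions; the certificate and key contents it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# certificate and key paths a TLS relay will try. relayd.conf(5) documents
# the lookup order for "tls { keypair name }" (and, with no keypair, for the
# listen address in place of name):
#   /etc/ssl/name:port.crt          then /etc/ssl/name.crt
#   /etc/ssl/private/name:port.key  then /etc/ssl/private/name.key
# SSLROOT is this script's own knob (assumption, not a relayd setting): it
# defaults to /etc and can point at a scratch tree for offline testing.

SSLROOT="${SSLROOT:-/etc}"

# Candidate paths for NAME PORT, most specific first, one per line.
cert_candidates() {
    printf '%s/ssl/%s:%s.crt\n%s/ssl/%s.crt\n' "$SSLROOT" "$1" "$2" "$SSLROOT" "$1"
}
key_candidates() {
    printf '%s/ssl/private/%s:%s.key\n%s/ssl/private/%s.key\n' \
        "$SSLROOT" "$1" "$2" "$SSLROOT" "$1"
}

# Print the first readable path from stdin; return 1 if none is readable.
# A symlink whose target is missing is not readable, so a dangling link is
# reported as missing instead of being silently accepted.
first_existing() {
    while IFS= read -r p; do
        if [ -r "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# check_keypair NAME PORT: show which cert and key would be used;
# return 0 only when both resolve.
check_keypair() {
    name=$1 port=$2 rc=0 crt= key=
    crt=$(cert_candidates "$name" "$port" | first_existing) || rc=1
    key=$(key_candidates "$name" "$port" | first_existing) || rc=1
    if [ "$rc" -eq 0 ]; then
        printf 'ok   %s:%s cert=%s key=%s\n' "$name" "$port" "$crt" "$key"
    else
        printf 'MISS %s:%s cert=%s key=%s\n' "$name" "$port" \
            "${crt:-none}" "${key:-none}"
    fi
    return "$rc"
}

# link_keypair NAME PORT CERT KEY: create the name:port symlinks relayd looks
# for, the way the post does with ln -s, pointing at an existing chain and key.
link_keypair() {
    ln -sf "$3" "$SSLROOT/ssl/$1:$2.crt"
    ln -sf "$4" "$SSLROOT/ssl/private/$1:$2.key"
}

# Demo on a constructed scratch tree (the real /etc/ssl is not touched):
# the keypair name example.com resolves, while the two listen addresses from
# the post do not until address-named links exist.
demo() {
    SSLROOT=$(mktemp -d)
    mkdir -p "$SSLROOT/ssl/private"
    echo 'constructed placeholder, not a real certificate' \
        > "$SSLROOT/ssl/example.com.fullchain.pem"
    echo 'constructed placeholder, not a real key' \
        > "$SSLROOT/ssl/private/example.com.key"
    link_keypair example.com 443 "$SSLROOT/ssl/example.com.fullchain.pem" \
        "$SSLROOT/ssl/private/example.com.key"
    for n in example.com 192.0.2.1 2001:db8::; do
        check_keypair "$n" 443 || :
    done
    rm -rf "$SSLROOT"
}
demo
```

On a real host, run it as root (the keys under /etc/ssl/private are not readable otherwise, so every key lookup would report MISS) and call check_keypair once for the keypair name and once for each address that appears in a listen on ... tls line. Whatever relayd does with the second listener, a configuration in which both the keypair name and every listen address resolve to a readable chain and key cannot hit the "cannot load certificates" failure shown above, and the dangling-link check catches a symlink whose target was moved or renamed, which relayd would also refuse.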