Thursday, May 27, 2021

Using relayd as a reverse proxy for multiple local servers

Hi,

I have been trying to configure relayd for a few days now to multiplex
multiple servers running on the same local machine, while at the same
time taking care of TLS.

A simplified state of my configuration looks something like this:

log connection
log state changes

table <httpd> { 127.0.0.1 }
table <serv1> { 127.0.0.1 }
table <serv2> { 127.0.0.1 }
table <acme> { 127.0.0.1 }

http protocol "http" {
    match request header "Host" value "example.com" forward to <httpd>
    match request header "Host" value "sub.example.com" forward to <serv1>
    match request header "Host" value "beispiel.de" forward to <serv2>
    match request path "/.well-known/acme*" forward to <acme>
}

http protocol "https" {
    tls keypair "example.com" # responsible for example.com and sub.example.com
    tls keypair "beispiel.de"

    match request header "Host" value "example.com" forward to <httpd>
    match request header "Host" value "sub.example.com" forward to <serv1>
    match request header "Host" value "beispiel.de" forward to <serv2>
    match request path "/.well-known/acme*" forward to <acme>
}

relay plain {
    listen on * port http

    protocol "http"

    forward to <httpd> port 8080
    forward to <serv1> port 8081
    forward to <serv2> port 8082
    forward to <acme> port 8080
}

relay secure {
    listen on * port https tls

    protocol "https"

    forward to <httpd> port 8080
    forward to <serv1> port 8081
    forward to <serv2> port 8082
    forward to <acme> port 8080
}

The "plain" relayd works just the way it should; it redirects every
request to the right destination. "secure", on the other hand, triggers an
error I cannot make sense of:

# relayd -nvvv
relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
relay_load_certfiles: using certificate /etc/ssl/beispiel.de:443.crt
relay_load_certfiles: using private key /etc/ssl/private/beispiel.de:443.key
/etc/relayd.conf:46: cannot load certificates for relay secure4:443

I have looked into the source code, but couldn't find where "secure4"
comes from. The certificates and keys were generated using acme-client,
and they have the default permissions (crt is 444, key is 400).

Am I doing the right thing here, considering what I want to achieve? I
would be very grateful for any comments or hints on what I could be
doing wrong.

--
Philip K.
