Hi,
I have a couple of web servers that are behind a pair of relayd load balancers. I terminate TLS on the web servers, which run Apache 2.4. Now I want to clean up the vhost configuration and have a vhost configuration where SNI is used.
On the loadbalancer-side there is one IP per domain. On the webserver-side there is one internal IP per domain.
If traffic comes in on the IP for domain1, the traffic gets directed to the internal IP of domain1, and the same for domain2. Since each domain has its own IP, I can work without SNI. In the future there will be only one IP per internal server, though, because of design changes. Thus I will need SNI.
Reading through the man page of relayd.conf(5), I am not sure what to do, to be honest. My current config looks like this:
##############RELAYD############################
# external (load balancer) addresses, one per domain
ext_domain1=xxx.xxx.xxx.1
ext_domain2=xxx.xxx.xxx.2
# internal web server addresses: one per domain on each of the three backends
fe_null_domain1="10.10.0.10"
fe_null_domain2="10.10.0.20"
fe_eins_domain1="10.10.0.11"
fe_eins_domain2="10.10.0.21"
fe_zwei_domain1="10.10.0.12"
fe_zwei_domain2="10.10.0.22"
# domain1: backends are health-checked over HTTPS against a known page digest
table <domain1_https> { $fe_null_domain1 $fe_eins_domain1 $fe_zwei_domain1 }
redirect domain1 {
	listen on $ext_domain1 port 443
	forward to <domain1_https> port 443 check https "/index.php" digest 5ffe533b830f08a0326348a9160afafc8ada44db
}
# domain2: backends are health-checked with a plain TCP connect
table <domain2_https> { $fe_null_domain2 $fe_eins_domain2 $fe_zwei_domain2 }
redirect domain2 {
	listen on $ext_domain2 port 443
	forward to <domain2_https> port 443 check tcp
}
##############RELAYD############################
The relevant part of the pf.conf looks like this:
###############PF###############################
# internal addresses of each backend (both domains)
null_domain="{ 10.10.0.10 10.10.0.20 }"
eins_domain="{ 10.10.0.11 10.10.0.21 }"
zwei_domain="{ 10.10.0.12 10.10.0.22 }"
# outbound traffic from the backends is NATed to the egress interface address
match out on egress from $null_domain to any nat-to (vio0)
match out on egress from $eins_domain to any nat-to (vio0)
match out on egress from $zwei_domain to any nat-to (vio0)
# relayd installs its redirect rules into this anchor
anchor "relayd/*"
###############PF###############################
What do I have to add here so that the correct headers get forwarded? Or do I not need to add anything, since each domain has its own IP on the load balancer and the complete traffic, with all headers intact, gets forwarded anyway?
Best,
Niels