Sunday, August 31, 2025

Re: Virtual hosting with TLS on relayd

ashley wrote:
> Good day.
>
> I have two different domains, which I would like to redirect to two
> different web servers using relayd (all of them running on the same
> machine). One of them is just httpd serving static files, and the other
> is a web app that I want to run on the alternative domain.
>
> Is such a setup possible? Obviously I can match against the Host header
> when forwarding, but the problem is that when relayd listens with tls
> the server certificates are determined by the listen address. This is
> obviously a problem because each domain has a different certificate
> (both of which acquired from let's encrypt). I understand you can get
> wildcard certs for SLDs, which I guess would circumvent the problem,
> since then both domains would use the same cert for relayd to listen
> with, however I wish to use to completely separate FLDs.
>
> Is the *only* way to achieve this having two separate network interfaces
> with different addresses? With IPv6 that isn't a problem, but I need to
> support IPv4, and v4 addresses are expensive.
>
> So, in summary, is it possible for relayd to know what the correct
> certificate to use is, before receiving the HTTP request from the
> client? Is this possible to achieve with SNI? I haven't found any
> mentions of SNI in the relayd man page, so I can only assume it
> doesn't support SNI?
>
> Any advice, pointers or trout slaps would be greatly appreciated.
>

Actually this works for me:

Define multiple tls keypairs in your protocol block, such as

http protocol "https" {

    tls keypair "www.somesite.com"
    tls keypair "www.othersite.net"
    tls keypair "api.sites.org"

    pass request quick header "Host" value "www.somesite.com" forward to <somesite>
    pass request quick header "Host" value "www.othersite.net" forward to <othersite>
    pass request quick header "Host" value "api.sites.org" forward to <sites>

    [...]

}

You then need to have a certificate for each domain. For example,
www.somesite.com needs files

/etc/ssl/www.somesite.com.crt
/etc/ssl/private/www.somesite.com.key

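The reply above shows only the protocol block. The following is an added, complete relayd.conf for the two-domain case from the original question, written for this page and not taken from the poster's configuration. Everything concrete in it is assumed for illustration: the public IPv4 address 203.0.113.10, the static httpd site on 127.0.0.1 port 8080 and the web app on 127.0.0.1 port 8081, and the domain names reused from the reply. The certificate for each keypair name is looked up as /etc/ssl/<name>.crt with its private key in /etc/ssl/private/<name>.key; the .crt should contain the full Let's Encrypt chain (acme-client's fullchain output), not just the leaf.

```conf
# /etc/relayd.conf (added example; addresses, ports and names are assumed)
ext_addr="203.0.113.10"

table <somesite>  { 127.0.0.1 }
table <othersite> { 127.0.0.1 }

http protocol "https" {
    # One keypair per hostname. relayd hands the client the certificate
    # whose name matches the SNI it sent. The first keypair listed is the
    # default for clients that send no SNI at all (old clients, bare-IP
    # scanners), so put the site you least mind exposing first.
    tls keypair "www.somesite.com"
    tls keypair "www.othersite.net"

    # Let the backends see the real client address.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # Route on the Host header; "quick" stops at the first match.
    pass request quick header "Host" value "www.somesite.com" forward to <somesite>
    pass request quick header "Host" value "www.othersite.net" forward to <othersite>

    # Anything else (unknown Host, Host mismatching the SNI, bare IP) is
    # dropped instead of landing on whichever backend happens to be first.
    block
}

relay "https" {
    listen on $ext_addr port 443 tls
    protocol "https"
    # Every table named in a protocol "forward to" rule must also be
    # declared here, together with the backend port it should reach.
    forward to <somesite> port 8080 check tcp
    forward to <othersite> port 8081 check tcp
}

# /etc/httpd.conf: the static site only listens on loopback, behind relayd.
server "www.somesite.com" {
    listen on 127.0.0.1 port 8080
    root "/htdocs/www.somesite.com"
}
```

Check the syntax with relayd -n -f /etc/relayd.conf before reloading. To confirm that SNI selection works, run openssl s_client -connect 203.0.113.10:443 -servername www.othersite.net </dev/null 2>/dev/null | openssl x509 -noout -subject and compare with the same command using -servername www.somesite.com; a run without -servername shows which certificate the default (first) keypair serves to non-SNI clients.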