On 2025-09-01, Reinis Martinsons <admin@frp.lv> wrote:
> On Sun, 2025-08-31 at 20:09 +0200, ashley wrote:
>> So, in summary, is it possible for relayd to know what the correct
>> certificate to use is, before receiving the HTTP request from the
>> client? Is this possible to achieve with SNI? I haven't found any
>> mentions of SNI in the relayd man page, so I can only assume it
>> doesn't support SNI?
>
> Hi, TLS Server Name Indication should be supported, just add tls
> keypair multiple times each with different name and forward based on
> header "Host" value. As per relayd.conf(5):
>
> tls option
> ...
> keypair name
> The relay will attempt to look up a private key in
> /etc/ssl/private/name:port.key and a public certificate
> in /etc/ssl/name:port.crt, where port is the specified
> port that the relay listens on. If these files are not
> present, the relay will continue to look in
> /etc/ssl/private/name.key and /etc/ssl/name.crt. This
> option can be specified multiple times for TLS Server
> Name Indication. If not specified, a keypair will be
> loaded using the specified IP address of the relay as
> name. See ssl(8) for details about TLS server
> certificates.
>
/me makes a note to check the temperature in hell
(my advice about using anything other than relayd for L7 termination
still stands though)
--
Please keep replies on the mailing list.
No comments:
Post a Comment