Thank you for your precise explanation. HTTP relay seems to work fine now.
#cat /etc/relayd.conf ext_addr="msk0" host1="10.0.30.101" host2="10.0.30.201" table <www_101> { $host1 } table <www_201> { $host2 } http protocol "web_one" { return error pass request header "Host" value "1.domain.com" forward to <www_101> pass request header "Host" value "2.domain.com" forward to <www_101> pass request header "Host" value "3.domain.com" forward to <www_101> pass request header "Host" value "4.domain.com" forward to <www_201> pass request header "Host" value "5.domain.com" forward to <www_201> pass request header "Host" value "6.domain.com" forward to <www_201> } relay relay_one { listen on $ext_addr port 80 protocol "web_one" forward to <www_101> check tcp port 80 forward to <www_201> check tcp port 80 } #relayctl show relays Id Type Name Avlblty Status 1 relay relay_one active #relayctl show summary Id Type Name Avlblty Status 1 relay relay_one active 1 table www_101:80 active (1 hosts) 1 host 10.0.30.101 100.00% up 2 table www_201:80 active (1 hosts) 2 host 10.0.30.201 100.00% up The second thing to do is enabling wesites' SSL/TLS certs. Each website has its own certificate on its server. I suppose that I have to configure man-in-the-middle "TLS inspecion" mode to enable TLS connection using these certs again. Am I right? I did the following conf: #grep divert /etc/pf.conf pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 8443 #openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt #ls -la /etc/ssl/*.crt -rwxr-x--- 1 root _relayd 1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt -rwxr-x--- 1 root _relayd 1371 Oct 6 13:11 /etc/ssl/ca.crt #ls -la /etc/ssl/private/*.key -rwxr-x--- 1 root _relayd 1704 Oct 10 09:29 /etc/ssl/private/127.0.0.1.key -rwxr-x--- 1 root _relayd 1858 Oct 6 13:11 /etc/ssl/private/ca.key #cat /etc/relayd.conf ext_addr="msk0" host1="10.0.30.101" host2="10.0.30.201" table <www_101> { $host1 } table <www_201> { $host2 } http protocol "web_one" { return error pass request header "Host" value "1.domain.com" forward to <www_101> pass request header "Host" value "2.domain.com" forward to <www_101> pass request header "Host" value "3.domain.com" forward to <www_101> pass request header "Host" value "4.domain.com" forward to <www_201> pass request header "Host" value "5.domain.com" forward to <www_201> pass request header "Host" value "6.domain.com" forward to <www_201> } http protocol "web_tls" { return error pass request header "Host" value "1.domain.com" forward to <www_101> pass request header "Host" value "2.domain.com" forward to <www_101> pass request header "Host" value "3.domain.com" forward to <www_101> pass request header "Host" value "4.domain.com" forward to <www_201> pass request header "Host" value "5.domain.com" forward to <www_201> pass request header "Host" value "6.domain.com" forward to <www_201> tls tlsv1 tls ca key "/etc/ssl/private/ca.key" password "somepasshere" tls ca cert "/etc/ssl/ca.crt" } relay relay_one { listen on $ext_addr port 80 protocol "web_one" forward to <www_101> check tcp port 80 forward to <www_201> check tcp port 80 } relay relay_tls { listen on 127.0.0.1 port 8443 tls protocol "web_tls" forward with tls to <www_101> check tcp port 443 forward with tls to <www_201> check tcp port 443 } #relayctl show relays Id Type Name Avlblty Status 1 relay relay_one active 2 relay relay_tls active #relayctl show summary Id Type Name Avlblty Status 1 relay relay_one active 1 table www_101:80 active (1 hosts) 1 host 10.0.30.101 100.00% up 2 table www_201:80 active (1 hosts) 2 host 10.0.30.201 100.00% up 2 relay relay_tls active 3 table www_101:443 active (1 hosts) 3 host 10.0.30.101 100.00% up 4 table www_201:443 active (1 hosts) 4 host 10.0.30.201 100.00% up Websites (https://4.domain, https://5.domain, https://6.domain) started to show the content of 1.domain.com If I changed the order of "forward" websites (https://1.domain, https://2.domain, https://3.domain) started to show content of 4.domain.com relay relay_tls { listen on 127.0.0.1 port 8443 tls protocol "web_tls" forward with tls to <www_201> check tcp port 443 forward with tls to <www_101> check tcp port 443 } All domains use relay_machine's certificate instead of the specific domain's cert. What am I doing wrong? On Wed, 5 Oct 2016 09:57:49 -0400 "trondd" <tro...@kagu-tsuchi.com> wrote: > On Wed, October 5, 2016 8:43 am, Radek wrote: > > Yes, my servers share the same ext IP. > > It is 5.9. I am trying to configure relayd. I commented out previous > > "rdr-to" rules from /etc/pf.conf and added as below. > > 10.0.30.101, 10.0.30.201 - it is not a mistake - ( 10.0.8.11, 10.0.8.22 > > was just an exemplary IP) > > All websites are unreachable now. > > > > #grep relayd /etc/pf.conf > > anchor "relayd/*" > > > > #relayd -n > > configuration OK > > > > #cat /etc/relayd.conf > > ext_addr="msk0" > > host1="10.0.30.101" > > host2="10.0.30.201" > > > > table <www_101> { $host1 } > > table <www_201> { $host2 } > > > > http protocol "web_one" { > > return error > > pass > > match request header "Host" value "1.domain.com" forward to <www_101> > > I think you need "pass request header..." > > > } > > > > http protocol "web_two" { > > return error > > pass > > match request header "Host" value "4.domain.com" forward to <www_201> > > } > > You should combine the two protocols into one. You can have multiple pass > lines. Last match wins, unless you use "quick". You can define a default > that way. > > > > > relay relay_one { > > listen on $ext_addr port 80 > > protocol "web_one" > > forward to <www_101> check tcp port 80 > > } > > > > relay relay_two { > > listen on $ext_addr port 80 > > protocol "web_two" > > forward to <www_201> check tcp port 80 > > } > > You should have only one relay defined, you can't have two things > listening on the same port. Just put the two "forward to" lines in the > same relay block. > > > > > > #/etc/rc.d/relayd -df restart > > doing _rc_parse_conf > > doing _rc_quirks > > relayd_flags empty, using default >< > > doing _rc_read_runfile > > doing _rc_parse_conf > > doing _rc_quirks > > relayd_flags empty, using default >< > > doing _rc_read_runfile > > doing rc_check > > relayd > > doing rc_stop > > doing _rc_wait stop > > doing rc_check > > doing rc_check > > doing _rc_rm_runfile > > (ok) > > doing _rc_parse_conf > > doing _rc_quirks > > relayd_flags empty, using default >< > > doing _rc_read_runfile > > doing rc_check > > relayd > > doing rc_pre > > configuration OK > > doing rc_start > > doing _rc_wait start > > doing rc_check > > doing _rc_write_runfile > > (ok) > > > > relayctl is your friend here. See if the relays are actually up: > 'relayctl show relays' and 'relayctl show summary' > > -- radek