Hi Bryan,
I know that scenario, but I want to serve an individual certificate for
every virtual host (httpd can do that), so I was looking for a simple
relay by looking at the header, but I might not get it to work this way :(
On 20.09.2017 at 14:10, Bryan Harris wrote:
I don't think you can know the host header unless you decrypt the https
using a certificate. It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd. (I could be wrong about that.)
In mine I have listen on $ext_addr port 443 tls. Then there exists an
/etc/ssl/ipaddr:443.crt file. Look at the phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).
The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.
https://www.michaelwlucas.com/tools/relayd
V/r,
Bryan
On Wed, Sep 20, 2017 at 4:37 AM, rosjat <ros...@ghweb.de> wrote:
there is of course one tls too much in the config
it's just
relay "proxyssl" {
    listen on $gateway port https
    protocol "httpproxy"
    forward to <new-webserver> port https
}
On 20.09.2017 at 10:19, rosjat wrote:
Hi there,
just a simple question about the relaying of https connections. Is it
possible to simply pass the https traffic to the webserver with relayd? My
naive approach was simply checking the host name in the header and then
forwarding it to the http or https port. This works for http but with https it
doesn't.
here are my relayd.conf parts
http protocol "httpproxy" {
    match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
    match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>
}
relay "proxy" {
    listen on $gateway port http
    protocol "httpproxy"
    forward to <new-webserver> port http
    forward to <old-webserver> port http
}
relay "proxyssl" {
    listen on $gateway port https
    protocol "httpproxy"
    forward to <new-webserver> port https tls
}
with this I don't get a relay for https it seems, if I add tls to the
listen part I get told relayd can't find the certificates. And that is
totally understandable because there are no certs on this machine for these
domains because they are on the webserver machine.
So it all boils down to the question, do I have to set up my certificates
on the relay host to be able to use a https relay?
regards
--
Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT