On Thu, September 21, 2017 3:49 am, rosjat wrote: > Hi, > > so I added the with tls keywords to the relay and my webserver gets > request now but from my relayhost and this is making the way back quiet > hard :( > > so I added the X Headers for Forwarded-For and Forwarded-By but it still > leaves the question how to tell the relayhost to just let it all out > like in a normal rdr-to rule in pf? Like I said pf rule just works fine > so the traffic can go thorugh all the interfaces just fine. > > regards > > MArkus >
You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names. Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value. Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box. If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server but it'll be relayd using the web server certificate, not the user.
