I run several services on the same host and would like to consolidate
certificate management with the help of relayd.
Before:
- acme-client generates certificates via LE
- kibana running https on port 5601
- unifi running https on port 8443
- httpd running http+https on port 80
- daily.local script to install new certs and restart all services
when LE updates
After:
- register new LE domains for kibana and unifi
- switch kibana and unifi back to running http on localhost
- relayd transparently terminates all https and demuxes to http
service based on Host header
- daily.local has much fewer services to manage
First off, is this even possible with relayd?
Second, I am having difficulty grokking how to structure my
relayd.conf. Will I need one relay and protocol block for EACH
service? Do I need a pf.conf anchor if I am only using relay
behavior?
Lastly and perhaps indicative of my difficulties, I am having
difficulty building (or debugging) even a single host as
proof-of-concept using the config below. The relayd daemon starts
just fine, loading symlinked <addr>.crt and <addr>.key files. (Should
I be using the fullchain.pem instead?)
Behavior seems to vary based on client / environment - I have seen
both wget and curl complain about certificate verification (relaying
to :80), while curl on a different box reported an empty reply from
the server after timeout (relaying to 127.0.0.1:80).
Hints or clue sticks would be most appreciated.
--david
### relayd.conf
http protocol wwwproto {
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
	# seen in example, not sure of purpose
	match request header set "Connection" value "close"
	# notify client if relay failed
	return error
	# reject unknown hosts by default
	block
	# traffic for httpd, forward
	pass request header "Host" value "example.com"
	pass request header "Host" value "www.example.com"
}
relay wwwrelay {
	listen on em1 port 443 tls
	protocol wwwproto
	# plain forward: "transparent forward" makes relayd connect to the
	# backend with the client's source address and needs a pf
	# divert-reply rule, which is not wanted for a local reverse proxy.
	# Use an explicit loopback address rather than the interface name.
	forward to 127.0.0.1 port 80
}
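Added example, not the poster's configuration: one http protocol and one relay that terminates TLS once and picks the backend from the Host header with per-rule `forward to <table>` actions, which is how relayd avoids a separate relay/protocol block per service. A relay is an ordinary userland socket, so no relayd pf anchor is needed (the anchor only serves `redirect` rules); pf just has to pass inbound 443. The public address 203.0.113.10, the hostnames and the backend ports are assumptions; relayd loads /etc/ssl/203.0.113.10.crt and /etc/ssl/private/203.0.113.10.key for that listener, and the .crt should contain the full chain (acme-client's fullchain.pem), since a leaf-only certificate is the usual reason wget and curl report verification failures.

```conf
# Added example relayd.conf (assumed names/addresses, not the original post)
ext_addr="203.0.113.10"

# Backends moved to plain http on localhost; relayd selects the port per table
table <httpd>  { 127.0.0.1 }
table <kibana> { 127.0.0.1 }
table <unifi>  { 127.0.0.1 }

http protocol httpsdemux {
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }

	# Let the backends see the real client and the original scheme
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# Send an HTTP error page instead of silently dropping the client
	return error

	# Deny by default; only the listed Host names are relayed
	block
	pass request header "Host" value "example.com"        forward to <httpd>
	pass request header "Host" value "www.example.com"    forward to <httpd>
	pass request header "Host" value "kibana.example.com" forward to <kibana>
	pass request header "Host" value "unifi.example.com"  forward to <unifi>
}

relay httpsrelay {
	# Single TLS listener; cert/key taken from /etc/ssl/<addr>.crt and
	# /etc/ssl/private/<addr>.key, so put all names in that cert as SANs
	listen on $ext_addr port 443 tls
	protocol httpsdemux

	# Every table a filter rule may select must be declared on the relay;
	# "check tcp" marks a backend down when its port stops answering
	forward to <httpd>  port 80   check tcp
	forward to <kibana> port 5601 check tcp
	forward to <unifi>  port 8443 check tcp
}
```

Check the result with `relayd -n -f /etc/relayd.conf` before restarting, then `relayctl show summary` to confirm all three tables report their host as up. Keep httpd answering plain http on port 80 externally if acme-client's http-01 challenges still go through it; this relay only handles 443. Newer relayd releases also accept several `tls keypair name` statements on a relay to serve a different certificate per name via SNI, so check relayd.conf(5) on the installed release if one certificate with multiple SANs is not an option.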