I run several services on the same host and would like to consolidate certificate management with the help of relayd.
Before:
- acme-client generates certificates via LE
- kibana running https on port 5601
- unifi running https on port 8443
- httpd running http+https on port 80
- daily.local script to install new certs and restart all services when LE updates

After:
- register new LE domains for kibana and unifi
- switch kibana and unifi back to running http on localhost
- relayd transparently terminates all https and demuxes to http service based on Host header
- daily.local has much fewer services to manage

First off, is this even possible with relayd?

Second, I am having difficulty grokking how to structure my relayd.conf. Will I need one relay and protocol block for EACH service? Do I need a pf.conf anchor if I am only using relay behavior?

Lastly, and perhaps indicative of my difficulties, I am having difficulty building (or debugging) even a single host as proof-of-concept using the config below. The relayd daemon starts just fine, loading symlinked <addr>.crt and <addr>.key files. (Should I be using the fullchain.pem instead?) Behavior seems to vary based on client / environment: I have seen both wget and curl complain about certificate verification (relaying to :80), while curl on a different box reported an empty reply from the server after timeout (relaying to 127.0.0.1:80).

Hints or clue sticks would be most appreciated.

--david

### relayd.conf

http protocol wwwproto {
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }

	# seen in example, not sure of purpose
	match request header set "Connection" value "close"

	# notify client if relay failed
	return error

	# reject unknown hosts by default
	block

	# traffic for httpd, forward
	pass request header "Host" value "example.com"
	pass request header "Host" value "www.example.com"
}

relay wwwrelay {
	listen on em1 port 443 tls
	protocol wwwproto
	transparent forward to lo port http
}
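One way to lay out the Host-header demux the post describes, as an added example that is neither the poster's config nor taken from the relayd.conf(5) examples: a single protocol plus a single relay covers all three services, with one backend table per service. It assumes the hostnames kibana.example.com, unifi.example.com and www.example.com, that kibana and unifi have already been switched to plain http on 127.0.0.1, that acme-client installs keypairs as /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key, and a relayd new enough to accept `tls keypair` in a protocol block.

```conf
# Backends: every service now speaks plain http on localhost.
# (constructed example; hostnames, ports and interface are assumptions)
table <kibana> { 127.0.0.1 }
table <unifi>  { 127.0.0.1 }
table <httpd>  { 127.0.0.1 }

# One protocol for all names: the last matching rule wins, so a bare
# block comes first and each pass rule selects a backend table by Host.
http protocol https_demux {
	# Let the backends see the real client and that TLS was terminated
	# here, so their logs and redirects are not confused by the relay.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# Unknown or missing Host: answer with an error page rather than
	# relaying the request to an arbitrary backend.
	block
	return error

	pass request header "Host" value "kibana.example.com" forward to <kibana>
	pass request header "Host" value "unifi.example.com"  forward to <unifi>
	pass request header "Host" value "www.example.com"    forward to <httpd>
	pass request header "Host" value "example.com"        forward to <httpd>

	# One keypair per name so clients get the right certificate via SNI;
	# relayd loads /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key.
	tls keypair "kibana.example.com"
	tls keypair "unifi.example.com"
	tls keypair "www.example.com"
}

# A single relay terminates TLS for every name. Each table referenced by
# a "forward to" rule above must also be listed here with its port.
# No "transparent" keyword is used, so no pf anchor is needed; only
# redirections and transparent forwarding rely on pf.
relay https {
	listen on em1 port 443 tls
	protocol https_demux
	forward to <kibana> port 5601
	forward to <unifi>  port 8443
	forward to <httpd>  port 80
}
```

`relayd -n -f /etc/relayd.conf` checks the syntax before a restart, and `relayctl show relays` lists the active relays once it is running.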