Adding two relay blocks does seem to fix the problem, thank you.

jrmu

On Sat, Feb 27, 2021 at 02:50:11AM -0700, Anthony J. Bentley wrote:
> Hi,
> 
> j...@ircnow.org writes:
> > Then it seems relayd also works. So I suspect relayd is ignoring
> > the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> > enabled, relayd appears to ignore:
> >
> > tls { keypair example.com }
> >
> > Can someone verify if this is correct behavior, if I misconfigured, or
> > if this is a bug?
> 
> You're making things a bit harder for yourself with your choice of
> certificate filenames. For starters, on webservers I've never had
> any use for a certificate without full chain. So I just create a
> full chain certificate under the usual certificate filename in my
> acme-client config.
> 
>     domain example.com {
>             domain key "/etc/ssl/private/example.com.key"
>             domain full chain certificate "/etc/ssl/example.com.crt"
>             sign with letsencrypt
>     }
> 
> No symlinks necessary.
> 
> Then in relayd I create two relays, listening to the same protocol
> block.
> 
>     table <httpd> { 127.0.0.1 }
>     
>     log connection
>     
>     http protocol myremote {
>             tls keypair "example.com"
>     
>             return error
>             pass
>     }
>     
>     relay mysite4 {
>             listen on 127.0.0.1 port 443 tls
>             protocol myremote
>             forward to <httpd> check tcp port 80
>     }
>     
>     relay mysite6 {
>             listen on ::1 port 443 tls
>             protocol myremote
>             forward to <httpd> check tcp port 80
>     }
> 
> The problem really is that you can't listen on IPv4 and IPv6 in the
> same relay block. This might be a bug although I suppose it could be
> intentional (I've never found relayd's configuration very intuitive).
> 
> -- 
> Anthony J. Bentley
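
A quick way to confirm the two-relay setup above actually presents the right certificate on both address families. This is an added example, not code from the thread; it assumes the relays listen on 127.0.0.1 and ::1 port 443 and that the host name sent as SNI is example.com (adjust both). Because Python's ssl does no AIA fetching, the verified handshake also fails if a relay serves a leaf without its full chain, which is the other point raised above.

```python
import hashlib
import socket
import ssl

# Constructed endpoints: the two relayd listeners from the config above.
LISTENERS = [("127.0.0.1", 443), ("::1", 443)]
SERVER_NAME = "example.com"  # assumption: SNI name matching the keypair


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe(host: str, port: int, server_name: str, timeout: float = 5.0) -> dict:
    """Do a verified TLS handshake against one listener and report the leaf.

    Verification uses the system trust store; a relay that ignores the
    keypair (wrong cert) or serves only the leaf (no chain) ends up in
    'error' instead of producing a fingerprint.
    """
    ctx = ssl.create_default_context()
    try:
        # create_connection resolves IPv6 literals such as ::1 itself.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                der = tls.getpeercert(binary_form=True)
        return {"host": host, "fingerprint": fingerprint(der), "error": None}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "fingerprint": None, "error": str(exc)}


def consistent(results: list) -> bool:
    """True only if every listener handshook and presented the same leaf."""
    leafs = {r["fingerprint"] for r in results}
    return all(r["error"] is None for r in results) and len(leafs) == 1


if __name__ == "__main__":
    results = [probe(h, p, SERVER_NAME) for h, p in LISTENERS]
    for r in results:
        print(f"{r['host']:>12}: {r['fingerprint'] or 'FAILED: ' + r['error']}")
    print("consistent" if consistent(results) else "MISMATCH")
```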
