Using relayd as a reverse proxy for multiple local servers

Thu, 27 May 2021 01:54:09 -0700 


Hi,

I have been trying to configure relayd for a few days now to multiplex
multiple servers running on the same local machine, while at the same
time taking care of TLS.

A simplified state of my configuration looks something like this:

    log connection
    log state changes

    table <httpd> { 127.0.0.1 }
    table <serv1> { 127.0.0.1 }
    table <serv2> { 127.0.0.1 }
    table <acme>  { 127.0.0.1 }

    http protocol "http" {
      match request header "Host" value "example.com"     forward to <httpd>
      match request header "Host" value "sub.example.com" forward to <serv1>
      match request header "Host" value "beispiel.de"     forward to <serv2>
      match request path "/.well-known/acme*"             forward to <acme>
    }

    http protocol "https" {
      tls keypair "example.com" # responsible for example.com and 
sub.example.com
      tls keypair "beispiel.de"

      match request header "Host" value "example.com"     forward to <httpd>
      match request header "Host" value "sub.example.com" forward to <serv1>
      match request header "Host" value "beispiel.de"     forward to <serv2>
      match request path "/.well-known/acme*"             forward to <acme>
    }

    relay plain {
      listen on * port http

      protocol "http"

      forward to <httpd> port 8080
      forward to <serv1> port 8081
      forward to <serv2> port 8082
      forward to <acme>  port 8080
    }

    relay secure {
      listen on * port https tls

      protocol "https"

      forward to <httpd> port 8080
      forward to <serv1> port 8081
      forward to <serv2> port 8082
      forward to <acme>  port 8080
    }

The "plain" relayd works just the way it should, it redirects every
request to the right destination. "secure" on the other hand triggers an
error I cannot make sense of:

    # relayd -nvvv
    relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
    relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
    relay_load_certfiles: using certificate /etc/ssl/beispiel.de:443.crt
    relay_load_certfiles: using private key /etc/ssl/private/beispiel.de:443.key
    /etc/relayd.conf:46: cannot load certificates for relay secure4:443

I have looked into the source code, but couldn't find where "secure4"
comes from. The certificates and keys were generated using acme-client,
and they have the default permissions (crt is 444, key is 400).

Am I doing the right thing here, considering what I want to achieve? I
would be very grateful for any comments or hints on what I could be
doing wrong.

-- 
        Philip K.

Reply via email to