On 2025-09-01, Reinis Martinsons <[email protected]> wrote:
> On Sun, 2025-08-31 at 20:09 +0200, ashley wrote:
>> So, in summary, is it possible for relayd to know what the correct
>> certificate to use is, before receiving the HTTP request from the
>> client? Is this possible to achieve with SNI? I haven't found any
>> mentions of SNI in the relayd man page, so I can only assume it
>> doesn't support SNI?
>
> Hi, TLS Server Name Indication should be supported; just add tls
> keypair multiple times, each with a different name, and forward based on
> the header "Host" value. As per relayd.conf(5):
>
>      tls option
>          ...
>          keypair name
>              The relay will attempt to look up a private key in
>              /etc/ssl/private/name:port.key and a public certificate
>              in /etc/ssl/name:port.crt, where port is the specified
>              port that the relay listens on. If these files are not
>              present, the relay will continue to look in
>              /etc/ssl/private/name.key and /etc/ssl/name.crt. This
>              option can be specified multiple times for TLS Server
>              Name Indication. If not specified, a keypair will be
>              loaded using the specified IP address of the relay as
>              name. See ssl(8) for details about TLS server
>              certificates.
>

/me makes a note to check the temperature in hell

(my advice about using anything other than relayd for L7 termination
still stands though)

-- 
Please keep replies on the mailing list.
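As an added sketch of the setup Reinis describes (this is not from the thread and has not been run against a live relayd): one tls keypair per served name, with requests routed on the Host header after TLS is terminated. The hostnames, table names, listen address and backend addresses are placeholders.

```conf
# Added example, not part of the thread. Backends and names are placeholders.
table <site_a> { 10.0.0.10 }
table <site_b> { 10.0.0.20 }

http protocol "https" {
	# One keypair per name. For a relay listening on port 443, relayd
	# looks for /etc/ssl/private/<name>:443.key and /etc/ssl/<name>:443.crt
	# first, then /etc/ssl/private/<name>.key and /etc/ssl/<name>.crt.
	tls keypair "a.example.com"
	tls keypair "b.example.com"

	# The certificate is chosen from the SNI name in the ClientHello;
	# the backend is chosen from the Host header of the decrypted request.
	# Both values come from the client, so keep the two lists in step.
	match request header "Host" value "a.example.com" forward to <site_a>
	match request header "Host" value "b.example.com" forward to <site_b>
}

relay "https" {
	listen on 192.0.2.1 port 443 tls
	protocol "https"
	# Every table referenced by a "forward to" rule above must be
	# declared here.
	forward to <site_a> port 80
	forward to <site_b> port 80
}
```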

