OpenBSD relayd, HTTPS proxy for multiple domains


I am trying to set up a proxy for 3 web servers (running on the same machine as the proxy). I have successfully configured a relay to redirect requests to the correct port based on their Host header, but I cannot set a custom certificate and private key file based on the request's Host header, so all domains get the same key and certificate pair stored in /etc/ssl/IP_ADDRESS.crt and /etc/ssl/private/IP_ADDRESS.key. Do you have any ideas on how to achieve this?

My /etc/relayd.conf:

domain1="bar.com"
port1="3000"
domain2="foo.com"
port2="8000"
challengeport="3001"

table <challenge> { 127.0.0.1 }
table <table1> { 127.0.0.1 }
table <table2> { 127.0.0.1 }

http protocol filter_challenge {
pass request path "/.well-known/acme-challenge/*" forward to <challenge>

tcp { nodelay, sack }
}

http protocol resolve_domains {
pass request quick header "Host" value $domain1 forward to <table1>
pass request quick header "Host" value $domain2 forward to <table2>

tcp { nodelay, sack }
}

relay "http_bar" {
    listen on $domain1 port 80

    protocol resolve_domains
    protocol filter_challenge

    forward to <table1> check tcp port $port1
    forward to <table2> check tcp port $port2
    forward to <challenge> check tcp port $challengeport
}

relay "https_bar" {
    listen on $domain1 port 443 tls

    protocol resolve_domains

    forward to <table1> check tcp port $port1
    forward to <table2> check tcp port $port2
}

Answer 1

Since OpenBSD 6.6, relayd supports SNI. Check the "tls keypair" option in the manual page.

You can specify this option multiple times to cover as many domains as you need:

http protocol "reverse_proxy_tls" {
  block
  pass request header "Host" value "www1.example.com" forward to <httpd_www1>
  pass request header "Host" value "www2.example.com" forward to <httpd_www2>
  pass request header "Host" value "www3.example.com" forward to <httpd_www3>
  tls { no tlsv1.0, ciphers "HIGH" }
  tls keypair "www1.example.com"
  tls keypair "www2.example.com"
  tls keypair "www3.example.com"
}

relay "https" {
  listen on $external_ip port 443 tls
  protocol "reverse_proxy_tls"
  forward to <httpd_www1> port 8080
  forward to <httpd_www2> port 8080
  forward to <httpd_www3> port 8080
}
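The configuration above only works if each Host value that the protocol routes on also has a "tls keypair" entry and the files behind it exist; otherwise relayd falls back to the address-based certificate the question describes. The following pre-deployment check is an added example and is not part of the answer or of relayd itself. It assumes, as documented in relayd.conf(5), that `tls keypair NAME` loads /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key; the `SSL_DIR` variable is a hypothetical override so the check can be run against a test tree, and the macro handling covers `$domain1`-style values like those in the question.

```shell
#!/bin/sh
# Added example (not from the original post): checks that every Host value a
# relayd protocol routes on has a matching 'tls keypair' and that the files
# relayd will load for it are in place. Assumption from relayd.conf(5):
# 'tls keypair NAME' -> /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key.
# SSL_DIR is a hypothetical override for testing against a scratch tree.
SSL_DIR="${SSL_DIR:-/etc/ssl}"

# Resolve a token that is either a quoted literal or a $macro defined as
# NAME="value" at the top of the config (as $domain1 is in the question).
expand_macro() {
    case $2 in
    \$*) m=${2#?}; sed -n "s/^$m=\"\([^\"]*\)\".*/\1/p" "$1" ;;
    *)   printf '%s\n' "$2" ;;
    esac
}

# Host header values the protocol routes on, one per line.
host_values() {
    sed -n -e 's/.*header "Host" value "\([^"]*\)".*/\1/p' \
           -e 's/.*header "Host" value \(\$[A-Za-z0-9_]*\).*/\1/p' "$1" |
    while IFS= read -r v; do expand_macro "$1" "$v"; done
}

# Names given to 'tls keypair', one per line.
keypair_names() {
    sed -n -e 's/.*tls keypair "\([^"]*\)".*/\1/p' \
           -e 's/.*tls keypair \(\$[A-Za-z0-9_]*\).*/\1/p' "$1" |
    while IFS= read -r v; do expand_macro "$1" "$v"; done
}

# Return 0 only if every routed Host has a keypair whose files exist;
# otherwise report each problem on stderr and return 1.
check_conf() {
    conf=$1; rc=0
    names=$(keypair_names "$conf")
    for host in $(host_values "$conf"); do
        if ! printf '%s\n' "$names" | grep -qxF "$host"; then
            echo "$host: no 'tls keypair' entry; TLS clients get the default certificate" >&2
            rc=1; continue
        fi
        for f in "$SSL_DIR/$host.crt" "$SSL_DIR/private/$host.key"; do
            [ -f "$f" ] || { echo "$host: missing $f" >&2; rc=1; }
        done
    done
    return $rc
}
```

Run `check_conf /etc/relayd.conf` before reloading; it complements `relayd -n`, which validates syntax but does not tell you which domain will silently be served the wrong certificate.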

Answer 2

Relayd doesn't support SNI yet. Use haproxy.
