我正在尝试为 3 个 Web 服务器创建代理(与代理在同一台计算机上运行)。 A 已成功配置中继以通过其主机标头将请求重定向到正确的端口,但我无法根据请求主机标头设置自定义证书和私钥文件,因此所有域都会获得保存在 /etc/ssl/IP_ADDRESS 中的相同密钥和证书对.crt 和 /etc/ssl/private/IP_ADDRESS.key。您对如何实现这一目标有什么想法吗?
我的/etc/realyd.conf:
domain1="bar.com"
port1="3000"
domain2="foo.com"
port2="8000"
challengeport="3001"
table <challenge> { 127.0.0.1 }
table <table1> { 127.0.0.1 }
table <table2> {127.0.0.1 }
http protocol filter_challenge {
pass request path "/.well-known/acme-challenge/*" forward to <challenge>
tcp { nodelay, sack }
}
http protocol resolve_domains {
pass request quick header "Host" value $domain1 forward to <table1>
pass request quick header "Host" value $domain2 forward to <table2>
tcp { nodelay, sack }
}
relay "http_bar" {
listen on $domain1 port 80
protocol resolve_domains
protocol filter_challenge
forward to <table1> check tcp port $port1
forward to <table2> check tcp port $port2
forward to <challenge> check tcp port $challengeport
}
relay "https_bar" {
listen on $domain1 port 443 tls
protocol resolve_domains
forward to <table1> check tcp port $port1
forward to <table2> check tcp port $port2
}
答案1
从 OpenBSD 6.6 开始,relayd 现在支持 SNI。检查手册页中的“tls keypair”选项。
您可以多次指定此选项以覆盖所需数量的域:
http protocol "reverse_proxy_tls" {
block
pass request header "Host" value "www1.example.com" forward to <httpd_www1>
pass request header "Host" value "www2.example.com" forward to <httpd_www2>
pass request header "Host" value "www3.example.com" forward to <httpd_www3>
tls { no tlsv1.0, ciphers "HIGH" }
tls keypair "www1.example.com"
tls keypair "www2.example.com"
tls keypair "www3.example.com"
}
relay "https" {
listen on $external_ip port 443 tls
protocol "reverse_proxy_tls"
forward to <httpd_www1> port 8080
forward to <httpd_www2> port 8080
forward to <httpd_www3> port 8080
}
答案2
Relayd 尚不支持 SNI。使用 haproxy。