带有 Relayd/httpd/acme-client 的 OpenBSD 服务器。尝试奔跑https://mydomain.com(应用程序服务器端口 32489),https://webmail.mydomain.com(48293) 和https://forum.mydomain.com(28192)。所有三个站点共享相同的 TLS 证书。常规 HTTP 仅用于生成 TLS 证书(acme-client)。
迄今为止https://mydomain.com按预期工作,但其他两个返回:
curl -vvv https://webmail.mydomain.com
* Rebuilt URL to: https://webmail.mydomain.com/
* Trying XXX...
* TCP_NODELAY set
* Connected to webmail.mydomain.com (XXX) port 443 (#0)
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4032
* schannel: encrypted data buffer: offset 4032 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 907
* schannel: encrypted data buffer: offset 4939 length 5056
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5056
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: webmail.mydomain.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 31
* schannel: encrypted data buffer: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* Empty reply from server
* Connection #0 to host webmail.mydomain.com left intact
curl: (52) Empty reply from server
acme-client.conf
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/ssl/private/letsencrypt.key"
}
domain mydomain.com {
alternative names { www.mydomain.com webmail.mydomain.com forum.mydomain.com }
domain key "/etc/ssl/private/mydomain.com.key"
domain full chain certificate "/etc/ssl/mydomain.com.crt"
sign with letsencrypt
}
httpd.conf
ext_if="vio0"
types {
include "/usr/share/misc/mime.types"
}
server "mydomain.com" {
alias "www.mydomain.com"
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://mydomain.com$REQUEST_URI"
}
}
server "webmail.mydomain.com" {
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://webmail.mydomain.com$REQUEST_URI"
}
}
server "forum.mydomain.com" {
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://forum.mydomain.com$REQUEST_URI"
}
}
relayd.conf
ip="XXX"
table <cms> { 127.0.0.1 }
cms_port="32489"
table <webmail> { 127.0.0.1 }
webmail_port="48293"
table <forum> { 127.0.0.1 }
forum_port="28192"
table <httpd> { 127.0.0.1 }
httpd_port="80"
log connection errors
http protocol "http" {
match request header set "Connection" value "close"
match response header remove "Server"
}
relay "http_relay" {
listen on $ip port http
protocol "http"
forward to <httpd> port $httpd_port
}
http protocol "https" {
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
# Best practice security headers
match response header remove "Server"
match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header append "X-Frame-Options" value SAMEORIGIN
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-Content-Type-Options" value nosniff
match response header append "Referrer-Policy" value strict-origin
match response header append "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
pass request header "Host" value "mydomain.com" forward to <cms>
pass request header "Host" value "www.mydomain.com" forward to <cms>
pass request header "Host" value "webmail.mydomain.com" forward to <webmail>
pass request header "Host" value "forum.mydomain.com" forward to <forum>
tls keypair "mydomain.com"
}
relay "https_relay" {
listen on $ip port https tls
protocol "https"
forward to <cms> port $cms_port
forward to <webmail> port $webmail_port
forward to <forum> port $forum_port
}
答案1
relayd尚不处理 TLS SNI,因此您需要tls keypair为每个转发的域一个条目。这意味着您需要为您服务的每个域提供个人.key和文件。.crt这可以通过符号链接轻松处理,例如:
# cd /etc/ssl
# ln -s mydomain.com.crt www.mydomain.com.crt
# cd /etc/ssl/private
# ln -s mydomain.com.key www.mydomain.com.key
然后添加
tls keypair "www.mydomain.com"
到http protocol "https" {...}的部分relayd.conf。跑步
# relayd -n
会告诉您是否一切正常。
relayd请注意,更新证书后您需要重新加载。这通常httpd由cron工作来处理。man各州页面acme-client
A cron(8) job can renew the certificate as necessary. On renewal,
httpd(8) is reloaded:
~ * * * * acme-client example.com && rcctl reload httpd
所以在这种情况下,您需要添加relayd到行尾,以重新加载httpd和relayd。如果您使用其他方法或脚本,则需要对其进行适当调整。