I am confused about using relayd, certificates and pf.
First of all, I want to do ssl-accel, so do I need to do "divert" in pf.conf, as:
pass in quick inet proto tcp from lan:network to any port https divert-to localhost port 8443
or is it OK just to use the IP of the relayd device, as:
# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
www2=13.13.15.2
www3=13.13.15.3
in_addr=10.10.11.55 <====================
interval 5
table <hosts> { $www2, $www3 }

http protocol "http_tls" {
        tls tlsv1
        tls ca key "/etc/ssl/private/ca.key" password "some_passwd"
        tls ca cert "/etc/ssl/ca.crt"
}

relay "tlsaccel" {
        listen on $in_addr port 443 tls <====================
        protocol "http_tls"
        forward to <hosts> port 80 timeout 300 \
                check icmp
}
Or must the CA be in /etc/ssl/cert.pem?
Also, must ca.crt be on every client?
Do I need 10.10.11.55.crt and its key? Or do I need 127.0.0.1.crt ...?
Do I need to sign 10.10.11.55.crt (or 127.0.0.1.crt) with some public certificate?
A link to a COMPLETE example (not only relayd.conf) would be fine!
Thanks
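As an added example (not part of the original post), here is a minimal TLS-acceleration setup covering pf, relayd.conf and where relayd expects the certificate files; the addresses are the ones from the question, while the backend port, the health check and the openssl command are assumptions.

```conf
# /etc/pf.conf
# For TLS acceleration no divert-to is needed: clients connect directly to
# relayd's listen address, so an ordinary pass rule is enough. divert-to is
# only used for transparent TLS *inspection*, which is what the
# "tls ca key" / "tls ca cert" directives in the question are for.
pass in on egress proto tcp from any to 10.10.11.55 port 443

# /etc/relayd.conf
www2="13.13.15.2"
www3="13.13.15.3"
in_addr="10.10.11.55"

table <hosts> { $www2, $www3 }

http protocol "http_tls" {
        # Pass the real client address to the backends (assumed useful here)
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        # No "tls ca key"/"tls ca cert": those configure inspection with a CA
        # that every client would have to trust. For acceleration relayd needs
        # a plain server certificate and private key instead.
        tls { ciphers "HIGH" }
}

relay "tlsaccel" {
        # relayd loads the server certificate and key by LISTEN address, in
        # this order:
        #   /etc/ssl/10.10.11.55:443.crt  then  /etc/ssl/10.10.11.55.crt
        #   /etc/ssl/private/10.10.11.55:443.key  then  /etc/ssl/private/10.10.11.55.key
        # so the files are named after 10.10.11.55, not 127.0.0.1.
        listen on $in_addr port 443 tls
        protocol "http_tls"
        # Backend port and check are assumptions; an HTTP check catches a
        # web server that is up but not serving, unlike "check icmp".
        forward to <hosts> port 80 check http "/" code 200
}

# Creating the files (assumed commands, run as root on the relayd host).
# A self-signed certificate works for testing but browsers will warn;
# for production have the CSR signed by a CA the clients already trust,
# then nothing has to be installed on the clients.
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout /etc/ssl/private/10.10.11.55.key \
#       -out /etc/ssl/10.10.11.55.crt -subj "/CN=10.10.11.55"
#   chmod 600 /etc/ssl/private/10.10.11.55.key
#   relayd -n -f /etc/relayd.conf    # syntax check before (re)starting
```

Run `relayctl show hosts` after starting relayd to confirm both backends pass the health check before pointing clients at port 443.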