On Mon, April 11, 2016 7:55 pm, igor.kos wrote:
> I am confused using relayd & certificates & pf
>
> First of all, I want to do ssl-accel, so do I need to do "divert" in
> pf.conf, as:
>
> pass in quick inet proto tcp from lan:network to any port https divert-to localhost port 8443
>
You don't have to do this, no. You can have relayd listen on port 443
directly if you want.
> or is it OK just to use IP of relayd device, as:
>
> # $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
>
> www2=13.13.15.2
> www3=13.13.15.3
> in_addr=10.10.11.55 <====================
>
> interval 5
>
> table <hosts> { $www2, $www3 }
>
> http protocol "http_tls" {
> tls tlsv1
> tls ca key "/etc/ssl/private/ca.key" password "some_passwd"
> tls ca cert "/etc/ssl/ca.crt"
> }
The ca options are for TLS inspection. If all you want to do is SSL
acceleration, you don't need these.
>
> relay "tlsaccel" {
> listen on $in_addr port 443 tls <====================
> protocol "http_tls"
> forward to <hosts> port 80 timeout 300 \
> check icmp
> }
>
>
> or ca must be in /etc/ssl/cert.pem ??
>
>
> also ca.crt must be on every client?
>
>
> Do I need 10.10.11.55.crt & key? Or do I need 127.0.0.1.crt .... ?
You need a cert and key since relayd is functioning as a TLS server.
Servers require both.
>
> Do I need to sign 10.10.11.crt (or 127.0.0.1.crt) by some public cert?
>
Yes, if you want your clients to not get a warning about a self-signed
cert. Or create your own CA to sign the server cert with, but then that
CA will have to be put on every client machine.
> some link to COMPLETE example (not only relayd.conf) will be fine!
>
> thanks
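A complete, minimal relayd.conf for the SSL-acceleration case the reply describes, as an added example that is not from the thread or from the OpenBSD project. It assumes the addresses quoted in the question, a 2016-era relayd syntax, and relayd's default of loading the certificate from /etc/ssl/<listen-address>.crt and the key from /etc/ssl/private/<listen-address>.key when "tls" is given on the listen line.

```conf
# Added example relayd.conf for TLS termination in front of plain-HTTP backends.
# Addresses are the ones from the question; the "tls ca ..." lines are left out
# because they only serve TLS inspection, not acceleration.
www2="13.13.15.2"
www3="13.13.15.3"
in_addr="10.10.11.55"

interval 5

table <hosts> { $www2, $www3 }

http protocol "http_tls" {
	# Tell the backends who the original client was and that TLS was used,
	# since they only ever see a plain-HTTP connection from relayd.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "X-Forwarded-Proto" value "https"
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay "tlsaccel" {
	# Clients connect straight to this address on 443; no pf divert-to needed.
	# Assumption: relayd reads /etc/ssl/10.10.11.55.crt and
	# /etc/ssl/private/10.10.11.55.key for this listener.
	listen on $in_addr port 443 tls
	protocol "http_tls"
	# Check the HTTP service itself rather than only ICMP reachability.
	forward to <hosts> port 80 check http "/" code 200
}
```

For a lab test, a self-signed pair can be generated with `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout /etc/ssl/private/10.10.11.55.key -out /etc/ssl/10.10.11.55.crt`, and the file can be syntax-checked with `relayd -n -f /etc/relayd.conf`; browsers will still warn until the server cert is signed by a CA they trust, exactly as the reply says.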