Thanks Bryan for your example.

I saw in your example you only use the example.com domain. I would be using 
multiple domains such as example1.com, example2.com, exampleX.com, and so on. 
Would it also work in that case? Again I suppose here that I need to have all 
these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config 
parameter in a "relay" entity is used as backup in case the first "forward to" 
table is down. So one could think in your config that your second "forward to 
<website>" would be used as your backup table.

Finally, what is the purpose of setting the Connection HTTP header to close as 
you have here below?

match request header set "Connection" value "close"

> -------- Original Message --------
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi <m...@protonmail.ch>
> openbsd-misc <misc@openbsd.org>
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W 
> Lucas (I recommend).  I cannot remember why I set the top header options, I 
> must have been trying to learn about them.  The host ones are to figure out 
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table <myself> { $int_addr }
> table <website> {
>   $vm1_addr
>   $vm2_addr
>   $vm3_addr
>   $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
>   # playing with these options
>   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>   match request header set "Keep-Alive" value "$TIMEOUT"
>   match request header set "Connection" value "close"
>
>   match request header "Host" value "website.example.com" forward to <website>
>   match request header "Host" value "example.com" forward to <myself>
>   match request header "Host" value "www.example.com" forward to <myself>
>
> }
>
> relay wwwtls {
>   # Run as a SSL/TLS accelerator
>   listen on $ext_addr port 443 tls
>   protocol https
>
>   forward to <myself> port 80 check tcp
>   forward to <website> port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi <m...@protonmail.ch> wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS 
>> termination for multiple different websites residing on different server.
>>
>> From reading the man page I understand that for this purpose I will need to 
>> use one "relay" entity per website which will then have its own "http 
>> protocol" entity. If this is correct, this means I will require one public 
>> IP address per website which seems to me a bit a waste hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can 
>> only have one "http protocol" entity assigned to it from my understanding. 
>> This also means that I would have to have to use one single SSL certificate 
>> file which includes every CN for each of my website. My feeling tells me 
>> that this does not sound good practice. Then how would relayd know that 
>> website www.website1.com has to be forwarded to the hosts in <table1> and 
>> that website www.website2.com has to be forwarded to the hosts in <table2>? 
>> Would you in the "http protocol" entity filter using the HTTP "Host" header 
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good 
>> practice to setup a relayd TLS load balancer for a different 
>> websites/webapps/domains and can't find much documentation about this 
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi

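Bryan's pattern carried over to the multi-domain case asked about above, as an added example that is neither Bryan's nor mabi's config. It assumes two backend tables (<site1>, <site2>) and constructed addresses, and, as in the question, that the one certificate relayd loads for the listener covers every Host name matched; the health-check lines are standard relayd.conf(5) syntax but are an assumption about the backends, not something from the thread.

```conf
# Added example, not the config from the thread. Addresses are constructed.
ext_addr="203.0.113.10"

# One table per website; each backend must serve its site on port 80.
table <site1> { 192.0.2.11 192.0.2.12 }   # example1.com
table <site2> { 192.0.2.21 192.0.2.22 }   # example2.com

http protocol https {
  # Tell the backends who the real client is (TLS is terminated here).
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  # Plain HTTP semantics: the backend closes the connection after one
  # response instead of keeping it alive for further requests.
  match request header set "Connection" value "close"

  # Route on the HTTP Host header, several names per table. Any name
  # not listed here falls through to the relay's first "forward to" table.
  match request header "Host" value "example1.com"     forward to <site1>
  match request header "Host" value "www.example1.com" forward to <site1>
  match request header "Host" value "example2.com"     forward to <site2>
  match request header "Host" value "www.example2.com" forward to <site2>
}

relay wwwtls {
  # One public address, one TLS listener for all sites; the certificate
  # for this listener has to carry every name matched above.
  listen on $ext_addr port 443 tls
  protocol https

  # The first table is the default target; the second is selected only by
  # a matching Host rule (or, per the man page, used when the first is down).
  forward to <site1> port 80 mode loadbalance check http "/" code 200
  forward to <site2> port 80 mode loadbalance check http "/" code 200
}
```

Check with `relayd -n -f /etc/relayd.conf` before reloading, and confirm each name reaches its table with `relayctl show hosts` and a request carrying the corresponding Host header.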