Hi,
I am just getting acquainted with relayd and would like to request some
help with setting it up as a reverse proxy. I am on
`6.6 GENERIC.MP#315 amd64`, so I have the SNI support needed for what I
want (AFAIK).
Here's the idea:
request: https://example.com
request: https://matrix.example.com
         |                          +----------------------+
         |                          | httpd localhost:1001 |
         |                          +----------^-----------+
         |                                     |
+--------v------------+                        |
|                     |  https://example.com   |
|       relayd        +------------------------+
|  192.168.0.20:443   +------------------------+
|                     |  https://matrix.example.com
+---------------------+                        |
                                               |
                                    +----------v------------+
                                    | synapse localhost:1002|
                                    +-----------------------+
Basically, I would like relayd to forward connections made to certain
subdomains (but the same port, 43) to their appropriate servers
listening only locally.
Please see my `/etc/relayd.conf` at the end of this email.
Mainly, my problem is that I am unsure in general about this setup (the
manual doesn't have an example for this and I struggle to find any guide
online) and that I can see relayd not using the correct keypairs:
---8<---
$ openssl s_client -connect example.com:443 | grep CN
[...]
depth=0 CN = example.com
[...]
subject=/CN=example.com
[...]
$ openssl s_client -connect matrix.example.com:443 | grep CN
[...]
depth=0 CN = example.com
[...]
subject=/CN=example.com
[...]
---8<---
If I am not mistaken, the CN for the second request should be
'matrix.example.com' if it were to work as I would like.
Thank you for your help!
Bertalan
---8<--- /etc/relayd.conf ---8<---
ext_inet = "192.168.0.20"

table <httpd_servers> { 127.0.0.1 }
table <matrix_servers> { 127.0.0.1 }

http protocol "http" {
        tcp { backlog 100, nodelay, sack, socket buffer 65536 }
        match request header set "X-Forwarded-For" \
            value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        include "/etc/relayd/secure-headers.conf"
}

http protocol "https" {
        return error
        tcp { backlog 100, nodelay, sack, socket buffer 65536 }
        match request header set "X-Forwarded-For" value \
            "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value \
            "$SERVER_ADDR:$SERVER_PORT"
        match request header "Host" value "matrix.example.com" \
            forward to <matrix_servers>
        tls keypair "example.com"
        tls keypair "matrix.example.com"
        include "/etc/relayd/secure-headers.conf"
}

relay "proxy" {
        listen on $ext_inet port 80
        protocol "http"
        forward to <httpd_servers> port 1000
}

relay "proxy_secure" {
        listen on $ext_inet port 443 tls
        protocol "https"
        forward to <httpd_servers> port 1001
        forward to <matrix_servers> port 1002
}
---8<--- EOF /etc/relayd.conf ---8<---
(This config also includes listening on port 80 and forwarding to httpd
to port 1000, but I don't suppose that's relevant.)
--
Bertalan Z. Péter <[email protected]>
FB9B 34FE 3500 3977 92AE 4809 935C 3BEB 44C1 0F89
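An added diagnostic, not part of the original message: a POSIX shell script that asks the relay for its leaf certificate while explicitly sending each SNI name (`openssl s_client -servername`), so the keypair selected per name can be checked one name at a time. It assumes an openssl build that sends SNI only when -servername is given; the function names `cn_from_subject`, `sni_subject` and `check_sni` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies which certificate a
# TLS listener presents for each SNI name. Assumption: this openssl build
# sends SNI only when -servername is given, so the name is passed
# explicitly for every probe.

# Extract the CN from an s_client "subject=" / "depth=N" line or from
# "openssl x509 -subject" output. Handles both the old "/CN=name" form and
# the newer "CN = name" form; prints the first CN found.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n \
        -e 's|.*/CN=\([^/,]*\).*|\1|p' \
        -e 's|.*CN *= *\([^/,]*\).*|\1|p' | head -n 1
}

# Fetch the leaf certificate subject for HOST:PORT, sending NAME as SNI.
# An empty stdin makes s_client exit right after the handshake.
sni_subject() {
    host=$1; port=$2; name=$3
    printf '' | openssl s_client -connect "$host:$port" \
        -servername "$name" 2>/dev/null | openssl x509 -noout -subject
}

# For each NAME, report whether the CN served matches the name requested.
# A CN that does not match usually means the default keypair was served.
check_sni() {
    host=$1; port=$2; shift 2
    rc=0
    for name in "$@"; do
        cn=$(cn_from_subject "$(sni_subject "$host" "$port" "$name")")
        if [ "$cn" = "$name" ]; then
            echo "OK   $name -> CN=$cn"
        else
            echo "FAIL $name -> CN=${cn:-none} (default keypair served?)"
            rc=1
        fi
    done
    return $rc
}

# usage: check_sni 192.168.0.20 443 example.com matrix.example.com
```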