Using TLS with relayd for SNI (server name indication).
(multiple distinct https://server.com from one machine.)
My goal is one fallback to cover all TLS server failures: if
one site fails then any reference to that site gets the
fallback page.
But I only see disconnects, not an http(s) response. curl returns
curl: (52) getsockname() failed with errno 61: Connection refused
It works with just one TLS keypair defined.
Is this expected behaviour? Is there a workaround?
thanks
J
OpenBSD 7.6 (GENERIC.MP) #4: Mon Jun 16 08:28:00 MDT 2025
relayd.conf looks like this:
# fallback appears not to work
table <sample> { 127.0.0.1 }
table <example> { 127.0.0.1 }
table <fallback> { 127.0.0.1 }

http protocol "https" {
    tls { keypair example.com }
    tls { keypair sample.com }
    # note fnmatch * ; in test we use :8888 port numbers
    pass request header "Host" value "example.com*" \
        forward to <example>
    pass request header "Host" value "sample.com*" \
        forward to <sample>
}

relay "tlsaccel" {
    listen on egress port 4043 tls
    protocol "https"
    forward to <sample> port 9001 check tcp
    forward to <example> port 9002 check tcp
    forward to <fallback> port 9003 check tcp
}
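An added diagnostic, not part of the original post: it probes the relay once per SNI name with openssl s_client and classifies what comes back, so a TCP refusal, a handshake alert, a connection that is accepted and then dropped, and a served certificate can be told apart. It assumes the relay is reachable on 127.0.0.1:4043 and uses nomatch.invalid as a constructed name that no keypair covers.

```sh
#!/bin/sh
# Classify raw "openssl s_client" output into one word, or into the
# subject of the certificate the listener actually served for that name.
classify_tls_output() {
    out=$1
    # leaf subject line printed by s_client after a completed handshake
    subj=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    case $out in
        *"Connection refused"*) echo refused ;;      # nothing listening
        *)
            if [ -n "$subj" ]; then
                printf 'cert:%s\n' "$subj"          # handshake completed
            elif printf '%s\n' "$out" | grep -q -e ' alert ' -e 'handshake failure'; then
                echo tls-error                      # server sent a TLS alert
            else
                echo closed                         # accepted, then dropped (the symptom above)
            fi ;;
    esac
}

# One probe; "|| true" keeps a failing openssl from aborting the script.
probe_sni() {
    host=$1 port=$2 name=$3
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$name" 2>&1 || true)
    classify_tls_output "$out"
}

# Probe every name the relay should answer for, plus one it should not
# (nomatch.invalid is a constructed name; assumed host/port as defaults).
probe_all() {
    host=${1:-127.0.0.1} port=${2:-4043}
    for name in example.com sample.com nomatch.invalid; do
        printf '%-18s %s\n' "$name" "$(probe_sni "$host" "$port" "$name")"
    done
}

if [ "${SNI_PROBE_RUN:-0}" = 1 ]; then probe_all "$@"; fi
```

Run it as `SNI_PROBE_RUN=1 sh probe.sh 127.0.0.1 4043`; a "closed" result for a name that has a keypair, while the same name works with a single keypair configured, points at the listener rather than at the backends.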