On Sun, 2025-08-31 at 20:09 +0200, ashley wrote:
> So, in summary, is it possible for relayd to know what the correct
> certificate to use is, before receiving the HTTP request from the
> client? Is this possible to achieve with SNI? I haven't found any
> mentions of SNI in the relayd man page, so I can only assume it
> doesn't support SNI?

Hi, TLS Server Name Indication should be supported; just add the tls
keypair option multiple times, each with a different name, and forward
based on the "Host" header value. As per relayd.conf(5):

    tls option
...
        keypair name
            The relay will attempt to look up a private key in
            /etc/ssl/private/name:port.key and a public certificate
            in /etc/ssl/name:port.crt, where port is the specified
            port that the relay listens on.  If these files are not
            present, the relay will continue to look in
            /etc/ssl/private/name.key and /etc/ssl/name.crt.  This
            option can be specified multiple times for TLS Server
            Name Indication.  If not specified, a keypair will be
            loaded using the specified IP address of the relay as
            name.  See ssl(8) for details about TLS server
            certificates.

-- 
Reinis Martinsons
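As an added illustration of the setup described in the reply above (this is not configuration from the original mail or from the relayd project; the hostnames example.org and example.net, the $ext_ip macro and the backend addresses in the tables are assumed values), a relayd.conf fragment that loads one keypair per name for SNI and picks the backend from the Host header looks like this:

```conf
# Added example, not from the original thread.
# Assumed values: $ext_ip, the two hostnames and the backend addresses.
ext_ip = "192.0.2.10"

# One backend pool per site (addresses are placeholders).
table <web_org> { 10.0.0.11 }
table <web_net> { 10.0.0.12 }

http protocol "https" {
    # One "tls keypair" line per served name. relayd looks for
    #   /etc/ssl/private/example.org:443.key and /etc/ssl/example.org:443.crt
    # and falls back to /etc/ssl/private/example.org.key and
    # /etc/ssl/example.org.crt (see the relayd.conf(5) excerpt above).
    # The certificate presented to the client is chosen from the SNI name.
    tls keypair "example.org"
    tls keypair "example.net"

    # After TLS is terminated, route on the HTTP Host header.
    match request header "Host" value "example.org" forward to <web_org>
    match request header "Host" value "example.net" forward to <web_net>
}

relay "https" {
    listen on $ext_ip port 443 tls
    protocol "https"
    # Every table used by a "forward to" rule must also be listed here.
    forward to <web_org> port 80
    forward to <web_net> port 80
}
```

Two separate decisions happen here: the keypair is selected from the TLS SNI name before any HTTP is seen, while the backend is selected from the Host header after decryption. A client whose SNI name and Host header disagree therefore gets the certificate for one name and the backend for the other, so a deployment that cares about the distinction should keep the two lists in step and decide explicitly what to do with requests whose Host matches no rule.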
