setlocale in cp/rm/mv

2016-10-10 Thread Jan Stary
cp(1) and rm(1) call setlocale(LC_ALL, "") but mv(1) does not.
Why do they do that, and why doesn't mv?

Jan



Re: FDE on BeagleBone Black

2016-10-10 Thread Tuyosi T
hi all.

Using snapshots of October 2nd and ports, I can compile x11vnc,
but it takes long hours (about two days).

I have memorized OpenBSD on BeagleBone Black (BBB).
OpenBSD on BBB is a very small system, so it can run on everything (for
example a door, a baby car)

http://akita-arm.blogspot.jp/2016/09/bbb.html
-
regards



Re: what all touches the carp demote counter?

2016-10-10 Thread R0me0 ***
Hello, sorry for my bad English.

So, let's debug.

Review carp/pfsync (NODE1-carp0/NODE2-carp0: same password and same vhid
for each pair) (pfsync syncdev) (/etc/hostname.pfsync0 = up syncdev
IFACE)

Check the default gateway on both (/etc/mygate) / sysctl ip.forwarding=1 and
carp.preempt=1 (/etc/sysctl.conf)

(pf rules)

Put the carp and pfsync rules at the TOP of your rules (for debug purposes set
skip on { lo0 $pfsyncdev })

=> pass quick on { $carpdev $carpdev2 $carpdev3 } proto carp keep state
(no-sync) <=

- Check with tcpdump on pflog whether carp packets are being dropped

- Check that all carp interfaces are MASTER on the current node and
check that all are BACKUP on the other

- Check on the current backup node that the states are syncing (systat
states) (compare on both: pfctl -ss | wc -l), almost the same quantity.


Bring the primary node up to MASTER (ifconfig -g carp carpdemote 30 on the
current master node); the slave needs to have a lower value of carpdemote,
and do NOT DEFINE advskew on the primary, leave the default (0); only on the
backup set advskew and give it a high value (advskew 100) (hostname.carp)

- Check carpdemote on the new primary master (ifconfig -g carp); if the
value is not 0, set it to

- Reboot the slave node... and when it is back check that it stays slave (check
systat states) (compare on both: pfctl -ss | wc -l), must be almost equal.

- Check carpdemote on the slave, it should be 0

Reboot the Primary/Master and when it is back it is supposed to be Master


* If you have huge traffic (the node you rebooted must wait until the
states are synchronized)

About ospf, I have no experience working with carp.

One more time, sorry for any typos

[]'s



2016-10-10 22:58 GMT-03:00 Paul B. Henson :

> On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
>
> > Did you adjust advskew value on the machine you want to be Backup ?
>
> Yes, the backup has an advskew of 5 and the primary an advskew of 1. As
> I mentioned, when I first configured the interfaces by hand the two
> systems properly negotiated master/backup roles, it was only after I
> rebooted the one that was supposed to be primary on this interface that
> it came up as backup, and I traced it to the fact that the carp demote value
> was set to 2. When I manually changed the carp demote value to 0, the
> system once again pre-empted the master role on the interface.
>
> I'm just not sure what is twiddling with the carp demotion value. Unless
> ospfd does it by default? The man page for the config file reads like it
> would only do it if you explicitly include the demote keyword in the
> area or interface section.
>
> Thanks for the suggestion though.
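The checks in the procedure above (demote counter, which node is MASTER for which vhid, state-table counts on both sides) can be scripted so the same thing is asked before and after every reboot. The script below is an added example, not part of the post: its functions work on the text that ifconfig(8) and pfctl(8) print, and the two samples at the bottom are constructed, modelled on the output shown in this thread, so it also runs on a machine without carp. On the real nodes the samples are replaced by `ifconfig -g carp` and `ifconfig carp`.

```shell
#!/bin/sh
# Added example (not from the thread): the checks from the carp/pfsync
# procedure as shell functions over ifconfig(8)/pfctl(8) output.

# demote_count: read `ifconfig -g carp` output on stdin, print the counter
demote_count() {
    sed -n 's/^carp: carp demote count \([0-9][0-9]*\)$/\1/p'
}

# carp_roles: read `ifconfig carp` output on stdin, print one line per
# interface: "<ifname> <vhid> <MASTER|BACKUP|INIT> <advskew>"
carp_roles() {
    awk '
        /^[a-z]+[0-9]+:/ { sub(":", "", $1); ifn = $1 }
        /^[ \t]+carp: / {
            vhid = "?"; skew = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "vhid") vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            print ifn, vhid, $2, skew
        }'
}

# master_check: read "<node> <vhid> <state>" lines collected from both nodes
# on stdin and print every vhid that does not have exactly one MASTER:
# 0 means both sides are BACKUP (a demoted primary and a backup that does not
# preempt), 2 means a split brain (both nodes answer for the shared address).
master_check() {
    awk '
        { seen[$2] = 1; if ($3 == "MASTER") m[$2]++ }
        END { for (v in seen) if (m[v] != 1) print v, (m[v] ? m[v] : 0) }'
}

# states_in_sync A B PCT: succeed when the two `pfctl -ss | wc -l` counts
# differ by no more than PCT percent of the larger one
states_in_sync() {
    a=$1; b=$2; pct=$3
    if [ "$a" -gt "$b" ]; then big=$a; small=$b; else big=$b; small=$a; fi
    [ "$big" -eq 0 ] && return 0
    [ $(( (big - small) * 100 / big )) -le "$pct" ]
}

# Constructed sample output (not captured from a real host): a node that came
# back from reboot with a demote count of 2 and therefore lost vhid 1.
SAMPLE_GROUP='carp: carp demote count 2'
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 1
        groups: carp
        inet 10.20.30.40 netmask 0xffffff00 broadcast 10.20.30.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 1
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# On a real node:  ifconfig -g carp | demote_count ;  ifconfig carp | carp_roles
echo "demote count: $(printf '%s\n' "$SAMPLE_GROUP" | demote_count)"
printf '%s\n' "$SAMPLE_IFCONFIG" | carp_roles
```

Run `carp_roles` on both nodes, prefix each line with the node name, feed the two listings to `master_check`, and feed the two `pfctl -ss | wc -l` counts to `states_in_sync` before trusting a failover; a non-zero demote count with every interface in BACKUP is exactly the picture from the original post.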



Re: what all touches the carp demote counter?

2016-10-10 Thread Paul B. Henson
On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:

> Did you adjust advskew value on the machine you want to be Backup ?

Yes, the backup has an advskew of 5 and the primary an advskew of 1. As
I mentioned, when I first configured the interfaces by hand the two
systems properly negotiated master/backup roles, it was only after I
rebooted the one that was supposed to be primary on this interface that
it came up as backup, and I traced it to the fact that the carp demote value
was set to 2. When I manually changed the carp demote value to 0, the
system once again pre-empted the master role on the interface.

I'm just not sure what is twiddling with the carp demotion value. Unless
ospfd does it by default? The man page for the config file reads like it
would only do it if you explicitly include the demote keyword in the
area or interface section.

Thanks for the suggestion though.



Re: what all touches the carp demote counter?

2016-10-10 Thread R0me0 ***
Hello Paul,

Did you adjust advskew value on the machine you want to be Backup ?

For example:


Primary/Master

# cat hostname.carp0

vhid 1 carpdev em0 pass THEPASSWORD
inet 10.20.30.40 255.255.255.0


Slave/Backup
# cat hostname.carp0

vhid 1 carpdev em0 advskew 100 pass THEPASSWORD
inet 10.20.30.40 255.255.255.0

I think that could be it.

Regards,

2016-10-10 20:30 GMT-03:00 Paul B. Henson :

> I'm setting up a second router that's going to sit next to an existing
> one and become a redundant failover system. The current one is in
> production, and I've been converting some of the existing LAN subnets on it
> to use carp interfaces and making them primary and the new box
> secondary. I also set up a carp interface on the WAN side and made the
> new box primary for testing as that didn't exist before. That all
> worked fine when I set it up by hand, but when I rebooted the new box,
> the old box stayed primary for everything including the WAN interface,
> which I tracked down to the carp demote counter, which ended up at 2 on
> the new box after the reboot:
>
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
>
> After I manually decreased the demote counter by 2 back to 0 the WAN
> interface master switched back to the new box.
>
> I'm not sure what's doing that at boot? I am running ospfd on the box,
> but I don't have any demote statements in my configuration. I'm also
> running npppd, but I don't see anything about that and carp demotion.
> What else might be setting carp demotion values?
>
> Thanks...



what all touches the carp demote counter?

2016-10-10 Thread Paul B. Henson
I'm setting up a second router that's going to sit next to an existing
one and become a redundant failover system. The current one is in
production, and I've been converting some of the existing LAN subnets on it
to use carp interfaces and making them primary and the new box
secondary. I also set up a carp interface on the WAN side and made the
new box primary for testing as that didn't exist before. That all
worked fine when I set it up by hand, but when I rebooted the new box,
the old box stayed primary for everything including the WAN interface,
which I tracked down to the carp demote counter, which ended up at 2 on
the new box after the reboot:

bash-4.3# ifconfig -g carp
carp: carp demote count 2

After I manually decreased the demote counter by 2 back to 0 the WAN
interface master switched back to the new box.

I'm not sure what's doing that at boot? I am running ospfd on the box,
but I don't have any demote statements in my configuration. I'm also
running npppd, but I don't see anything about that and carp demotion.
What else might be setting carp demotion values?

Thanks...



Failure to get unbound to talk to nsd on the same server

2016-10-10 Thread Johan Mellberg
Hi all,

I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
home network with DNS. I have a custom zone (only for LAN use) set up
and previously used BIND successfully (but that VM crashed and its
disk was hosed...) both as authoritative and caching/resolving.

So now I am trying to learn to set up NSD to be authoritative for my
small zone and Unbound to serve the LAN with all other queries. But
there is a problem:

1. Unbound successfully responds to queries and provides lookup to the
LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and
I suspect that I am missing something simple here. Currently I have
set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
so there should not be a conflict. In fact it works fine if I use dig
@localhost  and dig @192.168.x.91 
respectively, but the second version only provides an answer-less
response if asked for a LAN hostname.

Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and
drop NSD - but that would be giving up... It's supposed to work from
all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353, and telling
unbound to use that as the stub-address, while then having Unbound
listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use
shortnames. The domain part should be picked up from the host name as
given in /etc/myname, but that does not seem to work as I expect, I
always have to provide the FQDN. Again something I have missed
perhaps?

Anyway, I am staring blindly at the config files now and really need
help figuring it out. I have removed all that is commented, otherwise
it's the default except for changes of course.

Thanks for any clue bats coming my way...
/Johan

* resolv.conf
lookup file bind
nameserver 192.168.x.91

# cat /etc/myname
dns03.my.domain

# cat /etc/hosts
127.0.0.1   localhost
::1 localhost
192.168.x.91   dns03.my.domain dns03

# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
interface: 192.168.x.91
interface: ::1
do-not-query-localhost: no

access-control: 192.168.x.64/24 allow
access-control: 127.0.0.0/8 allow
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: ::1 allow

hide-identity: yes
hide-version: yes

# Uncomment to enable DNSSEC validation.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"

root-hints: /var/unbound/etc/root.hints

remote-control:
control-enable: yes
control-use-cert: no
control-interface: /var/run/unbound.sock

stub-zone:
name: "my.domain"
stub-addr: 127.0.0.1
stub-zone:
name: "x.168.192.in-addr.arpa"
stub-addr: 127.0.0.1

# cat /var/nsd/etc/nsd.conf
# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $

server:
hide-version: yes
verbosity: 1
database: "" # disable database

## bind to a specific address/port
ip-address: 127.0.0.1

remote-control:
control-enable: yes

zone:
name: "my.domain"
zonefile: "master/my.domain"
zone:
name: "x.168.192.in-addr.arpa"
zonefile: "master/192.168.x.rev"
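Two unbound.conf(5) settings that the posted unbound.conf does not have, and that on a validating resolver are the usual reason a stub for a private zone hands back nothing: unbound ships default local-zone entries for the RFC 1918 reverse zones (168.192.in-addr.arpa among them) that are answered locally before any stub-zone is consulted, and with auto-trust-anchor-file active the validator expects a chain of trust into every zone unless the zone is declared insecure. The fragment below is an added example, not from the post or from the unbound project; that these two points are the whole cause of the empty answers in this particular setup is an assumption.

```conf
server:
        # ... the posted server: options stay as they are ...

        # unbound's built-in local-zone for the RFC 1918 reverse space answers
        # x.168.192.in-addr.arpa itself; release the default so the stub below
        # is asked instead
        local-zone: "168.192.in-addr.arpa." nodefault

        # both private zones are unsigned; with validation enabled
        # (auto-trust-anchor-file above) tell the validator not to expect a
        # chain of trust into them
        domain-insecure: "my.domain"
        domain-insecure: "x.168.192.in-addr.arpa"

stub-zone:
        name: "my.domain"
        stub-addr: 127.0.0.1
stub-zone:
        name: "x.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1
```

`unbound-checkconf` validates the file, and since remote-control is enabled in the posted config `unbound-control reload` picks it up; afterwards `dig @192.168.x.91` for a LAN host should return the same records that `dig @localhost` gets directly from nsd.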



Re: error: [drm:pid10679:i915_hangcheck_elapsed] *ERROR* Hangcheck timer elapsed... render ring idle

2016-10-10 Thread Alexis de BRUYN

On 10/03/16 13:43, Mark Kettenis wrote:

> This is expected.  You should use the "modesetting" driver instead of
> the "intel" driver.  And if you don't have an /etc/X11/xorg.conf file,
> that would be the default.
>
> If you really need an /etc/X11/xorg.conf file, change the driver
> there.  Otherwise, just delete the file.
>
> Cheers,
>
> Mark

Thanks Mark, this is now working fine.



--
Alexis de BRUYN



Re: Multiple web servers behind NAT

2016-10-10 Thread trondd
On Mon, October 10, 2016 6:01 am, Radek wrote:
>
> The second thing to do is enabling websites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have
> to configure man-in-the-middle "TLS inspection" mode to enable TLS
> connection using these certs again.
> Am I right?
>

No.  TLS inspection doesn't work that way.  It's for LAN systems
connecting out through the relayd server to sites on the internet.  It
doesn't work in the other direction.  You would have needed to use
'forward to destination' in place of 'forward to ' but that
original destination will be the relayd machine again as it's IP based,
not domain name based.

You need one certificate that matches all of your web site hostnames and
configure relayd as a TLS server as you had it.

Tim.

> I did the following conf:
>
> #grep divert /etc/pf.conf
> pass in on $ext_if inet proto tcp to port 443 divert-to localhost port
> 8443
>
> #openssl req -x509 -days 365 -newkey rsa:2048 -keyout
> /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
> #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout
> /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt
>
> #ls -la /etc/ssl/*.crt
> -rwxr-x---  1 root  _relayd  1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
> -rwxr-x---  1 root  _relayd  1371 Oct  6 13:11 /etc/ssl/ca.crt
>
> #ls -la /etc/ssl/private/*.key
> -rwxr-x---  1 root  _relayd  1704 Oct 10 09:29
> /etc/ssl/private/127.0.0.1.key
> -rwxr-x---  1 root  _relayd  1858 Oct  6 13:11 /etc/ssl/private/ca.key
>
> #cat /etc/relayd.conf
> ext_addr="msk0"
> host1="10.0.30.101"
> host2="10.0.30.201"
>
> table  { $host1 }
> table  { $host2 }
>
> http protocol "web_one" {
>return error
>pass request header "Host" value "1.domain.com" forward to 
>pass request header "Host" value "2.domain.com" forward to 
>pass request header "Host" value "3.domain.com" forward to 
>
>pass request header "Host" value "4.domain.com" forward to 
>pass request header "Host" value "5.domain.com" forward to 
>pass request header "Host" value "6.domain.com" forward to 
> }
>
> http protocol "web_tls" {
>return error
>pass request header "Host" value "1.domain.com" forward to 
>pass request header "Host" value "2.domain.com" forward to 
>pass request header "Host" value "3.domain.com" forward to 
>
>pass request header "Host" value "4.domain.com" forward to 
>pass request header "Host" value "5.domain.com" forward to 
>pass request header "Host" value "6.domain.com" forward to 
>tls tlsv1
>tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
>tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay relay_one {
>listen on $ext_addr port 80
>protocol "web_one"
>forward to  check tcp port 80
>forward to  check tcp port 80
> }
>
> relay relay_tls {
>listen on 127.0.0.1 port 8443 tls
>protocol "web_tls"
>forward with tls to  check tcp port 443
>forward with tls to  check tcp port 443
> }
>
>
> #relayctl show relays
> Id  TypeNameAvlblty Status
> 1   relay   relay_one   active
> 2   relay   relay_tls   active
>
> #relayctl show summary
> Id  TypeNameAvlblty Status
> 1   relay   relay_one   active
> 1   table   www_101:80  active (1
> hosts)
> 1   host10.0.30.101 100.00% up
> 2   table   www_201:80  active (1
> hosts)
> 2   host10.0.30.201 100.00% up
> 2   relay   relay_tls   active
> 3   table   www_101:443 active (1
> hosts)
> 3   host10.0.30.101 100.00% up
> 4   table   www_201:443 active (1
> hosts)
> 4   host10.0.30.201 100.00% up
>
> Websites (https://4.domain, https://5.domain, https://6.domain) started to
> show the content of 1.domain.com
>
> If I changed the order of "forward" websites (https://1.domain,
> https://2.domain, https://3.domain) started to show content of
> 4.domain.com
>
> relay relay_tls {
>listen on 127.0.0.1 port 8443 tls
>protocol "web_tls"
>forward with tls to  check tcp port 443
>forward with tls to  check tcp port 443
> }
>
> All domains use relay_machine's certificate instead of the specific
> domain's cert.
>
> What am I doing wrong?
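Both replies come to the same conclusion: the relayd in this release cannot pick a certificate per Host header, so the one listener needs a single certificate that is valid for all six names. The script below is an added example, not code from the thread or from relayd: it produces such a certificate with a subjectAltName covering the host names from the posted relayd.conf and lists what ended up in it. File names follow the convention the post already relies on, /etc/ssl/<listen address>.crt and /etc/ssl/private/<listen address>.key for the 127.0.0.1 listener; the lifetime and key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one certificate whose SAN covers every
# virtual host behind a single relayd TLS listener, plus a check of the SAN.

# make_san_cert KEY CRT DAYS HOST...: write an RSA key and a self-signed
# X.509v3 server certificate whose subjectAltName lists every HOST (the CN is
# the first HOST; clients match on the SAN, not the CN)
make_san_cert() {
    key=$1; crt=$2; days=$3; shift 3
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    (umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -keyout "$key" -out "$crt" -config "$cfg" 2>/dev/null)
    rc=$?
    rm -f "$cfg"
    return $rc
}

# san_names CRT: print the DNS names from the certificate's subjectAltName
san_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage on the relay (paths match the 127.0.0.1 listener in relayd.conf):
#   make_san_cert /etc/ssl/private/127.0.0.1.key /etc/ssl/127.0.0.1.crt 365 \
#       1.domain.com 2.domain.com 3.domain.com 4.domain.com 5.domain.com 6.domain.com
#   san_names /etc/ssl/127.0.0.1.crt
```

With that certificate in place the `web_tls` protocol needs only the `listen on 127.0.0.1 port 8443 tls` server side; the `tls ca key` and `tls ca cert` lines configure the inspection mode Tim describes and belong to outbound interception, not to a TLS server. Keep the key owned by root and readable by _relayd as in the posted listing, and give the relay the same file permissions the post shows for its existing cert.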



Re: OpenBSD on HPE DL20 G9

2016-10-10 Thread Steve Shockley

On 10/10/2016 11:44 AM, Todd C. Miller wrote:

> Can't you enable serial console redirection with the built-in iLO?
> That should make it easier to get the boot messages in legacy mode.


Alternatively, if you have the "Advanced iLO" license, you can ssh to 
iLO and view the text console.




opensmtpd-extras-[clamav|spamassassin] packages in 6.0

2016-10-10 Thread mabi
Hi,

Just noticed that the OpenBSD 6.0 release does not include the 
opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I would 
like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if I can 
use the old packages from 5.9 with 6.0?

Or what is the alternative to these two packages?

Regards,
Mabi



Re: OpenBSD on HPE DL20 G9

2016-10-10 Thread Todd C. Miller
Can't you enable serial console redirection with the built-in iLO?
That should make it easier to get the boot messages in legacy mode.

 - todd



Re: OpenBSD on HPE DL20 G9

2016-10-10 Thread Marko Cupać
On Mon, 10 Oct 2016 15:12:04 +
BARDOU Pierre  wrote:

> Hello,
>
> I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD
> (version 6.0).
>
> 1st try: UEFI. The boot loader does its work, and then the screen
> remains blank.
> I can't see any line with blue background.
> I tried to see what happened via console, but there is no serial port
> on these little beasts :(
>
> 2nd try: legacy BIOS.
> The kernel starts, lines starting with "cpu" seem OK.
> But then there are a lot of "mem address conflict" and "bridge mem
> address conflict".
> Then it freezes.
>
> Is there something I can do ?
> Would that be useful that I give you the full messages (long and
> painful process of copying the text from the video of the boot) ?

OMG I just placed an order for two of these, hoping to use OpenBSD on
them. Should I cancel? Is there anything from HP in same price range
that runs OpenBSD?

Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



OpenBSD on HPE DL20 G9

2016-10-10 Thread BARDOU Pierre
Hello,

I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD (version
6.0).

1st try: UEFI. The boot loader does its work, and then the screen remains
blank.
I can't see any line with blue background.
I tried to see what happened via console, but there is no serial port on these
little beasts :(

2nd try: legacy BIOS.
The kernel starts, lines starting with "cpu" seem OK.
But then there are a lot of "mem address conflict" and "bridge mem address
conflict".
Then it freezes.

Is there something I can do ?
Would that be useful that I give you the full messages (long and painful
process of copying the text from the video of the boot) ?

Thank you

--
Cordialement,
Pierre Bardou



Re: Multiple web servers behind NAT

2016-10-10 Thread Markus Hennecke

On 10.10.2016 at 12:01, Radek wrote:

> The second thing to do is enabling websites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have to configure
> man-in-the-middle "TLS inspection" mode to enable TLS connection using these
> certs again.
> Am I right?

You can't do that. The TLS exchange is done before the host name is sent in
the request.
The only thing you can do is to use one certificate for all hosts and
terminate the TLS connection in relayd.


Regards
Markus



Re: segfault with stripped lib, works fine when non-stripped

2016-10-10 Thread Jeremie Le Hen
Hey,

On Tue, Jan 5, 2016 at 7:38 AM, Stuart Henderson  wrote:
> On 2016-01-04, Jeremie Le Hen  wrote:
>> Hi,
>>
>> Yeah... when you read that subject you probably had this weird gaze ô_Ò
>> like I did when I came to that conclusion.
>>
>> I've been experiencing segfaults in milter-greylist on one of my MX
>> running OpenBSD for a while.  I contacted Stuart (cc'ed) about 6 months
>> ago about this, but gave up because I couldn't manage to compile
>> everything with the debugging symbols.  This time after much struggle to
>> compile the ports chain with them, I finally managed to run
>> milter-greylist in gdb(1) with the hope to witness the live crash and
>> get a detailed stacktrace...
>>
>> Except that even after tinkling Postfix, it never happened.  This simply
>> worked fine.  So after some more tinkering I came to the following
>> conclusion: if I run strip(1) on /usr/local/lib/libbind/libbind.so.5.0
>> to remove the debugging symbols, then it will crash with the stacktrace
>> below.
>
> libbind in the package isn't stripped either, it's just that it isn't built
> with debug symbols. So I'm not sure what's going on there.
>
> Note for anyone else looking: this is all rather dirty because there are
> conflicts between symbols in libc and libbind. It works well enough for net/mtr
> and for the test program spf_example in libspf2's distribution, but I suspect
> using it as a milter in the address space of an MTA that's using the libc
> resolver is pushing our luck too far.

Alright, I finally got some time (vacations) to fix this. I got rid of
the problem by removing the actually useless dependency over libbind.
The binary has been running for one hour without crashing which was
impossible previously.

See the following patches for mail/libspf2 and mail/milter-greylist (I
cc'ed Jakob, the maintainer):

https://people.freebsd.org/~jlh/openbsd_mail_libspf2_no_libbind.diff
https://people.freebsd.org/~jlh/openbsd_mail_milter-greylist_no_libbind.diff


>
>
>> #0  0x1cc53e386d40 in memcpy (dst0=0x1cc5c48b7000, src0=Variable "src0" is not available.
>> ) at /usr/src/lib/libc/string/memcpy.c:94
>> #1  0x1cc4f4d496d8 in __res_vinit () from /usr/local/lib/libbind/libbind.so.5.0
>> #2  0x1cc4f4d48bda in __res_ninit () from /usr/local/lib/libbind/libbind.so.5.0
>> #3  0x1cc50b181905 in SPF_dns_resolv_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_resolv.c:261
>> #4  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #5  0x1cc50b180b16 in SPF_dns_cache_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_cache.c:408
>> #6  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #7  0x1cc50b18e4e3 in SPF_server_get_record (spf_server=0x1cc5eb4154c0, spf_request=0x1cc5c48aeb00, spf_response=0x1cc5eb41b400, spf_recordp=0x1cc54f7c8700) at spf_server.c:351
>> #8  0x1cc50b18c959 in SPF_request_query_mailfrom (spf_request=0x1cc5c48aeb00, spf_responsep=0x1cc54f7c87a0) at spf_request.c:291
>> #9  0x1cc2ee1207ca in spf_check_internal (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:388
>> #10 0x1cc2ee120c17 in spf_check (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:524
>> #11 0x1cc2ee123a0d in acl_filter (stage=AS_RCPT, ctx=0x1cc5c48b2000, priv=0x1cc5c48af000) at acl.c:1902
>> #12 0x1cc2ee1069ae in real_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:601
>> #13 0x1cc2ee105de0 in mlfi_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:213
>> #14 0x1cc52bfaa46e in st_rcpt () from /usr/local/lib/libmilter.so.4.0
>> #15 0x1cc52bfab557 in mi_engine () from /usr/local/lib/libmilter.so.4.0
>> #16 0x1cc52bfaca10 in mi_handle_session () from /usr/local/lib/libmilter.so.4.0
>> #17 0x1cc52bfab7d9 in mi_thread_handle_wrapper () from /usr/local/lib/libmilter.so.4.0
>> #18 0x1cc5a247d90e in _rthread_start (v=Variable "v" is not available.
>> ) at /usr/src/lib/librthread/rthread.c:145
>> #19 0x1cc53e33649b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
>> #20 0x in ?? ()
>


--
Jeremie Le Hen
j...@freebsd.org
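Stuart's point about libc and libbind defining the same symbols can be checked before anything is linked: list what each shared object exports and intersect the two lists, because every name in the intersection is one that the dynamic linker will resolve to whichever object comes first, for both libraries' callers. The script below is an added example, not from the thread; the two `nm -D` style listings at the bottom are constructed (addresses and most names are made up, only the resolver entry points come from the backtrace above), so it runs without either library, and on a real host the same functions take the output of `nm -D` on the actual files.

```shell
#!/bin/sh
# Added example (not from the thread): symbols exported by both of two shared
# objects, i.e. names that interpose on each other once both are mapped into
# one process (here: a milter's libbind inside an MTA that uses libc's resolver).

# exported_syms: read `nm -D` output on stdin, print the names of globally
# defined symbols (text, data, bss, read-only, weak, absolute), sorted, unique
exported_syms() {
    awk 'NF == 3 && $2 ~ /^[ABDRTW]$/ { print $3 }' | LC_ALL=C sort -u
}

# shared_syms FILE_A FILE_B: names present in both sorted listings
shared_syms() {
    LC_ALL=C comm -12 "$1" "$2"
}

# check_pair_text NM_OUTPUT_A NM_OUTPUT_B: intersect two listings given as text
check_pair_text() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | exported_syms >"$a"
    printf '%s\n' "$2" | exported_syms >"$b"
    shared_syms "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed listings (not real nm output): only the overlapping resolver
# names are taken from the backtrace in the thread.
LIBBIND_NM='0000000000021a40 T __res_ninit
0000000000021c10 T __res_vinit
0000000000030f00 T res_query
0000000000031200 T res_search
                 U memcpy
                 U malloc'
LIBC_NM='00000000000a6d40 T memcpy
00000000000b1200 W res_query
00000000000b1400 W res_search
00000000000b1600 T __res_ninit
0000000000110000 T malloc'

# On a real system:
#   check_pair_text "$(nm -D /usr/local/lib/libbind/libbind.so.5.0)" "$(nm -D /usr/lib/libc.so.*)"
check_pair_text "$LIBBIND_NM" "$LIBC_NM"
```

A non-empty intersection is what makes the combination "rather dirty": which `__res_ninit` a caller gets depends on link order and on which object the MTA loaded first, which is also why the crash could depend on something as unrelated as whether a library carried debug symbols.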



Re: Multiple web servers behind NAT

2016-10-10 Thread Radek
Thank you for your precise explanation.

HTTP relay seems to work fine now. 

#cat /etc/relayd.conf 
ext_addr="msk0" 
host1="10.0.30.101" 
host2="10.0.30.201" 

table  { $host1 } 
table  { $host2 } 

http protocol "web_one" { 
   return error
   pass request header "Host" value "1.domain.com" forward to 
   pass request header "Host" value "2.domain.com" forward to 
   pass request header "Host" value "3.domain.com" forward to  

   pass request header "Host" value "4.domain.com" forward to  
   pass request header "Host" value "5.domain.com" forward to   
   pass request header "Host" value "6.domain.com" forward to  
} 

relay relay_one { 
   listen on $ext_addr port 80 
   protocol "web_one" 
   forward to  check tcp port 80 
   forward to  check tcp port 80
} 

#relayctl show relays
Id  TypeNameAvlblty Status
1   relay   relay_one   active

#relayctl show summary
Id  TypeNameAvlblty Status
1   relay   relay_one   active
1   table   www_101:80  active (1 hosts)
1   host10.0.30.101 100.00% up
2   table   www_201:80  active (1 hosts)
2   host10.0.30.201 100.00% up


The second thing to do is enabling websites' SSL/TLS certs.
Each website has its own certificate on its server. I suppose that I have to
configure man-in-the-middle "TLS inspection" mode to enable TLS connection using
these certs again.
Am I right?

I did the following conf: 

#grep divert /etc/pf.conf 
pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 8443

#openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key 
-out /etc/ssl/ca.crt
#openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout 
/etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt

#ls -la /etc/ssl/*.crt
-rwxr-x---  1 root  _relayd  1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
-rwxr-x---  1 root  _relayd  1371 Oct  6 13:11 /etc/ssl/ca.crt

#ls -la /etc/ssl/private/*.key
-rwxr-x---  1 root  _relayd  1704 Oct 10 09:29 /etc/ssl/private/127.0.0.1.key
-rwxr-x---  1 root  _relayd  1858 Oct  6 13:11 /etc/ssl/private/ca.key

#cat /etc/relayd.conf 
ext_addr="msk0" 
host1="10.0.30.101" 
host2="10.0.30.201" 

table  { $host1 } 
table  { $host2 } 

http protocol "web_one" { 
   return error
   pass request header "Host" value "1.domain.com" forward to 
   pass request header "Host" value "2.domain.com" forward to 
   pass request header "Host" value "3.domain.com" forward to  

   pass request header "Host" value "4.domain.com" forward to  
   pass request header "Host" value "5.domain.com" forward to   
   pass request header "Host" value "6.domain.com" forward to  
} 

http protocol "web_tls" { 
   return error
   pass request header "Host" value "1.domain.com" forward to 
   pass request header "Host" value "2.domain.com" forward to 
   pass request header "Host" value "3.domain.com" forward to  

   pass request header "Host" value "4.domain.com" forward to  
   pass request header "Host" value "5.domain.com" forward to   
   pass request header "Host" value "6.domain.com" forward to  
   tls tlsv1
   tls ca key "/etc/ssl/private/ca.key" password "somepasshere" 
   tls ca cert "/etc/ssl/ca.crt" 
}
 
relay relay_one { 
   listen on $ext_addr port 80 
   protocol "web_one" 
   forward to  check tcp port 80 
   forward to  check tcp port 80
} 

relay relay_tls { 
   listen on 127.0.0.1 port 8443 tls
   protocol "web_tls" 
   forward with tls to  check tcp port 443
   forward with tls to  check tcp port 443
}


#relayctl show relays
Id  TypeNameAvlblty Status
1   relay   relay_one   active
2   relay   relay_tls   active

#relayctl show summary
Id  TypeNameAvlblty Status
1   relay   relay_one   active
1   table   www_101:80  active (1 hosts)
1   host10.0.30.101 100.00% up
2   table   www_201:80  active (1 hosts)
2   host10.0.30.201 100.00% up
2   relay   relay_tls   active
3   table   www_101:443 active (1 hosts)
3   host10.0.30.101 100.00% up
4   table   www_201:443 active (1 hosts)
4   host10.0.30.201 100.00% up

Websites (https://4.domain, https://5.domain, https://6.domain) started to show 
the content of 1.domain.com 

If I changed the order of "forward" websites (https://1.domain,