setlocale in cp/rm/mv
cp(1) and rm(1) call setlocale(LC_ALL, "") but mv(1) does not. Why do they do that, and why doesn't mv?

Jan
Re: FDE on BeagleBone Black
Hi all.

Using snapshots of October 2nd and ports, I can compile x11vnc, but it takes long hours (about two days).

I have memorized OpenBSD on BeagleBone Black (BBB). OpenBSD on BBB is a very small system, so it can run on everything (for example door, baby car).

http://akita-arm.blogspot.jp/2016/09/bbb.html

- regards
Re: what all touches the carp demote counter?
Hello, sorry, my bad English.

So, let's debug. Review carp/pfsync:

- NODE1-carp0/NODE2-carp0: same password and same vhid for each pair
- pfsync syncdev: /etc/hostname.pfsync0 = up syncdev IFACE
- check the default gateway on both (/etc/mygate)
- sysctl ip.forwarding=1 and carp.preempt=1 (/etc/sysctl.conf)
- pf rules: put the carp and pfsync rules at the TOP of your rules (for debug purposes):

    set skip on { lo0 $pfsyncdev }
    pass quick on { $carpdev $carpdev2 $carpdev3 } proto carp keep state (no-sync)

- Check with tcpdump on pflog if carp packets are being dropped
- Check if all carp interfaces are MASTER on the current node and check if all are BACKUP on the other
- Check if on the current backup node the states are syncing (systat states); compare on both: pfctl -ss | wc -l, almost the same quantity.

Bring the primary node up to MASTER (ifconfig -g carp carpdemote 30 on the current master node); the slave needs to have a lower value of carpdemote. Do NOT define advskew on the Primary, leave the default (0); just on the backup set advskew and put a high value (advskew 100) (hostname.carp).

- Check carpdemote on the new primary master (ifconfig -g carp); if the value is not 0, set to
- Reboot the slave node... and when it is back check if it stays slave (check systat states; compare on both: pfctl -ss | wc -l, must be almost equal).
- Check carpdemote on the slave, should be 0.

Reboot the Primary/Master and when it is back it is supposed to be Master.

* If you have huge traffic, the node you rebooted must wait until the states are synchronized.

About ospf, I have no experience working with carp.

One more time, sorry for any typo.

[]'s

2016-10-10 22:58 GMT-03:00 Paul B. Henson:
> On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
>
> > Did you adjust advskew value on the machine you want to be Backup ?
>
> Yes, the backup has an advskew of 5 and the primary an advskew of 1. As
> I mentioned, when I first configured the interfaces by hand the two
> systems properly negotiated master/backup roles, it was only after I
> rebooted the one that was supposed to be primary on this interface that
> it came up as backup, and I traced it to the fact that the carp demote value
> was set to 2. When I manually changed the carp demote value to 0, the
> system once again pre-empted the master role on the interface.
>
> I'm just not sure what is twiddling with the carp demotion value. Unless
> ospfd does it by default? The man page for the config file reads like it
> would only do it if you explicitly include the demote keyword in the
> area or interface section.
>
> Thanks for the suggestion though.
Re: what all touches the carp demote counter?
On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
> Did you adjust advskew value on the machine you want to be Backup ?

Yes, the backup has an advskew of 5 and the primary an advskew of 1. As I mentioned, when I first configured the interfaces by hand the two systems properly negotiated master/backup roles; it was only after I rebooted the one that was supposed to be primary on this interface that it came up as backup, and I traced it to the fact that the carp demote value was set to 2. When I manually changed the carp demote value to 0, the system once again pre-empted the master role on the interface.

I'm just not sure what is twiddling with the carp demotion value. Unless ospfd does it by default? The man page for the config file reads like it would only do it if you explicitly include the demote keyword in the area or interface section.

Thanks for the suggestion though.
Re: what all touches the carp demote counter?
Hello Paul,

Did you adjust advskew value on the machine you want to be Backup ?

For example:

Primary/Master

    # cat hostname.carp0
    vhid 1 carpdev em0 pass THEPASSWORD inet 10.20.30.40 255.255.255.0

Slave/Backup

    # cat hostname.carp0
    vhid 1 carpdev em0 advskew 100 pass THEPASSWORD inet 10.20.30.40 255.255.255.0

I think it could be it.

Regards,

2016-10-10 20:30 GMT-03:00 Paul B. Henson:
> I'm setting up a second router that's going to sit next to an existing
> one and become a redundant failover system. The current one is in
> production, and I've been converting some of the existing LAN subnets on it
> to use carp interfaces and making them primary and the new box
> secondary. I also set up a carp interface on the WAN side and made the
> new box primary for testing as that didn't exist before. That all
> worked fine when I set it up by hand, but when I rebooted the new box,
> the old box stayed primary for everything including the WAN interface,
> which I tracked down to the carp demote counter, which ended up at 2 on
> the new box after the reboot:
>
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
>
> After I manually decreased the demote counter by 2 back to 0 the WAN
> interface master switched back to the new box.
>
> I'm not sure what's doing that at boot? I am running ospfd on the box,
> but I don't have any demote statements in my configuration. I'm also
> running npppd, but I don't see anything about that and carp demotion.
> What else might be setting carp demotion values?
>
> Thanks...
what all touches the carp demote counter?
I'm setting up a second router that's going to sit next to an existing one and become a redundant failover system. The current one is in production, and I've been converting some of the existing LAN subnets on it to use carp interfaces and making them primary and the new box secondary. I also set up a carp interface on the WAN side and made the new box primary for testing as that didn't exist before. That all worked fine when I set it up by hand, but when I rebooted the new box, the old box stayed primary for everything including the WAN interface, which I tracked down to the carp demote counter, which ended up at 2 on the new box after the reboot:

    bash-4.3# ifconfig -g carp
    carp: carp demote count 2

After I manually decreased the demote counter by 2 back to 0 the WAN interface master switched back to the new box.

I'm not sure what's doing that at boot? I am running ospfd on the box, but I don't have any demote statements in my configuration. I'm also running npppd, but I don't see anything about that and carp demotion. What else might be setting carp demotion values?

Thanks...
Failure to get unbound to talk to nsd on the same server
Hi all,

I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my home network with DNS. I have a custom zone (only for LAN use) set up and previously used BIND successfully (but that VM crashed and its disk was hosed...) both as authoritative and caching/resolving. So now I am trying to learn to set up NSD to be authoritative for my small zone and Unbound to serve the LAN with all other queries.

But there is a problem:

1. Unbound successfully responds to queries and provides lookup to the LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and I suspect that I am missing something simple here. Currently I have set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91, so there should not be a conflict. In fact it works fine if I use dig @localhost and dig @192.168.x.91 respectively, but the second version only provides an answer-less response if asked for a LAN hostname. Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and drop NSD, but that would be giving up... It's supposed to work from all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353, and telling unbound to use that as the stub-address, while then having Unbound listen on 127.0.0.1 as well as 192.168.x.91 to be able to set 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result, except I can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use shortnames. The domain part should be picked up from the host name as given in /etc/myname, but that does not seem to work as I expect; I always have to provide the FQDN. Again something I have missed perhaps?

Anyway, I am staring blindly at the config files now and really need help figuring it out. I have removed all that is commented; otherwise it's the default except for changes of course.

Thanks for any clue bats coming my way...

/Johan

* resolv.conf

    lookup file bind
    nameserver 192.168.x.91

    # cat /etc/myname
    dns03.my.domain

    # cat /etc/hosts
    127.0.0.1 localhost
    ::1 localhost
    192.168.x.91 dns03.my.domain dns03

    # cat /var/unbound/etc/unbound.conf
    # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

    server:
        interface: 192.168.x.91
        interface: ::1
        do-not-query-localhost: no
        access-control: 192.168.x.64/24 allow
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
        access-control: ::0/0 refuse
        access-control: ::1 allow
        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        # auto-trust-anchor-file: "/var/unbound/db/root.key"
        root-hints: /var/unbound/etc/root.hints

    remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: /var/run/unbound.sock

    stub-zone:
        name: "my.domain"
        stub-addr: 127.0.0.1

    stub-zone:
        name: "x.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1

    # cat /var/nsd/etc/nsd.conf
    # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $

    server:
        hide-version: yes
        verbosity: 1
        database: ""  # disable database

        ## bind to a specific address/port
        ip-address: 127.0.0.1

    remote-control:
        control-enable: yes

    zone:
        name: "my.domain"
        zonefile: "master/my.domain"

    zone:
        name: "x.168.192.in-addr.arpa"
        zonefile: "master/192.168.x.rev"
Re: error: [drm:pid10679:i915_hangcheck_elapsed] *ERROR* Hangcheck timer elapsed... render ring idle
On 10/03/16 13:43, Mark Kettenis wrote:
> This is expected. You should use the "modesetting" driver instead of the "intel" driver. And if you don't have an /etc/X11/xorg.conf file, that would be the default. If you really need an /etc/X11/xorg.conf file, change the driver there. Otherwise, just delete the file.
>
> Cheers,
>
> Mark

Thanks Mark, this is now working fine.

--
Alexis de BRUYN
Re: Multiple web servers behind NAT
On Mon, October 10, 2016 6:01 am, Radek wrote:
>
> The second thing to do is enabling websites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have
> to configure man-in-the-middle "TLS inspection" mode to enable TLS
> connection using these certs again.
> Am I right?
>

No. TLS inspection doesn't work that way. It's for LAN systems connecting out through the relayd server to sites on the internet. It doesn't work in the other direction. You would have needed to use 'forward to destination' in place of 'forward to ' but that original destination will be the relayd machine again as it's IP based, not domain name based.

You need one certificate that matches all of your web site hostnames and configure relayd as a TLS server as you had it.

Tim.

> I did the following conf:
>
> #grep divert /etc/pf.conf
> pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 8443
>
> #openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
> #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt
>
> #ls -la /etc/ssl/*.crt
> -rwxr-x--- 1 root _relayd 1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
> -rwxr-x--- 1 root _relayd 1371 Oct 6 13:11 /etc/ssl/ca.crt
>
> #ls -la /etc/ssl/private/*.key
> -rwxr-x--- 1 root _relayd 1704 Oct 10 09:29 /etc/ssl/private/127.0.0.1.key
> -rwxr-x--- 1 root _relayd 1858 Oct 6 13:11 /etc/ssl/private/ca.key
>
> #cat /etc/relayd.conf
> ext_addr="msk0"
> host1="10.0.30.101"
> host2="10.0.30.201"
>
> table { $host1 }
> table { $host2 }
>
> http protocol "web_one" {
>     return error
>     pass request header "Host" value "1.domain.com" forward to
>     pass request header "Host" value "2.domain.com" forward to
>     pass request header "Host" value "3.domain.com" forward to
>
>     pass request header "Host" value "4.domain.com" forward to
>     pass request header "Host" value "5.domain.com" forward to
>     pass request header "Host" value "6.domain.com" forward to
> }
>
> http protocol "web_tls" {
>     return error
>     pass request header "Host" value "1.domain.com" forward to
>     pass request header "Host" value "2.domain.com" forward to
>     pass request header "Host" value "3.domain.com" forward to
>
>     pass request header "Host" value "4.domain.com" forward to
>     pass request header "Host" value "5.domain.com" forward to
>     pass request header "Host" value "6.domain.com" forward to
>     tls tlsv1
>     tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
>     tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay relay_one {
>     listen on $ext_addr port 80
>     protocol "web_one"
>     forward to check tcp port 80
>     forward to check tcp port 80
> }
>
> relay relay_tls {
>     listen on 127.0.0.1 port 8443 tls
>     protocol "web_tls"
>     forward with tls to check tcp port 443
>     forward with tls to check tcp port 443
> }
>
>
> #relayctl show relays
> Id   Type    Name        Avlblty   Status
> 1    relay   relay_one             active
> 2    relay   relay_tls             active
>
> #relayctl show summary
> Id   Type    Name           Avlblty   Status
> 1    relay   relay_one                active
> 1    table   www_101:80               active (1 hosts)
> 1    host    10.0.30.101    100.00%   up
> 2    table   www_201:80               active (1 hosts)
> 2    host    10.0.30.201    100.00%   up
> 2    relay   relay_tls                active
> 3    table   www_101:443              active (1 hosts)
> 3    host    10.0.30.101    100.00%   up
> 4    table   www_201:443              active (1 hosts)
> 4    host    10.0.30.201    100.00%   up
>
> Websites (https://4.domain, https://5.domain, https://6.domain) started to
> show the content of 1.domain.com
>
> If I changed the order of "forward" websites (https://1.domain,
> https://2.domain, https://3.domain) started to show content of
> 4.domain.com
>
> relay relay_tls {
>     listen on 127.0.0.1 port 8443 tls
>     protocol "web_tls"
>     forward with tls to check tcp port 443
>     forward with tls to check tcp port 443
> }
>
> All domains use relay_machine's certificate instead of the specific
> domain's cert.
>
> What am I doing wrong?
Re: OpenBSD on HPE DL20 G9
On 10/10/2016 11:44 AM, Todd C. Miller wrote:
> Can't you enable serial console redirection with the built-in iLO? That should make it easier to get the boot messages in legacy mode.

Alternatively, if you have the "Advanced iLO" license, you can ssh to iLO and view the text console.
opensmtpd-extras-[clamav|spamassassin] packages in 6.0
Hi,

Just noticed that the OpenBSD 6.0 release does not include the opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I would like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if I can use the old packages from 5.9 with 6.0? Or what is the alternative to these two packages?

Regards,
Mabi
Re: OpenBSD on HPE DL20 G9
Can't you enable serial console redirection with the built-in iLO? That should make it easier to get the boot messages in legacy mode.

- todd
Re: OpenBSD on HPE DL20 G9
On Mon, 10 Oct 2016 15:12:04 + BARDOU Pierre wrote:
> Hello,
>
> I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD
> (version 6.0).
>
> 1st try: UEFI. The boot loader does its work, and then the screen
> remains blank.
> I can't see any line with blue background.
> I tried to see what happened via console, but there is no serial port
> on these little beasts :(
>
> 2nd try: legacy BIOS.
> The kernel starts, lines starting with "cpu" seem OK.
> But then there are a lot of "mem address conflict" and "bridge mem
> address conflict".
> Then it freezes.
>
> Is there something I can do?
> Would it be useful that I give you the full messages (long and
> painful process of copying the text from the video of the boot)?

OMG I just placed an order for two of these, hoping to use OpenBSD on them. Should I cancel? Is there anything from HP in the same price range that runs OpenBSD?

Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
OpenBSD on HPE DL20 G9
Hello,

I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD (version 6.0).

1st try: UEFI. The boot loader does its work, and then the screen remains blank. I can't see any line with blue background. I tried to see what happened via console, but there is no serial port on these little beasts :(

2nd try: legacy BIOS. The kernel starts, lines starting with "cpu" seem OK. But then there are a lot of "mem address conflict" and "bridge mem address conflict". Then it freezes.

Is there something I can do? Would it be useful that I give you the full messages (long and painful process of copying the text from the video of the boot)?

Thank you

--
Cordialement,
Pierre Bardou
Re: Multiple web servers behind NAT
On 10.10.2016 at 12:01, Radek wrote:
> The second thing to do is enabling websites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have to configure man-in-the-middle "TLS inspection" mode to enable TLS connection using these certs again.
> Am I right?

You can't do that. The TLS exchange is done before the host name is sent in the request. The only thing you can do is to use one certificate for all hosts and terminate the TLS connection in relayd.

Regards
Markus
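The point Tim and Markus make above (the Host header only arrives inside the TLS session, so the one certificate relayd presents has to cover every name it routes on) as an added example, not code from the thread or from relayd: a Python check that pulls the Host values out of a relayd protocol block and reports which of them a certificate's subject alternative names leave uncovered, using the RFC 6125 wildcard rules TLS clients apply. The config text and SAN lists are constructed, and the `<www_101>`/`<www_201>` table names are assumed placeholders for the ones lost in the archive.

```python
"""Check that a single certificate covers every hostname a relayd
protocol routes on.  Added example for this thread, not code from
relayd or from any poster.  Matching follows the RFC 6125 rules TLS
clients apply: exact label match, or a wildcard that is the entire
leftmost label of a name with at least two more labels."""
import re

# Constructed stand-in for the "web_tls" protocol block quoted in the
# thread; <www_101>/<www_201> are assumed table names (the originals
# were lost in the archive).
RELAYD_CONF = '''
http protocol "web_tls" {
    return error
    pass request header "Host" value "1.domain.com" forward to <www_101>
    pass request header "Host" value "2.domain.com" forward to <www_101>
    pass request header "Host" value "3.domain.com" forward to <www_101>
    pass request header "Host" value "4.domain.com" forward to <www_201>
    pass request header "Host" value "5.domain.com" forward to <www_201>
    pass request header "Host" value "6.domain.com" forward to <www_201>
    tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
    tls ca cert "/etc/ssl/ca.crt"
}
'''

HOST_RULE = re.compile(r'pass\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"')


def relayd_host_values(conf):
    """Return the Host values a relayd protocol block routes on, in order."""
    return HOST_RULE.findall(conf)


def hostname_matches(san, hostname):
    """True if certificate name `san` covers `hostname` (RFC 6125 style)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    s_labels, h_labels = san.split("."), hostname.split(".")
    # A wildcard only counts as the whole leftmost label (no "f*.example"),
    # it never spans a dot, and "*.com" style names are rejected.
    if s_labels[0] != "*" or any("*" in l for l in s_labels[1:]):
        return False
    if len(s_labels) < 3 or len(s_labels) != len(h_labels):
        return False
    return s_labels[1:] == h_labels[1:]


def uncovered_hosts(san_names, hostnames):
    """Hostnames from the relay config that none of the SAN entries cover."""
    return [h for h in hostnames
            if not any(hostname_matches(s, h) for s in san_names)]


def coverage_report(conf, san_names):
    """Map each routed Host value to True/False: covered by the cert or not."""
    return {h: h not in uncovered_hosts(san_names, [h])
            for h in relayd_host_values(conf)}


if __name__ == "__main__":
    # Constructed SAN lists: a per-site certificate like each backend has
    # today, and one certificate issued for the relay itself.
    per_site = ["1.domain.com"]
    shared = ["domain.com", "*.domain.com"]
    for label, sans in (("per-site cert", per_site), ("shared cert", shared)):
        missing = uncovered_hosts(sans, relayd_host_values(RELAYD_CONF))
        status = "covers all hosts" if not missing else "missing " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it against the real certificate by feeding the SAN list from `openssl x509 -noout -ext subjectAltName` into `uncovered_hosts` before pointing relayd at the key pair.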
Re: segfault with stripped lib, works fine when non-stripped
Hey,

On Tue, Jan 5, 2016 at 7:38 AM, Stuart Henderson wrote:
> On 2016-01-04, Jeremie Le Hen wrote:
>> Hi,
>>
>> Yeah... when you read that subject you probably had this weird gaze ô_Ò
>> like I did when I came to that conclusion.
>>
>> I've been experiencing segfaults in milter-greylist on one of my MX
>> running OpenBSD for a while. I contacted Stuart (cc'ed) about 6 months
>> ago about this, but gave up because I couldn't manage to compile
>> everything with the debugging symbols. This time after much struggle to
>> compile the ports chain with them, I finally managed to run
>> milter-greylist in gdb(1) with the hope to witness the live crash and
>> get a detailed stacktrace...
>>
>> Except that even after tinkling Postfix, it never happened. This simply
>> worked fine. So after some more tinkering I came to the following
>> conclusion: if I run strip(1) on /usr/local/lib/libbind/libbind.so.5.0
>> to remove the debugging symbols, then it will crash with the stacktrace
>> below.
>
> libbind in the package isn't stripped either, it's just that it isn't built
> with debug symbols. So I'm not sure what's going on there.
>
> Note for anyone else looking: this is all rather dirty because there are
> conflicts between symbols in libc and libbind. It works well enough for net/mtr
> and for the test program spf_example in libspf2's distribution, but I suspect
> using it as a milter in the address space of an MTA that's using the libc
> resolver is pushing our luck too far.

Alright, I finally got some time (vacations) to fix this. I got rid of the problem by removing the actually useless dependency on libbind. The binary has been running for one hour without crashing, which was impossible previously.

See the following patches for mail/libspf2 and mail/milter-greylist (I cc'ed Jakob, the maintainer):

https://people.freebsd.org/~jlh/openbsd_mail_libspf2_no_libbind.diff
https://people.freebsd.org/~jlh/openbsd_mail_milter-greylist_no_libbind.diff

>
>> #0  0x1cc53e386d40 in memcpy (dst0=0x1cc5c48b7000, src0=Variable "src0" is not available.
>> ) at /usr/src/lib/libc/string/memcpy.c:94
>> #1  0x1cc4f4d496d8 in __res_vinit () from /usr/local/lib/libbind/libbind.so.5.0
>> #2  0x1cc4f4d48bda in __res_ninit () from /usr/local/lib/libbind/libbind.so.5.0
>> #3  0x1cc50b181905 in SPF_dns_resolv_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_resolv.c:261
>> #4  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #5  0x1cc50b180b16 in SPF_dns_cache_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_cache.c:408
>> #6  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #7  0x1cc50b18e4e3 in SPF_server_get_record (spf_server=0x1cc5eb4154c0, spf_request=0x1cc5c48aeb00, spf_response=0x1cc5eb41b400, spf_recordp=0x1cc54f7c8700) at spf_server.c:351
>> #8  0x1cc50b18c959 in SPF_request_query_mailfrom (spf_request=0x1cc5c48aeb00, spf_responsep=0x1cc54f7c87a0) at spf_request.c:291
>> #9  0x1cc2ee1207ca in spf_check_internal (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:388
>> #10 0x1cc2ee120c17 in spf_check (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:524
>> #11 0x1cc2ee123a0d in acl_filter (stage=AS_RCPT, ctx=0x1cc5c48b2000, priv=0x1cc5c48af000) at acl.c:1902
>> #12 0x1cc2ee1069ae in real_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:601
>> #13 0x1cc2ee105de0 in mlfi_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:213
>> #14 0x1cc52bfaa46e in st_rcpt () from /usr/local/lib/libmilter.so.4.0
>> #15 0x1cc52bfab557 in mi_engine () from /usr/local/lib/libmilter.so.4.0
>> #16 0x1cc52bfaca10 in mi_handle_session () from /usr/local/lib/libmilter.so.4.0
>> #17 0x1cc52bfab7d9 in mi_thread_handle_wrapper () from /usr/local/lib/libmilter.so.4.0
>> #18 0x1cc5a247d90e in _rthread_start (v=Variable "v" is not available.
>> ) at /usr/src/lib/librthread/rthread.c:145
>> #19 0x1cc53e33649b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
>> #20 0x in ?? ()
>

--
Jeremie Le Hen
j...@freebsd.org
Re: Multiple web servers behind NAT
Thank you for your precise explanation. HTTP relay seems to work fine now.

    #cat /etc/relayd.conf
    ext_addr="msk0"
    host1="10.0.30.101"
    host2="10.0.30.201"

    table { $host1 }
    table { $host2 }

    http protocol "web_one" {
        return error
        pass request header "Host" value "1.domain.com" forward to
        pass request header "Host" value "2.domain.com" forward to
        pass request header "Host" value "3.domain.com" forward to
        pass request header "Host" value "4.domain.com" forward to
        pass request header "Host" value "5.domain.com" forward to
        pass request header "Host" value "6.domain.com" forward to
    }

    relay relay_one {
        listen on $ext_addr port 80
        protocol "web_one"
        forward to check tcp port 80
        forward to check tcp port 80
    }

    #relayctl show relays
    Id   Type    Name        Avlblty   Status
    1    relay   relay_one             active

    #relayctl show summary
    Id   Type    Name           Avlblty   Status
    1    relay   relay_one                active
    1    table   www_101:80               active (1 hosts)
    1    host    10.0.30.101    100.00%   up
    2    table   www_201:80               active (1 hosts)
    2    host    10.0.30.201    100.00%   up

The second thing to do is enabling websites' SSL/TLS certs.
Each website has its own certificate on its server. I suppose that I have to configure man-in-the-middle "TLS inspection" mode to enable TLS connection using these certs again.
Am I right?

I did the following conf:

    #grep divert /etc/pf.conf
    pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 8443

    #openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
    #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt

    #ls -la /etc/ssl/*.crt
    -rwxr-x--- 1 root _relayd 1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
    -rwxr-x--- 1 root _relayd 1371 Oct 6 13:11 /etc/ssl/ca.crt

    #ls -la /etc/ssl/private/*.key
    -rwxr-x--- 1 root _relayd 1704 Oct 10 09:29 /etc/ssl/private/127.0.0.1.key
    -rwxr-x--- 1 root _relayd 1858 Oct 6 13:11 /etc/ssl/private/ca.key

    #cat /etc/relayd.conf
    ext_addr="msk0"
    host1="10.0.30.101"
    host2="10.0.30.201"

    table { $host1 }
    table { $host2 }

    http protocol "web_one" {
        return error
        pass request header "Host" value "1.domain.com" forward to
        pass request header "Host" value "2.domain.com" forward to
        pass request header "Host" value "3.domain.com" forward to
        pass request header "Host" value "4.domain.com" forward to
        pass request header "Host" value "5.domain.com" forward to
        pass request header "Host" value "6.domain.com" forward to
    }

    http protocol "web_tls" {
        return error
        pass request header "Host" value "1.domain.com" forward to
        pass request header "Host" value "2.domain.com" forward to
        pass request header "Host" value "3.domain.com" forward to
        pass request header "Host" value "4.domain.com" forward to
        pass request header "Host" value "5.domain.com" forward to
        pass request header "Host" value "6.domain.com" forward to
        tls tlsv1
        tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
        tls ca cert "/etc/ssl/ca.crt"
    }

    relay relay_one {
        listen on $ext_addr port 80
        protocol "web_one"
        forward to check tcp port 80
        forward to check tcp port 80
    }

    relay relay_tls {
        listen on 127.0.0.1 port 8443 tls
        protocol "web_tls"
        forward with tls to check tcp port 443
        forward with tls to check tcp port 443
    }

    #relayctl show relays
    Id   Type    Name        Avlblty   Status
    1    relay   relay_one             active
    2    relay   relay_tls             active

    #relayctl show summary
    Id   Type    Name           Avlblty   Status
    1    relay   relay_one                active
    1    table   www_101:80               active (1 hosts)
    1    host    10.0.30.101    100.00%   up
    2    table   www_201:80               active (1 hosts)
    2    host    10.0.30.201    100.00%   up
    2    relay   relay_tls                active
    3    table   www_101:443              active (1 hosts)
    3    host    10.0.30.101    100.00%   up
    4    table   www_201:443              active (1 hosts)
    4    host    10.0.30.201    100.00%   up

Websites (https://4.domain, https://5.domain, https://6.domain) started to show the content of 1.domain.com

If I changed the order of "forward" websites (https://1.domain,