Re: relayd TLS load balancer for multiple websites

2017-09-29 Thread Stuart Henderson
On 2017-09-28, Darren Tucker  wrote:
> On 28 September 2017 at 06:32, mabi  wrote:
>> Thanks for the pointer regarding SNI not being supported in relayd. I will 
>> go on and find another solution, probably HAproxy.
>
> For a small number of domains it would probably be feasible to get a
> single certificate with multiple SANs.  Letsencrypt at least supports
> this as long as all of the domains map (or can be made to map) to the
> place requesting the certificate.

With the dns-01 challenge type they don't need to be mapped to the same
place at all. Though the normal http-01 challenge requests don't use TLS,
so it should be easy enough to proxy them, even with relayd.




Re: relayd TLS load balancer for multiple websites

2017-09-29 Thread Comète
On 28 September 2017 15:50 "mabi" <m...@protonmail.ch> wrote:

> Thanks for the pointer regarding SNI not being supported in relayd. I will go 
> on and find another
> solution, probably HAproxy.
> 
>> ---- Original Message ----
>> Subject: Re: relayd TLS load balancer for multiple websites
>> Local Time: September 28, 2017 3:02 PM
>> UTC Time: September 28, 2017 1:02 PM
>> From: mcmer-open...@tor.at
>> To: mabi <m...@protonmail.ch>
>> openbsd-misc <misc@openbsd.org>
>> 
>> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>>> I was wondering if it is possible to use relayd as load balancer with
>>> TLS termination for multiple different websites residing on different
>>> servers.
>> 
>> With a public IP per website: yes. Else: no.
>> 
>> reyk@, 2014-07-24, "no SNI yet"
>> https://marc.info/?l=openbsd-misc=140621533620964
>> 
>> recent thread:
>> https://marc.info/?l=openbsd-misc=150599591326006
>> 
>> Marcus
>> 
>> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
>> from seeing these messages.

Hi,

I have been using Nginx for this in production for many years; it's simple and
works well.

Comete



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Darren Tucker
On 28 September 2017 at 06:32, mabi  wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go 
> on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a
single certificate with multiple SANs.  Letsencrypt at least supports
this as long as all of the domains map (or can be made to map) to the
place requesting the certificate.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
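
A worked setup for what the two replies above describe: one Let's Encrypt certificate whose SANs cover every site, obtained through http-01 challenges that relayd forwards over plain HTTP to a local httpd. This is an added example and not configuration from any of the posters; the public address 203.0.113.10, the backends 192.0.2.11 and 192.0.2.12, the domain names and the file paths are assumptions for illustration.

```conf
# /etc/acme-client.conf (assumed example). One certificate, several SANs:
# every name listed here must resolve to 203.0.113.10, where relayd listens.
authority letsencrypt {
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

domain example1.com {
	alternative names { www.example1.com example2.com www.example2.com }
	# relayd looks for the keypair of "listen on 203.0.113.10 port 443 tls"
	# in /etc/ssl/private/<address>:<port>.key and /etc/ssl/<address>:<port>.crt,
	# so write the key and the full chain straight to those names.
	domain key "/etc/ssl/private/203.0.113.10:443.key"
	domain certificate "/etc/ssl/example1.com.crt"
	domain full chain certificate "/etc/ssl/203.0.113.10:443.crt"
	sign with letsencrypt
	challengedir "/var/www/acme"
}

# /etc/httpd.conf (assumed example). Only serves the challenge tokens that
# acme-client writes to /var/www/acme; httpd is chrooted to /var/www.
server "acme" {
	listen on 127.0.0.1 port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}

# /etc/relayd.conf (assumed example), the plain HTTP side. Challenge
# requests go to httpd, everything else to the web hosts.
ext_addr="203.0.113.10"

table <web> {
	192.0.2.11
	192.0.2.12
}
table <acme> { 127.0.0.1 }

http protocol "http" {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	# No Host condition: Let's Encrypt fetches the token from each SAN in
	# turn, and all of them point at $ext_addr.
	match request path "/.well-known/acme-challenge/*" forward to <acme>
}

relay "http" {
	listen on $ext_addr port 80
	protocol "http"
	# The first table is the default destination; <acme> is listed so that
	# the path rule above can send requests to it.
	forward to <web> port 80 check http "/" code 200
	forward to <acme> port 80 check tcp
}
```

Run `acme-client -ADv example1.com` to create the account and domain keys and fetch the certificate, then `relayctl reload` so relayd picks up the new keypair; `openssl x509 -in /etc/ssl/203.0.113.10:443.crt -noout -text` shows the SAN list, which must contain every name the TLS relay will answer for. If Host-based rules are later added to this port-80 protocol, keep the challenge rule after them: relayd evaluates filter rules in order and the last matching rule decides which table a request goes to.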



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks for the pointer regarding SNI not being supported in relayd. I will go 
on and find another solution, probably HAproxy.

> ---- Original Message ----
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 3:02 PM
> UTC Time: September 28, 2017 1:02 PM
> From: mcmer-open...@tor.at
> To: mabi <m...@protonmail.ch>
> openbsd-misc <misc@openbsd.org>
>
> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>> I was wondering if it is possible to use relayd as load balancer with
>> TLS termination for multiple different websites residing on different
>> servers.
>
> With a public IP per website: yes. Else: no.
>
> reyk@, 2014-07-24, "no SNI yet"
> https://marc.info/?l=openbsd-misc=140621533620964
>
> recent thread:
> https://marc.info/?l=openbsd-misc=150599591326006
>
> Marcus
>
> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
> from seeing these messages.



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Marcus MERIGHI
m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
> I was wondering if it is possible to use relayd as load balancer with
> TLS termination for multiple different websites residing on different
> servers.

With a public IP per website: yes. Else: no. 

reyk@, 2014-07-24, "no SNI yet"
https://marc.info/?l=openbsd-misc=140621533620964

recent thread:
https://marc.info/?l=openbsd-misc=150599591326006

Marcus

btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
from seeing these messages.



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks Bryan for your example.

I saw in your example you only use the example.com domain. I would be using 
multiple domains such as example1.com, example2.com, exampleX.com, and so on. 
Would it also work in that case? Again I suppose here that I need to have all 
these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config 
parameter in a "relay" entity is used as backup in case the first "forward to" 
table is down. So one could think in your config that your second "forward to" 
would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as 
you have here below?

match request header set "Connection" value "close"

> ---- Original Message ----
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi <m...@protonmail.ch>
> openbsd-misc <misc@openbsd.org>
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W 
> Lucas (I recommend).  I cannot remember why I set the top header options, I 
> must have been trying to learn about them.  The host ones are to figure out 
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table  { $int_addr }
> table  {
>   $vm1_addr
>   $vm2_addr
>   $vm3_addr
>   $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
>   # playing with these options
>   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>   match request header set "Keep-Alive" value "$TIMEOUT"
>   match request header set "Connection" value "close"
>
>   match request header "Host" value "website.example.com" forward to 
>   match request header "Host" value "example.com" forward to 
>   match request header "Host" value "www.example.com" forward to 
>
> }
>
> relay wwwtls {
>   # Run as a SSL/TLS accelerator
>   listen on $ext_addr port 443 tls
>   protocol https
>
>   forward to  port 80 check tcp
>   forward to  port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi <m...@protonmail.ch> wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS 
>> termination for multiple different websites residing on different servers.
>>
>> From reading the man page I understand that for this purpose I will need to 
>> use one "relay" entity per website which will then have its own "http 
>> protocol" entity. If this is correct, this means I will require one public 
>> IP address per website which seems to me a bit a waste hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can 
>> only have one "http protocol" entity assigned to it from my understanding. 
>> This also means that I would have to use one single SSL certificate 
>> file which includes every CN for each of my websites. My feeling tells me 
>> that this does not sound good practice. Then how would relayd know that 
>> website www.website1.com has to be forwarded to the hosts in  and 
>> that website www.website2.com has to be forwarded to the hosts in ? 
>> Would you in the "http protocol" entity filter using the HTTP "Host" header 
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good 
>> practice to set up a relayd TLS load balancer for different 
>> websites/webapps/domains and can't find much documentation about this 
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi
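
The multi-domain layout asked about above, as an added example that is not Bryan's configuration and not taken from the relayd documentation: one relay on one public address, one protocol, one certificate whose SANs cover every name, and one table per site selected by the Host header. The address 203.0.113.10, the backend addresses, the domain names and the certificate paths are assumptions for illustration.

```conf
# /etc/relayd.conf (assumed example), the TLS side. Without SNI there is
# exactly one keypair per listener, so every name routed below must be a
# SAN of /etc/ssl/203.0.113.10:443.crt (key in /etc/ssl/private/...).
ext_addr="203.0.113.10"

table <example1> {
	192.0.2.11
	192.0.2.12
}
table <example2> {
	192.0.2.21
	192.0.2.22
}

http protocol "https" {
	# Tell the backends who the client was and that TLS ended here.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# Pick the table from the Host header; list the bare and www names
	# for each site, since the certificate carries both.
	match request header "Host" value "example1.com" forward to <example1>
	match request header "Host" value "www.example1.com" forward to <example1>
	match request header "Host" value "example2.com" forward to <example2>
	match request header "Host" value "www.example2.com" forward to <example2>
}

relay "wwwtls" {
	listen on $ext_addr port 443 tls
	protocol "https"

	# Every table a rule can forward to must appear here. The first one is
	# also the default: a request whose Host matches no rule ends up in
	# <example1>, and relayd.conf(5) treats the next table as the fallback
	# when all hosts of the first fail their check.
	forward to <example1> port 80 check http "/" code 200
	forward to <example2> port 80 check http "/" code 200
}
```

`relayd -n` checks the syntax and `relayctl show hosts` shows which backends currently pass their checks. Two things follow from the single certificate: a browser asking for a name outside the SAN list fails the TLS handshake before any Host rule runs, and each new site means a fresh acme-client run with the name added to the certificate's `alternative names` in acme-client.conf, followed by `relayctl reload`. Bryan's Keep-Alive and Connection rewrites are left out here; they are not needed for the routing.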



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Bryan Harris
Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend).  I cannot remember why I set the top header options,
I must have been trying to learn about them.  The host ones are to figure
out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table  { $int_addr }
table  {
  $vm1_addr
  $vm2_addr
  $vm3_addr
  $vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
  # playing with these options
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Keep-Alive" value "$TIMEOUT"
  match request header set "Connection" value "close"

  match request header "Host" value "website.example.com" forward to 
  match request header "Host" value "example.com" forward to 
  match request header "Host" value "www.example.com" forward to 

}

relay wwwtls {
  # Run as a SSL/TLS accelerator
  listen on $ext_addr port 443 tls
  protocol https

  forward to  port 80 check tcp
  forward to  port 80 mode loadbalance check tcp
}

V/r,
Bryan

On Thu, Sep 28, 2017 at 7:32 AM, mabi  wrote:

> Hi,
>
> I was wondering if it is possible to use relayd as load balancer with TLS
> termination for multiple different websites residing on different servers.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website which seems to me a bit a waste hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to use one single SSL certificate
> file which includes every CN for each of my websites. My feeling tells me
> that this does not sound good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in  and
> that website www.website2.com has to be forwarded to the hosts in
> ? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to set up a relayd TLS load balancer for different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi