version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16 author=Naglfar charset=UTF-8 csum=Fix listening port for https ctime=1628324722 host=92.191.225.58 name=Relayd.TLSMulti rev=8 targets=Relayd.Acceleration,Openhttpd.Hosting,Acme-client.Configure,Ln.Intro,Ip.Myaddress,Openbsd.Ddos,Openbsd.Loginconf text=
(:title TLS Acceleration for Multiple Domains with relayd:)

!! Before You Begin

Please see the [[relayd/acceleration|TLS acceleration guide with relayd]] before following this guide.

In this guide, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and your https services are listening on port 443. Keep in mind that relayd terminates TLS itself and, with the configuration below, forwards plain HTTP to the backends on 127.0.0.1. Each backend port must therefore accept plaintext HTTP; if a backend only speaks TLS, add @@with tls@@ to its @@forward@@ line (@@forward with tls to <table> port 443@@).

!! Request SSL Certs

You will need the SSL certs for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.

By default, [[https://man.openbsd.org/relayd|relayd]] searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/private/name:port.key@@ for the public/private keypair, where @@port@@ is the port the relay listens on (443 in this guide). If those are not present, it uses @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@.

If your public cert and private key have different names, you should update [[acme-client/configure|/etc/acme-client.conf]]. It's recommended to use @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@, where @@name@@ is replaced with your actual domain name. Keep the private key under @@/etc/ssl/private@@, which is readable only by root, so that other users on the machine cannot copy it.

'''Optional''': If your public cert ends in .fullchain.pem instead of .crt, you can create [[ln/intro|symbolic links]]:

[@
$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt
@]

Replace @@example.com@@ with your real domain. The link lets relayd find your public certificate. However, it is still highly recommended that you change [[acme-client/configure|acme-client.conf]] so that the certificate files it writes end with the extension @@.crt@@.

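As a check before starting relayd, the script below (an added example written for this page, not part of the guide or of relayd) reproduces the search order just described for each keypair name and listen port, and also warns when a private key is group- or world-readable. It only looks at files, so it can run before relayd is started. The hostnames, the @@/etc/ssl@@ layout and the scratch directory used to try it out are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: reproduce relayd's keypair search
# order for each "tls { keypair name }" entry and the listen port, and flag
# private keys that other users on the box could read. SSLDIR defaults to
# /etc/ssl; the hostnames passed on the command line are assumed.

# relayd_keypair NAME PORT [SSLDIR]: print "CERT KEY" for the first complete
# pair in relayd's search order (name:port first, then plain name, as in
# relayd.conf(5)); return 1 if neither pair exists.
relayd_keypair() {
	rk_name=$1 rk_port=$2 rk_dir=${3:-/etc/ssl}
	for rk_base in "$rk_name:$rk_port" "$rk_name"; do
		rk_cert="$rk_dir/$rk_base.crt"
		rk_key="$rk_dir/private/$rk_base.key"
		if [ -f "$rk_cert" ] && [ -f "$rk_key" ]; then
			printf '%s %s\n' "$rk_cert" "$rk_key"
			return 0
		fi
	done
	return 1
}

# key_is_private KEYFILE: 0 if the file exists and has neither the group nor
# the world read bit set (columns 5 and 8 of "ls -l" output).
key_is_private() {
	[ -f "$1" ] || return 1
	kp_mode=$(ls -ldL "$1" | cut -c1-10)
	case $kp_mode in
		????r*|???????r*) return 1 ;;
	esac
	return 0
}

# check_keypairs PORT SSLDIR NAME...: one report line per keypair name;
# returns the number of names relayd would fail to load or whose key is
# exposed (0 means everything is in order).
check_keypairs() {
	ck_port=$1 ck_dir=$2; shift 2
	ck_bad=0
	for ck_name in "$@"; do
		if ck_pair=$(relayd_keypair "$ck_name" "$ck_port" "$ck_dir"); then
			ck_key=${ck_pair#* }
			if key_is_private "$ck_key"; then
				echo "ok   $ck_name -> $ck_pair"
			else
				echo "WARN $ck_name: $ck_key is group- or world-readable"
				ck_bad=$((ck_bad + 1))
			fi
		else
			echo "FAIL $ck_name: no $ck_name:$ck_port or $ck_name .crt/.key pair under $ck_dir"
			ck_bad=$((ck_bad + 1))
		fi
	done
	return $ck_bad
}

# Usage: sh check-keypairs.sh 443 /etc/ssl www.example.com www.sub.example.com \
#            service1.example.com service2.example.com
if [ $# -ge 3 ]; then
	check_keypairs "$@"
fi
```

A FAIL line corresponds to the keypair-loading error that @@doas relayd -n@@ reports for the same name; a WARN line means the key should be @@chmod 600@@ and owned by root. A certificate that exists only as @@name.fullchain.pem@@ shows up as FAIL until the symlink above is created.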
!! Edit relayd.conf

Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. This configuration will provide TLS acceleration for three services: a webserver that listens on port 443, a second service which listens on port 8000, and a third which listens on port 8080, all bound to localhost. Here is what we will put, one block at a time:

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <www> { 127.0.0.1 }
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection
@]

Replace @@192.168.1.1@@ and @@2001:db8::@@ with your [[ip/myaddress|real IPv4 and IPv6 address]]. Make sure the IPv4 is [[openbsd/ddos|DDoS-filtered]] if you have that option.

Replace @@service1@@ and @@service2@@ with the names of your real services, such as bnc or mail (@@www@@ is already taken by openhttpd).

Do '''NOT''' replace @@127.0.0.1@@. You want relayd to forward its requests to the servers listening on localhost, which are reachable from outside only through relayd.

[@
http protocol https {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
		value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	tcp { sack, backlog 128 }
	tls { keypair www.example.com }
	tls { keypair www.sub.example.com }
	tls { keypair service1.example.com }
	tls { keypair service2.example.com }
	match request header "Host" value "*" forward to <www>
	match request header "Host" value "service1.example.com" forward to <service1>
	match request header "Host" value "service2.example.com" forward to <service2>
}
@]

relayd inspects the headers of each HTTP request that users send. By default, a request for any hostname is forwarded to port 443 for [[openhttpd/hosting|openhttpd]] to handle. However, if the Host header says service1.example.com, the request is forwarded to port 8000 for service1 to handle, and if it says service2.example.com, to port 8080 for service2. Note that relayd evaluates @@match@@ rules from first to last and keeps going after a match, so the forward target set by the last matching rule wins; the wildcard @@*@@ rule must therefore be placed first. Placed last, it would send every request to @@<www>@@.

We also define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding them to [[openhttpd/hosting|openhttpd]]. Because @@append@@ adds to an existing X-Forwarded-For header rather than replacing it, a client can put its own fake address in front of the real one; a backend that logs or authorizes on that header should use only the last entry, or use X-Forwarded-By, which relayd sets from its own address and port.

We turn on TCP selective acknowledgments and set the listen backlog (connections accepted by the kernel but not yet by relayd) to 128 in the tcp block.

We define the keypair names, one @@keypair@@ per hostname that clients may send in the TLS Server Name Indication (SNI); relayd presents the certificate whose keypair name matches the SNI, and the first keypair for anything else. Below is a table which shows the order in which relayd searches for each keypair. You will want to replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.

The three @@match request header "Host"@@ rules at the end of the protocol block forward to the proper service based on the Host HTTP header.

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service1.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||
|| 2 || /etc/ssl/service1.example.com.crt || /etc/ssl/private/service1.example.com.key ||

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service2.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||
|| 2 || /etc/ssl/service2.example.com.crt || /etc/ssl/private/service2.example.com.key ||

[@
relay wwwtls {
	listen on $ip4 port 443 tls
	protocol https
	forward to <www> port 443 check icmp
	forward to <service1> port 8000 check icmp
	forward to <service2> port 8080 check icmp
}
relay www6tls {
	listen on $ip6 port 443 tls
	protocol https
	forward to <www> port 443 check icmp
	forward to <service1> port 8000 check icmp
	forward to <service2> port 8080 check icmp
}
@]

We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on ports 443, 8000, and 8080 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available. Be aware that @@check icmp@@ only pings the host, and 127.0.0.1 always answers, so a backend that has crashed stays in its table; @@check tcp@@ (a connect to the forward port) or @@check http "/" code 200@@ would notice that.

!! Complete relayd.conf

Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <www> { 127.0.0.1 }
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection

http protocol https {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
		value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	tcp { sack, backlog 128 }
	tls { keypair www.example.com }
	tls { keypair www.sub.example.com }
	tls { keypair service1.example.com }
	tls { keypair service2.example.com }
	match request header "Host" value "*" forward to <www>
	match request header "Host" value "service1.example.com" forward to <service1>
	match request header "Host" value "service2.example.com" forward to <service2>
}

relay wwwtls {
	listen on $ip4 port 443 tls
	protocol https
	forward to <www> port 443 check icmp
	forward to <service1> port 8000 check icmp
	forward to <service2> port 8080 check icmp
}
relay www6tls {
	listen on $ip6 port 443 tls
	protocol https
	forward to <www> port 443 check icmp
	forward to <service1> port 8000 check icmp
	forward to <service2> port 8080 check icmp
}
@]

Check the file with @@doas relayd -n@@ before starting relayd; it reports syntax errors and keypairs it cannot load with the offending line number.

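To see the rule-ordering point concretely, here is a small evaluator (an added example written for this page, not relayd code) that applies the three Host rules the way relayd does, first to last with the last match winning, to the hostnames from the configuration above, once with the wildcard first and once with it last. The hostnames are the guide's own; @@unknown.example.org@@ is a made-up name that no specific rule matches.

```shell
#!/bin/sh
# Added example, not from the original guide: evaluate the page's three
# "match request header Host ... forward to" rules the way relayd does.
# match rules do not stop evaluation, so the forward target set by the LAST
# matching rule is the one used. RULES mirrors the https protocol above;
# the first field is matched as a shell glob, which is also the kind of
# pattern relayd accepts in "value".
RULES='* www
service1.example.com service1
service2.example.com service2'

# The same rules with the wildcard last: the misordering the guide warns about.
RULES_WILDCARD_LAST='service1.example.com service1
service2.example.com service2
* www'

# route_host HOST [RULES]: print the table chosen by the last matching rule,
# or "default" when nothing matched (relayd then uses the relay's first
# "forward to" table).
route_host() {
	rh_host=$1
	rh_rules=${2:-$RULES}
	rh_chosen=default
	while read -r rh_pattern rh_table; do
		[ -n "$rh_pattern" ] || continue
		# Unquoted $rh_pattern is a glob; a later match overwrites an earlier one.
		case $rh_host in
			$rh_pattern) rh_chosen=$rh_table ;;
		esac
	done <<EOF
$rh_rules
EOF
	printf '%s\n' "$rh_chosen"
}

# show_routing [RULES]: "host -> table" for the guide's hostnames plus one
# unknown name (an assumption for the demo).
show_routing() {
	for sr_host in www.example.com www.sub.example.com \
	               service1.example.com service2.example.com unknown.example.org; do
		printf '%s -> %s\n' "$sr_host" "$(route_host "$sr_host" "${1:-$RULES}")"
	done
}

# Usage: sh route-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
	echo "wildcard first (correct):"; show_routing
	echo "wildcard last (broken):";   show_routing "$RULES_WILDCARD_LAST"
fi
```

With the wildcard first, service1.example.com and service2.example.com reach their own tables and every other name falls through to @@<www>@@; with the wildcard last, all five names are sent to @@<www>@@ and the two services are never reached, which is exactly the silent failure the ordering rule prevents.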
!! Login class limits

If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[openbsd/loginconf|/etc/login.conf]]:

[@
relayd:\
	:openfiles=4096:\
	:stacksize-cur=96M:\
	:stacksize-max=96M:\
	:tc=daemon:
@]

The rc.d framework uses a login class named after the daemon when one exists, so this class applies the next time relayd is started. If a compiled @@login.conf.db@@ database exists, it takes precedence over [[openbsd/loginconf|login.conf]] and the change would be ignored; either remove the database or rebuild it with @@doas cap_mkdb /etc/login.conf@@:

[@
$ doas rm -f /etc/login.conf.db
@]
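Once relayd is running, the check a practitioner wants is that each hostname is actually served the certificate that covers it: a mistyped keypair name or a missing file makes relayd present its first keypair for that SNI name, which browsers report as a name mismatch. The script below is an added example (not part of this guide or of relayd). @@san_covers@@ decides, offline, whether a certificate's Subject Alternative Name list covers a hostname, including the rule that a @@*.@@ wildcard matches exactly one label; @@check_sni@@ runs @@openssl s_client@@ against the relay with SNI set to each name and feeds the presented certificate through it. The address 192.168.1.1 and the hostnames are the ones assumed in this guide; the SAN strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that the relay serves a
# certificate covering each hostname. The relay address and hostnames given on
# the command line are assumptions; san_covers needs no network at all.

# san_covers HOST SANLIST: SANLIST is the comma-separated text openssl prints
# after "Subject Alternative Name:", e.g. "DNS:example.com, DNS:*.example.com"
# (constructed sample). Returns 0 if an entry matches HOST: exact match, or a
# "*." wildcard covering exactly one label (so *.example.com covers
# www.example.com but neither example.com nor a.b.example.com).
san_covers() {
	sc_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
	sc_list=$(printf '%s' "$2" | tr ',' '\n' |
		sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
	while IFS= read -r sc_name; do
		[ -n "$sc_name" ] || continue
		case $sc_name in
			"$sc_host") return 0 ;;
			\*.*)
				sc_suffix=${sc_name#\*.}
				sc_label=${sc_host%%.*}
				if [ -n "$sc_label" ] && [ "$sc_host" = "$sc_label.$sc_suffix" ]; then
					return 0
				fi
				;;
		esac
	done <<EOF
$sc_list
EOF
	return 1
}

# served_san HOST IP [PORT]: open a TLS connection to the relay with SNI=HOST
# and print the SAN list of the leaf certificate it presents (empty on failure).
served_san() {
	openssl s_client -servername "$1" -connect "$2:${3:-443}" </dev/null 2>/dev/null |
		openssl x509 -noout -text 2>/dev/null |
		sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# check_sni IP HOST...: one line per hostname; returns the number of names
# that were handed a certificate not covering them (0 means all good).
check_sni() {
	cs_ip=$1; shift
	cs_bad=0
	for cs_host in "$@"; do
		cs_san=$(served_san "$cs_host" "$cs_ip")
		if [ -n "$cs_san" ] && san_covers "$cs_host" "$cs_san"; then
			echo "ok   $cs_host: $cs_san"
		else
			echo "FAIL $cs_host: served [${cs_san:-no certificate}]"
			cs_bad=$((cs_bad + 1))
		fi
	done
	return $cs_bad
}

# Usage: sh check-sni.sh 192.168.1.1 www.example.com www.sub.example.com \
#            service1.example.com service2.example.com
if [ $# -ge 2 ]; then
	check_sni "$@"
fi
```

Run it against the public address, not 127.0.0.1, so that the connection goes through the relay and pf; a FAIL for one name while the others pass almost always means that name's keypair did not load (compare with the keypair check earlier in this guide), and a FAIL for every name means the handshake itself is not completing.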
Introduction%0a%3c %0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption by default. It serves all its content as plaintext, exposing users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a%3c %0a%3c Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a%3c %0a%3c !! Check Server in Plaintext%0a%3c %0a%3c Before using relayd, you must make sure your server can serve its content in plaintext. If the server doesn't respond to plaintext requests, relayd won't work, either.%0a%3c %0a%3c # For providing webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]]. Afterwards, test the setup using the [[telnet/http|telnet troubleshooting guide]].%0a%3c # For providing public bouncers, please see the [[znc/chroot|znc chroot guide]]. Afterwards, test the setup using the [[openbsd/netcat|netcat troubleshooting guide]].%0a%3c %0a%3c '''WARNING''': If you are using relayd for TLS acceleration for openhttpd, make sure openhttpd does '''not''' have a listener on port 443. 
Look for blocks like the ones below:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Notice the line @@listen on * tls port 443@@ and the @@tls {...}@@ block. If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a%3c %0a%3c In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 80.%0a%3c %0a%3c !! Request SSL Certs%0a%3c %0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c By default, relayd searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/name:port.key@@ for the public/private keypair. So, we will create symlinks:%0a%3c %0a%3c [@%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a%3c $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a%3c @]%0a%3c %0a%3c !! Edit relayd.conf%0a%3c %0a%3c Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. Here is what we will put, one block at a time:%0a%3c %0a%3c [@%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a%3c log connection%0a%3c @]%0a%3c %0a%3c Replace ip4 and ip6 with the actual IPv4 and IPv6 address you want to listen on. 
Make sure the IPv4 is DDoS-filtered if you have that option.%0a%3c %0a%3c [@%0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c tcp { sack, backlog 128 }%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a%3c }%0a%3c @]%0a%3c %0a%3c Here we define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding it to [[openhttpd/hosting|openhttpd]].%0a%3c %0a%3c We turn on selective acknowledgments and set the maximum queue to 128 connections in the tcp block.%0a%3c %0a%3c We then define the keypair names. Here's where relayd searches for them:%0a%3c %0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Name ||! Public Cert ||! 
Private Key ||%0a%3c || name || /etc/ssl/name:443.crt || /etc/ssl/private/name:443.key ||%0a%3c || service1.example.com || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a%3c || service2.example.com || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a%3c %0a%3c The last two lines forward to the proper service based on the Host HTTP header.%0a%3c %0a%3c [@%0a%3c relay wwwtls {%0a%3c listen on $ip4 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a%3c }%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a%3c }%0a%3c @]%0a%3c %0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a%3c !! 
Complete relayd.conf%0a%3c %0a%3c Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:%0a%3c %0a%3c [@%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a%3c log connection%0a%3c %0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c tcp { sack, backlog 128 }%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a%3c }%0a%3c relay wwwtls {%0a%3c listen on $ip4 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a%3c }%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a%3c }%0a%3c @]%0a%3c %0a%3c !! Login class permissions%0a%3c %0a%3c If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a%3c %0a%3c [@%0a%3c relayd:\%0a%3c :openfiles=4096:\%0a%3c :stacksize-cur=96M:\%0a%3c :stacksize-max=96M:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c Then we must make sure there is no @@login.conf.db@@ database:%0a%3c %0a%3c [@%0a%3c $ doas rm /etc/login.conf.db%0a%3c @]%0a%3c %0a%3c !! Starting relayd%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a%3c @]%0a%3c %0a%3c '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. 
You can enable it by typing:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -e%0a%3c @]%0a%3c %0a%3c To test relayd, we'll use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c %0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c If relayd fails to start, you will see this message:%0a%3c %0a%3c [@%0a%3c relayd(failed)%0a%3c @]%0a%3c %0a%3c First, we check the conf file to see if there are any errors:%0a%3c %0a%3c [@%0a%3c $ doas relayd -n%0a%3c @]%0a%3c %0a%3c When properly configured, relayd will say @@configuration OK@@.%0a%3c %0a%3c Sample errors:%0a%3c %0a%3c # /etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls\\%0a%3c Check line NN. Your keypair may be missing, have the wrong permissions, or are not labeled correctly.%0a%3c # /etc/relayd.conf:NN: syntax error%0a%3c Check line NN for syntax errors.%0a%3c %0a%3c To turn on debugging, first stop any running instances of relayd then run it in the foreground:%0a%3c %0a%3c [@%0a%3c $ doas rcctl stop relayd%0a%3c $ doas relayd -dvv%0a%3c @]%0a%3c %0a%3c -d is for debug and -v is to increase verbosity.%0a%3c %0a%3c !!! %0a%3c %0a%3c [@%0a%3c log connection%0a%3c @]%0a%3c %0a%3c '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c !!! common errors%0a%3c %0a%3c # Make sure httpd is not also listening on port 443%0a%3c # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c # Make sure nsd is set up properly%0a%3c # Make sure znc is listening on port 1338%0a%3c # Make sure packet filter is turned on%0a host:1628324722=38.87.162.8
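Review bot: the @@150,152c153,154@@ hunk of the 1628325508 revision leaves the IPv6 relay in the complete relayd.conf with @@forward to <service2> port 8020 check icmp@@, while the IPv4 relay in the @@143,145c147,148@@ hunk, the earlier relay block in @@106,108c115,116@@ and the commentary in @@112,113c120,121@@ all use port 8002 for service2; 8020 looks like a transposed digit, and IPv6 clients for service2 would be forwarded to a port nothing listens on. Suggest changing that line to @@forward to <service2> port 8002 check icmp@@ so both relays agree.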
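Review bot: in the 1628324722 creation hunk, the Request SSL Certs paragraph says relayd searches @@/etc/ssl/name:port.key@@ for the private key, but the symlink command two lines later creates @@/etc/ssl/private/example.com:443.key@@, and /etc/ssl/private/ is where relayd.conf(5) actually looks for keys; the prose should read @@/etc/ssl/private/name:port.key@@ so a reader who follows the text rather than the command does not leave the key where relayd cannot find it (the later revision's @@/etc/ssl/private/name.key@@ wording gets this right). It is also worth saying that the link target must keep root-only permissions, since the troubleshooting list names wrong permissions as one cause of @@cannot load keypair@@.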
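Review bot: the @@relay wwwtls@@ and @@relay www6tls@@ blocks in the creation hunk use @@check icmp@@ against tables that contain only 127.0.0.1, yet the commentary says this checks whether "the service is available"; an ICMP check only confirms that the loopback address answers, which it always will, so a stopped backend is never marked down and the failure shows up only as client connection errors rather than in @@relayctl show hosts@@. Suggest @@check tcp@@ (or @@check http "/" code 200@@ for the web backends) so relayd probes the forwarded port, and adjusting the sentence to match.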
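Review bot: the "To test relayd, we'll use openssl" step in the creation hunk is followed by an empty @@[@ ... @]@@ block, so the page promises a test it never shows. Suggest filling it with a connection that sets SNI, e.g. @@$ openssl s_client -connect example.com:443 -servername service1.example.com@@, and checking the @@subject=@@ line of the returned certificate for each hostname, since the whole point of the keypair list is that relayd must hand out a different cert per Host.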