From: Mischa <openbsd@mlst.nl>
Subject: Re: relayd: support multiple resolvable addresses
To: tech@openbsd.org, rafael@sizeofvoid.org
Date: Sat, 02 May 2026 17:08:18 +0200

Hi Kirill,

Just to make sure, it's confirmed to be working as expected in -current.

Mischa


On 2026-05-02 14:23, Mischa wrote:
> Hi Kirill,
> 
> I tried the patch and when using "tls keypair" it doesn't like it.
> Snippet of the config I used:
> 
> ###
> local_v4="46.23.xx.xx"
> local_v6="2a03:6000:xx.::x"
> table <localhost> { 127.0.0.1 }
> 
> http protocol httpsfilter {
>         tcp { nodelay, sack }
>         tls keypair example.com
>         tls { ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384", ecdhe "default", no client-renegotiation }
> }
> relay default_tls {
>         listen on $local_v4 port 443 tls
>         listen on $local_v6 port 443 tls
>         protocol httpsfilter
>         forward to <localhost> port 443
> }
> ###
> 
> Mischa
> 
> On 2026-05-02 13:43, Kirill A. Korinsky wrote:
>> On Sat, 02 May 2026 11:16:13 +0200,
>> Chris Narkiewicz <hello@ezaquarii.com> wrote:
>>> 
>>> On Mon, Apr 06, 2026 at 11:33:21AM +0200, Kirill A. Korinsky wrote:
>>> > Here I changed the parser to create a dedicated listener for each address
>>> > discovered and configured on a local interface.
>>> 
>>> Update to /etc/examples/relayd.conf would be nice touch.
>>> 
>> 
>> That is actually a good suggestion. I'm not sure how to make it, but the
>> most natural way is something like that:
>> 
>> Index: etc/examples/relayd.conf
>> ===================================================================
>> RCS file: /home/cvs/src/etc/examples/relayd.conf,v
>> diff -u -p -r1.6 relayd.conf
>> --- etc/examples/relayd.conf	29 Oct 2023 11:27:11 -0000	1.6
>> +++ etc/examples/relayd.conf	2 May 2026 11:41:39 -0000
>> @@ -2,7 +2,6 @@
>>  #
>>  # Macros
>>  #
>> -ext_addr="192.168.1.1"
>>  webhost1="10.0.0.1"
>>  webhost2="10.0.0.2"
>>  sshhost1="10.0.0.3"
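Review bot: deleting the `ext_addr` macro is only safe if no `$ext_addr` reference survives anywhere in relayd.conf; the three later hunks replace the uses in `redirect www`, `relay wwwtls` and `relay sshgw`, but any use outside the shown context would now make the example fail to parse, so a grep over the whole file before committing is worth it. The `# Macros` header comment could also gain a line saying that listeners now use the `egress` interface group instead of a fixed external address, since that is the point of the change.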
>> @@ -24,7 +23,7 @@ table <fallback> { 127.0.0.1 }
>>  # Services will be mapped to a rdr rule.
>>  #
>>  redirect www {
>> -	listen on $ext_addr port http interface trunk0
>> +	listen on egress port http
>> 
>>  	# tag every packet that goes thru the rdr rule with RELAYD
>>  	pftag RELAYD
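Review bot: the replacement line drops the `interface trunk0` qualifier together with the address, so the example no longer shows the `interface` option of a redirect `listen on` rule at all. If the qualifier is redundant once an interface group is named, a short comment saying so would keep the example from looking like it lost functionality; otherwise keep `interface trunk0` on the new line. A comment that `egress` resolves to every address on the egress group (per the parser change described earlier in this thread, one listener per configured address) would also make clear that this rdr rule now applies to all of them rather than the single `192.168.1.1` the macro held.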
>> @@ -51,7 +50,7 @@ http protocol https {
>> 
>>  relay wwwtls {
>>  	# Run as a TLS accelerator
>> -	listen on $ext_addr port 443 tls
>> +	listen on egress port https tls
>>  	protocol https
>> 
>>  	# Forward to hosts in the webhosts table using a src/dst hash
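Review bot: `port 443` becomes `port https` on the same line that swaps `$ext_addr` for `egress`, which is an unrelated cosmetic rename bundled into the listener change; either leave the port as `443` (the `sshgw` hunk keeps its literal `2222`) or mention the rename separately, so the diff stays limited to the address change. The `# Run as a TLS accelerator` comment above could also note that with `egress` the relay now terminates TLS on every egress address, which is exactly the configuration shape (`tls` listeners on more than one address) that Mischa reported problems with when combined with `tls keypair`, so this example is worth testing with a keypair configured.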
>> @@ -69,7 +68,7 @@ protocol sshtcp {
>> 
>>  relay sshgw {
>>  	# Run as a simple TCP relay
>> -	listen on $ext_addr port 2222
>> +	listen on egress port 2222
>>  	protocol sshtcp
>> 
>>  	# Forward to the shared carp(4) address of an internal gateway
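Review bot: this listener now binds the plain TCP SSH relay on every egress address instead of the one fixed `192.168.1.1`; the `# Run as a simple TCP relay` comment should say so, since readers copying the example get port 2222 reachable on all external addresses (IPv6 ones included, if the egress interface carries any) rather than on one. Keeping the literal port here, as this hunk does, is the right call and should be matched in the `wwwtls` hunk.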