omar-polo / gmid

a Gemini server
https://gmid.omarpolo.com
ISC License

Multi-domain reverse proxy #22

Closed d47081 closed 5 months ago

d47081 commented 5 months ago

Hello,

I want to use a single IPv4 address to make a proxy for 2 domains, but on defining 2 servers as in the example I get a certificate mismatch

server "betahowto.duckdns.org" {
    listen on 94.140.114.89 port 1965
    cert "/home/gmid/betahowto.duckdns.org/cert.pem"
    key "/home/gmid/betahowto.duckdns.org/key.rsa"

    proxy {
        relay-to 301:5eb5:f061:678e::b port 1965
        verifyname off
    }
}

server "kevachat.duckdns.org" {
    listen on 94.140.114.89 port 1965
    cert "/home/gmid/kevachat.duckdns.org/cert.pem"
    key "/home/gmid/kevachat.duckdns.org/key.rsa"

    proxy {
        relay-to 201:23b4:991a:634d:8359:4521:5576:15b7 port 1965
        verifyname off
    }
}
d47081 commented 5 months ago

As I understand it, the listen address should be common and the server defined as a child construction, but it doesn't work

omar-polo commented 5 months ago

Hello, thanks for the report.

The configuration seems correct to me.

I believe the certificate error comes from the upstream server, the one listening at the IPv6 addresses. When using an IP address (v4 or v6 doesn't matter) in a relay-to directive, the SNI (the remote server name) is missing and should be specified in the configuration file. I should point this out in the documentation.

Do you still get errors when specifying the remote server name using the sni directive in the proxy block, e.g.:

proxy {
    relay-to 301:5eb5:f061:678e::b port 1965
    verifyname off
    sni "remote-server-name"
}

verifyname off only applies to gmid-the-proxy itself: it won't complain if the certificate used by the upstream server doesn't match what it expects, but it doesn't stop the upstream server from complaining that there's a missing SNI.
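
The point above (an IP literal in relay-to carries no server name, so the upstream sees no SNI unless sni is set) can be checked mechanically. The following is an added lint script, not part of gmid or of this thread; it assumes the simplified configuration syntax shown in the issue and uses a constructed sample based on the two server blocks posted above.

```python
import ipaddress
import re

# Constructed sample modelled on the issue: the first proxy block relays to an IPv6 literal without sni, the second adds it.
SAMPLE_CONF = """\
server "betahowto.duckdns.org" {
    listen on 94.140.114.89 port 1965
    proxy {
        relay-to 301:5eb5:f061:678e::b port 1965
        verifyname off
    }
}
server "kevachat.duckdns.org" {
    listen on 94.140.114.89 port 1965
    proxy {
        relay-to 201:23b4:991a:634d:8359:4521:5576:15b7 port 1965
        verifyname off
        sni "kevachat.duckdns.org"  # name the upstream expects in the ClientHello
    }
}
"""

SERVER_RE = re.compile(r'^server\s+"([^"]+)"\s*\{')
RELAY_RE = re.compile(r'^relay-to\s+(\S+)')
SNI_RE = re.compile(r'^sni\s+"([^"]+)"')

def is_ip_literal(host):
    # An IPv4/IPv6 literal carries no hostname, so nothing can be sent as SNI.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_proxy_sni(conf):
    """Return (server, relay-to target) for each proxy block that relays to an
    IP literal without an sni directive; the upstream then sees no SNI."""
    findings, server, in_proxy = [], None, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if m := SERVER_RE.match(line):
            server = m.group(1)
        elif line.startswith("proxy") and line.endswith("{"):
            in_proxy, relay, sni = True, None, None
        elif in_proxy:
            if m := RELAY_RE.match(line):
                relay = m.group(1)
            elif m := SNI_RE.match(line):
                sni = m.group(1)
            elif line == "}":
                in_proxy = False
                if relay and is_ip_literal(relay) and sni is None:
                    findings.append((server, relay))
    return findings
```

Running lint_proxy_sni(SAMPLE_CONF) flags only the betahowto block; a relay-to that names a host rather than an address is not reported, since the hostname itself can serve as the SNI.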

d47081 commented 5 months ago

Thanks much! It works properly with sni provided!

omar-polo commented 5 months ago

Happy to know that it worked :) I'll try to make the documentation more clear in this regard.

Thanks

d47081 commented 5 months ago

Just one question: how can I define default server case?

Something like default in nginx.

omar-polo commented 5 months ago

Not sure, as I never really considered this use-case, but maybe something like:

server "*" {
    alias "example.com" # eventually
    # ...
}

should do it. It should be put ~last~ first however, otherwise it would match all the requests.

edit: I should document the order in which the servers are matched, and it should probably be inverted too to match the locations, since they currently use a different order from each other.

omar-polo commented 5 months ago

It should be fairly easy to add a keyword (e.g. default server { ... }) for this however, or maybe just use the first if no server was matched.

d47081 commented 5 months ago

Thanks, will try - it seems to be getting the last one in the list.