Migrating my servers to OpenBSD – Update
This post was published on 16 Mar 2025
Yesterday, I made a blog post detailing how I went about moving my websites / servers over to OpenBSD using both httpd and relayd to loadbalance between the VPS and a server connected to the VPS via WireGuard. One of my main problems was that I was seemingly unable to make relayd route traffic to the correct webserver depending on hostname despite having pass request header "Host" value "domain.tld" forward to <server_table> statements for every domain. However, almost immediately after posting my blog post on Mastodon, I was told by a very nice critter that it absolutely does work the way that I had intended it to work and they even sent me their old relayd.conf and httpd.conf files. I tried it out and it … just worked. I have absoutely no clue what I did wrong the first time I tried this, but the configuration now looks so much nicer and less convoluted, so I am very happy about that!
I had to go into my httpd.conf and change the listening ports of every one of my virtual hosts to the same one (I used port 10000). I also had to make sure they all had the correct name and I added an alias for every domain for the www.* subdomain as well. I then also had to remove all but one of each table in the relayd.conf and make sure the relay always forwarded things to port 10000 instead of a different port for every domain. I would still like to know why my first attempt at this did not work, but I guess I must’ve missed something probably quite minor yet still important. The end result was as follows:
relayd.conf
table <webservers> { 10.5.0.11 localhost }
table <acme> { localhost }
http protocol "http_acme" {
block request header "Host" value "*"
# == DOMAIN1.TLD == #
pass request header "Host" value "domain1.tld" forward to <acme>
pass request header "Host" value "www.domain1.tld" forward to <acme>
# == DOMAIN2.TLD == #
pass request header "Host" value "domain2.tld" forward to <acme>
pass request header "Host" value "www.domain2.tld" forward to <acme>
}
http protocol "https" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
block request header "Host" value "*"
tls keypair "domain1.tld"
tls keypair "domain2.tld"
# == DOMAIN1.TLD == #
pass request header "Host" value "domain1.tld" forward to <webservers>
pass request header "Host" value "www.domain1.tld" forward to <webservers>
# == DOMAIN2.TLD == #
pass request header "Host" value "domain2.tld" forward to <webservers>
pass request header "Host" value "www.domain2.tld" forward to <webservers>
}
# === HTTP RELAY ===#
relay "http_relay" {
listen on $ipv4 port 80
listen on $ipv6 port 80
protocol "http_acme"
forward to <acme> port 10000
}
# === HTTPS RELAY ===#
relay "https_relay" {
listen on $ipv4 port 443 tls
protocol "https"
forward to <webservers> port 10000 mode loadbalance check tcp
}
relay "https_relay_v6" {
listen on $ipv6 port 443 tls
protocol "https"
forward to <webservers> port 10000 mode loadbalance check tcp
}
httpd.conf
server "domain1.tld" {
alias "www.domain1.tld"
listen on localhost port 10000
root "/htdocs/domain1.tld"
location "/.well-known/acme-challenge/*" {
root "/htdocs/acme"
request strip 2
}
}
server "domain2.tld" {
alias "www.domain1.tld"
listen on localhost port 10000
root "/htdocs/domain2.tld"
location "/.well-known/acme-challenge/*" {
root "/htdocs/acme"
request strip 2
}
}
As you can tell, this look way cleaner than the previous config I had where I had to not only have a different port for every website, but also a different table and a different forward to statement in the relayd.conf in addition to that which made the entire config really long and confusing (at least in my opinion). This way, it looks much nicer and adding a new website is much less of a hassle than it was before! There are still a handful of things that I am not quite sure how to fix, especially HTTP -> HTTPS redirection, everything I have tried so far either makes the websites stop functioning (too many redirect errors) or makes it so that even the ACME directory is always served through HTTPS. I guess I still have some stuff to play around with!
