OpenBSD httpd & relayd reverse proxy configuration
# acme-client.conf(5): the ACME account used by every "sign with letsencrypt"
# below. The account key authorizes certificate requests for these domains,
# so it belongs to root only; acme-client refuses world-readable key files.
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}
# example.net
# acme-client.conf(5): one certificate covering example.net and www.example.net.
# "domain key" / "domain certificate" are the paths relayd's
# `tls keypair "example.net"` loads (/etc/ssl/private/NAME.key, /etc/ssl/NAME.crt);
# the full chain (leaf + intermediate) is written to the separate .fullchain.pem.
domain example.net {
	alternative names { www.example.net }
	domain key "/etc/ssl/private/example.net.key"
	domain certificate "/etc/ssl/example.net.crt"
	domain full chain certificate "/etc/ssl/example.net.fullchain.pem"
	sign with letsencrypt
}
# moreexamples.com
# acme-client.conf(5): one certificate covering moreexamples.com and its www
# alias, using the same NAME.key / NAME.crt / NAME.fullchain.pem layout as
# example.net so relayd's `tls keypair "moreexamples.com"` finds the files.
domain moreexamples.com {
	alternative names { www.moreexamples.com }
	domain key "/etc/ssl/private/moreexamples.com.key"
	domain certificate "/etc/ssl/moreexamples.com.crt"
	domain full chain certificate "/etc/ssl/moreexamples.com.fullchain.pem"
	sign with letsencrypt
}
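# toomanyexamples.com
# acme-client.conf(5): one certificate covering toomanyexamples.com and its
# www alias. Two lines previously read "toomanyexampless.com" (double s):
# the alternative name, which would have asked Let's Encrypt to validate a
# different registrable domain and fail (or issue for the wrong site), and
# the full-chain path. Both now use the same base name as the key, the
# certificate and the relayd Host rules for this site.
domain toomanyexamples.com {
	alternative names { www.toomanyexamples.com }
	domain key "/etc/ssl/private/toomanyexamples.com.key"
	domain certificate "/etc/ssl/toomanyexamples.com.crt"
	domain full chain certificate "/etc/ssl/toomanyexamples.com.fullchain.pem"
	sign with letsencrypt
}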
# HTTP-01 challenge for Let's Encrypt
# https://letsencrypt.org/docs/challenge-types/
# httpd.conf(5): loopback-only listener that relayd's <acme> table points at.
# "request strip 2" removes the first two path components, so
# /.well-known/acme-challenge/TOKEN is looked up as /TOKEN under root "/acme"
# (relative to httpd's chroot, /var/www by default — i.e. /var/www/acme,
# where acme-client drops the challenge files). relayd only routes
# acme-challenge paths here, but any local process can reach :8080 directly
# and gets httpd's default root for other paths.
server "*" {
	listen on 127.0.0.1 port 8080
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
# servers
# relayd.conf(5): backend tables. <acme> is the loopback httpd above and only
# ever receives ACME challenge requests; <server1> / <server2> are LAN web
# servers. Every relay below forwards to them on port 80 without TLS, so the
# backend leg is cleartext on the LAN — that segment has to be trusted, or
# the forwards changed to TLS to the backend.
table <acme> { 127.0.0.1 }
table <server1> { 192.168.1.64 }
table <server2> { 192.168.1.65 }
# log host up/down transitions and one line per relayed connection
log state changes
log connection
# relayd.conf(5): rule set for the cleartext relay "http_proxy". Rules are
# evaluated top to bottom; "quick" stops evaluation at the first matching
# pass rule, and the trailing "block request" rejects every Host this
# config does not list. Note that the sites which also have TLS keypairs
# (example.net, moreexamples.com, toomanyexamples.com) are still served in
# cleartext here — nothing redirects them to https.
http protocol "http" {
	# log some request details (Host, client address, UA, referer, URL)
	match header log "Host"
	match header log "X-Forwarded-For"
	match header log "User-Agent"
	match header log "Referer"
	# "url log" records the whole request URL; if any site passes tokens
	# in the query string they land in the relay log as well
	match url log
	# headers passed to the httpd servers. "set" overwrites whatever the
	# client sent, so a backend that only sees traffic through this relay
	# can trust X-Forwarded-For / X-Forwarded-Proto; a backend reachable
	# directly on the LAN can still be handed forged ones by a LAN client.
	match request header set "X-Forwarded-Proto" value "http"
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Forwarded" value "by=$SERVER_ADDR:$SERVER_PORT;for=$REMOTE_ADDR;host=$HOST;proto=http"
	# ACME HTTP-01 challenges for every Host go to the local httpd; this rule
	# has to stay ahead of the per-Host rules so renewals keep working
	pass request quick path "/.well-known/acme-challenge/*" forward to <acme>
	# route by Host header (every table used here also needs a matching
	# "forward to" in the relay)
	# See: https://serverfault.com/questions/856807/openbsd-how-to-use-relayd-and-httpd-for-redirecting-subdomain-requests
	# example.org
	pass request quick header "Host" value "example.org" forward to <server2>
	pass request quick header "Host" value "www.example.org" forward to <server2>
	pass request quick header "Host" value "mirrors.example.org" forward to <server2>
	pass request quick header "Host" value "tools.example.org" forward to <server2>
	pass request quick header "Host" value "svn.example.org" forward to <server2>
	# example.net
	pass request quick header "Host" value "example.net" forward to <server1>
	pass request quick header "Host" value "www.example.net" forward to <server1>
	# example.com
	pass request quick header "Host" value "example.com" forward to <server1>
	pass request quick header "Host" value "www.example.com" forward to <server1>
	pass request quick header "Host" value "code.example.com" forward to <server1>
	pass request quick header "Host" value "store.example.com" forward to <server1>
	# anotherexample.com
	pass request quick header "Host" value "anotherexample.com" forward to <server1>
	pass request quick header "Host" value "www.anotherexample.com" forward to <server1>
	# example.info
	pass request quick header "Host" value "example.info" forward to <server1>
	pass request quick header "Host" value "www.example.info" forward to <server1>
	# moreexamples.com
	pass request quick header "Host" value "moreexamples.com" forward to <server1>
	pass request quick header "Host" value "www.moreexamples.com" forward to <server1>
	# toomanyexamples.com
	pass request quick header "Host" value "toomanyexamples.com" forward to <server1>
	pass request quick header "Host" value "www.toomanyexamples.com" forward to <server1>
	# anything else: return an error rather than forwarding to a default backend
	block request
}
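# relayd.conf(5): rule set for the TLS relay "https_proxy". relayd terminates
# TLS with the keypairs below and forwards plain HTTP to <server1>. No tls
# options are given, so relayd's defaults for protocols and ciphers apply.
http protocol "https" {
	# Let's Encrypt certificates. A keypair named NAME is loaded from
	# /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key — the acme-client
	# "domain certificate" / "domain key" paths — and the client's SNI
	# selects which one is presented.
	# NOTE(review): acme-client writes only the leaf to NAME.crt and the
	# intermediate chain to NAME.fullchain.pem. Confirm that clients which do
	# not fetch intermediates themselves still validate the chain, or have
	# acme-client write the full chain to the .crt path relayd reads.
	# example.net
	tls keypair "example.net" # example.net, www.example.net
	tls keypair "moreexamples.com" # moreexamples.com, www.moreexamples.com
	# was "toomanyexampless.com" (double s): acme-client never writes a file
	# by that name, so relayd could not load the keypair for this site
	tls keypair "toomanyexamples.com" # toomanyexamples.com, www.toomanyexamples.com
	# log some request details (Host, client address, UA, referer, URL —
	# the URL includes any query string, so treat the log accordingly)
	match header log "Host"
	match header log "X-Forwarded-For"
	match header log "User-Agent"
	match header log "Referer"
	match url log
	# headers passed to the httpd servers. "set" overwrites whatever the
	# client sent; X-Forwarded-Proto "https" is the only way <server1>
	# can learn that the client leg was TLS, since it receives plain HTTP.
	match request header set "X-Forwarded-Proto" value "https"
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Forwarded" value "by=$SERVER_ADDR:$SERVER_PORT;for=$REMOTE_ADDR;host=$HOST;proto=https"
	# route by Host header (every table used here also needs a matching
	# "forward to" in the relay); "quick" stops at the first match
	# See: https://serverfault.com/questions/856807/openbsd-how-to-use-relayd-and-httpd-for-redirecting-subdomain-requests
	# example.net
	pass request quick header "Host" value "example.net" forward to <server1>
	pass request quick header "Host" value "www.example.net" forward to <server1>
	# moreexamples.com
	pass request quick header "Host" value "moreexamples.com" forward to <server1>
	pass request quick header "Host" value "www.moreexamples.com" forward to <server1>
	# toomanyexamples.com
	pass request quick header "Host" value "toomanyexamples.com" forward to <server1>
	pass request quick header "Host" value "www.toomanyexamples.com" forward to <server1>
	# anything else (including Hosts that only exist in the "http" protocol):
	# return an error rather than forwarding to a default backend
	block request
}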
# relayd.conf(5): cleartext listener on the LAN-facing address. Every table
# that a pass rule in protocol "http" forwards to must be listed here as a
# "forward to", which is why <acme>, <server2> and <server1> all appear;
# the protocol's rules, not the order of these lines, pick the backend.
relay "http_proxy" {
	listen on 192.168.1.32 port 80
	protocol "http"
	forward to <acme> port 8080
	forward to <server2> port 80
	forward to <server1> port 80
}
# relayd.conf(5): TLS listener. "tls" makes relayd terminate TLS here using
# the keypairs declared in protocol "https"; the backend leg to <server1>
# is plain HTTP on port 80, so any "is this request HTTPS" decision on the
# backend has to come from the X-Forwarded-Proto header that protocol sets,
# not from the socket it arrived on. <server1> is the only backend the
# "https" protocol forwards to, so it is the only "forward to" needed.
relay "https_proxy" {
	listen on 192.168.1.32 port 443 tls
	protocol "https"
	forward to <server1> port 80
}