IRCNow

Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).

ext_addr="192.168.1.1"
webhost="127.0.0.1"

table <www> { $webhost }
table <bnc> { $webhost }
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Various TCP options
        tcp { sack, backlog 128 }

#       tls { no tlsv1.0, ciphers HIGH }  
#       tls no session tickets
        match request header "Host" value "bnc.ircnow.org" forward to <bnc>
        match request header "Host" value "www.ircnow.org" forward to <www>
}

relay wwwtls {
        # Run as a SSL/TLS accelerator
        listen on $ext_addr port 443 tls
        protocol https

        # Forward to hosts in the table
        forward to <bnc> port 1338 mode loadbalance check icmp
        forward to <www> port 8080 mode loadbalance check icmp
}                                   

You'll need corresponding TLS certs:

# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key
# rcctl enable relayd
# rcctl start relayd

WARNING: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!