On Mon, October 10, 2016 6:01 am, Radek wrote:
>
> The second thing to do is enabling websites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have
> to configure man-in-the-middle "TLS inspection" mode to enable TLS
> connection using these certs again.
> Am I right?
>

No. TLS inspection doesn't work that way. It's for LAN systems connecting out through the relayd server to sites on the internet. It doesn't work in the other direction. You would have needed to use 'forward to destination' in place of 'forward to <www_101>' but that original destination will be the relayd machine again as it's IP based, not domain name based. You need one certificate that matches all of your web site hostnames and configure relayd as a TLS server as you had it.

Tim.

> I did the following conf:
>
> #grep divert /etc/pf.conf
> pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 8443
>
> #openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
> #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt
>
> #ls -la /etc/ssl/*.crt
> -rwxr-x---  1 root  _relayd  1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
> -rwxr-x---  1 root  _relayd  1371 Oct  6 13:11 /etc/ssl/ca.crt
>
> #ls -la /etc/ssl/private/*.key
> -rwxr-x---  1 root  _relayd  1704 Oct 10 09:29 /etc/ssl/private/127.0.0.1.key
> -rwxr-x---  1 root  _relayd  1858 Oct  6 13:11 /etc/ssl/private/ca.key
>
> #cat /etc/relayd.conf
> ext_addr="msk0"
> host1="10.0.30.101"
> host2="10.0.30.201"
>
> table <www_101> { $host1 }
> table <www_201> { $host2 }
>
> http protocol "web_one" {
>     return error
>     pass request header "Host" value "1.domain.com" forward to <www_101>
>     pass request header "Host" value "2.domain.com" forward to <www_101>
>     pass request header "Host" value "3.domain.com" forward to <www_101>
>
>     pass request header "Host" value "4.domain.com" forward to <www_201>
>     pass request header "Host" value "5.domain.com" forward to <www_201>
>     pass request header "Host" value "6.domain.com" forward to <www_201>
> }
>
> http protocol "web_tls" {
>     return error
>     pass request header "Host" value "1.domain.com" forward to <www_101>
>     pass request header "Host" value "2.domain.com" forward to <www_101>
>     pass request header "Host" value "3.domain.com" forward to <www_101>
>
>     pass request header "Host" value "4.domain.com" forward to <www_201>
>     pass request header "Host" value "5.domain.com" forward to <www_201>
>     pass request header "Host" value "6.domain.com" forward to <www_201>
>     tls tlsv1
>     tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
>     tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay relay_one {
>     listen on $ext_addr port 80
>     protocol "web_one"
>     forward to <www_101> check tcp port 80
>     forward to <www_201> check tcp port 80
> }
>
> relay relay_tls {
>     listen on 127.0.0.1 port 8443 tls
>     protocol "web_tls"
>     forward with tls to <www_101> check tcp port 443
>     forward with tls to <www_201> check tcp port 443
> }
>
>
> #relayctl show relays
> Id   Type   Name        Avlblty   Status
> 1    relay  relay_one             active
> 2    relay  relay_tls             active
>
> #relayctl show summary
> Id   Type   Name          Avlblty   Status
> 1    relay  relay_one               active
> 1    table  www_101:80              active (1 hosts)
> 1    host   10.0.30.101   100.00%   up
> 2    table  www_201:80              active (1 hosts)
> 2    host   10.0.30.201   100.00%   up
> 2    relay  relay_tls               active
> 3    table  www_101:443             active (1 hosts)
> 3    host   10.0.30.101   100.00%   up
> 4    table  www_201:443             active (1 hosts)
> 4    host   10.0.30.201   100.00%   up
>
> Websites (https://4.domain, https://5.domain, https://6.domain) started to
> show the content of 1.domain.com
>
> If I changed the order of "forward" websites (https://1.domain,
> https://2.domain, https://3.domain) started to show content of
> 4.domain.com
>
> relay relay_tls {
>     listen on 127.0.0.1 port 8443 tls
>     protocol "web_tls"
>     forward with tls to <www_201> check tcp port 443
>     forward with tls to <www_101> check tcp port 443
> }
>
> All domains use relay_machine's certificate instead of the specific
> domain's cert.
>
> What am I doing wrong?
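As an added example (not part of this thread and not relayd's own tooling), a Python check for the point Tim makes: the single certificate relayd serves must cover every Host value the config routes on. It pulls the Host rules out of a constructed copy of the web_tls protocol above and reports the hostnames no subjectAltName entry matches; the SAN lists are constructed, and in practice would be copied from the certificate as shown by `openssl x509 -in <cert> -noout -text`.

```python
import re

# Constructed sample: the Host rules from the relayd.conf quoted in the thread.
RELAYD_CONF = '''
http protocol "web_tls" {
    return error
    pass request header "Host" value "1.domain.com" forward to <www_101>
    pass request header "Host" value "2.domain.com" forward to <www_101>
    pass request header "Host" value "3.domain.com" forward to <www_101>
    pass request header "Host" value "4.domain.com" forward to <www_201>
    pass request header "Host" value "5.domain.com" forward to <www_201>
    pass request header "Host" value "6.domain.com" forward to <www_201>
}
'''

HOST_RULE = re.compile(r'pass\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"')


def routed_hostnames(conf: str) -> list[str]:
    """Host values relayd routes on, lower-cased, in file order, without duplicates."""
    names: list[str] = []
    for name in HOST_RULE.findall(conf):
        if name.lower() not in names:
            names.append(name.lower())
    return names


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a leftmost '*' label covering exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        s_labels, h_labels = san.split("."), hostname.split(".")
        # The wildcard never spans a dot, so label counts must agree.
        return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]
    return False


def uncovered_hostnames(conf: str, san_names: list[str]) -> list[str]:
    """Hostnames from the config that no SAN entry of the single server cert matches."""
    return [h for h in routed_hostnames(conf)
            if not any(san_matches(s, h) for s in san_names)]


if __name__ == "__main__":
    # A cert naming only one site leaves the other five uncovered (the symptom in the thread);
    # one SAN wildcard for the zone, or one SAN entry per site, covers them all.
    print(uncovered_hostnames(RELAYD_CONF, ["1.domain.com"]))
    print(uncovered_hostnames(RELAYD_CONF, ["*.domain.com"]))
```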