Thanks.

Look at the PF rules in the relayd table. See what's redirecting from
where to what.

If that all looks ok, there's always tcpdump...

On Wed, Mar 15, 2017 at 11:42:32PM -0700, Dave Cohen wrote:
> Michael,
> 
> Appreciate you chiming in.  I'm a fan of Absolute OpenBSD!
> 
> I'm having trouble reproducing the settings that I originally wrote about.  
> I've tried to restore /etc/relayd.conf and /etc/pf.conf to what they were 
> when I wrote the email.  But right now, neither port 80 nor 443 are 
> redirecting to the other ports.  Earlier, port 80 was working while 443 was 
> not.  I'm at a loss as to why the behavior is not the same as before.
> 
> Despite that trouble, I tried the commands you suggested.  `relayd -dvvv` 
> shows
> 
> $ doas relayd -dvvv
> startup
> socket_rlimit: max open files 1024
> init_filter: filter init done
> init_tables: created 2 tables
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> hce_notify_done: 127.0.0.1 (icmp ok)
> host 127.0.0.1, check icmp (32ms,icmp ok), state unknown -> up, availability 100.00%
> pfe_dispatch_hce: state 1 for host 1 127.0.0.1
> hce_notify_done: 127.0.0.1 (icmp ok)
> host 127.0.0.1, check icmp (33ms,icmp ok), state unknown -> up, availability 100.00%
> pfe_dispatch_hce: state 1 for host 2 127.0.0.1
> table https: 1 added, 0 deleted, 0 changed, 0 killed
> pfe_sync: enabling ruleset
> sync_ruleset: rule added to anchor "relayd/https"
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> table http: 1 added, 0 deleted, 0 changed, 0 killed
> pfe_sync: enabling ruleset
> sync_ruleset: rule added to anchor "relayd/http"
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> ...etc...
> 
> and `relayctl sho sum`
> 
> $ relayctl sho sum
> Id      Type            Name                            Avlblty Status
> 1       redirect        https                                   active
> 1       table           httpshosts:8443                         active (1 hosts)
> 1       host            127.0.0.1                       100.00% up
> 2       redirect        http                                    active
> 2       table           httpshosts:8080                         active (1 hosts)
> 
> 
> -Dave
> 
> On Sun, Mar 12, 2017, at 03:16 PM, Michael W. Lucas wrote:
> > On Sun, Mar 12, 2017 at 09:26:53AM +0100, Salvatore Cuzzilla wrote:
> > > Ciao Dave,
> > > 
> > > I'm also playing with relayd as a L7 gateway and as far as I can see from
> > > your config there is no CA and key configured. In order for HTTPS to work
> > > relayd needs to be able to do TLS inspection and of course you should
> > > redirect all your https traffic to port 8443 (using PF for example). If you
> > > check the pf.conf man page under both the sections RELAYS and Examples you
> > > should be able to find a lot of good hints.
> > 
> > He's using a redirect, not a relay, so it should work just fine. No L7
> > stuff here, only low-level IP.
> > 
> > Dave, looks OK to me. What does relayd -dvvv say? And relayctl sho sum ?
> > 
> > -- 
> > Michael W. Lucas    Twitter @mwlauthor 
> > nonfiction: https://www.michaelwlucas.com/
> > fiction: https://www.michaelwarrenlucas.com/
> > blog: http://blather.michaelwlucas.com/

-- 
Michael W. Lucas    Twitter @mwlauthor 
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
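
Added example, not part of the thread or written by its participants: a small sh script that turns `relayctl show summary` output into the list of pf anchors to inspect, following the advice above to look at the PF rules relayd installed. The sample input is constructed in the format shown in the quoted message; the function names are hypothetical, and the pf table name is assumed to equal the redirect name, as the `table http: 1 added` log line suggests.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE is constructed, copying the
# `relayctl show summary` format from the quoted message.
SAMPLE='Id      Type            Name                            Avlblty Status
1       redirect        https                                   active
1       table           httpshosts:8443                         active (1 hosts)
1       host            127.0.0.1                       100.00% up
2       redirect        http                                    active
2       table           httpshosts:8080                         active (1 hosts)'

# Read a summary on stdin; print "anchor status up-host-count" per redirect.
# relayd logs 'rule added to anchor "relayd/<name>"', so the anchor is derived
# from the redirect name.
redirect_report() {
    awk '
        function emit() { if (name != "") print "relayd/" name, status, up }
        $2 == "redirect" { emit(); name = $3; status = $4; up = 0 }
        $2 == "host" && $NF == "up" { up++ }
        END { emit() }
    '
}

# Anchors whose redirect lists no host as "up" in the summary.
anchors_without_up_host() {
    redirect_report | awk '$3 == 0 { print $1 }'
}

# Live use on the OpenBSD host (pfctl needs root): show what each anchor
# redirects from where to what, and which hosts its table holds.
# Assumption: the pf table carries the redirect's name.
inspect_live() {
    relayctl show summary | redirect_report | while read -r anchor status up; do
        echo "== $anchor ($status, $up host(s) up)"
        pfctl -a "$anchor" -sr
        pfctl -a "$anchor" -t "${anchor#relayd/}" -T show
    done
}

if command -v relayctl >/dev/null 2>&1 && command -v pfctl >/dev/null 2>&1; then
    inspect_live
else
    # No relayd here: run the parser over the constructed sample instead.
    printf '%s\n' "$SAMPLE" | redirect_report
fi
```

If the rules and tables look right, `tcpdump` on the listening interface and on the loopback port is the next check, as the reply says.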
