Hi Bryan,

I know that scenario, but I want to serve an individual certificate for every virtual host (httpd can do that), so I was looking for a simple relay by looking at the header, but I might not be able to get it to work this way :(



On 20.09.2017 at 14:10, Bryan Harris wrote:
I don't think you can know the host header unless you decrypt the https
using a certificate.  It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd.  (I could be wrong about that.)

In mine I have listen on $ext_addr port 443 tls.  Then there is an
/etc/ssl/ipaddr:443.crt file.  Look at the phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).

The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.

https://www.michaelwlucas.com/tools/relayd

V/r,
Bryan

On Wed, Sep 20, 2017 at 4:37 AM, rosjat <ros...@ghweb.de> wrote:

There is of course a tls too much in the config.

It's just

relay "proxyssl" {
         listen on $gateway  port https
         protocol "httpproxy"

         forward to <new-webserver>  port https
}


On 20.09.2017 at 10:19, rosjat wrote:

Hi there,

Just a simple question about the relaying of https connections. Is it
possible to simply pass the https traffic to the webserver with relayd? My
naive approach was simply checking the host name in the header and then
forwarding it to the http or https port. This works for http, but with https it
doesn't.


here are my relayd.conf parts


http protocol "httpproxy" {
        match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
        match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>
}

relay "proxy" {
        listen on $gateway port http
        protocol "httpproxy"

        forward to <new-webserver> port http
        forward to <old-webserver> port http
}

relay "proxyssl" {
         listen on $gateway  port https
         protocol "httpproxy"

         forward to <new-webserver>  port https tls
}

With this I don't get a relay for https, it seems; if I add tls to the
listen part I got told relayd can't find the certificates. And that is
totally understandable because there are no certs on this machine for these
domains, because they are on the webserver machine.


So it all boils down to the question: do I have to set up my certificates
on the relay host to be able to use an https relay?


regards



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT


