Try this for relayd.conf:

    table <web> { 127.0.0.1 }

    http protocol httpfilter {
            return error

            match request header "Host" value "www.openbsd.org" tag "HOST_OK"
            block request
            pass tagged "HOST_OK"
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to <web> port 8081
    }

________________________________________
From: owner-m...@openbsd.org <owner-m...@openbsd.org> on behalf of Anthony J. Bentley <anth...@anjbe.name>
Sent: Wednesday, June 19, 2019 4:19 AM
To: misc@openbsd.org
Subject: Transparent 301-to-https redirection with relayd

Hi,

I have relayd configured as a basic HTTP pass-through:

    http protocol httpfilter {
            return error
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to destination
    }

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

    server "httpfilter" {
            listen on localhost port 8081
            block return 301 "https://$HTTP_HOST$REQUEST_URI"
    }

The idea is to check the host header and if it matches my whitelist, send
it to httpd which will force a redirect to https before ever leaving the
LAN.

I don't understand relayd configuration too well. I tried this:

    table <web> { 127.0.0.1 }

    http protocol httpfilter {
            return error
            match request header "Host" value "www.openbsd.org" forward to <web>
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to destination
            forward to <web> port 8081
    }

It seems to do what I want:

    $ ftp -o - http://www.openbsd.org/ >/dev/null
    Trying 129.128.5.194...
    Requesting http://www.openbsd.org/
    Redirected to https://www.openbsd.org/
    Trying 129.128.5.194...
    Requesting https://www.openbsd.org/
    4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

    $ ftp -o - http://neverssl.com/ >/dev/null
    Trying 13.33.67.177...
    Requesting http://neverssl.com/
    Redirected to https://neverssl.com/
    Trying 13.33.67.177...
    Requesting https://neverssl.com/
    ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere closer to
redirecting only whitelisted domains. I must be missing something, but
what?

-- 
Anthony J. Bentley