Hello Misc,

Full config at end of email.

I've discussed the below in #openbsd on freenode, and was told to come
here. At present, I have a setup where I need multiple unrelated
servers under a single IP address. I used relayd to do https
interception, read the Host header, and make decisions.

The very relevant part of my config is this:

forward to <httpback> port 80
forward with tls to <httpsback> port 443

The order here does not matter (unlike most relayd configs, I know,
but I've tested in my configuration and it works).

When I have "with tls" on that second line, I see error lines like:
relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, TLS handshake error: handshake failed: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred, GET: Undefined error: 0

and, unhelpfully, relayd responds with no response. There is no
return. Or, as curl puts it: curl: (52) Empty reply from server

When I remove "with tls" then I successfully reach the http backend,
but since the https backend requires ssl, that connection no longer
works. So it seems that "with tls" affects all "forward" clauses, not
just the one to which it's attached.

I believe this to be a bug.

# quoted delimiter so the shell leaves the $REMOTE_ADDR etc. macros for relayd
cat >/etc/relayd.conf <<'EOF'
table <httpsback> { "10.0.0.101" }
table <httpback> { "10.0.0.102" }
# obviously obfuscated some values

interval 5
timeout 1000

log connection

http protocol web {
	return error

	# tell the backends who the real client is
	match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
	match header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

	http websockets
	# route on the Host header; each rule selects its own backend table
	pass request quick header "Host" value "myhost.example.com" path "/Client/*" forward to <httpsback>
	pass request quick header "Host" value "otherhost.example.com" forward to <httpback>

	block
}

relay web {
	listen on 10.0.0.100 port 443 tls
	protocol web

	forward to <httpback> port 80 check http "/webservice.asmx" code 405
	forward with tls to <httpsback> port 443 check https "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
}
EOF
