> On Jun 11, 2020, at 4:28 PM, Toyam Cox <aviator45...@gmail.com> wrote:
> 
> Hello Misc,
> 
> Full config at end of email.
> 
> I've discussed the below in #openbsd on freenode, and was told to come
> here. At present, I have a setup where I need multiple unrelated
> servers under a single IP address. I used relayd to do https
> interception, read the Host header, and make decisions.
> 
> The very relevant part of my config is this:
> 
> forward to <httpback> port 80
> forward with tls to <httpsback> port 443
> 
> The order here does not matter (unlike most relayd configs, I know,
> but I've tested in my configuration and it works).
> 
> When I have "with tls" on that second line, I see error lines like:
> relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, TLS
> handshake error: handshake failed: error:14FFF3E7:SSL
> routines:(UNKNOWN)SSL_internal:unknown failure occurred, GET:
> Undefined error: 0
> 
> and, unhelpfully, relayd responds with no response. There is no
> return. Or, as curl puts it: curl: (52) Empty reply from server
> 
> When I remove "with tls" then I successfully reach the http backend,
> but since the https backend requires ssl, that connection no longer
> works. So it seems that "with tls" affects all "forward" clauses, not
> just the one to which it's attached.
> 
> I believe this to be a bug.
> 
> cat >/etc/relayd.conf <<EOF
> table <httpsback> { "10.0.0.101" }
> table <httpback> { "10.0.0.102" }
> # obviously obfuscated some values
> 
> interval 5
> timeout 1000
> 
> log connection
> 
> http protocol web {
> return error
> 
> match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
> match header set "X-Forwarded-For" value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> 
> http websockets
> pass request quick header "Host" value "myhost.example.com" path "/Client/*" forward to <httpsback>
> pass request quick header "Host" value "otherhost.example.com" forward to <httpback>
> 
> block
> }
> 
> relay web {
> listen on 10.0.0.100 port 443 tls
> protocol web
> 
> forward to <httpback> port 80 check http "/webservice.asmx" code 405
> forward with tls to <httpsback> port 443 check https "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
> }
> EOF
> 

Not to change topics too drastically :)

Consider running the backend connection over a different encrypted transport, 
such as mesh iked(8) or upcoming wg(4).  It's super easy to set up, and 
compatible with the other server OS.  Go further into the “SDN realm” with 
everything encapsulated in vxlan(4) for even more flexibility, including 
long-haul internet endpoints across varying firewall and NAT designs.  Pimp out 
the configs of your networking groups’ routers to de-encapsulate and decrypt 
the traffic for even more performance and compatibility.  Anything is possible 
as a front-end relay server with OpenBSD.

Why?  Well, for one, you save on many rounds of TLS negotiation.  Upcoming 
performance enhancements to the networking stack will only help scale this 
method of relaying to more and more acceptable levels compared to non-encrypted 
networking.  My subjective net gain is simplicity, security, performance, and 
flexibility.

-Brian
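As an added illustration of the approach Brian sketches (this is not configuration from the thread or from the OpenBSD project; the tunnel addresses, endpoint addresses, UDP port and key placeholders are assumptions), here is what the relayd host's wg(4) interface could look like, together with the relayd forward lines once both backends are reached over the tunnel and relayd speaks plain HTTP to them. It assumes the backend that currently requires TLS is reconfigured to also serve plain HTTP on its tunnel address, which is the point of moving encryption into the transport.

```conf
# /etc/hostname.wg0 on the relayd host (added example; every address, port
# and key below is a placeholder, not a value from the thread).
# Generate the private key with:   openssl rand -base64 32
# After "up", read this host's public key from the wgpubkey field of
# "ifconfig wg0" and configure it on each backend's WireGuard peer entry.
wgkey <relay-host-private-key-base64> wgport 51820
# One peer per backend.  wgaip is the only source address the peer may use
# inside the tunnel, so a backend cannot spoof the other backend's address.
wgpeer <httpsback-public-key-base64> wgendpoint 192.0.2.101 51820 wgaip 10.7.0.101/32
wgpeer <httpback-public-key-base64>  wgendpoint 192.0.2.102 51820 wgaip 10.7.0.102/32
inet 10.7.0.100/24
up

# /etc/relayd.conf, changed parts only (added example).  Both tables now
# point at tunnel addresses and both forwards are plain HTTP, so neither
# forward needs "with tls"; the client-facing listener keeps its TLS.
table <httpsback> { "10.7.0.101" }
table <httpback>  { "10.7.0.102" }

relay web {
        listen on 10.0.0.100 port 443 tls
        protocol web

        forward to <httpback> port 80 check http "/webservice.asmx" code 405
        forward to <httpsback> port 80 check http "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
}
```

To check it: "ifconfig wg0" prints the interface's wgpubkey and, per peer, the last handshake time, so a peer with no handshake has a key or endpoint mismatch; "relayctl show hosts" confirms the health checks succeed over the tunnel; and "tcpdump -ni wg0 port 80" shows the backend traffic as plain HTTP inside the tunnel while the underlying UDP on the physical interface stays opaque. Since the backends now accept unencrypted HTTP on their tunnel addresses, a pf rule on each backend limiting port 80 to the wg0 interface keeps that listener off the physical network.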
