On Thu, Jan 04, 2024 at 06:57:10PM -0800, Paul Pace wrote:
> On 1/4/24 10:22 AM, Adriano Barbosa wrote:
> > Hi!
> > I'm trying to use relayd with multiple FQDNs mixing remote servers
> > with and without tls:
> > 
> > relayd -- fqdn1 --> 127.0.0.1 (no tls)
> >         -- fqdn2 --> x.x.x.x (with tls)
> > 
> > I wrote my relayd.conf like this:
> > 
> > table <fqdn1> { 127.0.0.1 }
> > table <fqdn2> { x.x.x.x }
> > 
> > http protocol https {
> >      tls keypair fqdn1
> >      tls keypair fqdn2
> > 
> >      match request header "Host" value "fqdn1" tag "fqdn1"
> >      pass request tagged "fqdn1" forward to <fqdn1>
> > 
> >      match request header "Host" value "fqdn2" tag "fqdn2"
> >      pass request tagged "fqdn2" forward to <fqdn2>
> > }
> > 
> > relay wwwtls {
> >      listen on egress port 443 tls
> >      protocol https
> >      forward to <fqdn1> port 80
> >      forward with tls to <fqdn2> port 443
> > }
> 
> With one forward requiring TLS in a relay block, relayd will require TLS for
> all forward statements in the relay block.
> 
> > 
> > I have fqdn2 working and fqdn1 giving a "curl: (52) Empty reply from
> > server".
> > Removing "with tls" on the second forward, fqdn1 works and fqdn2 gives
> > a "Client sent an HTTP request to an HTTPS server."
> > 
> > Is it possible to have relayd working in this scenario? What am I
> > missing here?
> > 
> > Thank you!
> > --
> > Adriano
> 

Thank you for the response.

Digging a little more, I found that if I change the listen port from
443 to values other than 443 and 80, the "match request host" filter
stops working. The behaviour is the same with or without "with tls" on
the relay.

With port 443:
stable# curl --insecure https://fqdn1
<h1>Server 1</h1>
stable# curl --insecure https://fqdn2
<h1>Server 2</h1>

With port 4430 and allegedly any port other than 80 and 443:
stable# curl --insecure https://fqdn1:4430
<h1>Server 1</h1>
stable# curl --insecure https://fqdn2:4430
<h1>Server 1</h1>

Port 8080 also reproduces this last result.
Is that the expected behaviour? BTW, I'm running 7.4.

Please find relayd.conf and httpd.conf below.
fqdn{1,2} are in /etc/hosts as 127.0.0.1, and the respective TLS
certificates exist in /etc/ssl and the keys in /etc/ssl/private.

Thank you!
--
Adriano


# relayd.conf
addr="127.0.0.1"

table <fqdn1> { 127.0.0.1 }
table <fqdn2> { 127.0.0.1 }

http protocol https {
        tls keypair fqdn1
        tls keypair fqdn2

        match request header "Host" value "fqdn1" tag "fqdn1"
        pass request tagged "fqdn1" forward to <fqdn1>

        match request header "Host" value "fqdn2" tag "fqdn2"
        pass request tagged "fqdn2" forward to <fqdn2>
}

http protocol https2 {
        tls keypair fqdn1
        tls keypair fqdn2

        match request header "Host" value "fqdn1" tag "fqdn1"
        pass request tagged "fqdn1" forward to <fqdn1>

        match request header "Host" value "fqdn2" tag "fqdn2"
        pass request tagged "fqdn2" forward to <fqdn2>
}

relay wwwtls {
        listen on $addr port 443 tls
        protocol https

        forward to <fqdn1> port 8080
        forward to <fqdn2> port 8081
}

relay wwwtls2 {
        listen on $addr port 4430 tls
        protocol https2

        forward to <fqdn1> port 8080
        forward to <fqdn2> port 8081
}


# httpd.conf
addr="127.0.0.1"

server "fqdn1" {
        listen on $addr port 8080
        location "*" {
                root "/htdocs/server1"
        }
}

server "fqdn2" {
        listen on $addr port 8081
        location "*" {
                root "/htdocs/server2"
        }
}

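As an added illustration (not code from the thread or from relayd) of why the "Host" rules above can stop matching once the listen port is neither 80 nor 443: a client such as curl sends `Host: fqdn2:4430` for `https://fqdn2:4430`, because RFC 9110 only omits the port when it is the scheme's default. The rule list, the fall-through to the first `forward to` table, and the whole-string comparison for `value "fqdn2"` are assumptions modelled on the relayd.conf above, not taken from relayd's source.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed model of the thread's relayd.conf: (expected Host value, table).
# FALLBACK mirrors the first "forward to" line, where an untagged request
# ends up when no "pass request tagged" rule matched.
RULES = [("fqdn1", "<fqdn1>"), ("fqdn2", "<fqdn2>")]
FALLBACK = "<fqdn1>"


def host_header_for(url: str) -> str:
    """Host value a client such as curl sends for url (RFC 9110 sec. 7.2):
    the port is appended unless it is the scheme's default port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is None or parts.port == DEFAULT_PORTS.get(parts.scheme):
        return host
    return f"{host}:{parts.port}"


def exact_match(host_value: str, expected: str) -> bool:
    """Whole-string, case-insensitive comparison (assumed rule semantics)."""
    return host_value.lower() == expected.lower()


def hostname_match(host_value: str, expected: str) -> bool:
    """Port-aware comparison: only the host part of the Host value counts.
    urlsplit handles both "name:port" and "[v6-literal]:port" forms."""
    name = urlsplit("//" + host_value).hostname or ""
    return name == expected.lower()


def route(url: str, matcher=exact_match) -> str:
    """Backend table chosen for a request to url; first matching rule wins,
    otherwise the request falls through to FALLBACK."""
    host_value = host_header_for(url)
    for expected, table in RULES:
        if matcher(host_value, expected):
            return table
    return FALLBACK


if __name__ == "__main__":
    for u in ("https://fqdn2", "https://fqdn2:4430", "https://fqdn2:8080"):
        print(u, "-> Host:", host_header_for(u), "->", route(u),
              "(port-aware:", route(u, hostname_match) + ")")
```

With the exact comparison, `https://fqdn2:4430` lands in `<fqdn1>`, which is the "Server 1" answer seen in the thread; the port-aware comparison sends it to `<fqdn2>`.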