On 1/7/24 1:31 PM, Adriano Barbosa wrote:
On Sun, Jan 07, 2024 at 05:21:04AM -0800, Paul Pace wrote:
On 1/6/24 7:35 PM, Adriano Barbosa wrote:
On Thu, Jan 04, 2024 at 06:57:10PM -0800, Paul Pace wrote:
On 1/4/24 10:22 AM, Adriano Barbosa wrote:
Hi!
I'm trying to use relayd with multiple FQDNs mixing remote servers
with and without tls:

relayd -- fqdn1 --> 127.0.0.1 (no tls)
          -- fqdn2 --> x.x.x.x (with tls)

I wrote my relayd.conf like this:

table <fqdn1> { 127.0.0.1 }
table <fqdn2> { x.x.x.x }

http protocol https {
       tls keypair fqdn1
       tls keypair fqdn2

       match request header "Host" value "fqdn1" tag "fqdn1"
       pass request tagged "fqdn1" forward to <fqdn1>

       match request header "Host" value "fqdn2" tag "fqdn2"
       pass request tagged "fqdn2" forward to <fqdn2>
}

relay wwwtls {
       listen on egress port 443 tls
       protocol https
       forward to <fqdn1> port 80
       forward with tls to <fqdn2> port 443
}

With one forward requiring TLS in a relay block, relayd will require TLS for
all forward statements in the relay block.


I have fqdn2 working and fqdn1 giving a "curl: (52) Empty reply from
server".
Removing "with tls" on the second forward, fqdn1 works and fqdn2 gives
a "Client sent an HTTP request to an HTTPS server."

Is it possible to have relayd working on this scenario? What am I
missing here?

Thank you!
--
Adriano


Thank you for the response.

Digging a little more, I found that if I change the listen port from
443 to values other than 443 and 80, the "match request host" filter
stops working. The behaviour is the same with or without "with tls" on
the relay.

With port 443:
stable# curl --insecure https://fqdn1
<h1>Server 1</h1>
stable# curl --insecure https://fqdn2
<h1>Server 2</h1>

With port 4430 and allegedly any port other than 80 and 443:
stable# curl --insecure https://fqdn1:4430
<h1>Server 1</h1>
stable# curl --insecure https://fqdn2:4430
<h1>Server 1</h1>

What does curl -vk show?


Unfortunately, no difference. Follows:

$ curl --insecure -vk https://fqdn2
* Host fqdn2:443 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:443...
* Connected to fqdn2 (127.0.0.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=BR; ST=MS; L=DOU
*  start date: Jan  6 20:12:43 2024 GMT
*  expire date: Jan  5 20:12:43 2025 GMT
*  issuer: C=BR; ST=MS; L=DOU
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
GET / HTTP/1.1
Host: fqdn2
User-Agent: curl/8.5.0
Accept: */*

< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 18
< Content-Type: text/html
< Date: Sun, 07 Jan 2024 21:23:24 GMT
< Last-Modified: Sun, 07 Jan 2024 21:19:24 GMT
< Server: OpenBSD httpd
<
<h1>Server 2</h1>
* Connection #0 to host fqdn2 left intact

and

$ curl --insecure -vk https://fqdn2:4430
* Host fqdn2:4430 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:4430...
* Connected to fqdn2 (127.0.0.1) port 4430
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=BR; ST=MS; L=DOU
*  start date: Jan  6 20:12:43 2024 GMT
*  expire date: Jan  5 20:12:43 2025 GMT
*  issuer: C=BR; ST=MS; L=DOU
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
GET / HTTP/1.1
Host: fqdn2:4430
User-Agent: curl/8.5.0
Accept: */*

< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 18
< Content-Type: text/html
< Date: Sun, 07 Jan 2024 21:25:42 GMT
< Last-Modified: Sun, 07 Jan 2024 21:19:15 GMT
< Server: OpenBSD httpd
<
<h1>Server 1</h1>
* Connection #0 to host fqdn2 left intact

My best guess is httpd is not receiving a host header, so it is serving the first server block.

Try setting relay logs verbose and then monitor with something like:

relayctl log verbose
tail -f /var/log/daemon | grep relay

You could also add a first server block that is only served when other blocks aren't matched.

Port 8080 also reproduces this last result.
Is that the expected behaviour? BTW, I'm running 7.4.

Please find relayd.conf and httpd.conf below.
fqdn{1,2} are in /etc/hosts as 127.0.0.1, and the respective TLS
certificates exist in /etc/ssl and the keys in /etc/ssl/private.

Thank you!
--
Adriano


# relayd.conf
addr="127.0.0.1"

table <fqdn1> { 127.0.0.1 }
table <fqdn2> { 127.0.0.1 }

http protocol https {
          tls keypair fqdn1
          tls keypair fqdn2

          match request header "Host" value "fqdn1" tag "fqdn1"
          pass request tagged "fqdn1" forward to <fqdn1>

          match request header "Host" value "fqdn2" tag "fqdn2"
          pass request tagged "fqdn2" forward to <fqdn2>
}

http protocol https2 {
          tls keypair fqdn1
          tls keypair fqdn2

          match request header "Host" value "fqdn1" tag "fqdn1"
          pass request tagged "fqdn1" forward to <fqdn1>

          match request header "Host" value "fqdn2" tag "fqdn2"
          pass request tagged "fqdn2" forward to <fqdn2>
}

relay wwwtls {
          listen on $addr port 443 tls
          protocol https

          forward to <fqdn1> port 8080
          forward to <fqdn2> port 8081
}

relay wwwtls2 {
          listen on $addr port 4430 tls
          protocol https2

          forward to <fqdn1> port 8080
          forward to <fqdn2> port 8081
}


# httpd.conf
addr="127.0.0.1"

server "fqdn1" {
          listen on $addr port 8080
          location "*" {
                  root "/htdocs/server1"
          }
}

server "fqdn2" {
          listen on $addr port 8081
          location "*" {
                  root "/htdocs/server2"
          }
}
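
As an added illustration that is not part of the thread: the two `curl -vk` transcripts above differ in their Host header, `fqdn2` on port 443 and `fqdn2:4430` on the non-default port. The Python below (example code, not relayd's own) emulates a list of `match request header "Host" value ... tag ...` rules against both request heads; it assumes relayd compares the whole header value with shell-style globbing and case folding, and the `fqdn2:*` rule set is an assumed variant for comparison, not a configuration from the thread.

```python
import fnmatch
from typing import List, Optional, Tuple

# Constructed request heads, shaped after the two curl -vk transcripts in the
# thread: the same request sent to port 443 and to port 4430.
REQUEST_443 = (
    "GET / HTTP/1.1\r\nHost: fqdn2\r\nUser-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n"
)
REQUEST_4430 = (
    "GET / HTTP/1.1\r\nHost: fqdn2:4430\r\nUser-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n"
)


def header_value(request: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def tag_for(request: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Emulate `match request header "Host" value <pattern> tag <tag>` rules.

    Assumption (not stated in the thread): relayd matches the complete header
    value against the pattern with shell-style globbing, ignoring case, so a
    value of "fqdn2:4430" does not match the pattern "fqdn2". The tag of the
    first matching rule is returned; None means the request stays untagged.
    """
    host = header_value(request, "Host")
    if host is None:
        return None
    for pattern, tag in rules:
        if fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return tag
    return None


# Rules exactly as written in the thread's relayd.conf: bare hostnames only.
EXACT_RULES = [("fqdn1", "fqdn1"), ("fqdn2", "fqdn2")]

# Assumed variant that also accepts a "host:port" value, which is what curl
# sends in the Host header when the URL carries a non-default port.
PORT_TOLERANT_RULES = [
    ("fqdn1", "fqdn1"), ("fqdn1:*", "fqdn1"),
    ("fqdn2", "fqdn2"), ("fqdn2:*", "fqdn2"),
]
```

With the exact rules the port 4430 request ends up untagged, so no `pass request tagged "fqdn2"` rule fires and the request is not steered to the second table, which is consistent with the thread's observation that Server 1 answers on that port.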

