Re: Migrating nginx config to OpenBSD's httpd
Thanks again.
This worked in case anyone is looking for it:
http protocol "monit" {
match request forward to
match request header "Host" value "status.affekt.org" forward to
}
The order is important, if put in reversed the "status.affekt.org"
forward will be overwritten.
Now all I need to investigate is why HTTP responses are erroneous,
though you might be right that it could be a Monit problem.
Re: Migrating nginx config to OpenBSD's httpd
On 04/16, Henrik Friedrichsen wrote:
> - Is there a way to match all hosts that are not "status.affekt.org"?
> That way I don't have to write a filter rule for every subdomain
Didn't test, just the idea:
1. You put your default host (i.e. one that will respond to all http
requests which do not fall into specific configurations) first in
httpd.conf.
2. In relayd configure http protocol like this:
http protocol "monit" {
match request header "Host" value "status.affekt.org" forward to
forward to port 80
}
So the requests that match Host header will go to monit, all other
requests will go to httpd, where default site will respond.
> - Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
> closed and most of the HTTP response headers are missing (status code,
> content-length, etc.)
>
> Any idea what I'm doing wrong?
I guess something is wrong on monit side.. I set up relayd with varous stuff
in the backend, but have seen anything like this.
--
With best regards,
Pavel Korovin
Re: Migrating nginx config to OpenBSD's httpd
Hey Pavel,
thanks for your response. I have adapted my configuration and came up
with this:
ext4="51.15.10.194"
ext6="2001:bc8:2d08::1"
table { "127.0.0.1" }
table { "127.0.0.1" }
http protocol "monit" {
match request header "Host" value "status.affekt.org" forward to
match request header "Host" value "affekt.org" forward to
}
relay "proxy" {
listen on $ext4 port 80
protocol "monit"
forward to port 2812
forward to port 80
}
I have a local monit instance listening on 127.0.0.1:2812
This configuration works, sort of:
- Is there a way to match all hosts that are not "status.affekt.org"?
That way I don't have to write a filter rule for every subdomain
- Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
closed and most of the HTTP response headers are missing (status code,
content-length, etc.)
Any idea what I'm doing wrong?
Thanks!
hera ~ % curl -v "http://status.affekt.org/";
* Trying 51.15.10.194...
* TCP_NODELAY set
* Connected to status.affekt.org (51.15.10.194) port 80 (#0)
> GET / HTTP/1.1
> Host: status.affekt.org
> User-Agent: curl/7.58.0
> Accept: */*
>
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="monit"
* Connection #0 to host status.affekt.org left intact
401 UnauthorizedUnauthorizedYou are not authorized to access
monit. Either you supplied the wrong credentials (e.g. bad password), or
your browser doesn't understand how to supply the credentials required
Re: Migrating nginx config to OpenBSD's httpd
Henrik,
Regarding cut off responses, I didn't have such problems, maybe it was fixed
since 2016.
Regarding multi-site setup, I have something like this:
--- httpd.conf ---
### default site behind relayd
server "waste.tristero.se" {
alias "tristero.se"
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/waste.tristero.se"
}
server "openbsd.tristero.se" {
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/openbsd.tristero.se"
}
### this one is not behind relayd, used for http to https redirection
server "waste.tristero.se" {
alias "openbsd.tristero.se"
alias "tristero.se"
listen on 188.244.46.111 port 80
listen on 2001:470:1f15:1492::2 port 80
root "/htdocs/waste.tristero.se"
block return 301 "https://$HTTP_HOST/$DOCUMENT_URI";
}
--- relayd.conf ---
ext4="188.244.46.111"
ext6="2001:470:1f15:1492::2"
localhost4="127.0.0.1"
localhost6="::1"
table { $localhost4 }
table { $localhost6 }
table { $localhost4 }
table { $localhost6 }
http protocol "https4" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value
"[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to
match request header "Host" value "waste.tristero.se" forward to
match request header "Host" value "openbsd.tristero.se" forward to
tls { no tlsv1.0, ciphers
EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}
http protocol "https6" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value
"[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to
match request header "Host" value "waste.tristero.se" forward to
match request header "Host" value "openbsd.tristero.se" forward to
tls { no tlsv1.0, ciphers
EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}
relay "https4" {
listen on $ext4 port 443 tls
protocol "https4"
forward to port 80
forward to port 80
}
relay "https6" {
listen on $ext6 port 443 tls
protocol "https6"
forward to port 80
forward to port 80
}
--- end cut ---
The only problem I have was configuring specific security headers for
specific hosts, i.e. I cannot have specific http protocol sections with
different responses for specific hosts, like:
http protocol "https4-flex" {
match request header "Host" value "not-secure.domain" forward to
match response header set "Content-Security-Policy" value
""
}
http protocol "https4-strict" {
match request header "Host" value "secure.domain" forward to
match response header set "Content-Security-Policy" value
""
}
--
With best regards,
Pavel Korovin
On 04/16, Henrik Friedrichsen wrote:
>
> So far I have not been able to emulate proxy_pass with relayd.
>
> I came across two issues:
> - relayed HTTP requests resulted in cut off responses, similar to this
> issue: https://github.com/reyk/relayd/issues/12
> - I have not been able to come up with a configuration/filter setting
> that will only match for a specific subdomain and will pass the
> non-matching requests to the regular httpd listening on port 80
>
> Did anyone have success in setting this up?
Re: Migrating nginx config to OpenBSD's httpd
On Fri, Apr 13, 2018 at 02:30:18PM +0300, Pavel Korovin wrote: > Hi Carlos, > > There's no analog of proxy_pass in httpd(8). relayd(8) is your friend. So far I have not been able to emulate proxy_pass with relayd. I came across two issues: - relayed HTTP requests resulted in cut off responses, similar to this issue: https://github.com/reyk/relayd/issues/12 - I have not been able to come up with a configuration/filter setting that will only match for a specific subdomain and will pass the non-matching requests to the regular httpd listening on port 80 Did anyone have success in setting this up?
Re: Migrating nginx config to OpenBSD's httpd
Hi Carlos,
HAproxy project exists and serves much better as load balancer and reverse
proxy server. It is more efficient than engine X. Any concerns using it?
- Bogdan
On Fri, Apr 13, 2018 at 04:47 Pavel Korovin wrote:
> Hi Carlos,
>
> There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
>
> On 04/13, C. L. Martinez wrote:
> > I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> > working ok, except for some proxy reverse config that I use with nginx's
> > config, like for example:
> >
> > server {
> > listen 80;
> > server_name internal.w01.domain.org;
> >
> > location / {
> > proxy_pass http://192.168.30.4;
> > }
> > }
> >
> > I don't see what is the option to use with httpd.conf or is it best
> > option to use relayd.conf for this type of configs?
>
> --
> With best regards,
> Pavel Korovin
>
> --
---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC
+1.802.793.8295
Re: Migrating nginx config to OpenBSD's httpd
Hi Carlos,
There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
On 04/13, C. L. Martinez wrote:
> I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> working ok, except for some proxy reverse config that I use with nginx's
> config, like for example:
>
> server {
> listen 80;
> server_name internal.w01.domain.org;
>
> location / {
> proxy_pass http://192.168.30.4;
> }
> }
>
> I don't see what is the option to use with httpd.conf or is it best
> option to use relayd.conf for this type of configs?
--
With best regards,
Pavel Korovin
Migrating nginx config to OpenBSD's httpd
Hi all,
I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
working ok, except for some proxy reverse config that I use with nginx's
config, like for example:
server {
listen 80;
server_name internal.w01.domain.org;
location / {
proxy_pass http://192.168.30.4;
}
}
I don't see what is the option to use with httpd.conf or is it best
option to use relayd.conf for this type of configs?
Thanks.
