relayd, ipv6, and tls keypair names
I was trying to configure relayd for TLS acceleration when I noticed an unusual error.

Here is my /etc/relayd.conf (with actual IPs and domains replaced):

ip4="192.0.2.1"
ip6="2001:db8::"
table { 127.0.0.1 }
table { 127.0.0.1 }

log connection

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"

    # Various TCP options
    tcp { sack, backlog 128 }

    tls { keypair example.com }
    match request header "Host" value "www.example.com" forward to
}

relay wwwtls {
    listen on $ip4 port 443 tls
    listen on $ip6 port 443 tls
    protocol https
    forward to port 8001 check icmp
}

I set up symlinks for the SSL certs as follows:

$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
$ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key

I then start relayd:

$ doas relayd -dvv

and get the following errors:

relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
/etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443

I discovered that if I comment out the below line, line 23, relayd works:

listen on $ip6 port 443 tls

So if I uncomment out the IPv6 listener, relayd works just fine.

If I include the IPv6 listener but create symlinks with IPv6 addresses like follows:

$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
$ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key

Then it seems relayd also works. So I suspect relayd is ignoring the tls keypair directive for IPv6 addresses. In other words, when IPv6 is enabled, relayd appears to ignore:

tls { keypair example.com }

Can someone verify if this is correct behavior, if I misconfigured, or if this is a bug?

jrmu
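The filenames in the post follow relayd's keypair convention: for a TLS listener relayd looks for /etc/ssl/NAME:PORT.crt and falls back to /etc/ssl/NAME.crt (and the same under /etc/ssl/private/ with .key), where NAME is the "tls keypair" name if one is set and otherwise the listen address itself. That is why the "relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt" line appears, and why creating files named 2001:db8:::443.crt and 2001:db8:::443.key satisfied the IPv6 listener: the error names wwwtls2 rather than wwwtls, i.e. the second listen statement, and that listener was evidently resolving its files by address. The script below is an added example, not code from the thread or from relayd; it models that lookup in POSIX sh so the expected file layout can be checked before starting the daemon. The function names, the ROOT prefix (so the lookup can be run against a temporary directory instead of the real /etc/ssl) and the empty stand-in files are assumptions for offline use, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from relayd itself. It models the
# file lookup relayd(8) performs for a TLS listener (relayd.conf(5), "keypair"):
#   certificate: /etc/ssl/NAME:PORT.crt, then /etc/ssl/NAME.crt
#   private key: /etc/ssl/private/NAME:PORT.key, then /etc/ssl/private/NAME.key
# NAME is the "tls keypair" name when one is set and otherwise the listen
# address, which is why files named 2001:db8:::443.crt/.key satisfied the IPv6
# listener in the post. ROOT is an assumed prefix so the lookup can be
# exercised against a temporary directory instead of the real /etc/ssl.

# first_existing PATH... : print the first PATH that exists, fail if none does
first_existing() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# relayd_resolve_keypair LISTEN_ADDR PORT KEYPAIR ROOT
#   KEYPAIR may be "" to model a listener without "tls keypair"; the listen
#   address is then used as the name. Prints "CERT KEY" on success. On failure
#   it lists the candidates it tried on stderr (the situation relayd reports as
#   "cannot load certificates for relay NAME:PORT") and returns 1.
relayd_resolve_keypair() {
    addr=$1 port=$2 name=${3:-$1} root=${4:-}
    cert=$(first_existing "$root/etc/ssl/$name:$port.crt" \
                          "$root/etc/ssl/$name.crt") || {
        echo "$addr:$port: no certificate; tried $root/etc/ssl/$name:$port.crt" \
             "and $root/etc/ssl/$name.crt" >&2
        return 1
    }
    key=$(first_existing "$root/etc/ssl/private/$name:$port.key" \
                         "$root/etc/ssl/private/$name.key") || {
        echo "$addr:$port: no private key; tried $root/etc/ssl/private/$name:$port.key" \
             "and $root/etc/ssl/private/$name.key" >&2
        return 1
    }
    printf '%s %s\n' "$cert" "$key"
}

# relayd_keypair_demo : rebuild the post's /etc/ssl layout in a temporary
# directory (constructed empty files, not real certificates) and walk through
# the three situations described there. Returns 0 when every outcome matches.
relayd_keypair_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/ssl/private" || return 1
    : > "$tmp/etc/ssl/example.com:443.crt"         # stands in for the symlinks
    : > "$tmp/etc/ssl/private/example.com:443.key" # created in the post
    rc=0

    # 1. With the keypair name applied, both listeners resolve to the same files.
    relayd_resolve_keypair 192.0.2.1 443 example.com "$tmp" >/dev/null || rc=1
    relayd_resolve_keypair 2001:db8:: 443 example.com "$tmp" >/dev/null || rc=1

    # 2. Resolved by address instead of keypair name, the IPv6 listener fails:
    #    this is the outcome the post observed for relay wwwtls2.
    if relayd_resolve_keypair 2001:db8:: 443 "" "$tmp" 2>/dev/null; then
        rc=1
    fi

    # 3. The post's workaround: address-named files make the address lookup succeed.
    : > "$tmp/etc/ssl/2001:db8:::443.crt"
    : > "$tmp/etc/ssl/private/2001:db8:::443.key"
    relayd_resolve_keypair 2001:db8:: 443 "" "$tmp" >/dev/null || rc=1

    rm -rf "$tmp"
    return $rc
}

if relayd_keypair_demo; then
    echo "relayd keypair lookup model: all three cases behave as in the post"
else
    echo "relayd keypair lookup model: unexpected result" >&2
fi
```

To check a real host, call relayd_resolve_keypair with an empty ROOT for each listen address, port and keypair name in relayd.conf; a failure lists exactly the four paths relayd will try, which is quicker than reading the -dvv output after a failed start.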
Re: relayd, ipv6, and tls keypair names
PS: I am running OpenBSD 6.8 stable on amd64.

On Sat, Feb 27, 2021 at 03:48:04PM +0800, j...@ircnow.org wrote:
> I was trying to configure relayd for TLS acceleration when I noticed an
> unusual error.
>
> Here is my /etc/relayd.conf (with actual IPs and domains replaced):
>
> ip4="192.0.2.1"
> ip6="2001:db8::"
> table { 127.0.0.1 }
> table { 127.0.0.1 }
>
> log connection
>
> http protocol https {
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" \
>         value "$SERVER_ADDR:$SERVER_PORT"
>     match request header set "Connection" value "close"
>
>     # Various TCP options
>     tcp { sack, backlog 128 }
>
>     tls { keypair example.com }
>     match request header "Host" value "www.example.com" forward to
> }
>
> relay wwwtls {
>     listen on $ip4 port 443 tls
>     listen on $ip6 port 443 tls
>     protocol https
>     forward to port 8001 check icmp
> }
>
> I set up symlinks for the SSL certs as follows:
>
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
>
> I then start relayd:
>
> $ doas relayd -dvv
>
> and get the following errors:
>
> relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
> relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
> /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
>
> I discovered that if I comment out the below line, line 23, relayd works:
>
> listen on $ip6 port 443 tls
>
> So if I uncomment out the IPv6 listener, relayd works just fine.
>
> If I include the IPv6 listener but create symlinks with IPv6 addresses like
> follows:
>
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
>
> Then it seems relayd also works. So I suspect relayd is ignoring
> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> enabled, relayd appears to ignore:
>
> tls { keypair example.com }
>
> Can someone verify if this is correct behavior, if I misconfigured, or
> if this is a bug?
>
> jrmu
Re: relayd, ipv6, and tls keypair names
Hi,

j...@ircnow.org writes:
> Then it seems relayd also works. So I suspect relayd is ignoring
> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> enabled, relayd appears to ignore:
>
> tls { keypair example.com }
>
> Can someone verify if this is correct behavior, if I misconfigured, or
> if this is a bug?

You're making things a bit harder for yourself with your choice of certificate filenames. For starters, on webservers I've never had any use for a certificate without full chain. So I just create a full chain certificate under the usual certificate filename in my acme-client config.

domain example.com {
    domain key "/etc/ssl/private/example.com.key"
    domain full chain certificate "/etc/ssl/example.com.crt"
    sign with letsencrypt
}

No symlinks necessary.

Then in relayd I create two relays, listening to the same protocol block.

table { 127.0.0.1 }

log connection

http protocol myremote {
    tls keypair "example.com"

    return error
    pass
}

relay mysite4 {
    listen on 127.0.0.1 port 443 tls
    protocol myremote
    forward to check tcp port 80
}

relay mysite6 {
    listen on ::1 port 443 tls
    protocol myremote
    forward to check tcp port 80
}

The problem really is that you can't listen on IPv4 and IPv6 in the same relay block. This might be a bug although I suppose it could be intentional (I've never found relayd's configuration very intuitive).

-- 
Anthony J. Bentley
Re: relayd, ipv6, and tls keypair names
Hello!

I configured relayd months ago and did not have my config here. The keypair option works as it should (name.tld) and requires no symlinks (tested with public IPs) but the paths to the certs are hardcoded as described in the acme config file in /etc/examples. IIRC the path must be /etc/acme/ or so.

Regards,
Christoph

> On 27.02.2021 at 09:25, jrmu wrote:
>
> PS: I am running OpenBSD 6.8 stable on amd64.
>
>> On Sat, Feb 27, 2021 at 03:48:04PM +0800, j...@ircnow.org wrote:
>> I was trying to configure relayd for TLS acceleration when I noticed an
>> unusual error.
>>
>> Here is my /etc/relayd.conf (with actual IPs and domains replaced):
>>
>> ip4="192.0.2.1"
>> ip6="2001:db8::"
>> table { 127.0.0.1 }
>> table { 127.0.0.1 }
>>
>> log connection
>>
>> http protocol https {
>>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>>     match request header append "X-Forwarded-By" \
>>         value "$SERVER_ADDR:$SERVER_PORT"
>>     match request header set "Connection" value "close"
>>
>>     # Various TCP options
>>     tcp { sack, backlog 128 }
>>
>>     tls { keypair example.com }
>>     match request header "Host" value "www.example.com" forward to
>> }
>>
>> relay wwwtls {
>>     listen on $ip4 port 443 tls
>>     listen on $ip6 port 443 tls
>>     protocol https
>>     forward to port 8001 check icmp
>> }
>>
>> I set up symlinks for the SSL certs as follows:
>>
>> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
>> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
>>
>> I then start relayd:
>>
>> $ doas relayd -dvv
>>
>> and get the following errors:
>>
>> relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
>> relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
>> /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
>>
>> I discovered that if I comment out the below line, line 23, relayd works:
>>
>> listen on $ip6 port 443 tls
>>
>> So if I uncomment out the IPv6 listener, relayd works just fine.
>>
>> If I include the IPv6 listener but create symlinks with IPv6 addresses like
>> follows:
>>
>> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
>> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
>>
>> Then it seems relayd also works. So I suspect relayd is ignoring
>> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
>> enabled, relayd appears to ignore:
>>
>> tls { keypair example.com }
>>
>> Can someone verify if this is correct behavior, if I misconfigured, or
>> if this is a bug?
>>
>> jrmu
Re: relayd, ipv6, and tls keypair names
Adding two relay blocks does seem to fix the problem, thank you.

jrmu

On Sat, Feb 27, 2021 at 02:50:11AM -0700, Anthony J. Bentley wrote:
> Hi,
>
> j...@ircnow.org writes:
> > Then it seems relayd also works. So I suspect relayd is ignoring
> > the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> > enabled, relayd appears to ignore:
> >
> > tls { keypair example.com }
> >
> > Can someone verify if this is correct behavior, if I misconfigured, or
> > if this is a bug?
>
> You're making things a bit harder for yourself with your choice of
> certificate filenames. For starters, on webservers I've never had
> any use for a certificate without full chain. So I just create a
> full chain certificate under the usual certificate filename in my
> acme-client config.
>
> domain example.com {
>     domain key "/etc/ssl/private/example.com.key"
>     domain full chain certificate "/etc/ssl/example.com.crt"
>     sign with letsencrypt
> }
>
> No symlinks necessary.
>
> Then in relayd I create two relays, listening to the same protocol
> block.
>
> table { 127.0.0.1 }
>
> log connection
>
> http protocol myremote {
>     tls keypair "example.com"
>
>     return error
>     pass
> }
>
> relay mysite4 {
>     listen on 127.0.0.1 port 443 tls
>     protocol myremote
>     forward to check tcp port 80
> }
>
> relay mysite6 {
>     listen on ::1 port 443 tls
>     protocol myremote
>     forward to check tcp port 80
> }
>
> The problem really is that you can't listen on IPv4 and IPv6 in the
> same relay block. This might be a bug although I suppose it could be
> intentional (I've never found relayd's configuration very intuitive).
>
> -- 
> Anthony J. Bentley