Try this for relayd.conf

    table <web> { 127.0.0.1 }

    http protocol httpfilter {
            return error
            match request header "Host" value "www.openbsd.org" tag "HOST_OK"
            block request
            pass tagged "HOST_OK"
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to <web> port 8081
    }


________________________________________
From: owner-m...@openbsd.org <owner-m...@openbsd.org> on behalf of Anthony J. 
Bentley <anth...@anjbe.name>
Sent: Wednesday, June 19, 2019 4:19 AM
To: misc@openbsd.org
Subject: Transparent 301-to-https redirection with relayd

Hi,

I have relayd configured as a basic HTTP pass-through:

    http protocol httpfilter {
            return error
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to destination
    }

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

    server "httpfilter" {
            listen on localhost port 8081
            block return 301 "https://$HTTP_HOST$REQUEST_URI";
    }

The idea is to check the host header and if it matches my whitelist,
send it to httpd which will force a redirect to https before ever
leaving the LAN.

I don't understand relayd configuration too well. I tried this:

    table <web> { 127.0.0.1 }

    http protocol httpfilter {
            return error
            match request header "Host" value "www.openbsd.org" forward to <web>
    }

    relay "proxy" {
            listen on 127.0.0.1 port 8080
            protocol httpfilter
            forward to destination
            forward to <web> port 8081
    }

It seems to do what I want:

    $ ftp -o - http://www.openbsd.org/ >/dev/null
    Trying 129.128.5.194...
    Requesting http://www.openbsd.org/
    Redirected to https://www.openbsd.org/
    Trying 129.128.5.194...
    Requesting https://www.openbsd.org/
    4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

    $ ftp -o - http://neverssl.com/ >/dev/null
    Trying 13.33.67.177...
    Requesting http://neverssl.com/
    Redirected to https://neverssl.com/
    Trying 13.33.67.177...
    Requesting https://neverssl.com/
    ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere
closer to redirecting only whitelisted domains. I must be missing
something, but what?

--
Anthony J. Bentley
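The rule semantics the suggested httpfilter protocol depends on, as an added Python model that is not part of either message nor of relayd itself: it assumes the pf-style evaluation documented in relayd.conf(5) (match rules only tag, the last matching pass or block decides, default is pass) and the httpd `block return 301 "https://$HTTP_HOST$REQUEST_URI"` target from the original post. Reordering the block and pass rules in the test shows why the order in the suggested config matters.

```python
# Added example: a small model of the relayd(8) filter semantics the suggested
# relayd.conf relies on. Assumption (from relayd.conf(5)): rules are evaluated
# in order, "match" rules only apply actions such as tag, the last matching
# pass/block rule decides, and the default when nothing matches is pass.
# Illustrative Python only, not relayd's own code.

# Rule set transcribed from the suggested "httpfilter" protocol block.
# Each rule: (action, header_condition, tagged_condition, tag_to_set)
HTTPFILTER_RULES = [
    ("match", ("Host", "www.openbsd.org"), None, "HOST_OK"),
    ("block", None, None, None),
    ("pass", None, "HOST_OK", None),
]

def rule_matches(rule, headers, tags):
    """Return True if the rule's conditions hold for this request."""
    _, header_cond, tagged_cond, _ = rule
    if header_cond is not None:
        name, value = header_cond
        if headers.get(name) != value:      # exact Host value comparison
            return False
    if tagged_cond is not None and tagged_cond not in tags:
        return False
    return True

def evaluate(rules, headers):
    """Last-match-wins evaluation; returns 'pass' or 'block'."""
    decision = "pass"            # assumed relayd default when no rule matches
    tags = set()
    for rule in rules:
        if not rule_matches(rule, headers, tags):
            continue
        action, _, _, tag = rule
        if tag:
            tags.add(tag)        # 'match ... tag' only marks the request
        if action in ("pass", "block"):
            decision = action    # a later matching rule overrides an earlier one
    return decision

def handle_request(headers, request_uri):
    """What the client sees: relayd blocks, or httpd answers with its 301."""
    if evaluate(HTTPFILTER_RULES, headers) == "block":
        return ("block", None)
    # Passed requests reach httpd's block return 301 "https://$HTTP_HOST$REQUEST_URI"
    return ("redirect", "https://" + headers["Host"] + request_uri)
```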
