Ah, I stepped in a giant puddle of egg for my first post here. My lines were
all too long and my sample code had typos. Let's try this again:

> How-To-Repeat:

        ```
        $ mkdir relayd-confused-filters; cd relayd-confused-filters
        ```

        ```
        $ openssl req -x509 -newkey rsa:4096 -subj '/CN='"localhost" -nodes \
                  -keyout localhost.key -out localhost.pem -days 3
        $ doas cp localhost.pem /etc/ssl/localhost.crt
        $ doas cp localhost.key /etc/ssl/private/localhost.key
        ```

        ```
        $ mkdir -p site app
        $ echo "Static Site" > site/index.html
        $ echo "WebApp" > app/index.html
        $ mkdir -p logs
        ```

        ```
        # httpd.conf
        chroot "."

        server "default" {
                listen on localhost port 8080
                location * {
                    block return 302 "https://$HTTP_HOST$REQUEST_URI";
                }
        }

        server "site" {
                listen on localhost port 8081
                root "site"
                directory auto index
        }

        server "app" {
                listen on localhost port 8082
                root "app"
                request strip 1
                directory auto index
        }
        ```

        ```
        # relayd.conf
        table <web> { "127.0.0.1" }
        table <app> { "127.0.0.1" }

        http protocol web {
                # Return HTTP/HTML error pages to the client
                return error

                tls keypair localhost

                match request path "/app/*" forward to <app>
        }

        relay http_proxy {
                listen on 0.0.0.0 port 80

                protocol web
                forward to <web> port 8080
        }

        relay https_proxy {
                listen on 0.0.0.0 port 443 tls

                protocol web
                forward to <web> port 8081
                forward to <app> port 8082
        }
        ```


        Forced-https seems to be working:

        ```
        $ curl -v http://localhost/
        *   Trying 127.0.0.1:80...
        * TCP_NODELAY set
        * Connected to localhost (127.0.0.1) port 80 (#0)
        > GET / HTTP/1.1
        > Host: localhost
        > User-Agent: curl/7.66.0
        > Accept: */*
        > 
        * Mark bundle as not supporting multiuse
        * HTTP 1.0, assume close after body
        < HTTP/1.0 302 Found
        < Connection: close
        < Content-Length: 419
        < Content-Type: text/html
        < Date: Tue, 11 Feb 2020 12:06:07 GMT
        < Location: https://localhost/
        < Server: OpenBSD httpd
        < 
        <!DOCTYPE html>
        <html>
        <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
        <title>302 Found</title>
        <style type="text/css"><!--
        body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
        hr { border: 0; border-bottom: 1px dashed; }

        --></style>
        </head>
        <body>
        <h1>302 Found</h1>
        <hr>
        <address>OpenBSD httpd</address>
        </body>
        </html>
        ```

        The unified https:// site works too:

        ```
        $ curl --cacert /etc/ssl/localhost.crt  https://localhost/     
        Static Site
        $ curl --cacert /etc/ssl/localhost.crt  https://localhost/app/
        WebApp
        ```

        But here's the bug(!): I can talk to /app *unencrypted*, because the
        filter rule meant for the *other* relay is triggering in http_proxy:

        ```
        $ curl http://localhost/app/                                   
        WebApp
        ```
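
A configuration that avoids the overlap, added here as an example and not
taken from the post above: in the repro both relays reference the same
`protocol web`, and the `match request path "/app/*" forward to <app>` rule
lives in that protocol block, so it is evaluated on port 80 as well as on
port 443. Giving the plain-HTTP relay its own protocol that carries no path
rule keeps /app/ from being served without TLS. The protocol names
`redirect` and `web-tls` are assumptions; the tables, ports and relay names
are the ones from the repro.

```conf
# relayd.conf (added example; protocol names are hypothetical)
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }

# Used only by the port-80 relay. It carries no path rule, so every
# plaintext request goes to the redirecting httpd server on :8080.
http protocol redirect {
        # Return HTTP/HTML error pages to the client
        return error
}

# Used only by the port-443 relay. The /app/ forward rule is defined
# here, so it can only match requests that arrived over TLS.
http protocol web-tls {
        return error

        tls keypair localhost

        match request path "/app/*" forward to <app>
}

relay http_proxy {
        listen on 0.0.0.0 port 80

        protocol redirect
        forward to <web> port 8080
}

relay https_proxy {
        listen on 0.0.0.0 port 443 tls

        protocol web-tls
        forward to <web> port 8081
        forward to <app> port 8082
}
```

Check the file with `relayd -n -f relayd.conf` before loading it, then
repeat the last request from the repro: `curl -i http://localhost/app/`
should now return the 302 with `Location: https://localhost/app/` from the
:8080 httpd server instead of the "WebApp" body, while the two
`--cacert` requests over https:// keep returning "Static Site" and
"WebApp".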
