Ah, I step in a giant puddle of egg for my first post here. My lines were all
too long and my sample code had typos. Let's try this again:
> How-To-Repeat:
```
$ mkdir relayd-confused-filters; cd relayd-confused-filters
```
```
$ openssl req -x509 -newkey rsa:4096 -subj '/CN='"localhost" -nodes \
    -keyout localhost.key -out localhost.pem -days 3
$ doas cp localhost.pem /etc/ssl/localhost.crt
$ doas cp localhost.key /etc/ssl/private/localhost.key
```
```
$ mkdir -p site app
$ echo "Static Site" > site/index.html
$ echo "WebApp" > app/index.html
$ mkdir -p logs
```
```
# httpd.conf
chroot "."

server "default" {
    listen on localhost port 8080
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "site" {
    listen on localhost port 8081
    root "site"
    directory auto index
}

server "app" {
    listen on localhost port 8082
    root "app"
    request strip 1
    directory auto index
}
```
```
# relayd.conf
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }

http protocol web {
    # Return HTTP/HTML error pages to the client
    return error
    tls keypair localhost
    match request path "/app/*" forward to <app>
}

relay http_proxy {
    listen on 0.0.0.0 port 80
    protocol web
    forward to <web> port 8080
}

relay https_proxy {
    listen on 0.0.0.0 port 443 tls
    protocol web
    forward to <web> port 8081
    forward to <app> port 8082
}
```
Forced-https seems to be working:
```
$ curl -v http://localhost/
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Connection: close
< Content-Length: 419
< Content-Type: text/html
< Date: Tue, 11 Feb 2020 12:06:07 GMT
< Location: https://localhost/
< Server: OpenBSD httpd
<
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>302 Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>302 Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
```
The unified https:// site works too:
```
$ curl --cacert /etc/ssl/localhost.crt https://localhost/
Static Site
$ curl --cacert /etc/ssl/localhost.crt https://localhost/app/
WebApp
```
But here's the bug(!): I can talk to /app *unencrypted*, because the filter
rule meant for the *other* relay is triggering in http_proxy:
```
$ curl http://localhost/app/
WebApp
```
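A configuration check that catches this class of mistake, as an added example (not part of the original post or of relayd itself): it parses a relayd.conf and flags every `match ... forward to` rule inside an `http protocol` block that is attached to both a plaintext relay and a TLS relay, which is exactly the situation above. The parser is deliberately minimal (top-level blocks only), and the embedded config is the one from the post with the tables and the comment dropped.

```python
import re
# relayd.conf from the post above (tables and comment dropped, indentation added)
RELAYD_CONF = """http protocol web {
    tls keypair localhost
    match request path "/app/*" forward to <app>
}
relay http_proxy {
    listen on 0.0.0.0 port 80
    protocol web
    forward to <web> port 8080
}
relay https_proxy {
    listen on 0.0.0.0 port 443 tls
    protocol web
    forward to <web> port 8081
    forward to <app> port 8082
}"""

BLOCK_RE = re.compile(r'^(http protocol|relay)\s+(\S+)\s*\{$')

def parse_blocks(text):
    """Map (kind, name) -> body lines of each top-level 'http protocol' / 'relay' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and indentation
        m = BLOCK_RE.match(line)
        if current is None and m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif current is not None and line == '}':
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def shared_protocol_findings(text):
    """(protocol, rule, plain_relays, tls_relays) for each forwarding match rule shared by both."""
    blocks = parse_blocks(text)
    users = {}  # protocol name -> {'plain': [relay names], 'tls': [relay names]}
    for (kind, name), body in blocks.items():
        if kind == 'relay':
            proto = next((l.split()[1] for l in body if l.startswith('protocol ')), None)
            tls = any(l.startswith('listen on') and 'tls' in l.split() for l in body)
            if proto:
                users.setdefault(proto, {'plain': [], 'tls': []})['tls' if tls else 'plain'].append(name)
    findings = []
    for (kind, name), body in blocks.items():
        u = users.get(name) or {'plain': [], 'tls': []}
        if kind == 'http protocol' and u['plain'] and u['tls']:
            findings += [(name, r, u['plain'], u['tls']) for r in body if r.startswith('match') and 'forward to' in r]
    return findings
```

Running `shared_protocol_findings(RELAYD_CONF)` reports the `/app/*` rule as applying to `http_proxy` as well as `https_proxy`; the fix the check suggests is a separate protocol for the plaintext redirect relay.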