Hi,

Nick(n...@kousu.ca) on 2020.02.11 12:15:48 +0000:
> Ah I step in a giant puddle of egg for my first post here. My lines were all 
> too long and my sample code had typos. Let's try this again:

To me it looks like the obvious solution is not to use a protocol intended
for tls connections with a protocol for http connections.

Your reports are a mix of misunderstanding the configuration, some valid
remarks about possible documentation improvements and some real bugs.

Because it's getting confusing here what you actually try to do, I'm going to
disregard this and the other reports I have not replied to. At least until
the ones I replied to are resolved.

Thanks,
B.


> > How-To-Repeat:
> 
>       ```
>       $ mkdir relayd-confused-filters; cd relayd-confused-filters
>       ```
> 
>       ```
>       $ openssl req -x509 -newkey rsa:4096 -subj '/CN='"localhost" -nodes \
>                 -keyout localhost.key -out localhost.pem -days 3
>       $ doas cp localhost.pem /etc/ssl/localhost.crt
>       $ doas cp localhost.key /etc/ssl/private/localhost.key
>       ```
> 
>       ```
>       $ mkdir -p site app
>       $ echo "Static Site" > site/index.html
>       $ echo "WebApp" > app/index.html
>       $ mkdir -p logs
>       ```
> 
>       ```
>       # httpd.conf
>       chroot "."
> 
>       server "default" {
>               listen on localhost port 8080
>               location * {
>                   block return 302 "https://$HTTP_HOST$REQUEST_URI";
>               }
>       }
> 
>       server "site" {
>               listen on localhost port 8081
>               root "site"
>               directory auto index
>       }
> 
>       server "app" {
>               listen on localhost port 8082
>               root "app"
>               request strip 1
>               directory auto index
>       }
>       ```
> 
>       ```
>       # relayd.conf
>       table <web> { "127.0.0.1" }
>       table <app> { "127.0.0.1" }
> 
>       http protocol web {
>               # Return HTTP/HTML error pages to the client
>               return error
> 
>               tls keypair localhost
> 
>               match request path "/app/*" forward to <app>
>       }
> 
>       relay http_proxy {
>               listen on 0.0.0.0 port 80
> 
>               protocol web
>               forward to <web> port 8080
>       }
> 
>       relay https_proxy {
>               listen on 0.0.0.0 port 443 tls
> 
>               protocol web
>               forward to <web> port 8081
>               forward to <app> port 8082
>       }
>       ```
> 
> 
>       Forced-https seems to be working:
> 
>       ```
>       $ curl -v http://localhost/
>       *   Trying 127.0.0.1:80...
>       * TCP_NODELAY set
>       * Connected to localhost (127.0.0.1) port 80 (#0)
>       > GET / HTTP/1.1
>       > Host: localhost
>       > User-Agent: curl/7.66.0
>       > Accept: */*
>       > 
>       * Mark bundle as not supporting multiuse
>       * HTTP 1.0, assume close after body
>       < HTTP/1.0 302 Found
>       < Connection: close
>       < Content-Length: 419
>       < Content-Type: text/html
>       < Date: Tue, 11 Feb 2020 12:06:07 GMT
>       < Location: https://localhost/
>       < Server: OpenBSD httpd
>       < 
>       <!DOCTYPE html>
>       <html>
>       <head>
>       <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
>       <title>302 Found</title>
>       <style type="text/css"><!--
>       body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
>       hr { border: 0; border-bottom: 1px dashed; }
> 
>       --></style>
>       </head>
>       <body>
>       <h1>302 Found</h1>
>       <hr>
>       <address>OpenBSD httpd</address>
>       </body>
>       </html>
>       ```
> 
>       The unified https:// site works too:
> 
>       ```
>       $ curl --cacert /etc/ssl/localhost.crt  https://localhost/
>       Static Site
>       $ curl --cacert /etc/ssl/localhost.crt  https://localhost/app/
>       WebApp
>       ```
> 
>       But here's the bug(!): I can talk to /app *unencrypted*, because the filter rule
>       meant for the *other* relay is triggering in http_proxy:
> 
>       ```
>       $ curl http://localhost/app/
>       WebApp
>       ```
> 

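The split B. points at, written out as an added example (not the reporter's file and not taken from the relayd manual): the cleartext relay gets its own protocol with no path match, so the `/app/*` forward can only fire on the tls relay. The protocol name `plain` is my choice; tables, ports and the keypair name are carried over from the quoted relayd.conf.

```conf
# relayd.conf (added example, not the original report's configuration)
table <web> { "127.0.0.1" }
table <app> { "127.0.0.1" }

# Protocol for the cleartext listener only: no match rules, so every
# request reaches httpd's "default" server on 8080 and gets the 302 to https.
http protocol plain {
        return error
}

# Protocol for the tls listener: the keypair and the /app/* split live here,
# so the rule can no longer redirect a port-80 request to the app backend.
http protocol web {
        return error
        tls keypair localhost
        match request path "/app/*" forward to <app>
}

relay http_proxy {
        listen on 0.0.0.0 port 80
        protocol plain
        forward to <web> port 8080
}

relay https_proxy {
        listen on 0.0.0.0 port 443 tls
        protocol web
        forward to <web> port 8081
        forward to <app> port 8082
}
```

After reloading relayd, `curl -i http://localhost/app/` should show httpd's 302 with an https Location rather than the "WebApp" body.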