On Sat, October 1, 2016 12:00 pm, Chris Bennett wrote:
> I like what I see in the FILTER RULES of relayd.
> I just want to be able to add new filters as needed when seen in http error_log.
> But I only have one server. And I use SSL for two sites. And multiple virtual hosts on each IP.
> Would I then forward to a new local port such as 127.0.0.1:34567 for the good requests, just block bad requests and do nothing at all for good requests?
>
> Or is this not a good solution?
> I'm not in a rush, but getting some experience and knowledge in tools I'm not using is a plus.
> I very much like the idea of removal before reaching the webserver.
>
> Thanks,
> Chris Bennett
I haven't used relayd to block, but experimented with a fairly complicated setup just as a proxy using the match rules.

One shortcoming you might run into in your use case is that relayd only supports one cert/key per listening port. So if you have relayd on 443 and multiple domains behind it, all of those domains have to be in that one cert.

I don't know that you can dynamically update the match rules, either. Not without modifying the conf file and reloading.

Be careful with this anyway. You don't want to start blocking because someone's iOS device gets a 404 on an apple-touch-icon not present on a site.

Tim.
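A minimal relayd.conf for the setup Chris describes, added here as an example and not taken from either poster: relayd listens on the public address, drops requests for paths that only ever show up in error_log as scans, and forwards everything else to httpd bound to 127.0.0.1:34567. The address, the port and the blocked paths are assumed placeholders; TLS is left out because of the one cert per listening port limitation Tim mentions.

```conf
# Added example relayd.conf (not from the thread). Assumptions: httpd has
# been moved to 127.0.0.1:34567, the external address is a placeholder, and
# the blocked paths are stand-ins for whatever your own error_log shows.
ext_ip="203.0.113.10"

table <httpd> { 127.0.0.1 }

http protocol "httpfilter" {
	# Send an HTML error page to the client instead of just closing the socket
	return error

	# httpd only sees 127.0.0.1 as the peer; pass the real client along so
	# its access_log and error_log still identify who made the request
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

	# Paths that never exist on these sites. Adding a new one means adding a
	# line here and running `relayctl reload`; there is no runtime update.
	# Keep these to paths you are sure no real client fetches (see Tim's
	# apple-touch-icon caveat): a 404 on its own is not a reason to block.
	label "Suspicious request"
	block request quick path "/phpmyadmin/*"
	block request quick path "/wp-login.php"
	block request quick path "/cgi-bin/*"

	# Everything else goes through to httpd unchanged
	pass
}

relay "www" {
	listen on $ext_ip port 80
	protocol "httpfilter"
	forward to <httpd> port 34567
}
```

Check the file with `relayd -n` before reloading; a syntax error in a newly added block line otherwise takes the whole relay down rather than just the rule.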

