Hi again!
So, read the book as suggested, got relayd working, headers set, HTTP
methods blocked just like I wanted (on my "test" box). However, when
starting to use TLS-by-relayd rather than by httpd, it seems I lost OCSP
stapling support. Does relayd.conf understand a line like
tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"
or are there other ways of resolving this?
Cheers,
Andreas
--- httpd.conf ---
# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $
# Made from /etc/examples/httpd.conf 2015-03-19
# ------------------------------------------------------
# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}
# pejorative.andreasthulin.se - HTTP
server "pejorative.andreasthulin.se" {
listen on * port 8080
block return 301 "https://$SERVER_NAME$REQUEST_URI"
log syslog
}
# pejorative.andreasthulin.se - HTTPS
server "pejorative.andreasthulin.se" {
hsts subdomains
listen on * tls port 8082
tls certificate "/etc/ssl/pejorative.andreasthulin.se.fullchain.pem"
tls key "/etc/ssl/private/pejorative.andreasthulin.se.key"
tls ocsp "/etc/ssl/pejorative.andreasthulin.se.ocsp"
root "/htdocs/andreasthulin.se"
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
directory { index "index.php" }
log syslog
}
--- relayd.conf ---
# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
# /etc/relayd.conf 2017-10-12
table <local> { 127.0.0.1 }
ext_ip = "192.168.1.40"
http protocol https {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
return error
block method CONNECT
block method DELETE
block method HEAD
block method OPTIONS
block method PUT
match response header remove "X-Powered-By"
match response header set "X-Bogus-Header" value "False"
match response header set "X-Frame-Options" value "deny"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "X-XSS-Protection" value "1; mode=block"
match response header append "Content-Security-Policy" value "default-src 'none'"
match response header append "Content-Security-Policy" value "script-src 'self'"
match response header append "Content-Security-Policy" value "style-src 'self'"
match response header append "Content-Security-Policy" value "img-src 'self'"
match response header append "Content-Security-Policy" value "connect-src 'self'"
match response header append "Content-Security-Policy" value "frame-ancestors 'none'"
}
relay "tlsforward" {
listen on $ext_ip port 4433 tls
protocol https
forward with tls to <local> port 8082 mode loadbalance check tcp
}
On Fri, 13 Oct 2017 at 09:28, Andreas Thulin <[email protected]> wrote:
> Thank you, I just bought the Kindle version. :-)
>
> BR, Andreas
> On Fri, 13 Oct 2017 at 02:16, Bryan Harris <[email protected]> wrote:
>
>> There is a book called relayd and httpd. I think it has what you need.
>>
>> V/r,
>> Bryan
>>
>>
>>
>> > On Oct 12, 2017, at 1:33 PM, Andreas Thulin <[email protected]>
>> wrote:
>> >
>> > Hi!
>> >
>> > Before anything, thanks for yet another awesome OpenBSD release! I’ll
>> > extend my gratitude into the pockets of the Foundation and finally
>> donate
>> > this time.
>> >
>> > Then:
>> >
>> > I’m a relayd virgin. Consider all the following a lab exercise, I want
>> to
>> > learn and understand more.
>> >
>> > My target:
>> > Understanding how to score an A+ on the htbridge web server security
>> test.
>> > https://www.htbridge.com/websec/?id=BT1UmswV
>> >
>> > First objective:
>> > Set HTTP headers, such as
>> >
>> > CONTENT-SECURITY-POLICY
>> > X-CONTENT-TYPE-OPTIONS
>> > X-XSS-PROTECTION
>> >
>> > using relayd (since httpd can’t help out here).
>> >
>> > Assumptions etc:
>> > - I suppose only https traffic is in scope, since all http traffic is
>> > redirected to https.
>> > - Both httpd and relayd are (will be) run on the same 6.2 machine.
>> > - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
>> > more or less out of the box. The web server test, however, was a
>> > disappointing F. :-)
>> >
>> > I’m only a mortal, so simply reading the relayd.conf man page and doing
>> some
>> > trial-and-error has so far only made me go all CAPS. I seek examples (of
>> > something similar to the above use-case), a guide, tutorial, or even a
>> > how-to to make this happen. I can learn all the config options and
>> settings
>> > afterwards, and keep tweaking and understanding.
>> >
>> > Anyone?
>> >
>> > Humbly,
>> > Andreas
>>
>
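An added check, not part of the thread above: a POSIX shell script that inspects a captured HTTPS response header block for the headers the relayd protocol in the posted relayd.conf is meant to set (plus the HSTS header httpd adds) and for the X-Powered-By header it is meant to remove. Both responses embedded in it are constructed samples, not captured from pejorative.andreasthulin.se; the header list and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that responses coming
# through the relay carry the expected security headers and no longer leak
# X-Powered-By. Everything below is self-contained; the two responses are
# CONSTRUCTED samples, not real captures.

# Headers the relayd protocol sets, plus Strict-Transport-Security from httpd's
# "hsts subdomains" (assumed list; adjust to taste).
REQUIRED_HEADERS="Content-Security-Policy X-Content-Type-Options X-Frame-Options X-XSS-Protection Strict-Transport-Security"
# Headers the relayd protocol removes with "match response header remove".
FORBIDDEN_HEADERS="X-Powered-By"

# header_value RESPONSE NAME: print the value(s) of header NAME found in the
# header block of RESPONSE (case-insensitive name match, CRLF tolerated,
# parsing stops at the blank line that ends the header block).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }                                  # end of header block
        {
            i = index($0, ":")
            if (i == 0) next                           # status line / junk
            name = tolower(substr($0, 1, i - 1))
            if (name == want) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
            }
        }'
}

# missing_headers RESPONSE: one required header name per line that is absent.
missing_headers() {
    for h in $REQUIRED_HEADERS; do
        [ -n "$(header_value "$1" "$h")" ] || printf '%s\n' "$h"
    done
}

# leaked_headers RESPONSE: one forbidden header name per line that is present.
leaked_headers() {
    for h in $FORBIDDEN_HEADERS; do
        [ -n "$(header_value "$1" "$h")" ] && printf '%s\n' "$h"
    done
    return 0
}

# check_response RESPONSE: succeed only if nothing is missing and nothing leaks.
check_response() {
    m=$(missing_headers "$1")
    l=$(leaked_headers "$1")
    [ -z "$m" ] && [ -z "$l" ]
}

# Constructed sample 1: what httpd answers on its own (talking to port 8082
# directly, bypassing relayd). Only HSTS is there; X-Powered-By leaks.
RAW_RESPONSE=$(printf "HTTP/1.1 200 OK\r\nServer: OpenBSD httpd\r\nX-Powered-By: PHP/7.0\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html></html>")

# Constructed sample 2: what the same response should look like after passing
# through the relay on port 4433 with the protocol "https" applied.
RELAYED_RESPONSE=$(printf "HTTP/1.1 200 OK\r\nServer: OpenBSD httpd\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nX-Frame-Options: deny\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; frame-ancestors 'none'\r\n\r\n<html></html>")

# Stand-alone run: report on both samples.
for name in RAW_RESPONSE RELAYED_RESPONSE; do
    eval "resp=\$$name"
    if check_response "$resp"; then
        echo "$name: OK"
    else
        echo "$name: missing: $(missing_headers "$resp" | tr '\n' ' ')leaked: $(leaked_headers "$resp" | tr '\n' ' ')"
    fi
done
```

To run the same check against the real relay, capture a response with a GET (HEAD is blocked by the posted protocol) and feed it to check_response, for example `resp=$(printf 'GET / HTTP/1.0\r\nHost: pejorative.andreasthulin.se\r\n\r\n' | openssl s_client -quiet -connect 192.168.1.40:4433 -servername pejorative.andreasthulin.se 2>/dev/null)`; then compare against a capture from port 8082 to confirm the headers are added by relayd and not by httpd.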