> On Jun 11, 2020, at 4:28 PM, Toyam Cox <aviator45...@gmail.com> wrote:
> >
> > Hello Misc,
> >
> > Full config at end of email.
> >
> > I've discussed the below in #openbsd on freenode, and was told to come
> > here. At present, I have a setup where I need multiple unrelated
> > servers under a single IP address. I used relayd to do https
> > interception, read the Host header, and make decisions.
> >
> > The very relevant part of my config is this:
> >
> > forward to <httpback> port 80
> > forward with tls to <httpsback> port 443
> >
> > The order here does not matter (unlike most relayd configs, I know,
> > but I've tested in my configuration and it works).
> >
> > When I have "with tls" on that second line, I see error lines like:
> >
> > relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, TLS handshake error: handshake failed: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred, GET: Undefined error: 0
> >
> > and, unhelpfully, relayd responds with no response. There is no
> > return. Or, as curl puts it: curl: (52) Empty reply from server
> >
> > When I remove "with tls" then I successfully reach the http backend,
> > but since the https backend requires ssl, that connection no longer
> > works. So it seems that "with tls" affects all "forward" clauses, not
> > just the one to which it's attached.
> >
> > I believe this to be a bug.
> >
> > cat >/etc/relayd.conf <<'EOF'
> > table <httpsback> { "10.0.0.101" }
> > table <httpback> { "10.0.0.102" }
> > # obviously obfuscated some values
> >
> > interval 5
> > timeout 1000
> >
> > log connection
> >
> > http protocol web {
> >         return error
> >
> >         match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
> >         match header set "X-Forwarded-For" value "$REMOTE_ADDR"
> >         match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> >
> >         http websockets
> >         pass request quick header "Host" value "myhost.example.com" path "/Client/*" forward to <httpsback>
> >         pass request quick header "Host" value "otherhost.example.com" forward to <httpback>
> >
> >         block
> > }
> >
> > relay web {
> >         listen on 10.0.0.100 port 443 tls
> >         protocol web
> >
> >         forward to <httpback> port 80 check http "/webservice.asmx" code 405
> >         forward with tls to <httpsback> port 443 check https "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
> > }
> > EOF
> >
Hi Toyam,

Split http and https into two separate relay stanzas. The “with tls” will be needed on your https relay and not the http backhaul. I believe this gets what you want.

I do not think this is a bug, but perhaps a design choice by the developers.

Cheers,
Brian
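As an added illustration of the split Brian describes (this is example configuration written for this note, not Brian's or Toyam's own file), one way to keep both backends behind the single public 10.0.0.100:443 while giving "with tls" its own relay is to chain two relays: the public relay terminates client TLS and routes on the Host header in plaintext, and a second relay on loopback is the only one that dials out with TLS. The hop table <tlshop>, the loopback address 127.0.0.1, port 8443 and the relay name "tlshop" are assumptions chosen for the example; the backend addresses, checks and protocol rules are carried over from the quoted config.

```conf
# Example relayd.conf written for this note (not from the thread).
# Assumed for illustration: the <tlshop> table, 127.0.0.1 and port 8443.

table <httpsback> { "10.0.0.101" }
table <httpback>  { "10.0.0.102" }
# Hop table: points at the second relay below, not at a real backend
table <tlshop>    { "127.0.0.1" }

interval 5
timeout 1000

log connection

http protocol web {
        return error

        match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
        match header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        http websockets
        # The https-only backend is reached through the hop relay
        pass request quick header "Host" value "myhost.example.com" path "/Client/*" forward to <tlshop>
        pass request quick header "Host" value "otherhost.example.com" forward to <httpback>

        block
}

# Relay 1: terminates client TLS on the public address, decides by Host,
# and speaks plain HTTP to everything it forwards to. No "with tls" here,
# so the http backend on port 80 gets the plaintext it expects.
relay web {
        listen on 10.0.0.100 port 443 tls
        protocol web

        forward to <httpback> port 80 check http "/webservice.asmx" code 405
        forward to <tlshop> port 8443 check tcp
}

# Relay 2: plain HTTP in from relay 1 over loopback, TLS out to the
# https-only backend. "with tls" is a per-relay setting, so placing it
# in its own relay is what keeps it off the http backend.
relay tlshop {
        listen on 127.0.0.1 port 8443

        forward with tls to <httpsback> port 443 check https "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
}
```

The design point is that "with tls" marks the whole relay as a TLS client rather than one forward line, which is why a single relay cannot mix a plaintext and a TLS backend; each relay in the chain now has exactly one outbound mode. The hop between the two relays is plaintext and stays on loopback, so it never leaves the host; the second relay has no protocol block and just passes the already-routed request through. Check with `relayd -n -f /etc/relayd.conf` before loading, and watch `relayctl show hosts` to confirm the hop table comes up alongside the two backends.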