Hello Stuart, Hello Fabio, thanks for reading and suggesting!
[email protected] (Fabio Martins), 2022.05.04 (Wed) 22:29 (CEST):
> On Wednesday, May 4, 2022, Stuart Henderson <[email protected]>
> wrote:
> > On 2022-05-04, Marcus MERIGHI <[email protected]> wrote:
> > > I need to block http/s traffic, but only for some Host: header values.
> > > I.e. domain "xyz.abc" should be reachable, domain "klm.opq" not, both
> > > behind the same IP.
> > >
> > > This rules out blocking with PF.
> > >
> > ...
> > >
> > > Thanks in advance for any pointers!
> >
> > Maybe redirect connections from the PF table to a different port, then
> > handle the two ports differently in relayd?

This is one of the "OMG, why didn't I think of that myself" moments.
Thanks for the clue stick!

pseudo code, order matters:

    # default: every client is redirected to relayd's restricted port
    pass in on egress proto tcp from any to port 443 rdr-to $relayd port 8443
    # later rule wins (no "quick"): allowed sources go to the unrestricted port
    pass in on egress proto tcp from <geoallowed> to port 443 rdr-to $relayd port 9443

> This may be possible to do via httpd listening on different ports for each
> domain, since they share the same IP address.

Exactly, though it is going to be relayd that is listening and forwarding to
the application (or not, in case of geoblocking).

Marcus
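The scheme sketched in the thread, written out as a pf.conf excerpt plus the matching relayd.conf. This is an added example, not configuration posted by Marcus or shipped with OpenBSD; the macro names, the 127.0.0.1 relayd address, the 10.0.0.5 application server, the /etc/pf.geoallowed table file and the "xyz.abc" / "klm.opq" keypair names are assumptions chosen for illustration.

```conf
# ---- /etc/pf.conf (excerpt) ----
# All TCP/443 on the egress interface is redirected to relayd. The first rule
# is the default (port 8443). The second rule matches only sources listed in
# <geoallowed>; because the last matching rule wins for rules without "quick",
# it overrides the first one for those sources (port 9443).
relayd = "127.0.0.1"
table <geoallowed> persist file "/etc/pf.geoallowed"   # assumed: one prefix per line

pass in on egress proto tcp from any to port 443 rdr-to $relayd port 8443
pass in on egress proto tcp from <geoallowed> to port 443 rdr-to $relayd port 9443

# ---- /etc/relayd.conf ----
# One relay per PF-assigned port. Both listen on loopback only, so a client
# cannot reach 9443 directly and skip the PF table check: the only way onto
# either port is through the rdr-to rules above.
relayd = "127.0.0.1"
app = "10.0.0.5"            # assumed application server behind relayd

table <app> { $app }

# Clients outside <geoallowed> land on 8443: only Host: xyz.abc is passed,
# every other Host: value (including klm.opq) hits the "block request" default.
http protocol "public" {
	tls keypair "xyz.abc"   # /etc/ssl/xyz.abc.crt, /etc/ssl/private/xyz.abc.key
	return error            # answer blocked requests with an error page, not a dropped connection
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	block request
	pass request header "Host" value "xyz.abc"
}

# Clients in <geoallowed> land on 9443: both domains are passed.
http protocol "trusted" {
	tls keypair "xyz.abc"
	tls keypair "klm.opq"   # second keypair selected by SNI
	return error
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	block request
	pass request header "Host" value "xyz.abc"
	pass request header "Host" value "klm.opq"
}

relay "public_https" {
	listen on $relayd port 8443 tls
	protocol "public"
	forward to <app> port 80
}

relay "trusted_https" {
	listen on $relayd port 9443 tls
	protocol "trusted"
	forward to <app> port 80
}
```

Check both files before loading them with `pfctl -nf /etc/pf.conf` and `relayd -n`, then confirm the two relays are up with `relayctl show relays`. Two things to keep in mind: relayd sees the original client address (rdr-to rewrites only the destination), which is why X-Forwarded-For above is trustworthy, and the Host: match is a literal pattern, so a request carrying an explicit port ("xyz.abc:443") would fall through to the block rule unless a second pattern is added.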

