On Sun, Jan 07, 2024 at 05:21:04AM -0800, Paul Pace wrote:
> On 1/6/24 7:35 PM, Adriano Barbosa wrote:
> > On Thu, Jan 04, 2024 at 06:57:10PM -0800, Paul Pace wrote:
> > > On 1/4/24 10:22 AM, Adriano Barbosa wrote:
> > > > Hi!
> > > > I'm trying to use relayd with multiple FQDNs mixing remote servers
> > > > with and without tls:
> > > >
> > > > relayd -- fqdn1 --> 127.0.0.1 (no tls)
> > > >        -- fqdn2 --> x.x.x.x (with tls)
> > > >
> > > > I wrote my relayd.conf like this:
> > > >
> > > > table <fqdn1> { 127.0.0.1 }
> > > > table <fqdn2> { x.x.x.x }
> > > >
> > > > http protocol https {
> > > >     tls keypair fqdn1
> > > >     tls keypair fqdn2
> > > >
> > > >     match request header "Host" value "fqdn1" tag "fqdn1"
> > > >     pass request tagged "fqdn1" forward to <fqdn1>
> > > >
> > > >     match request header "Host" value "fqdn2" tag "fqdn2"
> > > >     pass request tagged "fqdn2" forward to <fqdn2>
> > > > }
> > > >
> > > > relay wwwtls {
> > > >     listen on egress port 443 tls
> > > >     protocol https
> > > >     forward to <fqdn1> port 80
> > > >     forward with tls to <fqdn2> port 443
> > > > }
> > >
> > > With one forward requiring TLS in a relay block, relayd will require TLS
> > > for all forward statements in the relay block.
> > >
> > > > I have fqdn2 working and fqdn1 giving a "curl: (52) Empty reply from
> > > > server".
> > > > Removing "with tls" on the second forward, fqdn1 works and fqdn2 gives
> > > > a "Client sent an HTTP request to an HTTPS server."
> > > >
> > > > Is it possible to have relayd working on this scenario? What am I
> > > > missing here?
> > > >
> > > > Thank you!
> > > > --
> > > > Adriano
> > >
> > Thank you for the response.
> >
> > Digging a little more, I found that if I change the listen port from
> > 443 to values other than 443 and 80, the "match request host" filter
> > stops working. The behaviour is the same with or without "with tls" on
> > the relay.
> >
> > With port 443:
> > stable# curl --insecure https://fqdn1
> > <h1>Server 1</h1>
> > stable# curl --insecure https://fqdn2
> > <h1>Server 2</h1>
> >
> > With port 4430 and allegedly any port other than 80 and 443:
> > stable# curl --insecure https://fqdn1:4430
> > <h1>Server 1</h1>
> > stable# curl --insecure https://fqdn2:4430
> > <h1>Server 1</h1>
>
> What does curl -vk show?
>
Unfortunately, no difference. Follows:

$ curl --insecure -vk https://fqdn2
* Host fqdn2:443 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
* Trying 127.0.0.1:443...
* Connected to fqdn2 (127.0.0.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=BR; ST=MS; L=DOU
*  start date: Jan 6 20:12:43 2024 GMT
*  expire date: Jan 5 20:12:43 2025 GMT
*  issuer: C=BR; ST=MS; L=DOU
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
*  Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: fqdn2
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 18
< Content-Type: text/html
< Date: Sun, 07 Jan 2024 21:23:24 GMT
< Last-Modified: Sun, 07 Jan 2024 21:19:24 GMT
< Server: OpenBSD httpd
<
<h1>Server 2</h1>
* Connection #0 to host fqdn2 left intact

and

$ curl --insecure -vk https://fqdn2:4430
* Host fqdn2:4430 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
* Trying 127.0.0.1:4430...
* Connected to fqdn2 (127.0.0.1) port 4430
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=BR; ST=MS; L=DOU
*  start date: Jan 6 20:12:43 2024 GMT
*  expire date: Jan 5 20:12:43 2025 GMT
*  issuer: C=BR; ST=MS; L=DOU
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
*  Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: fqdn2:4430
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 18
< Content-Type: text/html
< Date: Sun, 07 Jan 2024 21:25:42 GMT
< Last-Modified: Sun, 07 Jan 2024 21:19:15 GMT
< Server: OpenBSD httpd
<
<h1>Server 1</h1>
* Connection #0 to host fqdn2 left intact

> > Port 8080 also reproduces this last result.
> > Is that the expected behaviour? BTW, I'm running 7.4.
> >
> > Please find relayd.conf and httpd.conf below.
> > fqdn{1,2} are on /etc/hosts as 127.0.0.1 and the respective tls
> > certificates exist in /etc/ssl and keys in /etc/ssl/private.
> >
> > Thank you!
> > --
> > Adriano
> >
> >
> > # relayd.conf
> > addr="127.0.0.1"
> >
> > table <fqdn1> { 127.0.0.1 }
> > table <fqdn2> { 127.0.0.1 }
> >
> > http protocol https {
> >     tls keypair fqdn1
> >     tls keypair fqdn2
> >
> >     match request header "Host" value "fqdn1" tag "fqdn1"
> >     pass request tagged "fqdn1" forward to <fqdn1>
> >
> >     match request header "Host" value "fqdn2" tag "fqdn2"
> >     pass request tagged "fqdn2" forward to <fqdn2>
> > }
> >
> > http protocol https2 {
> >     tls keypair fqdn1
> >     tls keypair fqdn2
> >
> >     match request header "Host" value "fqdn1" tag "fqdn1"
> >     pass request tagged "fqdn1" forward to <fqdn1>
> >
> >     match request header "Host" value "fqdn2" tag "fqdn2"
> >     pass request tagged "fqdn2" forward to <fqdn2>
> > }
> >
> > relay wwwtls {
> >     listen on $addr port 443 tls
> >     protocol https
> >
> >     forward to <fqdn1> port 8080
> >     forward to <fqdn2> port 8081
> > }
> >
> > relay wwwtls2 {
> >     listen on $addr port 4430 tls
> >     protocol https2
> >
> >     forward to <fqdn1> port 8080
> >     forward to <fqdn2> port 8081
> > }
> >
> >
> > # httpd.conf
> > addr="127.0.0.1"
> >
> > server "fqdn1" {
> >     listen on $addr port 8080
> >     location "*" {
> >         root "/htdocs/server1"
> >     }
> > }
> >
> > server "fqdn2" {
> >     listen on $addr port 8081
> >     location "*" {
> >         root "/htdocs/server2"
> >     }
> > }
>
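The two curl -v traces above differ in exactly one request header: on port 443 curl sends `Host: fqdn2`, on port 4430 it sends `Host: fqdn2:4430`, because an HTTP client appends the port to the Host header whenever it is not the scheme default (80 for http, 443 for https). A rule that compares the whole header value against the literal "fqdn2" therefore cannot match on a non-default port. The Python below is an added illustration of that matching difference, not relayd's own code and not a statement of which value syntax relayd.conf(5) accepts; the function names (split_host_header, exact_host_match, hostname_match, route) and the rule table are assumptions constructed for the example.

```python
"""Illustration (constructed, not relayd code): why an exact comparison of
the Host header against "fqdn2" misses "fqdn2:4430".

HTTP clients send "host[:port]" in the Host header and include the port
whenever it is not the scheme default, so the same site name arrives as a
different header value once the relay listens on 4430 or 8080.
"""
from typing import Callable, List, Optional, Tuple


def split_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host header value into (host, port).

    Handles bracketed IPv6 literals such as "[::1]:4430". The port is None
    when the header carries no explicit port; malformed ports raise.
    """
    value = value.strip()
    if value.startswith("["):  # IPv6 literal, port follows the closing bracket
        end = value.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal in Host: {value!r}")
        host, rest = value[: end + 1], value[end + 1 :]
    else:
        host, sep, tail = value.partition(":")
        rest = sep + tail
    if not rest:
        return host.lower(), None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"malformed port in Host: {value!r}")
    port = int(rest[1:])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in Host: {value!r}")
    return host.lower(), port


def exact_host_match(header_value: str, expected: str) -> bool:
    """Compare the whole header value (case-insensitively) with the literal.

    This is the comparison that behaves like the thread's observation:
    "fqdn2" matches, "fqdn2:4430" does not.
    """
    return header_value.strip().lower() == expected.lower()


def hostname_match(header_value: str, expected: str) -> bool:
    """Compare only the host part, ignoring any explicit port."""
    host, _port = split_host_header(header_value)
    return host == expected.lower()


# Constructed rule table mirroring the thread's two match/pass pairs:
# (expected Host value, backend name).
RULES: List[Tuple[str, str]] = [("fqdn1", "server1"), ("fqdn2", "server2")]


def route(header_value: str,
          rules: List[Tuple[str, str]],
          matcher: Callable[[str, str], bool]) -> Optional[str]:
    """Return the backend of the first rule whose matcher accepts the header,
    or None when no rule matches (i.e. no tag would be assigned)."""
    for expected, backend in rules:
        if matcher(header_value, expected):
            return backend
    return None


if __name__ == "__main__":
    # Constructed Host values taken from the two curl runs in the thread.
    for hv in ("fqdn2", "fqdn2:4430", "fqdn2:8080"):
        print(f"{hv:12} exact -> {route(hv, RULES, exact_host_match)!s:8} "
              f"host-only -> {route(hv, RULES, hostname_match)}")
```

Running the block prints that "fqdn2" routes to server2 under both matchers, while "fqdn2:4430" and "fqdn2:8080" route to server2 only under the host-only comparison and to nothing under the exact comparison. Whether a given relayd release compares the full header value or supports a pattern that tolerates a trailing port is something to confirm against relayd.conf(5) for the version in use (7.4 in the thread) rather than assume from this illustration.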