Dear Marcus, thanks for your answer. The solution was to add a relay in front of the backend web server:

table <httpd> { 127.0.0.1 }
table <other> { 127.0.0.1 }
table <backend> { 45.67.158.169 }

http protocol "https" {
    tls keypair "uprojekt.hu"
    tls keypair "biztonsagimentes.hu"

    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

    return error

    pass request quick header "Host" value "uprojekt.hu" forward to <httpd>
    pass request quick header "Host" value "biztonsagimentes.hu" forward to <other>
}

http protocol "https2" {
    pass request header "Host" value "biztonsagimentes.hu" forward to <backend>
}

relay "relay" {
    listen on lo0 port 8079
    protocol https2
    forward with tls to <backend> port 443
}

relay "https" {
    listen on egress port 443 tls
    protocol https
    forward to <httpd> port 8081
    forward to <other> port 8079
}

The problem with the original configuration was that I used "forward with tls" in the relay "https", so both connections were forwarded with encryption. The httpd on the frontend server received encrypted requests. So I created the "relay" relay listening on 8079. What happens now is that a connection comes in for the domain biztonsagimentes.hu, I relay it to the "relay" relay, and that relays it encrypted to the backend server on a different network.
Gábor Hidvégi

On Sat, 21 Jun 2025 20:20:08 +0200 Marcus MERIGHI <mcmer-open...@tor.at> wrote:
> Hello,
>
> ga...@hidvegi.net (Hidvégi Gábor), 2025.06.20 (Fri) 19:30 (CEST):
> > Dear members,
> >
> > I wonder if it's possible to achieve my goal:
> > - I've got two servers, a virtual one with OpenBSD as frontend, and a real
> >   one as backend on a different network,
> > - I've got two domains, uprojekt.hu and biztonsagimentes.hu,
> > - I'd like to serve the first domain's website from the OpenBSD server,
> > - I'd like to serve the second domain's website from the real server, but
> >   the OpenBSD server should act as a proxy before the backend
> >
> > My relayd configuration looks like this:
> > table <httpd> { 127.0.0.1 }
> > table <backend> { 45.67.158.169 }
> >
> > http protocol "https" {
> >     match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
> >
> >     return error
> >
> >     pass request quick header "Host" value "uprojekt.hu" forward to <httpd>
> >
> >     tls keypair "uprojekt.hu"
> >     tls keypair "biztonsagimentes.hu"
>
> I'd try with these lines moved above the first "pass request" line.
> And I'd remove the "quick" keyword to maintain my sanity in the long run.
>
> Other than that I did not find errors in your config when comparing with
> my working configs, though I never used "forward with tls".
>
> Marcus
>
> >     pass request quick header "Host" value "biztonsagimentes.hu" forward to
> >     <backend>
> > }
> >
> > relay "https" {
> >     listen on egress port 443 tls
> >     protocol https
> >     forward with tls to <backend> port 443
> >     forward to <httpd> port 8081
> > }
> >
> > With this configuration only one domain works (biztonsagimentes.hu),
> > the other one does not. The log of the web server running on OpenBSD
> > tells me that relayd forwards the encrypted traffic to 127.0.0.1:8081
> > even though the rule "forward to <httpd> port 8081" does not contain
> > "with tls"
> >
> > Gábor Hidvégi
> >