I see what you're saying.  I was wondering how MITM would work too, and I
just assumed there was some magic built into relayd.

I don't actually want to modify the headers and stuff, I really just want to
forward the traffic like a load balancer.  I just followed the example for
setting up an http relay and assumed that setting up an https relay was
almost the same.  I'll try using a regular tcp relay.  Thank you.
Kevin


On Mon, Feb 9, 2009 at 3:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
> > Is there something in my configuration file that I need to specify to ensure
> > that https requests are sent to the servers?  I've looked at a few examples
> > online and I haven't seen anything that fits the bill.  Here is my
> > relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers,
> and then re-encrypt to the server.
>
> relayd doesn't have this feature (mitm mode? :-)
>
> it could probably be added as an option to "forward to" for a
> relay, but this would bring some questions about how to handle
> invalid certificates at the backend server, etc... (and without
> safe ways to handle that, you might as well keep the cleartext
> to the backend).
>
> with what's currently available in relayd, you would have to
> use a plain TCP relay for HTTPS.
>
> > table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
> > web_port="80"
> > ssl_port="443"
> > bge0_ip="134.29.32.88"
> >
> > interval 10
> > timeout 200
> > prefork 5
> > log updates
> >
> > http protocol "httpfilter" {
> >    # TCP Performance options
> >    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> >
> >    # Return HTTP/HTML error pages
> >    return error
> >
> >    # allow logging of remote client ips to internal web servers
> >    header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >
> >    # Set keep alive timeout to global timeout
> >    header change "Keep-Alive" to "$TIMEOUT"
> >
> >    # Close connection upon receipt
> >    header change "Connection" to "close"
> >
> >    # Anonymize webservers name/type
> >    response header change "Server" to "Something"
> >
> >    # SSL options
> >    ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
> > }
> >
> > relay web_proxy {
> >    listen on $bge0_ip port $ssl_port ssl
> >    protocol "httpfilter"
> >    forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
> > }
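As an added example (not from the thread), the same relay reworked as a plain TCP relay, the way Stuart describes; table names, addresses and the backend health check are reused from Kevin's config above, and the protocol name "tcppass" and relay name "https_proxy" are assumed names chosen for this example.

```conf
# Constructed example, not the original relayd.conf from the thread.
# relayd no longer terminates TLS here: the client's TLS session runs
# end-to-end to the backend, and relayd only forwards the bytes.
table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
ssl_port="443"
bge0_ip="134.29.32.88"

interval 10
timeout 200
prefork 5
log updates

# A tcp protocol replaces the http protocol. With the TLS stream opaque to
# relayd, no header rule ("X-Forwarded-For", "Server", "Connection") can
# apply, and the "ssl { ... }" block is dropped because relayd presents no
# certificate of its own on this listener.
tcp protocol "tcppass" {
    # TCP performance options, kept from the original protocol
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
}

relay https_proxy {
    # No "ssl" keyword on listen: accept raw TCP on 443, do not decrypt it
    listen on $bge0_ip port $ssl_port
    protocol "tcppass"
    # The health check still speaks HTTPS to each backend (relayd initiates
    # that TLS handshake itself), exactly as in the original config
    forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
}
```

Because relayd is no longer the TLS endpoint, the certificate the client validates is the backend's own, so each host in the table must present a certificate valid for the name the client connected to; the backends also see relayd's address rather than the client's, since the X-Forwarded-For header can no longer be appended.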
