I see what you're saying. I was wondering how MITM would work too, and I just assumed there was some magic built into relayd.
I don't actually want to modify the headers and stuff; I really just want to forward the traffic like a load balancer. I just followed the example for setting up an http relay and assumed that setting up an https relay was almost the same. I'll try using a regular tcp relay. Thank you.

Kevin

On Mon, Feb 9, 2009 at 3:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
> > Is there something in my configuration file that I need to specify to ensure
> > that https requests are sent to the servers? I've looked at a few examples
> > online and I haven't seen anything that fits the bill. Here is my
> > relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers,
> and then re-encrypt to the server.
>
> relayd doesn't have this feature (mitm mode? :-)
>
> it could probably be added as an option to "forward to" for a
> relay, but this would bring some questions about how to handle
> invalid certificates at the backend server, etc... (and without
> safe ways to handle that, you might as well keep the cleartext
> to the backend).
>
> with what's currently available in relayd, you would have to
> use a plain TCP relay for HTTPS.
>
> > table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
> > web_port="80"
> > ssl_port="443"
> > bge0_ip="134.29.32.88"
> >
> > interval 10
> > timeout 200
> > prefork 5
> > log updates
> >
> > http protocol "httpfilter" {
> >     # TCP Performance options
> >     tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> >
> >     # Return HTTP/HTML error pages
> >     return error
> >
> >     # allow logging of remote client ips to internal web servers
> >     header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >
> >     # Set keep alive timeout to global timeout
> >     header change "Keep-Alive" to "$TIMEOUT"
> >
> >     # Close connection upon receipt
> >     header change "Connection" to "close"
> >
> >     # Anonymize webservers name/type
> >     response header change "Server" to "Something"
> >
> >     # SSL options
> >     ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
> > }
> >
> > relay web_proxy {
> >     listen on $bge0_ip port $ssl_port ssl
> >     protocol "httpfilter"
> >     forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
> > }
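The plain TCP relay for HTTPS that Stuart suggests, written out as an added example; it is not from the original thread and not relayd's own sample config. It keeps Kevin's table, macros and health check and assumes the same 2009-era relayd.conf syntax as the quoted config; the protocol name "sslpassthru" and the relay name "web_proxy_ssl" are made up here. The point of the change is that the relay no longer terminates SSL (no `ssl` keyword on `listen`), so the TLS handshake and ciphertext are carried straight through to the backend's port 443, which is what the backend expects. The `header` and `response header` directives and the `ssl { ... }` block from "httpfilter" are dropped, since there is no plaintext HTTP on the relay to rewrite.

```conf
# Added example: HTTPS pass-through as a plain TCP relay (not the thread's
# original config). Table, macros and global options as in Kevin's file.
table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
ssl_port="443"
bge0_ip="134.29.32.88"

interval 10
timeout 200
prefork 5
log updates

# A tcp protocol instead of an http protocol: relayd only shuffles bytes
# between client and backend. Only the TCP tuning options carry over;
# header rewrites and the ssl {} block have nothing to apply to here.
# (protocol name "sslpassthru" is an assumption for this example)
tcp protocol "sslpassthru" {
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }
}

# Note: no "ssl" after the port, so the relay never decrypts. The server
# certificate and key therefore live on the backends, not on the relay.
# (relay name "web_proxy_ssl" is an assumption for this example)
relay web_proxy_ssl {
	listen on $bge0_ip port $ssl_port
	protocol "sslpassthru"
	forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
}
```

Two caveats that follow from passing the ciphertext through: the backends see every connection coming from the relay's own address, and there is no way to append X-Forwarded-For or change the Server header without decrypting on the relay, which is exactly the MITM mode Stuart says relayd does not have. The health check is unaffected, because relayd opens its own HTTPS connection to each host for `check https`.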