Re: relayd ssl to ssl not working. Sends http request to https port

2009-03-09 Thread kevin thompson
Sorry to dredge this back up from a month ago, but I wanted to get some
clarification.

If I wanted to have a gateway that accepts https connections from clients
and then proxies them over to https servers am I just out of luck?  Is it
that it cannot be done at all, or just that it cannot be done with relayd
and there is some other tool I should look at.

I'd like to look at making an open version of an Application Layer Firewall
(as required by the PCI DSS).  Ideally, I would be able to have clients
connect to port 443 on the OpenBSD gateway and the OpenBSD gateway would
decrypt the traffic, reassemble it, run it through snort, and maybe check
the headers for some expected values.  Then if everything is good, open a
connection to the server and pass the traffic on.  Can it be done on
OpenBSD?  Where do I need to look to learn more?  I've pored over the
documentation for relayd and pf, but I'm not seeing the ability to do what
I'm talking about here.

It probably sounds like Man in the Middle mode described below.  You're
right, dealing with bad certificates would be a pain in the butt.  Maybe we
could require the firewall admin to provide the certificate that is expected
from the server.  So whether it is bad or not, it has to match what the
firewall was expecting or the host is considered down and taken out of
rotation.

Kevin


On Mon, Feb 9, 2009 at 4:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
>> Is there something in my configuration file that I need to specify to
>> ensure that https requests are sent to the servers?  I've looked at a few
>> examples online and I haven't seen anything that fits the bill.  Here is my
>> relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers,
> and then re-encrypt to the server.
>
> relayd doesn't have this feature (mitm mode? :-)
>
> it could probably be added as an option to "forward to" for a
> relay, but this would bring some questions about how to handle
> invalid certificates at the backend server, etc... (and without
> safe ways to handle that, you might as well keep the cleartext
> to the backend).
>
> with what's currently available in relayd, you would have to
> use a plain TCP relay for HTTPS.
>
>> table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
>> web_port="80"
>> ssl_port="443"
>> bge0_ip="134.29.32.88"
>>
>> interval 10
>> timeout 200
>> prefork 5
>> log updates
>>
>> http protocol httpfilter {
>>    # TCP Performance options
>>    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>>
>>    # Return HTTP/HTML error pages
>>    return error
>>
>>    # allow logging of remote client ips to internal web servers
>>    header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>
>>    # Set keep alive timeout to global timeout
>>    header change "Keep-Alive" to "$TIMEOUT"
>>
>>    # Close connection upon receipt
>>    header change "Connection" to "close"
>>
>>    # Anonymize webservers name/type
>>    response header change "Server" to "Something"
>>
>>    # SSL options
>>    ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
>> }
>>
>> relay web_proxy {
>>    listen on $bge0_ip port $ssl_port ssl
>>    protocol httpfilter
>>    forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
>> }
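
What relayd as shipped in OpenBSD 4.4 can do with the first part of that wish list, shown here as an added example that is not part of any message in this thread: terminate the client's TLS session on the gateway, filter and rewrite the HTTP layer, and forward the decrypted request to the backends in cleartext. A "forward to" that re-encrypts did not exist in that release, as Stuart's quoted reply says; later relayd releases added "forward with tls to" for that. The table, address and macro names are taken from the posted config; the filtered path, the filtered User-Agent value and the certificate file names are assumptions made for illustration.

```conf
# Added example, not the poster's configuration.  Syntax as in relayd.conf(5)
# for OpenBSD 4.4; values marked "assumed" do not come from the thread.
bge0_ip="134.29.32.88"
ssl_port="443"
web_port="80"

interval 10
timeout 200
prefork 5
log updates

# Backends as posted.  They receive cleartext HTTP on $web_port, so this
# leg belongs on a private network that only the gateway can reach.
table <web_server> { www.mnsu.edu, secure.mnsu.edu }

http protocol httpinspect {
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }

	# Answer refused requests with an HTML error page instead of a reset
	return error

	# Refuse a path the application does not expose (assumed path).
	# A "url" value is matched against host and request path together.
	label "URL filtered"
	request url filter "www.mnsu.edu/server-status"
	no label

	# Refuse a request header value we never expect to see (assumed value)
	label "Client not allowed"
	header filter "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" from "User-Agent"
	no label

	# Tell the backends who the real client was, and hide what they run
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header change "Connection" to "close"
	response header change "Server" to "Something"

	# Client-facing TLS.  relayd loads the key and certificate for the
	# listening address from /etc/ssl/private/134.29.32.88.key and
	# /etc/ssl/134.29.32.88.crt (assumed file names).
	ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH:!ADH" }
}

relay web_inspect {
	# "ssl" here: the client's TLS session ends on this machine ...
	listen on $bge0_ip port $ssl_port ssl
	protocol httpinspect
	# ... and the decrypted request goes to the backends' plain HTTP port.
	forward to <web_server> port $web_port mode loadbalance \
		check http "/" code 200
}
```

The snort pass the poster wants is not a relayd feature, but once TLS is terminated the backend leg is cleartext, so a sensor on the gateway's backend-facing interface sees every request and response unencrypted. The price is that anything else between the gateway and the backends can read that traffic too, which is the trade-off Stuart's reply points at: either keep that leg on an isolated network, or use a layer-4 passthrough and give up inspection.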



Re: NAT, Firewall pf

2009-02-23 Thread kevin thompson
I'm a lurker on this mailing list, and I'm no master of pf, but I think the
problem is that your block statement comes before all of your pass
statements.  In most firewall configurations, rules are processed until one
matches and then no others are processed.  So if the first rule that matches
your packets is block everything and log it then that is all you will get.
Try moving your block statement to the end of the pf.conf file.

Kevin


On Mon, Feb 23, 2009 at 7:58 PM, Hilco Wijbenga <hilco.wijbe...@gmail.com> wrote:

> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in
> OpenBSD. I have "The Book of PF" and "Secure Architectures
> with OpenBSD" so I thought it would be very simple. Well, we're two
> weeks later now and still no firewall. :-) The pf rules I found in
> those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My
> firewall will be running a few services for my network (DHCP, NTP, and
> DNS). I need to use NAT to get my own network Internet access. DHCP
> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
> ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need).
> Wouldn't 12 be for incoming requests from the Internet?
> b. Given that ping works from my network (so that presumably routing
> is okay), why doesn't anything else work? HTTP seems blocked by the
> firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.
> d. Any other pointers?
>
> Cheers,
> Hilco
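
An added example, not part of either message above, of the same firewall written around how pf evaluates a ruleset, in the pf.conf(5) syntax of OpenBSD 4.4: rules are evaluated top to bottom and the last matching rule wins, except that a matching rule marked "quick" ends evaluation at once; and translation ("nat" rules) is applied before filtering, so a filter rule on $ext_if sees the packet with ($ext_if) as its source address. The interface names and services are the posted ones; everything else is assumed.

```conf
# Added example, not Hilco's file.  Syntax as in pf.conf(5) for OpenBSD 4.4,
# where translation is still a separate "nat" rule.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

set skip on lo

# Translation happens before filtering: any rule evaluated on $ext_if sees
# ($ext_if) as the source of LAN traffic, never an address in $localnet.
nat on $ext_if from $localnet to any -> ($ext_if)

# "quick" is the one exception to last-match-wins: evaluation stops at the
# first matching quick rule, so spoofed packets are dropped whatever follows.
antispoof log quick for { lo $int_if }

# Default deny goes FIRST.  pf keeps evaluating and the last matching rule
# wins, so every "pass" below overrides this "block" for the packets it
# matches.  Putting "block log all" last would make it win instead.
block log all

# The only unsolicited traffic accepted from the Internet.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_types

# LAN clients may go anywhere.  "keep state" means the replies match the
# state entry and never re-enter the ruleset.
pass in on $int_if from $localnet to any keep state

# Packets leaving on $ext_if: the firewall's own resolver and NTP queries,
# and the translated LAN traffic.  "from $localnet" could not match here.
pass out on $ext_if from ($ext_if) to any keep state

# The firewall's own DNS and NTP, reachable from the LAN only.
pass in on $int_if proto { tcp, udp } from $localnet to ($int_if) port $udp_services
```

Two things about the posted rules follow from this. "block log all" as the first rule is the usual default-deny idiom and does not need to move; each later "pass" overrides it for the packets it matches. Rule 12 matches because $ext_if:network contains the firewall's own external address, which is the source of its outbound DNS and NTP queries; rule 13 cannot match on $ext_if because that source has already been translated there (on $int_if, rule 17 already covers what 13 would). But "from $internet to any" also admits unsolicited DNS and NTP from every host on the upstream subnet, which is why the version above confines those services to the LAN and lets the firewall's own queries out with a state-creating "pass out" rule. For question (c), pflogd(8) buffers its writes and flushes every 60 seconds by default; "pflogd -d 1" shortens that, and "tcpdump -n -e -ttt -i pflog0" shows blocked packets as they happen.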



relayd ssl to ssl not working. Sends http request to https port

2009-02-09 Thread kevin thompson
I posted a couple weeks ago about my relayd configuration and how it seemed
that it was not relaying traffic.  Since then I have been trying to simplify
the configuration and make *something* work.  I was successful in getting
relayd to listen on port 80 and forward traffic to a group of other web
servers on port 80.  However, I haven't been able to do anything more
complicated than that.

Right now I am trying to listen on port 443 for incoming connections and
relay them to a group of web servers that are listening on port 443.  Most
of the time, nothing happens.  It just seems to hang there.  However, I did
manage to get a useful error from a web server the other day.
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Is there something in my configuration file that I need to specify to ensure
that https requests are sent to the servers?  I've looked at a few examples
online and I haven't seen anything that fits the bill.  Here is my
relayd.conf file

table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
web_port="80"
ssl_port="443"
bge0_ip="134.29.32.88"

interval 10
timeout 200
prefork 5
log updates

http protocol httpfilter {
   # TCP Performance options
   tcp { nodelay, sack, socket buffer 65536, backlog 100 }

   # Return HTTP/HTML error pages
   return error

   # allow logging of remote client ips to internal web servers
   header append "$REMOTE_ADDR" to "X-Forwarded-For"

   # Set keep alive timeout to global timeout
   header change "Keep-Alive" to "$TIMEOUT"

   # Close connection upon receipt
   header change "Connection" to "close"

   # Anonymize webservers name/type
   response header change "Server" to "Something"

   # SSL options
   ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay web_proxy {
   # "ssl" here makes relayd terminate the client's TLS session; what it
   # forwards below is the decrypted HTTP request
   listen on $bge0_ip port $ssl_port ssl
   protocol httpfilter
   forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
}



Re: relayd ssl to ssl not working. Sends http request to https port

2009-02-09 Thread kevin thompson
I see what you're saying.  I was wondering how MITM would work too, and I
just assumed there was some magic built into relayd.

I don't actually want to modify the headers and stuff, I really just want to
forward the traffic like a load balancer.  I just followed the example for
setting up an http relay and assumed that setting up an https relay was
almost the same.  I'll try using a regular tcp relay.  Thank you.
Kevin


On Mon, Feb 9, 2009 at 3:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
>> Is there something in my configuration file that I need to specify to
>> ensure that https requests are sent to the servers?  I've looked at a few
>> examples online and I haven't seen anything that fits the bill.  Here is my
>> relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers,
> and then re-encrypt to the server.
>
> relayd doesn't have this feature (mitm mode? :-)
>
> it could probably be added as an option to "forward to" for a
> relay, but this would bring some questions about how to handle
> invalid certificates at the backend server, etc... (and without
> safe ways to handle that, you might as well keep the cleartext
> to the backend).
>
> with what's currently available in relayd, you would have to
> use a plain TCP relay for HTTPS.
>
>> table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
>> web_port="80"
>> ssl_port="443"
>> bge0_ip="134.29.32.88"
>>
>> interval 10
>> timeout 200
>> prefork 5
>> log updates
>>
>> http protocol httpfilter {
>>    # TCP Performance options
>>    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>>
>>    # Return HTTP/HTML error pages
>>    return error
>>
>>    # allow logging of remote client ips to internal web servers
>>    header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>
>>    # Set keep alive timeout to global timeout
>>    header change "Keep-Alive" to "$TIMEOUT"
>>
>>    # Close connection upon receipt
>>    header change "Connection" to "close"
>>
>>    # Anonymize webservers name/type
>>    response header change "Server" to "Something"
>>
>>    # SSL options
>>    ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
>> }
>>
>> relay web_proxy {
>>    listen on $bge0_ip port $ssl_port ssl
>>    protocol httpfilter
>>    forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
>> }
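
The plain TCP relay Stuart suggests, as an added example that is not part of the thread, in the relayd.conf(5) syntax of OpenBSD 4.4. The table, address and port macros are the posted ones; the protocol name is assumed.

```conf
# Added example, not the poster's configuration.  Syntax as in relayd.conf(5)
# for OpenBSD 4.4.
bge0_ip="134.29.32.88"
ssl_port="443"

interval 10
timeout 200
prefork 5
log updates

table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }

# No "http" keyword: a plain TCP protocol.  relayd copies bytes in both
# directions and never looks inside the TLS stream, so header rewriting
# and the "ssl" block have no place here.
protocol tcppass {
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }
}

relay web_proxy {
	# No "ssl" on the listen line: the client's handshake is not terminated
	# here but travels on to the backend, which therefore sees TLS on 443
	# instead of the cleartext HTTP that produced the Apache error.
	listen on $bge0_ip port $ssl_port
	protocol tcppass
	forward to <ssl_server> port $ssl_port mode loadbalance \
		check https "/" code 200
}
```

With this relay the TLS session runs end to end between client and backend, so there is nothing for relayd to decrypt, rewrite or log at the HTTP layer: no X-Forwarded-For, no Server header rewriting, and the backends see the relay's address as the peer. Each backend must hold a certificate valid for the name the clients connect to, since that is the one the browser checks. The only TLS relayd itself speaks here is the "check https" health check.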



relayd not relaying - I think. Maybe it is. I don't know

2009-02-02 Thread Kevin Thompson
How do you like that for a descriptive subject line?  Sorry, but I 
really don't know what is going wrong so I don't know how to write a 
better one.


I have an OpenBSD host running 4.4 stable.  I have configured relayd to 
accept connections on port 443 and forward them on to one of two hosts 
using loadbalancing.  I am able to connect to the OpenBSD host on port 
443, but then nothing happens.


According to relayctl show sessions there is a connection being relayed:
# relayctl show sessions
session 0:1 134.29.3.217:50025 -> 134.29.52.142:443     RUNNING
    age 00:00:09, idle 00:00:09, relay 1

According to relayctl show hosts both of my destinations are up:
# relayctl show hosts
Id      Type    Name                    Avlblty Status
1       table   cas_server:443                  active (2 hosts up)
1       host    134.29.52.141           100.00% up
                total: 9/9 checks
2       host    134.29.52.142           100.00% up
                total: 9/9 checks

My relayd.conf file is pretty simple since I'm just trying to work up a 
proof of concept right now:

table <cas_server> { 134.29.52.141, 134.29.52.142 }
cas_port="443"
bge0_ip="134.29.32.88"
relayd_port="443"

interval 10
timeout 200
prefork 5
log updates

http protocol httpfilter {
  # TCP Performance options
  tcp { nodelay, sack, socket buffer 65536, backlog 100 }

  # Return HTTP/HTML error pages
  return error

  # allow logging of remote client ips to internal web servers
  header append "$REMOTE_ADDR" to "X-Forwarded-For"

  # Set keep alive timeout to global timeout
  header change "Keep-Alive" to "$TIMEOUT"

  # Close connection upon receipt
  header change "Connection" to "close"

  # Anonymize webservers name/type
  response header change "Server" to "DeezNuts"

  # SSL options
  ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay cas_proxy {
  # "ssl" here makes relayd terminate the client's TLS session; the
  # request forwarded below is the decrypted HTTP
  listen on $bge0_ip port $relayd_port ssl
  protocol httpfilter
  forward to <cas_server> port $cas_port mode loadbalance check https "/" code 200
}

And my pf.conf file is pretty much the stock example file, with my 
interface put in ext_if and uncommenting the lines needed for relayd:

#	$OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="bge0"
#int_if="int0"

#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
anchor "relayd/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto icmp to ($ext_if)
#pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port 443
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

When I try to connect to this machine, I see that a session is being set 
up, and pf also knows that something is going on:

# pfctl -ss
all tcp 134.29.32.88:443 <- 134.29.3.217:50090       FIN_WAIT_2:FIN_WAIT_2

What I don't see is any session going to the two servers that I am 
supposed to be load balancing for.  Also, pf knows that it is supposed 
to be reading anchors for relayd but those files don't seem to be showing 
up anywhere.

# pfctl -sn
rdr-anchor "relayd/*" all
# pfctl -sr
anchor "relayd/*" all
pass in on bge0 proto tcp from any to (bge0) port = https flags S/SA keep state


Shouldn't there be a folder called /etc/relayd that would have some 
files in it?  I don't have that.  Does anyone have any thoughts on what 
I'm missing here?


Kevin Thompson
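
Why the anchor is empty, and what would fill it, as an added example that is not part of the original post. relayd installs its pf rules through /dev/pf rather than from files under /etc, and only a "redirect" produces any: a "relay" is a userland proxy that accepts the connection itself (the FIN_WAIT_2 state above is that accepted connection) and needs nothing from pf beyond the "pass in" rule. The same hosts and address in redirect form, in the relayd.conf(5) syntax of OpenBSD 4.4, with the redirect name assumed:

```conf
# Added example, not the poster's configuration.  Syntax as in relayd.conf(5)
# for OpenBSD 4.4; the redirect name "cas" is assumed.
cas_port="443"
bge0_ip="134.29.32.88"

interval 10
timeout 200
log updates

# relayd mirrors this table into pf and keeps only the hosts that pass
# the health check in it, so a dead backend drops out of the rotation.
table <cas_server> { 134.29.52.141, 134.29.52.142 }

# A redirect, unlike a relay, lives in pf: relayd loads rdr rules into the
# anchor "relayd/cas" and pf rewrites the destination of each new
# connection to a live host in the table.  Neither the TCP connection nor
# the TLS session is terminated on this machine, so the backends see the
# client's own address and its TLS handshake.
redirect cas {
	listen on $bge0_ip port $cas_port
	forward to <cas_server> port $cas_port check https "/" code 200
}
```

With rdr-anchor "relayd/*" and anchor "relayd/*" enabled as in the posted pf.conf, pfctl -a relayd/cas -sn lists the rdr rules relayd loaded, and the mirrored table lives under the same anchor (pfctl -a relayd/cas -t cas_server -T show). Two requirements come with rdr-based balancing that a relay does not have: net.inet.ip.forwarding=1, and a return path through this host, because pf can only undo the translation on replies it sees. Backends on 134.29.52.0/24 that route their replies around 134.29.32.88 would answer the client from their own address, and the client discards such packets.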