Re: relayd ssl to ssl not working. Sends http request to https port
Sorry to dredge this back up from a month ago, but I wanted to get some clarification. If I wanted to have a gateway that accepts https connections from clients and then proxies them over to https servers, am I just out of luck? Is it that it cannot be done at all, or just that it cannot be done with relayd and there is some other tool I should look at?

I'd like to look at making an open version of an Application Layer Firewall (as required by the PCI DSS). Ideally, I would be able to have clients connect to port 443 on the OpenBSD gateway and the OpenBSD gateway would decrypt the traffic, reassemble it, run it through snort, and maybe check the headers for some expected values. Then if everything is good, open a connection to the server and pass the traffic on.

Can it be done on OpenBSD? Where do I need to look to learn more? I've pored over the documentation for relayd and pf, but I'm not seeing the ability to do what I'm talking about here. It probably sounds like the Man in the Middle mode described below. You're right, dealing with bad certificates would be a pain in the butt. Maybe we could require the firewall admin to provide the certificate that is expected from the server. So whether it is bad or not, it has to match what the firewall was expecting or the host is considered down and taken out of rotation.

Kevin

On Mon, Feb 9, 2009 at 4:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
>> Is there something in my configuration file that I need to specify to
>> ensure that https requests are sent to the servers? I've looked at a few
>> examples online and I haven't seen anything that fits the bill. Here is
>> my relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers, and then
> re-encrypt to the server. relayd doesn't have this feature (mitm mode? :-)
> it could probably be added as an option to forward to for a relay, but
> this would bring some questions about how to handle invalid certificates
> at the backend server, etc... (and without safe ways to handle that, you
> might as well keep the cleartext to the backend).
>
> with what's currently available in relayd, you would have to use a plain
> TCP relay for HTTPS.
>
>> table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
>>
>> web_port="80"
>> ssl_port="443"
>> bge0_ip="134.29.32.88"
>>
>> interval 10
>> timeout 200
>> prefork 5
>> log updates
>>
>> http protocol httpfilter {
>>         # TCP Performance options
>>         tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>>
>>         # Return HTTP/HTML error pages
>>         return error
>>
>>         # allow logging of remote client ips to internal web servers
>>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>
>>         # Set keep alive timeout to global timeout
>>         header change "Keep-Alive" to "$TIMEOUT"
>>
>>         # Close connection upon receipt
>>         header change "Connection" to "close"
>>
>>         # Anonymize webservers name/type
>>         response header change "Server" to "Something"
>>
>>         # SSL options
>>         ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
>> }
>>
>> relay web_proxy {
>>         listen on $bge0_ip port $ssl_port ssl
>>         protocol httpfilter
>>         forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
>> }
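The expected-certificate idea in the message above, as an added Python example (not from the thread and not relayd code): the admin pins the SHA-256 fingerprint of each HTTPS backend's certificate, and a host is reported down whenever the certificate it presents does not match that pin. The function names, the pin format and SAMPLE_DER are assumptions.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as lower-case hex (the pin format)."""
    return hashlib.sha256(der_cert).hexdigest()

def normalise_pin(pin: str) -> str:
    """Accept 'AB:CD:...' (openssl -fingerprint style) or bare hex, any case."""
    return pin.replace(":", "").strip().lower()

def cert_matches_pin(der_cert: bytes, pinned_sha256: str) -> bool:
    """True only if the presented certificate is exactly the one the admin pinned."""
    return fingerprint(der_cert) == normalise_pin(pinned_sha256)

def fetch_backend_cert(host: str, port: int, timeout: float) -> bytes:
    """Open a TLS connection and return the backend's leaf certificate (DER).

    Chain and hostname validation are switched off on purpose: in this scheme
    the admin-supplied pin, not a CA, is the trust anchor, and check_backend
    refuses to report the host up until the pin has been verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_backend(host: str, pinned_sha256: str, port: int = 443,
                  timeout: float = 3.0) -> str:
    """Verdict in the spirit of relayd's host checks: 'up' only when the backend
    presents the pinned certificate; a connection or handshake failure, or any
    other certificate, yields 'down' so the host can leave the rotation."""
    try:
        der = fetch_backend_cert(host, port, timeout)
    except (OSError, ssl.SSLError):
        return "down"
    return "up" if cert_matches_pin(der, pinned_sha256) else "down"

# Constructed stand-in for DER certificate bytes; a real pin would come from
# `openssl x509 -in backend.pem -noout -sha256 -fingerprint` on the expected cert.
SAMPLE_DER = b"constructed stand-in for a backend certificate"
```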
Re: NAT, Firewall pf
I'm a lurker on this mailing list, and I'm no master of pf, but I think the problem is that your block statement comes before all of your pass statements. In most firewall configurations, rules are processed until one matches and then no others are processed. So if the first rule that matches your packets is block everything and log it, then that is all you will get. Try moving your block statement to the end of the pf.conf file.

Kevin

On Mon, Feb 23, 2009 at 7:58 PM, Hilco Wijbenga <hilco.wijbe...@gmail.com> wrote:
> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in OpenBSD. I have The Book of PF and Secure Architectures with OpenBSD so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.
>
> /etc/pf.conf
> 01 ext_if = sk0
> 02 int_if = sk1
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = { domain, ntp }
> 06 icmp_types = { echoreq, unreach }
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?
> b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.
> d. Any other pointers?
>
> Cheers,
> Hilco
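A small model of pf's rule evaluation run over the ruleset posted above, added here as an example and not part of either message. It encodes two behaviours documented in pf.conf(5) of that era: every rule is evaluated and the last matching one wins unless a rule is marked quick, and on the outbound interface the nat rule on line 08 has already replaced a $localnet source with the ($ext_if) address before the filter rules see the packet. The addresses, the LAN host and the packet helper are assumptions.

```python
import ipaddress

# Hypothetical addressing for the posted ruleset (the post gives none).
LOCALNET = ipaddress.ip_network("192.168.1.0/24")   # $localnet = $int_if:network
INTERNET = ipaddress.ip_network("203.0.113.0/24")   # $internet = $ext_if:network
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")      # lo0:network
EXT_ADDR = ipaddress.ip_address("203.0.113.5")      # ($ext_if), the nat source
UDP_SERVICES = {53, 123}                            # { domain, ntp }

# (action, quick, protocols, source networks, destination ports); None = any.
# Mirrors lines 10 to 17 of the posted pf.conf; icmp-type is not modelled.
RULES = [
    ("block", False, None, None, None),                        # 10
    ("pass", True, {"tcp", "udp"}, [INTERNET], UDP_SERVICES),  # 12
    ("pass", True, {"tcp", "udp"}, [LOCALNET], UDP_SERVICES),  # 13
    ("pass", True, {"tcp", "udp"}, [LOOPBACK], UDP_SERVICES),  # 14
    ("pass", False, {"icmp"}, None, None),                     # 16
    ("pass", False, None, [LOOPBACK, LOCALNET], None),         # 17
]

def matches(rule, pkt):
    _, _, protos, srcs, ports = rule
    if protos is not None and pkt["proto"] not in protos:
        return False
    if srcs is not None and not any(pkt["src"] in net for net in srcs):
        return False
    return ports is None or pkt.get("dport") in ports

def evaluate(pkt):
    """pf semantics: all rules are tried in order, the LAST match decides,
    and a matching 'quick' rule ends evaluation on the spot."""
    decision = "pass"            # pf's default when nothing matches
    for rule in RULES:
        if matches(rule, pkt):
            decision = rule[0]
            if rule[1]:
                break
    return decision

def nat_outbound(pkt):
    """Leaving $ext_if, line 08 has already rewritten a $localnet source
    to ($ext_if) by the time the filter rules see the packet."""
    return {**pkt, "src": EXT_ADDR} if pkt["src"] in LOCALNET else pkt

def trace(pkt):
    """Verdicts for a LAN packet: entering on $int_if, then leaving on $ext_if."""
    return evaluate(pkt), evaluate(nat_outbound(pkt))

def lan_packet(proto, dport=None):
    """Constructed packet from a LAN host."""
    return {"proto": proto, "src": ipaddress.ip_address("192.168.1.10"), "dport": dport}
```

DNS and ping from the LAN pass on both legs, while HTTP passes on $int_if but is caught by line 10 on $ext_if because after nat its source is no longer in $localnet and line 12 only covers $udp_services.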
relayd ssl to ssl not working. Sends http request to https port
I posted a couple weeks ago about my relayd configuration and how it seemed that it was not relaying traffic. Since then I have been trying to simplify the configuration and make *something* work. I was successful in getting relayd to listen on port 80 and forward traffic to a group of other web servers on port 80. However, I haven't been able to do anything more complicated than that.

Right now I am trying to listen on port 443 for incoming connections and relay them to a group of web servers that are listening on port 443. Most of the time, nothing happens. It just seems to hang there. However, I did manage to get a useful error from a web server the other day:

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

Is there something in my configuration file that I need to specify to ensure that https requests are sent to the servers? I've looked at a few examples online and I haven't seen anything that fits the bill. Here is my relayd.conf file:

table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }

web_port="80"
ssl_port="443"
bge0_ip="134.29.32.88"

interval 10
timeout 200
prefork 5
log updates

http protocol httpfilter {
        # TCP Performance options
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }

        # Return HTTP/HTML error pages
        return error

        # allow logging of remote client ips to internal web servers
        header append "$REMOTE_ADDR" to "X-Forwarded-For"

        # Set keep alive timeout to global timeout
        header change "Keep-Alive" to "$TIMEOUT"

        # Close connection upon receipt
        header change "Connection" to "close"

        # Anonymize webservers name/type
        response header change "Server" to "Something"

        # SSL options
        ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay web_proxy {
        listen on $bge0_ip port $ssl_port ssl
        protocol httpfilter
        forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
}
Re: relayd ssl to ssl not working. Sends http request to https port
I see what you're saying. I was wondering how MITM would work too, and I just assumed there was some magic built into relayd. I don't actually want to modify the headers and stuff, I really just want to forward the traffic like a load balancer. I just followed the example for setting up an http relay and assumed that setting up an https relay was almost the same. I'll try using a regular tcp relay.

Thank you.

Kevin

On Mon, Feb 9, 2009 at 3:15 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2009-02-09, kevin thompson <kevin.david.thomp...@gmail.com> wrote:
>> Is there something in my configuration file that I need to specify to
>> ensure that https requests are sent to the servers? I've looked at a few
>> examples online and I haven't seen anything that fits the bill. Here is
>> my relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers, and then
> re-encrypt to the server. relayd doesn't have this feature (mitm mode? :-)
> it could probably be added as an option to forward to for a relay, but
> this would bring some questions about how to handle invalid certificates
> at the backend server, etc... (and without safe ways to handle that, you
> might as well keep the cleartext to the backend).
>
> with what's currently available in relayd, you would have to use a plain
> TCP relay for HTTPS.
>
>> table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
>>
>> web_port="80"
>> ssl_port="443"
>> bge0_ip="134.29.32.88"
>>
>> interval 10
>> timeout 200
>> prefork 5
>> log updates
>>
>> http protocol httpfilter {
>>         # TCP Performance options
>>         tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>>
>>         # Return HTTP/HTML error pages
>>         return error
>>
>>         # allow logging of remote client ips to internal web servers
>>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>
>>         # Set keep alive timeout to global timeout
>>         header change "Keep-Alive" to "$TIMEOUT"
>>
>>         # Close connection upon receipt
>>         header change "Connection" to "close"
>>
>>         # Anonymize webservers name/type
>>         response header change "Server" to "Something"
>>
>>         # SSL options
>>         ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
>> }
>>
>> relay web_proxy {
>>         listen on $bge0_ip port $ssl_port ssl
>>         protocol httpfilter
>>         forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
>> }
relayd not relaying - I think. Maybe it is. I don't know
How do you like that for a descriptive subject line? Sorry, but I really don't know what is going wrong so I don't know how to write a better one.

I have an OpenBSD host running 4.4 stable. I have configured relayd to accept connections on port 443 and forward them on to one of two hosts using loadbalancing. I am able to connect to the OpenBSD host on port 443, but then nothing happens.

According to relayctl show sessions there is a connection being relayed:

# relayctl show sessions
session 0:1 134.29.3.217:50025 -> 134.29.52.142:443  RUNNING
        age 00:00:09, idle 00:00:09, relay 1

According to relayctl show hosts both of my destinations are up:

# relayctl show hosts
Id      Type    Name                    Avlblty Status
1       table   cas_server:443          active (2 hosts up)
1       host    134.29.52.141           100.00% up
                total: 9/9 checks
2       host    134.29.52.142           100.00% up
                total: 9/9 checks

My relayd.conf file is pretty simple since I'm just trying to work up a proof of concept right now:

table <cas_server> { 134.29.52.141, 134.29.52.142 }

cas_port="443"
bge0_ip="134.29.32.88"
relayd_port="443"

interval 10
timeout 200
prefork 5
log updates

http protocol httpfilter {
        # TCP Performance options
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }

        # Return HTTP/HTML error pages
        return error

        # allow logging of remote client ips to internal web servers
        header append "$REMOTE_ADDR" to "X-Forwarded-For"

        # Set keep alive timeout to global timeout
        header change "Keep-Alive" to "$TIMEOUT"

        # Close connection upon receipt
        header change "Connection" to "close"

        # Anonymize webservers name/type
        response header change "Server" to "DeezNuts"

        # SSL options
        ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay cas_proxy {
        listen on $bge0_ip port $relayd_port ssl
        protocol httpfilter
        forward to <cas_server> port $cas_port mode loadbalance check https "/" code 200
}

And my pf.conf file is pretty much the stock example file, with my interface put in ext_if and uncommenting the lines needed for relayd:

# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="bge0"
#int_if="int0"

#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
anchor "relayd/*"

#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto icmp to ($ext_if)
#pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port 443
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

When I try to connect to this machine, I see that a session is being set up, and pf also knows that something is going on:

# pfctl -ss
all tcp 134.29.32.88:443 <- 134.29.3.217:50090       FIN_WAIT_2:FIN_WAIT_2

What I don't see is any session going to the two servers that I am supposed to be load balancing for. Also, pf knows that it is supposed to be reading anchors for relayd but those files don't seem to be showing up anywhere.

# pfctl -sn
rdr-anchor "relayd/*" all
# pfctl -sr
anchor "relayd/*" all
pass in on bge0 proto tcp from any to (bge0) port = https flags S/SA keep state

Shouldn't there be a folder called /etc/relayd that would have some files in it? I don't have that.

Does anyone have any thoughts on what I'm missing here?

Kevin Thompson