Re: relayd https relay

2017-09-21 Thread rosjat 
I want to go with let's encrypt certifcates so if I provide the pem 
created by the acme-client it should be ok even it seems not for now.


I dont know if relayd development is going to add SNI sometime soon but 
for now I could live with a certificate that basically has all my served 
domains as in the SAN field.




Am 21.09.2017 um 14:49 schrieb trondd:

On Thu, September 21, 2017 8:25 am, rosjat wrote:

I try to figure out the ca file option mentioned by ronan maybe this is
some kind of option here.



Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers.
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'


Am 21.09.2017 um 14:11 schrieb trondd:

On Thu, September 21, 2017 3:49 am, rosjat wrote:

Hi,

so I added the with tls keywords to the relay and my webserver gets
request now but from my relayhost and this is making the way back quiet
hard :(

so I added the X Headers for Forwarded-For and Forwarded-By but it
still
leaves the question how to tell the relayhost to just let it all out
like in a normal rdr-to rule in pf? Like I said pf rule just works fine
so the traffic can go thorugh all the interfaces just fine.

regards

MArkus



You can't do what you want with a layer 7 relay in relayd.  Redirect
rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to
the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for
each
web site, you're stuck.  You either need to use different ports, which
is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but
it'll
be relayd using the web server certificate, not the user.







--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-21 Thread trondd 
On Thu, September 21, 2017 8:25 am, rosjat wrote:
> I try to figure out the ca file option mentioned by ronan maybe this is
> some kind of option here.
>

Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers. 
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'

> Am 21.09.2017 um 14:11 schrieb trondd:
>> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>>> Hi,
>>>
>>> so I added the with tls keywords to the relay and my webserver gets
>>> request now but from my relayhost and this is making the way back quiet
>>> hard :(
>>>
>>> so I added the X Headers for Forwarded-For and Forwarded-By but it
>>> still
>>> leaves the question how to tell the relayhost to just let it all out
>>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
>>> so the traffic can go thorugh all the interfaces just fine.
>>>
>>> regards
>>>
>>> MArkus
>>>
>>
>> You can't do what you want with a layer 7 relay in relayd.  Redirect
>> rules
>> in pf work because pf doesn't know or care about DNS host names.
>>
>> Because you are using SSL, once you need to make decisions based on the
>> host, you have two options:
>>
>> A relay server that supports SNI so it can see the Host and forward to
>> the
>> right server.  Or terminating the SSL encryption at the relay server so
>> you can read the unencrypted host value.
>>
>> Option 2 is required for relayd as it does not support SNI.  But that
>> means the relay server holds the SSL certificate.  You can only have 1
>> certificate per IP and port.  If you want to use individual certs for
>> each
>> web site, you're stuck.  You either need to use different ports, which
>> is
>> typically a non-starter for web sites, or put multiple IPs on the relay
>> box.
>>
>> If security between the relay server and web servers is necessary (don't
>> trust someone else's network, and if possible, don't trust your own) you
>> can re-encrypt the communication from relayd and the web server but
>> it'll
>> be relayd using the web server certificate, not the user.
>>

Re: relayd https relay

2017-09-21 Thread rosjat 
I try to figure out the ca file option mentioned by ronan maybe this is 
some kind of option here.


Am 21.09.2017 um 14:11 schrieb trondd:

On Thu, September 21, 2017 3:49 am, rosjat wrote:

Hi,

so I added the with tls keywords to the relay and my webserver gets
request now but from my relayhost and this is making the way back quiet
hard :(

so I added the X Headers for Forwarded-For and Forwarded-By but it still
leaves the question how to tell the relayhost to just let it all out
like in a normal rdr-to rule in pf? Like I said pf rule just works fine
so the traffic can go thorugh all the interfaces just fine.

regards

MArkus



You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.



--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-21 Thread trondd 
On Thu, September 21, 2017 3:49 am, rosjat wrote:
> Hi,
>
> so I added the with tls keywords to the relay and my webserver gets
> request now but from my relayhost and this is making the way back quiet
> hard :(
>
> so I added the X Headers for Forwarded-For and Forwarded-By but it still
> leaves the question how to tell the relayhost to just let it all out
> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
> so the traffic can go thorugh all the interfaces just fine.
>
> regards
>
> MArkus
>

You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.

Re: relayd https relay

2017-09-21 Thread rosjat 

Hi,

so I added the with tls keywords to the relay and my webserver gets 
request now but from my relayhost and this is making the way back quiet 
hard :(


so I added the X Headers for Forwarded-For and Forwarded-By but it still 
leaves the question how to tell the relayhost to just let it all out 
like in a normal rdr-to rule in pf? Like I said pf rule just works fine 
so the traffic can go thorugh all the interfaces just fine.


regards

MArkus

Am 21.09.2017 um 08:27 schrieb rosjat:

Hi there,

ok I tried the with tls option and I can al least see relayd tries to 
send the request to the webserver. I still cant get a proper response 
from the webserver. When I do da simple rdr-to rule in pf it just works.


Do I need to do some magic that I miss still?

Regards

MArkus

Am 21.09.2017 um 07:19 schrieb rosjat:

Hi Ronan,

thanks for the hint I'll give it a try!

regards

Markus

Am 20.09.2017 um 21:30 schrieb Ronan Viel:

Hi,
This kind of config works perfectly on my box. I am not sure SNI has 
something to do here as relayd terminates the https connection, gets 
all the headers and reopens a new one.

I just think you forgot the "with tls"  in your forward directive below:

relay "proxyssl" {
    listen on $gateway  port https
    protocol "httpproxy"

    forward with tls to   port https
}

Do not forget to set a "ca file" in your protocol section if you want 
relayd to check the certificate of your target's server (see 
relayd.conf man).


Ronan







--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-21 Thread rosjat 

Hi there,

ok I tried the with tls option and I can al least see relayd tries to 
send the request to the webserver. I still cant get a proper response 
from the webserver. When I do da simple rdr-to rule in pf it just works.


Do I need to do some magic that I miss still?

Regards

MArkus

Am 21.09.2017 um 07:19 schrieb rosjat:

Hi Ronan,

thanks for the hint I'll give it a try!

regards

Markus

Am 20.09.2017 um 21:30 schrieb Ronan Viel:

Hi,
This kind of config works perfectly on my box. I am not sure SNI has 
something to do here as relayd terminates the https connection, gets 
all the headers and reopens a new one.

I just think you forgot the "with tls"  in your forward directive below:

relay "proxyssl" {
    listen on $gateway  port https
    protocol "httpproxy"

    forward with tls to   port https
}

Do not forget to set a "ca file" in your protocol section if you want 
relayd to check the certificate of your target's server (see 
relayd.conf man).


Ronan





--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-20 Thread rosjat 

Hi Ronan,

thanks for the hint I'll give it a try!

regards

Markus

Am 20.09.2017 um 21:30 schrieb Ronan Viel:

Hi,
This kind of config works perfectly on my box. I am not sure SNI has something 
to do here as relayd terminates the https connection, gets all the headers and 
reopens a new one.
I just think you forgot the "with tls"  in your forward directive below:

relay "proxyssl" {
listen on $gateway  port https
protocol "httpproxy"

forward with tls to   port https
}

Do not forget to set a "ca file" in your protocol section if you want relayd to 
check the certificate of your target's server (see relayd.conf man).

Ronan



--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-20 Thread Ronan Viel 
Hi,
This kind of config works perfectly on my box. I am not sure SNI has something 
to do here as relayd terminates the https connection, gets all the headers and 
reopens a new one. 
I just think you forgot the "with tls"  in your forward directive below:

relay "proxyssl" {
   listen on $gateway  port https
   protocol "httpproxy"

   forward with tls to   port https
}

Do not forget to set a "ca file" in your protocol section if you want relayd to 
check the certificate of your target's server (see relayd.conf man).

Ronan

Re: relayd https relay

2017-09-20 Thread trondd 
On Wed, September 20, 2017 8:10 am, Bryan Harris wrote:
> I don't think you can know the host header unless you decrypt the https
> using a certificate.  It seems that idea would require SNI but I don't
> know
> if they have SNI in relayd/httpd.  (I could be wrong about that.)
>

httpd has SNI, relayd does not.

https://marc.info/?l=openbsd-cvs=147187817314952=2

For these scenarios, I have to turn to www/pound which I like for it's
small size, and chroot support.

Re: relayd https relay

2017-09-20 Thread rosjat 

Hi Brian,

I know that scenario but I want to serve a individual certificate for 
every virtual host (httpd can do that) so I was looking for a simple 
relay by looking at the header but I might cant get it to work this way :(




Am 20.09.2017 um 14:10 schrieb Bryan Harris:

I don't think you can know the host header unless you decrypt the https
using a certificate.  It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd.  (I could be wrong about that.)

In mine I have listen on $ext_addr port 443 tls.  Then exists
/etc/ssl/ipaddr:443.crt file.  Look at phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).

The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.

https://www.michaelwlucas.com/tools/relayd

V/r,
Bryan

On Wed, Sep 20, 2017 at 4:37 AM, rosjat  wrote:


there is of course a tls to much in the config

its just

relay "proxyssl" {
 listen on $gateway  port https
 protocol "httpproxy"

 forward to   port https
}


Am 20.09.2017 um 10:19 schrieb rosjat:


Hi there,

just a simple question about the  relaying of https connections. Is it
possible to simple pass the https traffic to the webserver with relayd? My
naive approach was simply checking the host name in the header and then
forward it to http or https port. This works for http  but with https it
doesnt.


here are my relayd.conf parts


http protocol "httpproxy" {

  match request quick header "Host" value
"random-domain1.tld" forward to 
  match request quick header "Host" value
"random-domain2.tld" forward to 

}

relay "proxy" {
 listen on $gateway  port http
 protocol "httpproxy"

 forward to   port http
 forward to  port http

}

relay "proxyssl" {
 listen on $gateway  port https
 protocol "httpproxy"

 forward to   port https tls
}

with this I dont get a relay for https it seems, if I add tls to the
listen part I got told relayd cant find the certificates. And that is
totally understanable because there are no certs on this machine for these
domains because the are on the webserver machine.


So it all boils down to the question, do I have to set up my certificates
on the relay host to be able to use a https relay ?


regards




--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

Re: relayd https relay

2017-09-20 Thread Bryan Harris 
I don't think you can know the host header unless you decrypt the https
using a certificate.  It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd.  (I could be wrong about that.)

In mine I have listen on $ext_addr port 443 tls.  Then exists
/etc/ssl/ipaddr:443.crt file.  Look at phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).

The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.

https://www.michaelwlucas.com/tools/relayd

V/r,
Bryan

On Wed, Sep 20, 2017 at 4:37 AM, rosjat  wrote:

> there is of course a tls to much in the config
>
> its just
>
> relay "proxyssl" {
> listen on $gateway  port https
> protocol "httpproxy"
>
> forward to   port https
> }
>
>
> Am 20.09.2017 um 10:19 schrieb rosjat:
>
>> Hi there,
>>
>> just a simple question about the  relaying of https connections. Is it
>> possible to simple pass the https traffic to the webserver with relayd? My
>> naive approach was simply checking the host name in the header and then
>> forward it to http or https port. This works for http  but with https it
>> doesnt.
>>
>>
>> here are my relayd.conf parts
>>
>>
>> http protocol "httpproxy" {
>>
>>  match request quick header "Host" value
>> "random-domain1.tld" forward to 
>>  match request quick header "Host" value
>> "random-domain2.tld" forward to 
>>
>> }
>>
>> relay "proxy" {
>> listen on $gateway  port http
>> protocol "httpproxy"
>>
>> forward to   port http
>> forward to  port http
>>
>>}
>>
>> relay "proxyssl" {
>> listen on $gateway  port https
>> protocol "httpproxy"
>>
>> forward to   port https tls
>> }
>>
>> with this I dont get a relay for https it seems, if I add tls to the
>> listen part I got told relayd cant find the certificates. And that is
>> totally understanable because there are no certs on this machine for these
>> domains because the are on the webserver machine.
>>
>>
>> So it all boils down to the question, do I have to set up my certificates
>> on the relay host to be able to use a https relay ?
>>
>>
>> regards
>>
>>
>>
> --
> Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>
>

Re: relayd https relay

2017-09-20 Thread rosjat 

there is of course a tls to much in the config

its just

relay "proxyssl" {
listen on $gateway  port https
protocol "httpproxy"

forward to   port https
}


Am 20.09.2017 um 10:19 schrieb rosjat:

Hi there,

just a simple question about the  relaying of https connections. Is it 
possible to simple pass the https traffic to the webserver with relayd? 
My naive approach was simply checking the host name in the header and 
then forward it to http or https port. This works for http  but with 
https it doesnt.



here are my relayd.conf parts


http protocol "httpproxy" {

     match request quick header "Host" value 
"random-domain1.tld" forward to 
     match request quick header "Host" value 
"random-domain2.tld" forward to 


}

relay "proxy" {
    listen on $gateway  port http
    protocol "httpproxy"

    forward to   port http
    forward to  port http

   }

relay "proxyssl" {
    listen on $gateway  port https
    protocol "httpproxy"

    forward to   port https tls
}

with this I dont get a relay for https it seems, if I add tls to the 
listen part I got told relayd cant find the certificates. And that is 
totally understanable because there are no certs on this machine for 
these domains because the are on the webserver machine.



So it all boils down to the question, do I have to set up my 
certificates on the relay host to be able to use a https relay ?



regards




--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT

relayd https relay

2017-09-20 Thread rosjat 

Hi there,

just a simple question about the  relaying of https connections. Is it 
possible to simple pass the https traffic to the webserver with relayd? 
My naive approach was simply checking the host name in the header and 
then forward it to http or https port. This works for http  but with 
https it doesnt.



here are my relayd.conf parts


http protocol "httpproxy" {

    match request quick header "Host" value 
"random-domain1.tld" forward to 
    match request quick header "Host" value 
"random-domain2.tld" forward to 


}

relay "proxy" {
   listen on $gateway  port http
   protocol "httpproxy"

   forward to   port http
   forward to  port http

  }

relay "proxyssl" {
   listen on $gateway  port https
   protocol "httpproxy"

   forward to   port https tls
}

with this I dont get a relay for https it seems, if I add tls to the 
listen part I got told relayd cant find the certificates. And that is 
totally understanable because there are no certs on this machine for 
these domains because the are on the webserver machine.



So it all boils down to the question, do I have to set up my 
certificates on the relay host to be able to use a https relay ?



regards


--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you 
print it, think about your responsibility and commitment to the ENVIRONMENT