Re: relayd https relay
I want to go with let's encrypt certifcates so if I provide the pem created by the acme-client it should be ok even it seems not for now. I dont know if relayd development is going to add SNI sometime soon but for now I could live with a certificate that basically has all my served domains as in the SAN field. Am 21.09.2017 um 14:49 schrieb trondd: On Thu, September 21, 2017 8:25 am, rosjat wrote: I try to figure out the ca file option mentioned by ronan maybe this is some kind of option here. Using 'ca file' means you have to decrypt the SSL connection from the clients with relayd then re-encrypt from relayd to the web servers. Clients will only see relayd's SSL certificate. Originally you said you want to use a different cert for each web site. What CA signs the web server certificates? There was a bug, I don't know if it got fixed, in relayd that you can't use a big file of CAs for the 'ca file', the imsg was not chunked and if the file is too big, relayd will fail to start the relay. Take the CA cert that signed the web server certificates and put that into a file and reference that file like 'ca file "/etc/ssl/webca.pem"' Am 21.09.2017 um 14:11 schrieb trondd: On Thu, September 21, 2017 3:49 am, rosjat wrote: Hi, so I added the with tls keywords to the relay and my webserver gets request now but from my relayhost and this is making the way back quiet hard :( so I added the X Headers for Forwarded-For and Forwarded-By but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said pf rule just works fine so the traffic can go thorugh all the interfaces just fine. regards MArkus You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names. Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value. Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box. If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server but it'll be relayd using the web server certificate, not the user. -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
On Thu, September 21, 2017 8:25 am, rosjat wrote: > I try to figure out the ca file option mentioned by ronan maybe this is > some kind of option here. > Using 'ca file' means you have to decrypt the SSL connection from the clients with relayd then re-encrypt from relayd to the web servers. Clients will only see relayd's SSL certificate. Originally you said you want to use a different cert for each web site. What CA signs the web server certificates? There was a bug, I don't know if it got fixed, in relayd that you can't use a big file of CAs for the 'ca file', the imsg was not chunked and if the file is too big, relayd will fail to start the relay. Take the CA cert that signed the web server certificates and put that into a file and reference that file like 'ca file "/etc/ssl/webca.pem"' > Am 21.09.2017 um 14:11 schrieb trondd: >> On Thu, September 21, 2017 3:49 am, rosjat wrote: >>> Hi, >>> >>> so I added the with tls keywords to the relay and my webserver gets >>> request now but from my relayhost and this is making the way back quiet >>> hard :( >>> >>> so I added the X Headers for Forwarded-For and Forwarded-By but it >>> still >>> leaves the question how to tell the relayhost to just let it all out >>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine >>> so the traffic can go thorugh all the interfaces just fine. >>> >>> regards >>> >>> MArkus >>> >> >> You can't do what you want with a layer 7 relay in relayd. Redirect >> rules >> in pf work because pf doesn't know or care about DNS host names. >> >> Because you are using SSL, once you need to make decisions based on the >> host, you have two options: >> >> A relay server that supports SNI so it can see the Host and forward to >> the >> right server. Or terminating the SSL encryption at the relay server so >> you can read the unencrypted host value. >> >> Option 2 is required for relayd as it does not support SNI. But that >> means the relay server holds the SSL certificate. You can only have 1 >> certificate per IP and port. If you want to use individual certs for >> each >> web site, you're stuck. You either need to use different ports, which >> is >> typically a non-starter for web sites, or put multiple IPs on the relay >> box. >> >> If security between the relay server and web servers is necessary (don't >> trust someone else's network, and if possible, don't trust your own) you >> can re-encrypt the communication from relayd and the web server but >> it'll >> be relayd using the web server certificate, not the user. >>
Re: relayd https relay
I try to figure out the ca file option mentioned by ronan maybe this is some kind of option here. Am 21.09.2017 um 14:11 schrieb trondd: On Thu, September 21, 2017 3:49 am, rosjat wrote: Hi, so I added the with tls keywords to the relay and my webserver gets request now but from my relayhost and this is making the way back quiet hard :( so I added the X Headers for Forwarded-For and Forwarded-By but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said pf rule just works fine so the traffic can go thorugh all the interfaces just fine. regards MArkus You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names. Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value. Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box. If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server but it'll be relayd using the web server certificate, not the user. -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
On Thu, September 21, 2017 3:49 am, rosjat wrote: > Hi, > > so I added the with tls keywords to the relay and my webserver gets > request now but from my relayhost and this is making the way back quiet > hard :( > > so I added the X Headers for Forwarded-For and Forwarded-By but it still > leaves the question how to tell the relayhost to just let it all out > like in a normal rdr-to rule in pf? Like I said pf rule just works fine > so the traffic can go thorugh all the interfaces just fine. > > regards > > MArkus > You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names. Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value. Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box. If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server but it'll be relayd using the web server certificate, not the user.
Re: relayd https relay
Hi, so I added the with tls keywords to the relay and my webserver gets request now but from my relayhost and this is making the way back quiet hard :( so I added the X Headers for Forwarded-For and Forwarded-By but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said pf rule just works fine so the traffic can go thorugh all the interfaces just fine. regards MArkus Am 21.09.2017 um 08:27 schrieb rosjat: Hi there, ok I tried the with tls option and I can al least see relayd tries to send the request to the webserver. I still cant get a proper response from the webserver. When I do da simple rdr-to rule in pf it just works. Do I need to do some magic that I miss still? Regards MArkus Am 21.09.2017 um 07:19 schrieb rosjat: Hi Ronan, thanks for the hint I'll give it a try! regards Markus Am 20.09.2017 um 21:30 schrieb Ronan Viel: Hi, This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below: relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward with tls to port https } Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man). Ronan -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
Hi there, ok I tried the with tls option and I can al least see relayd tries to send the request to the webserver. I still cant get a proper response from the webserver. When I do da simple rdr-to rule in pf it just works. Do I need to do some magic that I miss still? Regards MArkus Am 21.09.2017 um 07:19 schrieb rosjat: Hi Ronan, thanks for the hint I'll give it a try! regards Markus Am 20.09.2017 um 21:30 schrieb Ronan Viel: Hi, This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below: relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward with tls to port https } Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man). Ronan -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
Hi Ronan, thanks for the hint I'll give it a try! regards Markus Am 20.09.2017 um 21:30 schrieb Ronan Viel: Hi, This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below: relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward with tls to port https } Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man). Ronan -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
Hi, This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below: relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward with tls to port https } Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man). Ronan
Re: relayd https relay
On Wed, September 20, 2017 8:10 am, Bryan Harris wrote: > I don't think you can know the host header unless you decrypt the https > using a certificate. It seems that idea would require SNI but I don't > know > if they have SNI in relayd/httpd. (I could be wrong about that.) > httpd has SNI, relayd does not. https://marc.info/?l=openbsd-cvs=147187817314952=2 For these scenarios, I have to turn to www/pound which I like for it's small size, and chroot support.
Re: relayd https relay
Hi Brian, I know that scenario but I want to serve a individual certificate for every virtual host (httpd can do that) so I was looking for a simple relay by looking at the header but I might cant get it to work this way :( Am 20.09.2017 um 14:10 schrieb Bryan Harris: I don't think you can know the host header unless you decrypt the https using a certificate. It seems that idea would require SNI but I don't know if they have SNI in relayd/httpd. (I could be wrong about that.) In mine I have listen on $ext_addr port 443 tls. Then exists /etc/ssl/ipaddr:443.crt file. Look at phrase "/etc/ssl/address:port.crt" in relayd.conf(5). The book below shows this scenario and how to use acme-client to get a free certificate from Let's Encrypt. https://www.michaelwlucas.com/tools/relayd V/r, Bryan On Wed, Sep 20, 2017 at 4:37 AM, rosjatwrote: there is of course a tls to much in the config its just relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward to port https } Am 20.09.2017 um 10:19 schrieb rosjat: Hi there, just a simple question about the relaying of https connections. Is it possible to simple pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forward it to http or https port. This works for http but with https it doesnt. here are my relayd.conf parts http protocol "httpproxy" { match request quick header "Host" value "random-domain1.tld" forward to match request quick header "Host" value "random-domain2.tld" forward to } relay "proxy" { listen on $gateway port http protocol "httpproxy" forward to port http forward to port http } relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward to port https tls } with this I dont get a relay for https it seems, if I add tls to the listen part I got told relayd cant find the certificates. And that is totally understanable because there are no certs on this machine for these domains because the are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use a https relay ? regards -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: relayd https relay
I don't think you can know the host header unless you decrypt the https using a certificate. It seems that idea would require SNI but I don't know if they have SNI in relayd/httpd. (I could be wrong about that.) In mine I have listen on $ext_addr port 443 tls. Then exists /etc/ssl/ipaddr:443.crt file. Look at phrase "/etc/ssl/address:port.crt" in relayd.conf(5). The book below shows this scenario and how to use acme-client to get a free certificate from Let's Encrypt. https://www.michaelwlucas.com/tools/relayd V/r, Bryan On Wed, Sep 20, 2017 at 4:37 AM, rosjatwrote: > there is of course a tls to much in the config > > its just > > relay "proxyssl" { > listen on $gateway port https > protocol "httpproxy" > > forward to port https > } > > > Am 20.09.2017 um 10:19 schrieb rosjat: > >> Hi there, >> >> just a simple question about the relaying of https connections. Is it >> possible to simple pass the https traffic to the webserver with relayd? My >> naive approach was simply checking the host name in the header and then >> forward it to http or https port. This works for http but with https it >> doesnt. >> >> >> here are my relayd.conf parts >> >> >> http protocol "httpproxy" { >> >> match request quick header "Host" value >> "random-domain1.tld" forward to >> match request quick header "Host" value >> "random-domain2.tld" forward to >> >> } >> >> relay "proxy" { >> listen on $gateway port http >> protocol "httpproxy" >> >> forward to port http >> forward to port http >> >>} >> >> relay "proxyssl" { >> listen on $gateway port https >> protocol "httpproxy" >> >> forward to port https tls >> } >> >> with this I dont get a relay for https it seems, if I add tls to the >> listen part I got told relayd cant find the certificates. And that is >> totally understanable because there are no certs on this machine for these >> domains because the are on the webserver machine. >> >> >> So it all boils down to the question, do I have to set up my certificates >> on the relay host to be able to use a https relay ? >> >> >> regards >> >> >> > -- > Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de > > G+H Webservice GbR Gorzolla, Herrmann > Königsbrücker Str. 70, 01099 Dresden > > http://www.ghweb.de > fon: +49 351 8107220 fax: +49 351 8107227 > > Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before > you print it, think about your responsibility and commitment to the > ENVIRONMENT > >
Re: relayd https relay
there is of course a tls to much in the config its just relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward to port https } Am 20.09.2017 um 10:19 schrieb rosjat: Hi there, just a simple question about the relaying of https connections. Is it possible to simple pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forward it to http or https port. This works for http but with https it doesnt. here are my relayd.conf parts http protocol "httpproxy" { match request quick header "Host" value "random-domain1.tld" forward to match request quick header "Host" value "random-domain2.tld" forward to } relay "proxy" { listen on $gateway port http protocol "httpproxy" forward to port http forward to port http } relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward to port https tls } with this I dont get a relay for https it seems, if I add tls to the listen part I got told relayd cant find the certificates. And that is totally understanable because there are no certs on this machine for these domains because the are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use a https relay ? regards -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
relayd https relay
Hi there, just a simple question about the relaying of https connections. Is it possible to simple pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forward it to http or https port. This works for http but with https it doesnt. here are my relayd.conf parts http protocol "httpproxy" { match request quick header "Host" value "random-domain1.tld" forward to match request quick header "Host" value "random-domain2.tld" forward to } relay "proxy" { listen on $gateway port http protocol "httpproxy" forward to port http forward to port http } relay "proxyssl" { listen on $gateway port https protocol "httpproxy" forward to port https tls } with this I dont get a relay for https it seems, if I add tls to the listen part I got told relayd cant find the certificates. And that is totally understanable because there are no certs on this machine for these domains because the are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use a https relay ? regards -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT