With this config : --- relay "proxy" { listen on {{publicip}} port 443 tls protocol "httpproxy"
forward with tls to <web> port 443 forward to <app> port 10100 } --- relayd(8) will currently use TLS for all backends. This diff will use TLS only if 'with tls' is used. In the example above, relayd will forward to web with HTTPS and to app with HTTP. While at it, add a field in "relayctl sh" to display TLS state : --- # relayctl sh su Id Type Name Avlblty Status TLS 1 relay proxy active yes 1 table psono_web:443 empty yes 1 host 127.0.0.1 unknown 2 table psono_server:10100 empty no 2 host 127.0.0.1 unknown --- Regress still pass. Comments ?
Index: relayctl/relayctl.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayctl/relayctl.c,v
retrieving revision 1.58
diff -u -p -r1.58 relayctl.c
--- relayctl/relayctl.c 29 Nov 2017 15:24:50 -0000 1.58
+++ relayctl/relayctl.c 26 Oct 2020 17:03:55 -0000
@@ -47,6 +47,7 @@ int show_session_msg(struct imsg *);
 int show_command_output(struct imsg *);
 char *print_rdr_status(int);
 char *print_host_status(int, int);
+char *print_tls_status(int);
 char *print_table_status(int, int);
 char *print_relay_status(int);
 void print_statistics(struct ctl_stats[PROC_MAX_INSTANCES + 1]);
@@ -162,8 +163,8 @@ main(int argc, char *argv[])
 case SHOW_RELAYS:
 case SHOW_ROUTERS:
 imsg_compose(ibuf, IMSG_CTL_SHOW_SUM, 0, 0, -1, NULL, 0);
- printf("%-4s\t%-8s\t%-24s\t%-7s\tStatus\n",
- "Id", "Type", "Name", "Avlblty");
+ printf("%-4s\t%-8s\t%-24s\t%-7s\t%s\t%s\n",
+ "Id", "Type", "Name", "Avlblty", "Status", "TLS");
 break;
 case SHOW_SESSIONS:
 imsg_compose(ibuf, IMSG_CTL_SESSION, 0, 0, -1, NULL, 0);
@@ -365,9 +366,10 @@ show_summary_msg(struct imsg *imsg, int
 if (!(type == SHOW_SUM || type == SHOW_HOSTS))
 break;
 table = imsg->data;
- printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\n",
+ printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\t%s\n",
 table->conf.id, "table", table->conf.name, "",
- print_table_status(table->up, table->conf.flags));
+ print_table_status(table->up, table->conf.flags),
+ print_tls_status(table->conf.flags));
 break;
 case IMSG_CTL_HOST:
 if (!(type == SHOW_SUM || type == SHOW_HOSTS))
@@ -378,7 +380,7 @@ show_summary_msg(struct imsg *imsg, int
 host->conf.name, host->conf.parentid);
 else
 strlcpy(name, host->conf.name, sizeof(name));
- printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\n",
+ printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\t\n",
 host->conf.id, "host", name,
 print_availability(host->check_cnt, host->up_cnt),
 print_host_status(host->up, host->flags));
@@ -396,9 +398,10 @@ show_summary_msg(struct imsg *imsg, int
 if (!(type == SHOW_SUM || type == SHOW_RELAYS))
 break;
 rlay = imsg->data;
- printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\n",
+ printf("%-4u\t%-8s\t%-24s\t%-7s\t%s\t%s\n",
 rlay->rl_conf.id, "relay", rlay->rl_conf.name, "",
- print_relay_status(rlay->rl_conf.flags));
+ print_relay_status(rlay->rl_conf.flags),
+ print_tls_status(rlay->rl_conf.flags));
 break;
 case IMSG_CTL_RDR_STATS:
 if (type != SHOW_RDRS)
@@ -543,6 +546,15 @@ print_host_status(int status, int fl)
 default:
 errx(1, "invalid status: %d", status);
 }
+}
+
+char *
+print_tls_status(int flags)
+{
+ if (flags & F_TLSCLIENT)
+ return ("yes");
+ else
+ return ("no");
 }
 char *
Index: relayd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.247
diff -u -p -r1.247 parse.y
--- relayd/parse.y 25 Oct 2020 10:17:49 -0000 1.247
+++ relayd/parse.y 26 Oct 2020 17:03:55 -0000
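Review bot: The TLS column printed for a table in the IMSG_CTL_TABLE case is derived from `table->conf.flags`, which belongs to the table definition, while the connect-time decision in the relay.c hunk consults the per-reference `rlt_flags`; the parse.y hunk ORs F_TLSCLIENT into the shared table conf, so a table referenced by one relay with `forward with tls` and by another relay without it would appear to show `yes` under both relays even though the second relay's backend connections are plaintext. An operator reading `relayctl show summary` cannot detect that mismatch, which is exactly the case this display column is meant to make visible. Since IMSG_CTL_TABLE does not carry the relay_table entry, the honest fix is either to ship the per-relay flag in the message or to document the limitation on the printf, e.g. `/* "yes" if any relay references this table with 'with tls' */`. show_summary_msg begins and ends outside the hunk.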
@@ -109,6 +109,7 @@ objid_t last_nr_id = 0;
 static struct rdr *rdr = NULL;
 static struct table *table = NULL;
+static struct relay_table *rlayt = NULL;
 static struct relay *rlay = NULL;
 static struct host *hst = NULL;
 struct relaylist relays;
@@ -1953,6 +1954,16 @@ relayoptsl : LISTEN ON STRING port opttl
 rlay->rl_conf.flags |= F_TLSCLIENT;
 conf->sc_conf.flags |= F_TLSCLIENT;
 }
+ if (rlayt) {
+ if ($2) {
+ rlayt->rlt_table->conf.flags |=
+ F_TLSCLIENT;
+ rlayt->rlt_flags |= F_TLSCLIENT;
+ }
+ TAILQ_INSERT_TAIL(&rlay->rl_tables, rlayt,
+ rlt_entry);
+ rlayt = NULL;
+ }
 }
 | SESSION TIMEOUT NUMBER {
 if ((rlay->rl_conf.timeout.tv_sec = $3) < 0) {
@@ -2030,19 +2041,17 @@ forwardspec : STRING port retry {
 rlay->rl_conf.dstretry = $2;
 }
 | tablespec {
- struct relay_table *rlt;
-
- if ((rlt = calloc(1, sizeof(*rlt))) == NULL) {
+ if ((rlayt = calloc(1, sizeof(*rlayt))) == NULL) {
 yyerror("failed to allocate table reference");
 YYERROR;
 }
- rlt->rlt_table = $1;
- rlt->rlt_table->conf.flags |= F_USED;
- rlt->rlt_mode = dstmode;
- rlt->rlt_flags = F_USED;
+ rlayt->rlt_table = $1;
+ rlayt->rlt_table->conf.flags |= F_USED;
+ rlayt->rlt_mode = dstmode;
+ rlayt->rlt_flags = F_USED;
 if (!TAILQ_EMPTY(&rlay->rl_tables))
- rlt->rlt_flags |= F_BACKUP;
+ rlayt->rlt_flags |= F_BACKUP;
 if (hashkey != NULL &&
 (rlay->rl_conf.flags & F_HASHKEY) == 0) {
@@ -2052,8 +2061,6 @@ forwardspec : STRING port retry {
 }
 free(hashkey);
 hashkey = NULL;
-
- TAILQ_INSERT_TAIL(&rlay->rl_tables, rlt, rlt_entry);
 }
 ;
Index: relayd/relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.251
diff -u -p -r1.251 relay.c
--- relayd/relay.c 14 May 2020 17:27:38 -0000 1.251
+++ relayd/relay.c 26 Oct 2020 17:03:55 -0000
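Review bot: Moving the TAILQ_INSERT_TAIL out of the tablespec action into the FORWARD action (hunks at 1953 and 2052) leaves the file-scope `rlayt` allocated and dangling on any error path between the two: if the hashkey block that sits between the two forwardspec hunks reaches YYERROR after the calloc, nothing resets `rlayt`, so the next `forward` statement, possibly on a different relay, would insert that stale reference into its rl_tables, and it leaks if no further forward follows. Resetting it on that path, `free(rlayt); rlayt = NULL; YYERROR;`, keeps the parser state consistent; the calloc-failure path is fine because `rlayt` is already NULL there. The same dangling state arises if forwardspec is reachable from any rule other than this FORWARD alternative, which the hunks cannot show. The relayoptsl and forwardspec alternatives both start outside their hunks.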
@@ -713,7 +713,11 @@ relay_connected(int fd, short sig, void
 }
 }
- if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->tls == NULL)) {
+ struct relay_table *rlayt = TAILQ_FIRST(&rlay->rl_tables);
+ if (out->tls == NULL &&
+ ((con->se_table && (con->se_table->rlt_flags & F_TLSCLIENT)) ||
+ (!con->se_table && rlayt && (rlayt->rlt_flags & F_TLSCLIENT)) ||
+ (!con->se_table && !rlayt && (rlay->rl_conf.flags & F_TLSCLIENT)))) {
 relay_tls_transaction(con, out);
 return;
 }
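Review bot: The second branch of the new condition assumes that a session with no `se_table` belongs to the first table in `rl_tables`; if a session can reach relay_connected without `se_table` while its destination was picked from another table, that branch decides TLS from the wrong table and the backend connection is sent in the clear, which is the unsafe direction for this check. This deserves an explicit comment on the line, `/* no table bound to the session: first table decides, then the relay-wide flag */`, so the fallback is reviewable against the code that sets se_table. Note that the parse.y hunk at 1953 still sets F_TLSCLIENT on `rl_conf.flags` whenever any forward used `with tls`, so the third branch only matters for relays with no tables, which is worth stating in the same comment. KNF also expects `struct relay_table *rlayt` to be declared at the top of relay_connected rather than after statements; the function starts outside the hunk.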