I don't think you can know the host header unless you decrypt the https
using a certificate. It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd. (I could be wrong about that.)
In mine I have listen on $ext_addr port 443 tls. Then there exists an
/etc/ssl/ipaddr:443.crt file. Look at the phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).
The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.
https://www.michaelwlucas.com/tools/relayd
V/r,
Bryan
On Wed, Sep 20, 2017 at 4:37 AM, rosjat <rosjat@ghweb.de> wrote:
> there is of course a tls too much in the config
>
> it's just
>
> relay "proxyssl" {
> listen on $gateway port https
> protocol "httpproxy"
>
> forward to <new-webserver> port https
> }
>
>
> On 20.09.2017 at 10:19, rosjat wrote:
>
>> Hi there,
>>
>> just a simple question about the relaying of https connections. Is it
>> possible to simply pass the https traffic to the webserver with relayd? My
>> naive approach was simply checking the host name in the header and then
>> forwarding it to the http or https port. This works for http but with https it
>> doesn't.
>>
>>
>> here are my relayd.conf parts
>>
>>
>> http protocol "httpproxy" {
>>
>> match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
>> match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>
>>
>> }
>>
>> relay "proxy" {
>> listen on $gateway port http
>> protocol "httpproxy"
>>
>> forward to <new-webserver> port http
>> forward to <old-webserver> port http
>>
>> }
>>
>> relay "proxyssl" {
>> listen on $gateway port https
>> protocol "httpproxy"
>>
>> forward to <new-webserver> port https tls
>> }
>>
>> with this I don't get a relay for https it seems, if I add tls to the
>> listen part I got told relayd can't find the certificates. And that is
>> totally understandable because there are no certs on this machine for these
>> domains because they are on the webserver machine.
>>
>>
>> So it all boils down to the question, do I have to set up my certificates
>> on the relay host to be able to use an https relay?
>>
>>
>> regards
>>
>>
>>
> --
> Markus Rosjat fon: +49 351 8107223 mail: rosjat@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>
>