Wednesday, September 20, 2017

Re: relayd https relay

Hi Brian,

I know that scenario, but I want to serve an individual certificate for
every virtual host (httpd can do that), so I was looking for a simple
relay that looks at the header, but I might not be able to get it to work this way :(



On 20.09.2017 at 14:10, Bryan Harris wrote:
> I don't think you can know the host header unless you decrypt the https
> using a certificate. It seems that idea would require SNI but I don't know
> if they have SNI in relayd/httpd. (I could be wrong about that.)
>
> In mine I have "listen on $ext_addr port 443 tls". Then the file
> /etc/ssl/ipaddr:443.crt exists. Look at the phrase "/etc/ssl/address:port.crt"
> in relayd.conf(5).
>
> The book below shows this scenario and how to use acme-client to get a free
> certificate from Let's Encrypt.
>
> https://www.michaelwlucas.com/tools/relayd
>
> V/r,
> Bryan
>
> On Wed, Sep 20, 2017 at 4:37 AM, rosjat <rosjat@ghweb.de> wrote:
>
>> there is of course one tls too many in the config
>>
>> it's just
>>
>> relay "proxyssl" {
>>     listen on $gateway port https
>>     protocol "httpproxy"
>>
>>     forward to <new-webserver> port https
>> }
>>
>>
>> On 20.09.2017 at 10:19, rosjat wrote:
>>
>>> Hi there,
>>>
>>> just a simple question about the relaying of https connections. Is it
>>> possible to simply pass the https traffic to the webserver with relayd? My
>>> naive approach was simply checking the host name in the header and then
>>> forwarding it to the http or https port. This works for http, but with https it
>>> doesn't.
>>>
>>>
>>> Here are my relayd.conf parts:
>>>
>>>
>>> http protocol "httpproxy" {
>>>
>>>     match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
>>>     match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>
>>>
>>> }
>>>
>>> relay "proxy" {
>>>     listen on $gateway port http
>>>     protocol "httpproxy"
>>>
>>>     forward to <new-webserver> port http
>>>     forward to <old-webserver> port http
>>>
>>> }
>>>
>>> relay "proxyssl" {
>>>     listen on $gateway port https
>>>     protocol "httpproxy"
>>>
>>>     forward to <new-webserver> port https tls
>>> }
>>>
>>> With this I don't get a relay for https, it seems; if I add tls to the
>>> listen part I get told relayd can't find the certificates. And that is
>>> totally understandable, because there are no certs on this machine for these
>>> domains, because they are on the webserver machine.
>>>
>>>
>>> So it all boils down to the question: do I have to set up my certificates
>>> on the relay host to be able to use an https relay?
>>>
>>>
>>> regards
>>>
>>>
>>>
>> --
>> Markus Rosjat fon: +49 351 8107223 mail: rosjat@ghweb.de
>>
>> G+H Webservice GbR Gorzolla, Herrmann
>> Königsbrücker Str. 70, 01099 Dresden
>>
>> http://www.ghweb.de
>> fon: +49 351 8107220 fax: +49 351 8107227
>>
>> Please check whether this mail really needs to be printed! Before
>> you print it, think about your responsibility and commitment to the
>> ENVIRONMENT
>>
>>

--
Markus Rosjat fon: +49 351 8107223 mail: rosjat@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT
