Friday, February 26, 2021

Re: relayd, ipv6, and tls keypair names

PS: I am running OpenBSD 6.8 stable on amd64.

On Sat, Feb 27, 2021 at 03:48:04PM +0800, jrmu@ircnow.org wrote:
> I was trying to configure relayd for TLS acceleration when I noticed an unusual
> error.
>
> Here is my /etc/relayd.conf (with actual IPs and domains replaced):
>
> ip4="192.0.2.1"
> ip6="2001:db8::"
> table <www> { 127.0.0.1 }
> table <bnc> { 127.0.0.1 }
>
> log connection
>
> http protocol https {
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" \
>         value "$SERVER_ADDR:$SERVER_PORT"
>     match request header set "Connection" value "close"
>
>     # Various TCP options
>     tcp { sack, backlog 128 }
>
>     tls { keypair example.com }
>     match request header "Host" value "www.example.com" forward to <www>
> }
>
> relay wwwtls {
>     listen on $ip4 port 443 tls
>     listen on $ip6 port 443 tls
>     protocol https
>     forward to <www> port 8001 check icmp
> }
>
> I set up symlinks for the SSL certs as follows:
>
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
>
> I then start relayd:
>
> $ doas relayd -dvv
>
> and get the following errors:
>
> relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
> relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
> /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
>
> I discovered that if I comment out the below line, line 23, relayd works:
>
> listen on $ip6 port 443 tls
>
> So if I uncomment out the IPv6 listener, relayd works just fine.
>
> If I include the IPv6 listener but create symlinks with IPv6 addresses as follows:
>
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
>
> Then it seems relayd also works. So I suspect relayd is ignoring
> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is enabled,
> relayd appears to ignore:
>
> tls { keypair example.com }
>
> Can someone verify if this is correct behavior, if I misconfigured, or
> if this is a bug?
>
> jrmu
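The post turns on which file names relayd resolves a relay's TLS keypair to: `/etc/ssl/<name>:<port>.crt` and `/etc/ssl/private/<name>:<port>.key`, where `<name>` is the `tls { keypair name }` value or, without that directive, the listen address itself. The script below is an added example, not code from the post or from relayd; it gives a pre-flight check that reports, for every listen address of a relay, whether the named keypair and the address-based keypair files are present, and a helper that creates the per-address symlinks the post used as a workaround (`2001:db8:::443.crt` and friends). The `/etc/ssl` directory is a parameter so the check can be run against a scratch directory; the addresses, domain and file names are the constructed ones from the post.

```shell
#!/bin/sh
# Added example (not from the post or relayd): check the keypair file names relayd
# expects for each listener, and create the address-based symlinks as a workaround.
#
# relayd resolves a relay's keypair to
#   <ssldir>/<name>:<port>.crt  and  <ssldir>/private/<name>:<port>.key
# where <name> is the "tls { keypair name }" value, or the listen address when no
# keypair name is given. <ssldir> is /etc/ssl on a real host; it is passed in here
# so the functions can be exercised against a scratch directory.

# check_keypair SSLDIR NAME PORT
#   Report both files; return 0 only when certificate and private key are readable.
check_keypair() {
    ck_crt="$1/$2:$3.crt"
    ck_key="$1/private/$2:$3.key"
    ck_status=0
    if [ -r "$ck_crt" ]; then
        echo "certificate:  $ck_crt"
    else
        echo "certificate MISSING: $ck_crt"; ck_status=1
    fi
    if [ -r "$ck_key" ]; then
        echo "private key:  $ck_key"
    else
        echo "private key MISSING: $ck_key"; ck_status=1
    fi
    return $ck_status
}

# check_listeners SSLDIR KEYPAIR PORT ADDR...
#   For every listen address, report whether the named keypair and the
#   address-based keypair are present; return 0 when each address has at least one.
check_listeners() {
    cl_ssldir=$1; cl_keypair=$2; cl_port=$3; shift 3
    cl_status=0
    for cl_addr in "$@"; do
        cl_named=no;  check_keypair "$cl_ssldir" "$cl_keypair" "$cl_port" >/dev/null && cl_named=yes
        cl_byaddr=no; check_keypair "$cl_ssldir" "$cl_addr" "$cl_port" >/dev/null && cl_byaddr=yes
        echo "listen $cl_addr:$cl_port  keypair '$cl_keypair': $cl_named  address-based: $cl_byaddr"
        [ "$cl_named" = yes ] || [ "$cl_byaddr" = yes ] || cl_status=1
    done
    return $cl_status
}

# link_address_keypairs SSLDIR CERT KEY PORT ADDR...
#   Workaround from the post: symlink the real certificate and key under the
#   address-based names for every listen address (e.g. 2001:db8:::443.crt).
link_address_keypairs() {
    la_ssldir=$1; la_cert=$2; la_key=$3; la_port=$4; shift 4
    for la_addr in "$@"; do
        ln -sf "$la_cert" "$la_ssldir/$la_addr:$la_port.crt"
        ln -sf "$la_key"  "$la_ssldir/private/$la_addr:$la_port.key"
        echo "linked $la_addr:$la_port -> $la_cert and $la_key"
    done
}

# Demonstration in a scratch directory standing in for /etc/ssl, with constructed
# certificate and key contents and the addresses used in the post.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/private"
    echo "constructed certificate" > "$tmp/example.com.fullchain.pem"
    echo "constructed private key" > "$tmp/private/example.com.key"
    chmod 600 "$tmp/private/example.com.key"

    echo "== no keypair files yet =="
    check_listeners "$tmp" example.com 443 192.0.2.1 2001:db8:: || true

    # the named keypair, set up exactly as the post does it
    ln -s "$tmp/example.com.fullchain.pem" "$tmp/example.com:443.crt"
    ln -s "$tmp/private/example.com.key"   "$tmp/private/example.com:443.key"
    echo "== named keypair example.com:443 in place =="
    check_listeners "$tmp" example.com 443 192.0.2.1 2001:db8:: || true

    # the per-address symlinks the post used as a workaround
    link_address_keypairs "$tmp" "$tmp/example.com.fullchain.pem" \
        "$tmp/private/example.com.key" 443 192.0.2.1 2001:db8::
    echo "== address-based keypairs in place =="
    check_listeners "$tmp" example.com 443 192.0.2.1 2001:db8:: || true
    rm -rf "$tmp"
}

demo
```

On a real host the functions are called with `/etc/ssl` as the first argument and the relay's listen addresses and port as in the config, so the report can be compared line by line with the `relay_load_certfiles:` output of `relayd -dvv`. The symlink helper deliberately links to the existing certificate and key rather than copying them, so a certificate renewal that replaces `example.com.fullchain.pem` is picked up by every listener name at the next reload.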
