fosforo@gmail.com (Fabio Martins), 2022.05.06 (Fri) 00:43 (CEST):
> On Thursday, May 5, 2022, Stuart Henderson <stu.lists@spacehopper.org>
> wrote:
> > not quite, PF is looking up the IP in the table to decide which port
> > number to use
> > then the different port number is handled in relayd to pick between
> > two contexts:
> > one does not inspect Host (for those requests coming from
> > addresses on "geoallow")
> > the other (for all other requests) does inspect Host
> >
> > Understood. Also possible this way.
Just got around to implementing it; this is for the archives:
(Thanks again for the hint, sthen@)
pf.conf(5):
table <geoallow> persist file "/etc/pf/geoallow"
pass in on egress proto tcp from any port > 1023 \
    to (self) port { http https }
pass in on egress proto tcp from <geoallow> port > 1023 \
    to (self) port http rdr-to 127.0.0.1 port 8880
pass in on egress proto tcp from <geoallow> port > 1023 \
    to (self) port https rdr-to 127.0.0.1 port 8443
relayd.conf(5):
relay httpredir { # without geoblocking
    listen on 0.0.0.0 port http
    listen on 0.0.0.0 port https tls
    protocol httpproto
    forward to <httpd> port 19000
    forward to <acme> port 17000
}
http protocol httpproto {
    return error
    block
    match request header "Host" value "somesite.somewhere" \
        forward to <httpd> tag httpd
    match request path "/.well-known/acme-challenge/*" \
        forward to <acme> tag acme
    pass request tagged httpd method HEAD
    pass request tagged httpd method GET
    pass request tagged httpd method POST
    pass request tagged acme method GET
}
relay httpredirgeo { # with geoblocking
    listen on 0.0.0.0 port 8880
    listen on 0.0.0.0 port 8443 tls
    protocol httpprotogeo
    forward to <httpd> port 19000
    forward to <hato> port 8083
    forward to <cam00> port 80
    forward to <calcard_app> port 20000
    forward to <calcard_static> port 18000
    forward to <acme> port 17000
}
http protocol httpprotogeo {
    return error
    block
    match request header "Host" value "somesite.somewhere" \
        forward to <httpd> tag httpd
    match request path "/.well-known/acme-challenge/*" \
        forward to <acme> tag acme
    match request header "Host" value "webm.somesite" path "/SOGo/*" \
        forward to <calcard_app> tag dav
    match request tagged dav header set "X-Real-IP" \
        value "https://$REMOTE_ADDR"
    match request tagged dav header set "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request tagged dav header set "X-Forwarded-For" \
        value "$REMOTE_ADDR"
    match request tagged dav header set \
        "x-webobjects-server-protocol" value "HTTP/1.0"
    match request tagged dav header set \
        "x-webobjects-remote-host" value "127.0.0.1"
    match request tagged dav header set \
        "x-webobjects-server-name" value "webm.somesite"
    match request tagged dav header set "x-webobjects-server-port" \
        value "$SERVER_PORT"
    pass request tagged httpd method HEAD
    pass request tagged httpd method GET
    pass request tagged httpd method POST
    pass request tagged acme method GET
    pass request tagged dav method HEAD
    pass request tagged dav method GET
    pass request tagged dav method POST
    pass request tagged dav method PUT
    pass request tagged dav method DELETE
    pass request tagged dav method MKCOL
    pass request tagged dav method MOVE
    pass request tagged dav method OPTIONS
    pass request tagged dav method PROPFIND
    pass request tagged dav method REPORT
    pass request tagged dav method PROPPATCH
}
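The post above shows the two halves of the mechanism (PF redirecting <geoallow> clients to 8880/8443, relayd running a different protocol on those ports) but gives no way to check, before deploying, which backend a given client/Host/method combination actually reaches. The following is an added example, not code from the post or from relayd: a small parser for the subset of relayd.conf(5) used here (the "match ... forward to ... tag" routes and "pass request tagged ... method" rules, with backslash continuations joined) plus a model of the pf.conf rules, so the combined policy can be queried offline. The config text is the post's, trimmed to fewer pass lines. Assumptions of the model, not facts from the post: relayd applies every matching "match" rule in order so the last one sets the tag, "*" in a path behaves like a shell glob, and because both protocols start with "block" any request without a matching pass rule is rejected.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample: the post's two relayd protocols, with fewer pass lines.
# Backslash continuations are kept on purpose so the parser has to join them.
RELAYD_CONF = r'''
http protocol httpproto {
    return error
    block
    match request header "Host" value "somesite.somewhere" \
        forward to <httpd> tag httpd
    match request path "/.well-known/acme-challenge/*" \
        forward to <acme> tag acme
    pass request tagged httpd method HEAD
    pass request tagged httpd method GET
    pass request tagged httpd method POST
    pass request tagged acme method GET
}
http protocol httpprotogeo {
    return error
    block
    match request header "Host" value "somesite.somewhere" \
        forward to <httpd> tag httpd
    match request path "/.well-known/acme-challenge/*" \
        forward to <acme> tag acme
    match request header "Host" value "webm.somesite" path "/SOGo/*" \
        forward to <calcard_app> tag dav
    match request tagged dav header set "X-Forwarded-For" \
        value "$REMOTE_ADDR"
    pass request tagged httpd method GET
    pass request tagged acme method GET
    pass request tagged dav method GET
    pass request tagged dav method PROPFIND
    pass request tagged dav method DELETE
}
'''

@dataclass
class Route:
    host: Optional[str]   # required Host header value, None = any host
    path: Optional[str]   # path glob, None = any path
    backend: str
    tag: str

@dataclass
class Protocol:
    name: str
    routes: list = field(default_factory=list)
    allowed: dict = field(default_factory=dict)   # tag -> set of methods

PROTO_RE = re.compile(r'^http protocol (\S+) \{$')
ROUTE_RE = re.compile(r'^match request(?: header "Host" value "([^"]+)")?'
                      r'(?: path "([^"]+)")? forward to <(\w+)> tag (\w+)$')
PASS_RE = re.compile(r'^pass request tagged (\w+) method (\w+)$')

def logical_lines(text):
    """Yield statements with comments stripped, continuations joined, spaces normalised."""
    buf = ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        yield ' '.join((buf + line).split())
        buf = ''

def parse_protocols(text):
    """Return {name: Protocol} for the routes and method allow-lists of each protocol."""
    protos, cur = {}, None
    for line in logical_lines(text):
        m = PROTO_RE.match(line)
        if m:
            cur = protos[m.group(1)] = Protocol(m.group(1))
        elif line == '}':
            cur = None
        elif cur is None:
            continue
        elif (m := ROUTE_RE.match(line)):
            cur.routes.append(Route(*m.groups()))
        elif (m := PASS_RE.match(line)):
            cur.allowed.setdefault(m.group(1), set()).add(m.group(2))
        # "return error", "block" and "header set" rewrites need no modelling here
    return protos

# Model of the post's pf.conf rules: no "quick", so the last matching rule wins
# and only <geoallow> clients are rdr-to'd onto the geo ports.
RDR = {80: 8880, 443: 8443}
RELAY_PROTO = {80: 'httpproto', 443: 'httpproto',
               8880: 'httpprotogeo', 8443: 'httpprotogeo'}

def pf_rdr_port(client_in_geoallow, dst_port):
    if dst_port not in RDR:
        raise ValueError('only ports 80/443 are covered by the rules shown')
    return RDR[dst_port] if client_in_geoallow else dst_port

def decide(protos, client_in_geoallow, dst_port, host, path, method):
    """Backend a request reaches, or None when relayd blocks it (modelled: last
    matching route sets the tag; no pass rule for tag+method means blocked)."""
    proto = protos[RELAY_PROTO[pf_rdr_port(client_in_geoallow, dst_port)]]
    chosen = None
    for r in proto.routes:
        if r.host is not None and r.host != host:
            continue
        if r.path is not None and not fnmatchcase(path, r.path):
            continue
        chosen = r
    if chosen is None or method not in proto.allowed.get(chosen.tag, ()):
        return None
    return chosen.backend

PROTOS = parse_protocols(RELAYD_CONF)

if __name__ == '__main__':
    for args in [(False, 443, 'webm.somesite', '/SOGo/dav/', 'PROPFIND'),
                 (True, 443, 'webm.somesite', '/SOGo/dav/', 'PROPFIND'),
                 (False, 80, 'somesite.somewhere', '/', 'DELETE'),
                 (True, 80, 'other.host', '/.well-known/acme-challenge/x', 'GET')]:
        print(args, '->', decide(PROTOS, *args))
```

Running it shows the property the setup is meant to give: the SOGo backend is only reachable for a client that PF found in <geoallow> (and then only with the listed DAV methods), while the ACME path and the plain site answer for everyone, and a method without a pass rule is dropped in both protocols.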