Monday, August 15, 2022

Relayd.conf forward with tls option applies to all forwards in a relay block.

Hello,

I have just discovered that when using multiple forward to directives in
a relay block, the relay block seems to support all "forward to..."
(without TLS) as "forward with tls to..." when there is even one
"forward with tls to..." directive.

Simple relayd.conf example:

ext_ip = "203.0.113.5"

log connection
prefork 3

table <httpd> { 127.0.0.1 }
table <server1> { 172.16.90.181 }

http protocol "https" {

pass request header "Host" value "example.com" forward to <httpd>
pass request header "Host" value "example.net" forward to <server1>

block
}

relay "https" {
listen on $ext_ip port 443 tls
protocol "https"
forward to <httpd> port 8080
forward with tls to <server1> port 443
}

Running relayd -n reports configuration OK and relayctl reload does not
print any errors.

External curl -I https://example.com prints empty reply from server.

The relayd log has the following entry:

Aug 14 11:03:54 relay relayd[42568]: relay https, session 2 (1 active),
203.0.113.99 -> 127.0.0.1:8080, TLS handshake error: handshake failed:
error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol
version, HEAD: Undefined error: 0

The httpd access log has the following entry:

example.org 127.0.0.1 - - [14/Aug/2022:11:03:54 -0700] "<UNKNOWN> " 400
0 "" "" - -

("example.org" is the first server block listed in httpd.conf - I
believe this is the correct behavior when no matching server name is
found, which I'm guessing means that relayd did not pass a hostname to
httpd.)

If I configure forward to <server1> port 80, everything works as
expected.

If I use the above relayd.conf configuration and instead configure httpd
to support TLS for requests from lo0 using self-signed cert, everything
works as expected.

It's just a little unusual and I didn't find this mentioned in
relayd.conf(5), but it's possible or even probable that I missed it.

I then did some searching and discovered a previous thread on misc@ that
seems to be the same thing:

https://marc.info/?l=openbsd-misc&m=162866423427344&w=2

Is it possible that if this isn't somewhere in relayd.conf(5) already
that I have missed, it could be added, even if just a summary such as:

The with tls directive enables client-side TLS mode to connect to the
remote host and when used will apply to all forward directives in a
relay.

I don't know if this is a good way to state it, but something would be
nice. It took me a while to figure this behavior out, assuming I am
understanding it correctly.

Thank you,


Paul

No comments:

Post a Comment