Henrik,

Regarding cut off responses, I didn't have such problems, maybe it was fixed since 2016.

Regarding multi-site setup, I have something like this:

--- httpd.conf ---
### default site behind relayd
server "waste.tristero.se" {
    alias "tristero.se"
    listen on 127.0.0.1 port 80
    listen on ::1 port 80
    root "/htdocs/waste.tristero.se"
}

server "openbsd.tristero.se" {
    listen on 127.0.0.1 port 80
    listen on ::1 port 80
    root "/htdocs/openbsd.tristero.se"
}

### this one is not behind relayd, used for http to https redirection
server "waste.tristero.se" {
    alias "openbsd.tristero.se"
    alias "tristero.se"
    listen on 188.244.46.111 port 80
    listen on 2001:470:1f15:1492::2 port 80
    root "/htdocs/waste.tristero.se"
    block return 301 "https://$HTTP_HOST/$DOCUMENT_URI"
}

--- relayd.conf ---
ext4="188.244.46.111"
ext6="2001:470:1f15:1492::2"
localhost4="127.0.0.1"
localhost6="::1"

table <openbsd4> { $localhost4 }
table <openbsd6> { $localhost6 }
table <waste4> { $localhost4 }
table <waste6> { $localhost6 }

http protocol "https4" {
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT"
    match request header "Host" value "tristero.se" forward to <waste4>
    match request header "Host" value "waste.tristero.se" forward to <waste4>
    match request header "Host" value "openbsd.tristero.se" forward to <openbsd4>
    tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

http protocol "https6" {
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT"
    match request header "Host" value "tristero.se" forward to <waste6>
    match request header "Host" value "waste.tristero.se" forward to <waste6>
    match request header "Host" value "openbsd.tristero.se" forward to <openbsd6>
    tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

relay "https4" {
    listen on $ext4 port 443 tls
    protocol "https4"
    forward to <openbsd4> port 80
    forward to <waste4> port 80
}

relay "https6" {
    listen on $ext6 port 443 tls
    protocol "https6"
    forward to <openbsd6> port 80
    forward to <waste6> port 80
}
--- end cut ---

The only problem I have was configuring specific security headers for specific hosts, i.e. I cannot have specific http protocol sections with different responses for specific hosts, like:

http protocol "https4-flex" {
    match request header "Host" value "not-secure.domain" forward to <backend-site1>
    match response header set "Content-Security-Policy" value "<flex-policy-rules-follow>"
}

http protocol "https4-strict" {
    match request header "Host" value "secure.domain" forward to <backend-site2>
    match response header set "Content-Security-Policy" value "<strict-policy-rules-follow>"
}

-- 
With best regards,
Pavel Korovin

On 04/16, Henrik Friedrichsen wrote:
>
> So far I have not been able to emulate proxy_pass with relayd.
>
> I came across two issues:
> - relayed HTTP requests resulted in cut off responses, similar to this
>   issue: https://github.com/reyk/relayd/issues/12
> - I have not been able to come up with a configuration/filter setting
>   that will only match for a specific subdomain and will pass the
>   non-matching requests to the regular httpd listening on port 80
>
> Did anyone have success in setting this up?