Hi All, I am trying to move to relayd (OpenBSD 6.7) from HAProxy while keeping my config to serve multiple domains in SSL passthrough, but I'm having some difficulties. If I understand correctly, according to the man page it looks like redirections are used for passthrough traffic and relays for SSL acceleration/Layer 7 proxying.
Here is my config with redirections:

    ext_if = "172.16.101.35"
    lab1_web1 = "172.16.101.31"
    lab1_web2 = "172.16.101.32"

    interval 3
    log state changes
    log connection

    table <web_servers> { $lab1_web1 retry 2 }
    table <nc_servers> { $lab1_web2 retry 2 }

    http protocol "http" {
        return error
        tcp { backlog 100, nodelay, sack, socket buffer 65536 }
        match header log "Host"
        match header log "X-Forwarded-For"
        match header log "User-Agent"
        match header log "Referer"
        match url log
        match request header set "X-Forwarded-For" \
            value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header "Host" value "test1.domain.com" \
            forward to <web_servers>
        match request header "Host" value "test2.domain.com" \
            forward to <nc_servers>
    }

    http protocol "https" {
        return error
        tcp { backlog 100, nodelay, sack, socket buffer 65536 }
        match header log "Host"
        match header log "X-Forwarded-For"
        match header log "User-Agent"
        match header log "Referer"
        match url log
        match request header set "X-Forwarded-For" \
            value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        pass request header "Host" value "test1.domain.com" \
            forward to <web_servers>
        pass request header "Host" value "test2.domain.com" \
            forward to <nc_servers>
        tls keypair "test1.domain.com"
        tls keypair "test2.domain.com"
    }

    redirect "http" {
        listen on $ext_if port 80
        forward to <web_servers> check http "/" code 200
        forward to <nc_servers> check http "/" code 200
        sticky-address
    }

    redirect "https" {
        listen on $ext_if port 443
        forward to <web_servers> check http "/" code 200
        forward to <nc_servers> check http "/" code 200
        sticky-address
    }

Here is the config when I use relays instead of redirections:

    relay "http" {
        listen on $ext_if port 80 protocol "http"
        forward to <web_servers> check http "/" code 200
        forward to <nc_servers> check http "/" code 200
    }

    relay "https" {
        listen on $ext_if port 443 protocol "https"
        forward to <web_servers> check https "/" code 200
        forward to <nc_servers> check https "/" code 200
    }

With relays I see relayd listening on ports 80 and 443, and I'm able to reach each individual backend server by pointing to the related configured domain (just in http, as I have not defined any local certificates for https). When using redirections, no listening ports are open (I guess because relayd uses pf nat rules) and I'm unable to reach both backend servers. I have added the relayd anchor to pf.conf as follows:

    anchor "relayd/*"
    set skip on lo
    block return
    pass
    block return in on ! lo0 proto tcp to port 6000:6010
    block return out log proto {tcp udp} user _pbuild

And here is how pf lists what's in the anchor:

    # pfctl -a relayd/* -s rules
    anchor "http" all {
      pass in quick on rdomain 0 inet proto tcp from any to 172.16.101.35 \
        port = 80 flags S/SA keep state (tcp.established 600) rdr-to <http> \
        port 80 round-robin sticky-address
    }
    anchor "https" all {
    }

I'm sure I'm doing something wrong here, but I can't find where. My goal in using SSL passthrough is to leverage SNI and not generate additional certificates on the load balancer, but use the ones already installed on the backend servers. Thank you!
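As an added example (not part of the post above and not relayd's own tooling), a small Python diagnostic that parses a `pfctl -a relayd/* -s rules` listing together with the redirect blocks of a relayd.conf. It reports redirects whose pf anchor carries no rdr-to rule (relayd only installs one once a host passes its check), and redirects on port 443 whose hosts are probed with `check http`, which per relayd.conf(5) speaks plaintext HTTP rather than TLS. The two embedded inputs are constructed from the snippets in the post; the regexes assume the one-block-per-brace layout shown there.

```python
import re

# Constructed sample inputs, taken from the snippets in the post.
PFCTL_OUTPUT = """\
anchor "http" all {
  pass in quick on rdomain 0 inet proto tcp from any to 172.16.101.35 port = 80 flags S/SA keep state (tcp.established 600) rdr-to <http> port 80 round-robin sticky-address
}
anchor "https" all {
}
"""
RELAYD_CONF = """\
redirect "http" {
  listen on 172.16.101.35 port 80
  forward to <web_servers> check http "/" code 200
  forward to <nc_servers> check http "/" code 200
}
redirect "https" {
  listen on 172.16.101.35 port 443
  forward to <web_servers> check http "/" code 200
  forward to <nc_servers> check http "/" code 200
}
"""

def rdr_rules_per_anchor(pfctl_text):
    """Count rdr-to rules inside each anchor of `pfctl -a relayd/* -s rules` output."""
    return {m.group(1): m.group(2).count("rdr-to")
            for m in re.finditer(r'anchor "([^"]+)" all \{(.*?)\}', pfctl_text, re.S)}

def redirect_checks(conf_text):
    """Map each redirect name to (listen port, set of check methods used on its tables)."""
    out = {}
    for m in re.finditer(r'redirect "([^"]+)"\s*\{(.*?)\}', conf_text, re.S):
        body = m.group(2)
        port = int(re.search(r'listen on \S+ port (\d+)', body).group(1))
        out[m.group(1)] = (port, set(re.findall(r'\bcheck (\w+)', body)))
    return out

def diagnose(pfctl_text, conf_text):
    """Flag redirects with an empty anchor, and plaintext HTTP checks aimed at port 443."""
    rules = rdr_rules_per_anchor(pfctl_text)
    findings = []
    for name, (port, checks) in redirect_checks(conf_text).items():
        if rules.get(name, 0) == 0:
            findings.append(f"{name}: anchor has no rdr-to rule, so no host has passed its check")
        if port == 443 and "http" in checks:
            findings.append(f"{name}: 'check http' is plaintext; a port-{port} backend expects TLS")
    return findings
```

Run `diagnose(PFCTL_OUTPUT, RELAYD_CONF)` to get the findings for the sample; on a live host, feed it the real pfctl output and relayd.conf instead.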