Is using relayd to block unwanted HTTP requests, with only having one server a good idea?

Chris Bennett
I like what I see in the FILTER RULES of relayd.
I just want to be able to add new filters as needed when seen in http
error_log.
But I only have one server. And I use SSL for two sites. And multiple
virtual hosts on each IP.
Would I then forward to a new local port such as 127.0.0.1:34567 for the
good requests, just block bad requests and do nothing at all for good
requests?

Or is this not a good solution?
I'm not in a rush, but getting some experience and knowledge in tools
I'm not using is a plus.
I very much like the idea of removal before reaching the webserver.

Thanks,
Chris Bennett
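
One way to wire up the layout the post describes (relayd in front, the web server only on a loopback port), shown here as an added example rather than anything from the thread. The external address 203.0.113.10, the blocked paths and User-Agent pattern, the host names and the document roots are all placeholders; the backend is shown as OpenBSD httpd(8), but any server bound to 127.0.0.1:34567 works the same way.

```conf
# /etc/relayd.conf (added example; addresses, ports and the rule list are
# placeholders, not from the original post)
ext_addr="203.0.113.10"
table <webserver> { 127.0.0.1 }

http protocol "httpfilter" {
    # Hand the real client address to the backend; without this every
    # backend log line shows 127.0.0.1 and the log is useless for finding
    # new things to block.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # Answer blocked requests with an HTTP error page instead of just
    # dropping the connection.
    return error

    # Rules added as scanners show up in the log. "quick" stops rule
    # evaluation at the first match, so nothing below applies to them.
    label "Request filtered"
    block request quick path "/wp-login.php"
    block request quick path "/xmlrpc.php"
    block request quick header "User-Agent" value "masscan*"

    # Everything else goes to the backend unchanged; the Host header is
    # passed through, so name-based virtual hosts still work behind relayd.
    pass
}

relay "www_plain" {
    listen on $ext_addr port 80
    protocol "httpfilter"
    forward to <webserver> port 34567 check tcp
}

relay "www_tls" {
    # relayd terminates TLS here. With no keypair named it loads
    # /etc/ssl/203.0.113.10:443.crt and /etc/ssl/private/203.0.113.10:443.key,
    # i.e. one certificate for this address:port, so it has to cover every
    # name served through this relay.
    listen on $ext_addr port 443 tls
    protocol "httpfilter"
    forward to <webserver> port 34567 check tcp
}

# /etc/httpd.conf: the backend listens only on loopback, so the filter
# cannot be bypassed by talking to it directly from outside.
server "www.example.com" {
    listen on 127.0.0.1 port 34567
    root "/htdocs/www.example.com"
}

server "other.example.com" {
    listen on 127.0.0.1 port 34567
    root "/htdocs/other.example.com"
}
```

Check the file with `relayd -n` before enabling it, and confirm with `netstat -an` (or `fstat`) that nothing but relayd is bound to the external address on 80 and 443; if the old server is still listening there, the filter is decorative.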

Re: Is using relayd to block unwanted HTTP requests, with only having one server a good idea?

trondd-2
On Sat, October 1, 2016 12:00 pm, Chris Bennett wrote:

> I like what I see in the FILTER RULES of relayd.
> I just want to be able to add new filters as needed when seen in http
> error_log.
> But I only have one server. And I use SSL for two sites. And multiple
> virtual hosts on each IP.
> Would I then forward to a new local port such as 127.0.0.1:34567 for the
> good requests, just block bad requests and do nothing at all for good
> requests?
>
> Or is this not a good solution?
> I'm not in a rush, but getting some experience and knowledge in tools
> I'm not using is a plus.
> I very much like the idea of removal before reaching the webserver.
>
> Thanks,
> Chris Bennett
>

I haven't used relayd to block, but experimented with a fairly complicated
setup just as a proxy using the match rules.

One shortcoming you might run into in your use case is that relayd only
supports one cert/key per listening port.  So if you have relayd on 443
and multiple domains behind it, all of those domains have to be in that
one cert.

I don't know that you can dynamically update the match rules, either.  Not
without modifying the conf file and reloading.  Be careful with this
anyway.  You don't want to start blocking because someone's iOS device
gets a 404 on an apple-touch-icon not present on a site.

Tim.
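
The manual loop the two posts describe (read the log, decide what to block, edit relayd.conf, reload) can be scripted for the "decide what to block" step. The POSIX sh/awk script below is an added example, not code from either poster: it counts 404s per path in common-log-format lines and prints one relayd block rule per path seen at least N times, while skipping the expected-404 paths Tim warns about. The sample log lines are constructed, the benign list and the threshold of 2 are assumptions, and the rule form assumes exact path matching in relayd's `path` filter.

```sh
#!/bin/sh
# Added example: turn repeated 404s from the web server's log into candidate
# relayd filter rules. The log lines below are constructed in common log
# format; in real use feed the actual log file on stdin instead.
SAMPLE_LOG='203.0.113.5 - - [01/Oct/2016:12:00:01 -0500] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.5 - - [01/Oct/2016:12:00:02 -0500] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [01/Oct/2016:12:00:03 -0500] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [01/Oct/2016:12:00:04 -0500] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 404 0
203.0.113.9 - - [01/Oct/2016:12:00:05 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 0
203.0.113.9 - - [01/Oct/2016:12:00:06 -0500] "GET /xmlrpc.php HTTP/1.1" 404 0
192.0.2.20 - - [01/Oct/2016:12:00:07 -0500] "GET /index.html HTTP/1.1" 200 1234
192.0.2.20 - - [01/Oct/2016:12:00:08 -0500] "GET /apple-touch-icon.png HTTP/1.1" 404 0
192.0.2.20 - - [01/Oct/2016:12:00:09 -0500] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 0
192.0.2.21 - - [01/Oct/2016:12:00:10 -0500] "GET /favicon.ico HTTP/1.1" 404 0'

# Paths that legitimate clients ask for and that 404 on a site that simply
# does not have them (browsers, iOS home-screen icons, crawlers). These must
# never become block rules, or you lock out real visitors. Bracketed dots
# avoid backslashes, which awk -v would reinterpret.
BENIGN='^/(favicon[.]ico|apple-touch-icon(-precomposed)?[.]png|robots[.]txt)$'

# suggest_blocks MIN: read log lines on stdin, print one relayd
# "block request quick path" rule per path that returned 404 at least MIN
# times and is not on the benign list. Output is sorted so two runs diff
# cleanly.
suggest_blocks() {
    awk -v min="$1" -v benign="$BENIGN" '
        $9 == 404 {
            p = $7
            sub(/\?.*/, "", p)          # strip the query string: one rule per path
            if (p ~ benign) next        # expected 404s, leave them alone
            n[p]++
        }
        END {
            for (p in n)
                if (n[p] >= min)
                    printf "block request quick path \"%s\"  # %d x 404\n", p, n[p]
        }' | sort
}

# Typical use: append the output inside the http protocol block in
# /etc/relayd.conf, check the file with "relayd -n", then "relayctl reload".
printf '%s\n' "$SAMPLE_LOG" | suggest_blocks 2
```

Review the printed rules by hand before reloading; a count threshold catches scanners hammering the same path, but it also catches a broken internal link that a lot of real users clicked, and that deserves a fix, not a block.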