Relayd with multiple lets encrypt cert's


Relayd with multiple lets encrypt cert's

Flipchan
Hello,

I'm trying to get relayd to work with multiple Let's Encrypt certificates,

I want to go user -> https -> http backend host based on the Host header.

relayd:

table <onehosts> { 192.168.3.3 192.168.3.3 }
table <locals> { 127.0.0.1 }
table <twohosts> { 192.168.3.6 192.168.3.5 }

http protocol vhost {
        match request header "Host" value "0.domain.tld" forward to <locals>
        # table name must match the <onehosts> table declared above
        match request header "Host" value "1.domain.tld" forward to <onehosts>
        match request header "Host" value "2.domain.tld" forward to <twohosts>
}

relay vhost {
        listen on 127.0.0.1 port 8089
        protocol vhost
        forward to <locals> port http check icmp
        forward to <onehosts> port http check icmp
        forward to <twohosts> port http check icmp
}

http protocol https {
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
#       tls ca cert "/etc/ssl/1.domain.tld.crt"
#       tls ca file "/etc/ssl/1.domain.tld.fullchain.pem"
#       tls ca key "/etc/ssl/private/1.domain.tld.key" password ""
}

relay sslhost {
        listen on 127.0.0.1 port 8443 ssl
        protocol https
        forward with tls to <locals> port https check icmp
}

Does anyone know how to get this working with multiple letsencrypt certs?



Sincerely
flipchan


Re: Relayd with multiple lets encrypt cert's

Claudio Jeker
On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:

> Hello,
>
> im trying to get relayd to work with multiple letsencrypt certificates,
>
> i want to go user -> https -> http backendhost based on Host header
>
> relayd:
>
> table <onehosts> { 192.168.3.3 192.168.3.3 }
> table <locals> { 127.0.0.1 }
> table <twohosts> { 192.168.3.6 192.168.3.5 }
>
> http protocol vhost {
>         match request header "Host" value "0.domain.tld" forward to <locals>
>     match request header "Host" value "1.domain.tld" forward to <onehost>
>     match request header "Host" value "2.domain.tld" forward to <twohosts>
> }
>
> relay vhost {
>         listen on 127.0.0.1 port 8089
>         protocol vhost
>         forward to <locals> port http check icmp
>     forward to <onehosts> port http check icmp
>         forward to <twohosts> port http check icmp
> }
>
> http protocol https {
>         tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> #       tls ca cert "/etc/ssl/1.domain.tld.crt"
> #       tls ca file "/etc/ssl/1.domain.tld.fullchain.pem"
> #       tls ca key "/etc/ssl/private/1.domain.tld.key" password ""
>
> }
>
> relay sslhost {
>         listen on 127.0.0.1 port 8443 ssl
>         protocol https
>         forward with tls to <locals> port https check icmp
> }
>
> Does anyone know how to get this working with multiple letsencrypt certs?
>

You need individual IP:port settings for each of the certs. Also don't
forward to different hosts based on match rules unless you really know
what you are doing. The backend system is only evaluated at the start of
the connection and so keepalive sessions will not route correctly.

--
:wq Claudio
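One way to lay out relayd.conf along the lines of this reply, as an added example that is not configuration from the thread or from the relayd project: one relay per certificate, each on its own IP:port with its own backend table, and no Host-based "forward to" inside the protocol, so the backend choice never depends on a header. The 192.0.2.x listener addresses, the relay and table names, and the health-check details are assumptions; the backend addresses and hostnames follow the original post.

```conf
# Added example (assumed addresses), not from the thread or from relayd itself.
# One listener per certificate: relayd picks the key and certificate by the
# listener address (see relayd.conf(5) for the exact file names under
# /etc/ssl/private and /etc/ssl), so each hostname gets its own IP:port.

table <one_backends> { 192.168.3.3 }
table <two_backends> { 192.168.3.5 192.168.3.6 }

http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        # no Host-based "forward to" here: each relay below owns exactly one vhost
}

# 1.domain.tld, certificate for 192.0.2.1 (assumed address)
relay "one" {
        listen on 192.0.2.1 port 443 tls
        protocol "https"
        forward to <one_backends> port http check http "/" code 200
}

# 2.domain.tld, certificate for 192.0.2.2 (assumed address)
relay "two" {
        listen on 192.0.2.2 port 443 tls
        protocol "https"
        forward to <two_backends> port http check http "/" code 200
}
```

If only one address is available, the same pattern works with a distinct port per relay (443 and, say, 8443), since the certificate is tied to the IP:port pair rather than to the hostname. Later relayd releases added SNI support through `tls keypair` entries in the protocol block, which lifts the one-address-per-certificate constraint; the layout above is the one available at the time of this thread and still keeps backend selection independent of the Host header.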


Re: Relayd with multiple lets encrypt cert's

Aham Brahmasmi
Hi,

> On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> > Hello,
> > Does anyone know how to get this working with multiple letsencrypt certs?
> >
>
> You need individual IP:port settings for each of the certs. Also don't
> forward to different hosts based on match rules unless you really know
> what you are doing. The backend system is only evaluated at the start of
> the connection and so keepalive sessions will not route correctly.
>
> --
> :wq Claudio

Would having a single SAN certificate help in this case [1]?

Regards,
ab
[1] - https://certbot.eff.org/faq/#can-i-get-a-certificate-for-multiple-domain-names-san-certificates
---------|---------|---------|---------|---------|---------|---------|--


Re: Relayd with multiple lets encrypt cert's

Claudio Jeker
On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:

> Hi,
>
> > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> > > Hello,
> > > Does anyone know how to get this working with multiple letsencrypt certs?
> > >
> >
> > You need individual IP:port settings for each of the certs. Also don't
> > forward to different hosts based on match rules unless you really know
> > what you are doing. The backend system is only evaluated at the start of
> > the connection and so keepalive sessions will not route correctly.
> >
> > --
> > :wq Claudio
>
> Would having a single SAN certificate help in this case [1]?
>

Yes and no. It would make listening on one port possible but it does not
solve the issue of 'match forward to' being sticky for a connection.

--
:wq Claudio


Re: Relayd with multiple lets encrypt cert's

Aham Brahmasmi
> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
> > Hi,
> >
> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> > > > Hello,
> > > > Does anyone know how to get this working with multiple letsencrypt certs?
> > > >
> > >
> > > You need individual IP:port settings for each of the certs. Also don't
> > > forward to different hosts based on match rules unless you really know
> > > what you are doing. The backend system is only evaluated at the start of
> > > the connection and so keepalive sessions will not route correctly.
> > >
> > > --
> > > :wq Claudio
> >
> > Would having a single SAN certificate help in this case [1]?
> >
>
> Yes and no. It would make listening on one port possible but it does not
> solve the issue of 'match forward to' being sticky for a connection.
>
> --
> :wq Claudio

Thanks, Claudio, for your response.

Would it be possible for you to please elaborate on the 'match forward
to' being sticky for a connection? I presume that there is some problem
which might occur due to this.

Thank you.

Regards,
ab
---------|---------|---------|---------|---------|---------|---------|--


Re: Relayd with multiple lets encrypt cert's

Flipchan
So the only way is to have each vhost listen on one port each?

On December 22, 2018 12:31:54 PM GMT+01:00, Claudio Jeker <[hidden email]> wrote:

>On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
>> Hi,
>>
>> > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
>> > > Hello,
>> > > Does anyone know how to get this working with multiple
>letsencrypt certs?
>> > >
>> >
>> > You need individual IP:port settings for each of the certs. Also
>don't
>> > forward to different hosts based on match rules unless you really
>know
>> > what you are doing. The backend system is only evaluated at the
>start of
>> > the connection and so keepalive sessions will not route correctly.
>> >
>> > --
>> > :wq Claudio
>>
>> Would having a single SAN certificate help in this case [1]?
>>
>
>Yes and no. It would make listening on one port possible but it does
>not
>solve the issue of 'match forward to' being sticky for a connection.
>
>--
>:wq Claudio

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Relayd with multiple lets encrypt cert's

Stuart Henderson
On 2018-12-22, Aham Brahmasmi <[hidden email]> wrote:

>> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
>> > Hi,
>> >
>> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
>> > > > Hello,
>> > > > Does anyone know how to get this working with multiple letsencrypt certs?
>> > > >
>> > >
>> > > You need individual IP:port settings for each of the certs. Also don't
>> > > forward to different hosts based on match rules unless you really know
>> > > what you are doing. The backend system is only evaluated at the start of
>> > > the connection and so keepalive sessions will not route correctly.
>> > >
>> > > --
>> > > :wq Claudio
>> >
>> > Would having a single SAN certificate help in this case [1]?
>> >
>>
>> Yes and no. It would make listening on one port possible but it does not
>> solve the issue of 'match forward to' being sticky for a connection.
>>
>> --
>> :wq Claudio
>
> Danke Claudio for your response.
>
> Would it be possible for you to please elaborate on the 'match forward
> to' being sticky for a connection? I presume that there is some problem
> which might occur due to this.

A request comes in with some Host header, relayd decides the destination
based on this and proxies the request. Client does keepalive and
holds on to the connection for use with another request to the same
destination IP. Client then sends a second request - different Host:
header on the same IP. relayd already picked a backend with the first
request and sends it there rather than doing a fresh lookup based on the
second Host header.
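The misrouting described above, as an added demonstration that is not part of this thread: two constructed backends, a hypothetical relay that models the once-per-connection backend choice (it is a model of the behaviour described, not relayd's code), and a probe that sends several Host headers over a single keep-alive connection and reports which backend answered each one. The X-Backend response header, the backend names "one" and "two", and the loopback addresses are constructed for the demo; the hostnames come from the original post.

```python
"""Keep-alive routing probe plus an offline model of per-connection backend
pinning. Added example, not code from the thread or from relayd."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def header_value(head, name):
    """Return the value of header `name` (case-insensitive) in a header block, or None."""
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        field, _, value = line.partition(b":")
        if field.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


def read_http_message(sock):
    """Read one HTTP/1.1 request or response whose body length is given by
    Content-Length (enough for GET and the small replies used here).
    Returns (header_bytes, body_bytes); (b"", b"") means the peer closed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return b"", b""
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    length = int(header_value(head, "Content-Length") or 0)
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head, body[:length]


def probe_routing(addr, hosts):
    """Send one GET per host over a SINGLE keep-alive TCP connection and map
    each Host header to the X-Backend value that came back (a constructed
    header the demo backends emit; against a real setup use any response
    detail that identifies the backend)."""
    seen = {}
    with socket.create_connection(addr) as s:
        for host in hosts:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n"
                      f"Connection: keep-alive\r\n\r\n".encode())
            head, _ = read_http_message(s)
            seen[host] = header_value(head, "X-Backend")
    return seen


class Backend(BaseHTTPRequestHandler):
    """Constructed backend: answers every GET with its own name."""
    protocol_version = "HTTP/1.1"        # keep the connection open between requests
    name = "unnamed"

    def do_GET(self):
        body = self.name.encode()
        self.send_response(200)
        self.send_header("X-Backend", self.name)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the demo quiet
        pass


def start_backend(name):
    handler = type(name, (Backend,), {"name": name})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def start_sticky_relay(vhosts):
    """Hypothetical model of the behaviour described in the thread (not relayd
    code): the backend is looked up ONCE per TCP connection, from the Host
    header of the first request, and every later request on that connection
    goes to the same backend."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen()

    def serve(client):
        backend = None
        with client:
            while True:
                head, body = read_http_message(client)
                if not head:
                    break
                if backend is None:              # the only lookup ever made
                    backend = socket.create_connection(vhosts[header_value(head, "Host")])
                backend.sendall(head + b"\r\n\r\n" + body)
                rhead, rbody = read_http_message(backend)
                client.sendall(rhead + b"\r\n\r\n" + rbody)
        if backend is not None:
            backend.close()

    def accept_loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()


HOSTS = ["1.domain.tld", "2.domain.tld"]      # hostnames from the thread


def demo():
    relay = start_sticky_relay({"1.domain.tld": start_backend("one"),
                                "2.domain.tld": start_backend("two")})
    # One keep-alive connection carrying both Host headers: the second request
    # lands on the backend chosen for the first.
    shared = probe_routing(relay, HOSTS)
    # A fresh connection per Host header routes each request correctly.
    separate = {h: probe_routing(relay, [h])[h] for h in HOSTS}
    return shared, separate


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, call probe_routing with the listener address and the hostnames it serves, then compare the result with one probe per host; a difference between the two is the keep-alive misrouting at work (for a TLS listener, wrap the socket with ssl before sending). The arrangement the thread converges on, one listener per vhost, sidesteps the problem entirely because the backend no longer depends on the Host header.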


Re: Relayd with multiple lets encrypt cert's

Aham Brahmasmi
Hi Stuart,

> Sent: Monday, December 24, 2018 at 1:13 AM
> From: "Stuart Henderson" <[hidden email]>
> To: [hidden email]
> Subject: Re: Relayd with multiple lets encrypt cert's
>
> On 2018-12-22, Aham Brahmasmi <[hidden email]> wrote:
> >> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
> >> > Hi,
> >> >
> >> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> >> > > > Hello,
> >> > > > Does anyone know how to get this working with multiple letsencrypt certs?
> >> > > >
> >> > >
> >> > > You need individual IP:port settings for each of the certs. Also don't
> >> > > forward to different hosts based on match rules unless you really know
> >> > > what you are doing. The backend system is only evaluated at the start of
> >> > > the connection and so keepalive sessions will not route correctly.
> >> > >
> >> > > --
> >> > > :wq Claudio
> >> >
> >> > Would having a single SAN certificate help in this case [1]?
> >> >
> >>
> >> Yes and no. It would make listening on one port possible but it does not
> >> solve the issue of 'match forward to' being sticky for a connection.
> >>
> >> --
> >> :wq Claudio
> >
> > Danke Claudio for your response.
> >
> > Would it be possible for you to please elaborate on the 'match forward
> > to' being sticky for a connection? I presume that there is some problem
> > which might occur due to this.
>
> A request comes in with some Host geader, relayd decides the destination
> based on this and proxies the request. Client does keepalive and
> holds on to the connection for use with another request to the same
> destination IP. Client then sends a second request - different Host:
> header on the same IP. relayd already picked a backend with the first
> request and sends it there rather than doing a fresh lookup based on the
> second Host header.

I am sorry for the delay in my response.

Thank you for the simple and helpful explanation. I had not thought
about this possibility of the client reusing the underlying connection
to an IP:port shared by different hosts.

Thank you.

Regards,
ab
---------|---------|---------|---------|---------|---------|---------|--