relayd https relay


Markus Rosjat
Hi there,

just a simple question about relaying https connections. Is it
possible to simply pass the https traffic to the webserver with relayd?
My naive approach was simply checking the host name in the header and
then forwarding it to the http or https port. This works for http but with
https it doesn't.


here are my relayd.conf parts


http protocol "httpproxy" {
        match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
        match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>
}

relay "proxy" {
        listen on $gateway port http
        protocol "httpproxy"

        forward to <new-webserver> port http
        forward to <old-webserver> port http
}

relay "proxyssl" {
        listen on $gateway port https
        protocol "httpproxy"

        forward to <new-webserver> port https tls
}

with this I don't get a relay for https, it seems; if I add tls to the
listen part I get told relayd can't find the certificates. And that is
totally understandable because there are no certs on this machine for
these domains, because they are on the webserver machine.


So it all boils down to the question: do I have to set up my
certificates on the relay host to be able to use an https relay?


regards


--
Markus Rosjat    fon: +49 351 8107223    mail: [hidden email]

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT


Re: relayd https relay

Markus Rosjat
there is of course one tls too many in the config

it's just

relay "proxyssl" {
        listen on $gateway port https
        protocol "httpproxy"

        forward to <new-webserver> port https
}




Re: relayd https relay

Bryan Harris
I don't think you can know the host header unless you decrypt the https
using a certificate.  It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd.  (I could be wrong about that.)

In mine I have listen on $ext_addr port 443 tls.  Then there is an
/etc/ssl/ipaddr:443.crt file.  Look at the phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).

The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.

https://www.michaelwlucas.com/tools/relayd

V/r,
Bryan


Re: relayd https relay

Markus Rosjat
Hi Bryan,

I know that scenario, but I want to serve an individual certificate for
every virtual host (httpd can do that), so I was looking for a simple
relay by looking at the header, but it seems I can't get it to work this way :(




Re: relayd https relay

trondd-2
httpd has SNI, relayd does not.

https://marc.info/?l=openbsd-cvs&m=147187817314952&w=2

For these scenarios, I have to turn to www/pound which I like for its
small size and chroot support.


Re: relayd https relay

Ronan Viel
Hi,
This kind of config works perfectly on my box. I am not sure SNI has anything to do with it here, as relayd terminates the https connection, gets all the headers and reopens a new one.
I just think you forgot the "with tls" in your forward directive below:

relay "proxyssl" {
        listen on $gateway port https
        protocol "httpproxy"

        forward with tls to <new-webserver> port https
}

Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man).

Ronan

Re: relayd https relay

Markus Rosjat
Hi Ronan,

thanks for the hint I'll give it a try!

regards

Markus


Re: relayd https relay

Markus Rosjat
Hi there,

ok I tried the with tls option and I can at least see relayd tries to
send the request to the webserver. I still can't get a proper response
from the webserver. When I do a simple rdr-to rule in pf it just works.

Do I need to do some magic that I am still missing?

Regards

Markus


Re: relayd https relay

Markus Rosjat
Hi,

so I added the with tls keywords to the relay and my webserver gets
requests now, but from my relay host, and this is making the way back quite
hard :(

so I added the X headers for Forwarded-For and Forwarded-By but it still
leaves the question how to tell the relay host to just let it all out
like in a normal rdr-to rule in pf? Like I said, the pf rule just works fine,
so the traffic can go through all the interfaces just fine.

regards

Markus


Re: relayd https relay

trondd-2
You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.


Re: relayd https relay

Markus Rosjat
I'll try to figure out the ca file option mentioned by Ronan; maybe this is
some kind of option here.


Re: relayd https relay

trondd-2

Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers.
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'


Re: relayd https relay

Markus Rosjat
I want to go with Let's Encrypt certificates, so if I provide the pem
created by the acme-client it should be ok, even if it seems not to be for now.

I don't know if relayd development is going to add SNI sometime soon, but
for now I could live with a certificate that basically has all my served
domains in the SAN field.



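A complete relayd.conf that puts the thread's answers together (Bryan's certificate location, Ronan's "forward with tls" and "ca file", trondd's advice to reference only the signing CA), added here as an example and not something posted in the thread. The addresses, table names and CA path are placeholders, and the placement of "ca file" inside the protocol's tls { } options follows relayd.conf(5) as Ronan and trondd describe it.

```conf
# Added example (not from the thread).  $gateway, the table members and
# /etc/ssl/webca.pem are placeholders; replace them with your own values.
gateway="192.0.2.10"                     # public address of the relay host

table <new-webserver> { 10.0.0.11 }      # backend hosts (placeholders)
table <old-webserver> { 10.0.0.12 }

http protocol "httpproxy" {
        # relayd (2017) has no SNI, so it can only read the Host header
        # after it has decrypted the client connection itself.  The cert it
        # presents on "listen ... tls" is taken from
        # /etc/ssl/192.0.2.10:443.crt with the key in
        # /etc/ssl/private/192.0.2.10:443.key (relayd.conf(5)).  That is
        # one certificate per address:port, so list every hosted name in
        # that certificate's SAN field, as the thread concludes.

        # Tell the backends who the real client was, since they now only
        # ever see connections from the relay host.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        # Route by Host once the request is readable.  Each table named
        # here must also appear in a "forward to" line of the relay.
        match request quick header "Host" value "random-domain1.tld" forward to <new-webserver>
        match request quick header "Host" value "random-domain2.tld" forward to <old-webserver>

        # Verify the backend certificates on the re-encrypted hop.  Put only
        # the CA that signed the backend certs in this file, not a large
        # bundle (trondd's note about the imsg size limit).
        tls { ca file "/etc/ssl/webca.pem" }
}

# Plain http: nothing to decrypt, the original Host-based routing works.
relay "proxy" {
        listen on $gateway port http
        protocol "httpproxy"

        forward to <new-webserver> port http
        forward to <old-webserver> port http
}

# https: terminate the client's TLS here ("tls" on listen), then
# re-encrypt towards the backends ("with tls" on forward).  Without
# "with tls" relayd sends plaintext HTTP to the backends' port 443, which is
# the symptom from the start of the thread.
relay "proxyssl" {
        listen on $gateway port https tls
        protocol "httpproxy"

        forward with tls to <new-webserver> port https
        forward with tls to <old-webserver> port https
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before reloading; a missing /etc/ssl/address:port.crt or an unreadable CA file shows up there rather than at the first client request.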


Weird pf.conf issue when opening port for remote access

Ton Muller-3
For a friend who hosts a game server I created locally a SQL database for
fetching stats, so I created the rule below

pass in quick on $ext_if proto { tcp,udp } from (ip address here) to
$ext_if port 3306 rdr-to 192.168.0.228


after a pfctl the database returned a SQL error, that it was unable to
connect to it.

So I created a 2nd rule set (and put a # in front of the 1st rule)

pass in quick on $ext_if proto { tcp,udp } from any to $ext_if port 3306
rdr-to 192.168.0.228

And yes, a connection was made.

so, I reverted the settings, I don't want unwanted hammering on my SQL server.
all went well, no issues.
so I set up the 2nd pool connection.
and again, NO connection possible, and the 1st pool also died with it.


what am I doing wrong so remote connections are possible?

any suggestions?

Tony.


Re: Weird pf.conf issue when opening port for remote access

Ton Muller-3
Does not work here.
global connections are working, but I only want ONE remote machine to
connect to it.

I guess I have my firewall a bit too tight here.

well, a short cut from my rules

int_if ="sk0"
ext_if ="re0"

match out on egress inet from !(egress) to any nat-to (egress:0)

pass in quick on $ext_if proto { tcp } from any to $ext_if port 16000 rdr-to 192.168.0.228
pass in quick on $ext_if proto { tcp,udp } from x.x.x.x to $ext_if port 3306 rdr-to 192.168.0.228

block in quick on $ext_if all
antispoof for $ext_if inet

pass out quick keep state
pass in quick inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if keep state

On 26-9-2017 11:29, Zé Loff wrote:

> I'm having trouble understanding most of your message but anyway, this
> is how I do it:
>
>      match in on $ext_if inet proto { tcp, udp } to ($ext_if) port 3306 rdr-to 192.168.0.228
>      pass in on $ext_if inet proto { tcp, udp } from XXX.XXX.XXX.XXX to 192.168.0.228 port 3306
>
> Also, add log keywords to the block rules (and optionally to the rules
> above) and use
>
>      # tcpdump -neti pflog0
>
> to see what is happening.
>
> Cheers
> Zé
>
>


Re: Weird pf.conf issue when opening port for remote access

Ton Muller-3
Probably right.
I tested it with GRC.com, that works.

weird, I have entered the correct ip, even a /24, /16, and /8 !! isn't
working.
think the guy needs to ask the GSP for the proper ip address. Well,
anyway, experiment still successful,

thank you for the time, and the other solution.

Tony.

On 26-9-2017 16:28, Zé Loff wrote:

> On Tue, Sep 26, 2017 at 04:04:45PM +0200, Ton Muller wrote:
>> Does not work here.
>> global connections are working, but i only want ONE remote machine to
>> connect to it.
>
> Well, if the problem arises when you change "from any" to "from x.x.x.x"
> then I'd say you are specifying the wrong IP (maybe NATing or the like
> on the other end is mixing things up).  I'll suggest tcpdump again:
>
>    # tcpdump -nti <your external iface> port 3306
>
> This might help in figuring out which IP the connection requests are
> coming from.
>
> OT: I don't know if you have considered it or not, but you very much
> want to be using TLS on this connection and/or using client certificates
> for authentication.
>
> Cheers
> Zé
>