relayd redirect not working

Dave Cohen
I'm struggling to figure out why network traffic is not making it to a service I'm running.

What I'm trying to do is serve http and https from a non-standard server.  (Called `caddy`, if you're curious).  I want to run this thing as a non-root user.  I'm not aware of any way to have the non-root user open ports 80 or 443.  Which is great, so long as I can get traffic to those ports redirected to my server, which I have listening on 8080 and 8443 respectively.

I prefer the TLS traffic to 443 terminate at my server on 8443.  And I've been trying to do this with relayd redirects.

Here's what I've tried, in /etc/relayd.conf:

table <httpshosts> {127.0.0.1}

redirect "https" {
        listen on 0.0.0.0 port 443
        forward to <httpshosts> port 8443 check icmp
}

redirect "http" {
        listen on 0.0.0.0 port 80
        forward to <httpshosts> port 8080 check icmp
}



With that configuration, traffic on port 80 works as expected, my server responds.  But https traffic on port 443, as far as I can tell, never makes it to my server listening on port 8443.  I'm not sure why the two redirects which are so similar do not behave the same way.

Possibly, the https redirect needs to use `route to` rather than `forward to`.  When I tried that, relayd errors with "missing interface to route to".  I couldn't figure out reading `man relayd.conf` how to get past that error.  If anyone has a working example, please share.

My questions for this group are (a) is there a smarter way than what I'm trying?  And if not (b) what am I doing wrong?  Thanks in advance for any info!

-Dave


Re: relayd redirect not working

Salvatore Cuzzilla
Ciao Dave,

I'm also playing with relayd as a L7 gateway and as far as I can see from your
config there is no CA and key configured. In order for HTTPS to work relayd
needs to be able to do TLS inspection and of course you should redirect all
your https traffic to port 8443 (using PF for example). If you check the
pf.conf man page under both the sections RELAYS and Examples you should be
able to find a lot of good hints.


Regards,
Salvatore.

> On 12 Mar 2017, at 06:48, Dave Cohen <[hidden email]> wrote:


Re: relayd redirect not working

Sebastien Marie-3
On Sat, Mar 11, 2017 at 09:48:27PM -0800, Dave Cohen wrote:

> I'm struggling to figure out why network traffic is not making it to a service I'm running.
>
> What I'm trying to do is serve http and https from a non-standard server.  (Called `caddy`, if you're curious).  I want to run this thing as non-root user.  I'm not aware of any way to have the non-root user open ports 80 or 443.  Which is great, so long as I can get traffic to those port to be redirected to my server, which I have listening on 8080 and 8443 respectively.
>
> I prefer the TLS traffic to 443 terminate at my server on 8443.  And I've been trying to do this with relayd redirects.
>
> [...]
>
> My questions for this group are (a) is there a smarter way than what I'm trying?  And if not (b) what am I doing wrong?  Thanks in advance for any info!
>

Wouldn't pf(4) rules be better for that, instead of using relayd(8)?

something like these (untested) rules:

pass in on egress proto tcp from any to (self) port  80 rdr-to 127.0.0.1 port 8080
pass in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443

see pf.conf(5) and https://www.openbsd.org/faq/pf/rdr.html

--
Sebastien Marie


Re: relayd redirect not working

Dave Cohen
Thanks all, for the several helpful responses in this thread.

Here's what I currently have, in /etc/pf.conf.  Appears to work.  Although, I am rethinking my approach and may terminate TLS at httpd in the future.  Still it is nice for me to learn what is possible.

match in on egress proto tcp from any to (self) port  80 rdr-to 127.0.0.1 port 8080
match in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443


To Salvatore Cuzzilla, note I was trying to use relayd for L3 redirect, which is why no CA or key configured.

To Kevin, I'm not trying to simply replace httpd with caddy.  Longer term I will be customizing the server, which I prefer to do in Go.

-Dave

On Sun, Mar 12, 2017, at 02:12 AM, Sebastien Marie wrote:
[snip]
>
> pass in on egress proto tcp from any to (self) port  80 rdr-to 127.0.0.1 port 8080
> pass in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443
>
> see pf.conf(5) and https://www.openbsd.org/faq/pf/rdr.html
>
> --
> Sebastien Marie
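Editor's added example (not code from the thread or from relayd/pf): a small lint for the pf.conf side of the two approaches discussed above, the relayd `redirect` blocks in the first post and the `rdr-to` rules Sebastien and Dave posted. It checks two things a practitioner would want to know before reaching for tcpdump: whether pf.conf declares the `"relayd/*"` anchor, which relayd(8) needs in order for the rules it inserts into pf to be evaluated at all, and whether each `rdr-to` rule is written with `pass` (redirects and admits the packet) or with `match` (only rewrites the destination, so a later `pass` rule must still admit it). The sample pf.conf written by `write_sample_pfconf` is constructed from the rules in this thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: lint the pf.conf side of a relayd
# redirect / rdr-to setup. The sample written by write_sample_pfconf is
# constructed from the rules posted in the thread.

# check_relayd_anchor FILE
# Prints "ok" if pf.conf declares the "relayd/*" anchor, else "missing".
# relayd(8) inserts the rules for each "redirect" into that anchor, so a
# pf.conf without it silently ignores everything relayd sets up.
check_relayd_anchor() {
    if grep -Eq '^[[:space:]]*anchor[[:space:]]+"relayd/\*"' "$1"; then
        echo ok
    else
        echo missing
    fi
}

# list_rdr FILE
# Prints one line per rdr-to rule: "<action> <dst port> -> <target>:<port>".
# A "match ... rdr-to" rule only rewrites the destination; the packet must
# still be admitted by a later "pass" rule, whereas "pass ... rdr-to" does
# both in one rule.
list_rdr() {
    awk '
        /^[ \t]*(pass|match)[ \t]+in/ && /rdr-to/ {
            dport = ""; target = ""; tport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "port" && dport == "") dport = $(i + 1)
                if ($i == "rdr-to") { target = $(i + 1); tport = $(i + 3) }
            }
            printf "%s %s -> %s:%s\n", $1, dport, target, tport
        }
    ' "$1"
}

# count_match_rdr FILE
# Number of rdr-to rules written with "match" rather than "pass"; each of
# these depends on some other pass rule to let the redirected packet through.
count_match_rdr() {
    list_rdr "$1" | grep -c '^match' || true
}

# write_sample_pfconf [noanchor]
# Writes a constructed pf.conf to a temp file and prints its path. Pass
# "noanchor" to omit the relayd anchor line.
write_sample_pfconf() {
    sample=$(mktemp) || return 1
    {
        echo 'set skip on lo'
        echo 'block return'
        echo 'pass'
        echo 'match in on egress proto tcp from any to (self) port  80 rdr-to 127.0.0.1 port 8080'
        echo 'pass  in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443'
        [ "$1" = noanchor ] || echo 'anchor "relayd/*"'
    } > "$sample"
    echo "$sample"
}

# Stand-alone run: lint the constructed sample.
cfg=$(write_sample_pfconf)
echo "relayd anchor: $(check_relayd_anchor "$cfg")"
list_rdr "$cfg"
echo "match-form rdr rules that need a separate pass: $(count_match_rdr "$cfg")"
rm -f "$cfg"
```

Point the functions at /etc/pf.conf on the host. After editing, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -a 'relayd/https' -sr` prints the rules relayd actually inserted into its anchor, which is the direct way to do what Michael suggests later in the thread.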


Re: relayd redirect not working

Michael W. Lucas-2
On Sun, Mar 12, 2017 at 09:26:53AM +0100, Salvatore Cuzzilla wrote:
> Ciao Dave,
>
> I'm also playing with relayd as a L7 gateway and as far as I can see from your
> config there is no CA and key configured. In order for HTTPS to work relayd
> needs to be able to do TLS inspection and of course you should redirect all
> your https traffic to port 8443 (using PF for example). If you check the
> pf.conf man page under both the sections RELAYS and Examples you should be
> able to find a lot of good hints.

He's using a redirect, not a relay, so it should work just fine. No L7
stuff here, only low-level IP.

Dave, looks OK to me. What does `relayd -dvvv` say? And `relayctl sho sum`?

--
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/


Re: relayd redirect not working

Dave Cohen
Michael,

Appreciate you chiming in.  I'm a fan of Absolute OpenBSD!

I'm having trouble reproducing the settings that I originally wrote about.  I've tried to restore /etc/relayd.conf and /etc/pf.conf to what they were when I wrote the email.  But right now, neither port 80 nor 443 is redirecting to the other ports.  Earlier, port 80 was working while 443 was not.  I'm at a loss as to why the behavior is not the same as before.

Despite that trouble, I tried the commands you suggested.  `relayd -dvvv` shows

$ doas relayd -dvvv
startup
socket_rlimit: max open files 1024
init_filter: filter init done
init_tables: created 2 tables
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
hce_notify_done: 127.0.0.1 (icmp ok)
host 127.0.0.1, check icmp (32ms,icmp ok), state unknown -> up, availability 100.00%
pfe_dispatch_hce: state 1 for host 1 127.0.0.1
hce_notify_done: 127.0.0.1 (icmp ok)
host 127.0.0.1, check icmp (33ms,icmp ok), state unknown -> up, availability 100.00%
pfe_dispatch_hce: state 1 for host 2 127.0.0.1
table https: 1 added, 0 deleted, 0 changed, 0 killed
pfe_sync: enabling ruleset
sync_ruleset: rule added to anchor "relayd/https"
hce_notify_done: 127.0.0.1 (icmp ok)
hce_notify_done: 127.0.0.1 (icmp ok)
table http: 1 added, 0 deleted, 0 changed, 0 killed
pfe_sync: enabling ruleset
sync_ruleset: rule added to anchor "relayd/http"
hce_notify_done: 127.0.0.1 (icmp ok)
hce_notify_done: 127.0.0.1 (icmp ok)
hce_notify_done: 127.0.0.1 (icmp ok)
...etc...

and `relayctl sho sum`

$ relayctl sho sum
Id      Type            Name                            Avlblty Status
1       redirect        https                                   active
1       table           httpshosts:8443                         active (1 hosts)
1       host            127.0.0.1                       100.00% up
2       redirect        http                                    active
2       table           httpshosts:8080                         active (1 hosts)


-Dave

On Sun, Mar 12, 2017, at 03:16 PM, Michael W. Lucas wrote:
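Editor's added example (not code from the thread or from relayd): a check that turns `relayctl show summary` output into one health line per redirect, so a redirect whose table has no host in state `up` is flagged instead of having to be spotted by eye. It is worth noting in the summary Dave posted that the `http` table reports `(1 hosts)` but no host row is printed under it, which is exactly the kind of inconsistency this check surfaces. `sample_summary` is a constructed copy of that posted output, not live output; the function names and the verdict strings are mine, and the column layout is assumed to be the one shown above.

```shell
#!/bin/sh
# Added example, not from the thread: per-redirect health from the text of
# "relayctl show summary". sample_summary is a constructed copy of the
# summary posted in the thread.

sample_summary() {
    cat <<'EOF'
Id      Type            Name                            Avlblty Status
1       redirect        https                                   active
1       table           httpshosts:8443                         active (1 hosts)
1       host            127.0.0.1                       100.00% up
2       redirect        http                                    active
2       table           httpshosts:8080                         active (1 hosts)
EOF
}

# check_redirects < summary
# Prints one line per redirect:
#   <name> status=<s> declared=<n> listed=<n> up=<n> <ok|NO-UP-HOST>
# "declared" is the host count relayd reports for the table, "listed" the
# number of host rows actually printed under it, "up" how many of those
# are in state up. A redirect with up=0 cannot deliver any traffic.
check_redirects() {
    awk '
        NR == 1 { next }                      # skip the column header
        $2 == "redirect" {
            cur = $3; order[++n] = cur; status[cur] = $4
            declared[cur] = 0; listed[cur] = 0; up[cur] = 0
        }
        $2 == "table" && cur != "" { declared[cur] += substr($5, 2) + 0 }
        $2 == "host" && cur != "" {
            listed[cur]++
            if ($NF == "up") up[cur]++
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                verdict = (up[name] > 0) ? "ok" : "NO-UP-HOST"
                printf "%s status=%s declared=%d listed=%d up=%d %s\n",
                    name, status[name], declared[name], listed[name], up[name], verdict
            }
        }
    '
}

# failing_redirects < summary
# Names of redirects that currently have no host up.
failing_redirects() {
    check_redirects | awk '$NF == "NO-UP-HOST" { print $1 }'
}

# Stand-alone run over the constructed sample.
sample_summary | check_redirects
```

On the host, `relayctl show summary | check_redirects` gives the same view for the live daemon; an entry flagged `NO-UP-HOST` means the redirect is active in pf but has nowhere to send packets, which presents to a client exactly like the "never makes it to my server" symptom described at the top of the thread.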


Re: relayd redirect not working

Michael W. Lucas-2
Thanks.

Look at the PF rules in the relayd table. See what's redirecting from
where to what.

If that all looks ok, there's always tcpdump...

On Wed, Mar 15, 2017 at 11:42:32PM -0700, Dave Cohen wrote:

--
Michael W. Lucas    Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
