I have a super simple (sanitised) relayd.conf
$ext_ip = 192.168.1.1

table <t-http> { 127.0.0.1 }
table <t-https> { 127.0.0.1 }

http protocol "p-https" {
	tls session tickets
	tls keypair domain.example
	tls ca file "/etc/ssl/cert.pem"
	http websockets
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }
	return error
	block
	pass request path log "/http*" forward to <t-http>
	pass request path log "/https*" forward to <t-https>
	pass response
}

relay "tlsforward" {
	listen on $ext_ip port 443 tls
	protocol "p-https"
	forward to <t-http> port 81
	forward with tls to <t-https> port 82
}
The problem is with the second-to-last line.
If I remove "with tls",
then requests to 82 are forwarded unencrypted, and a curl test reports
curl: (52) Empty reply from server.
However, if I keep "with tls", the requests to port 81 are going
encrypted, and are failing with the following message in relayd logs:
SSL routines:ST_CONNECT:tlsv1 alert protocol version,
TLS handshake error: handshake failed:.
There should not be any TLS handshakes at port 81, because the backend
at port 81 is http-only.
This issue was first discussed at openbsd-misc.
https://marc.info/?l=openbsd-misc&m=162866423427344&w=2