I have a super simple (sanitised) relayd.conf:
$ext_ip = 192.168.1.1
table <t-http> { 127.0.0.1 }
table <t-https> { 127.0.0.1 }
http protocol "p-https" {
tls session tickets
tls keypair domain.example
tls ca file "/etc/ssl/cert.pem"
http websockets
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
return error
block
pass request path log "/http*" forward to <t-http>
pass request path log "/https*" forward to <t-https>
pass response
}
relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "p-https"
forward to <t-http> port 81              # backend on 81 is http-only
forward with tls to <t-https> port 82    # backend on 82 expects TLS
}
The problem is with the second-to-last line.

If I remove "with tls", then requests to 82 are forwarded unencrypted, and the curl test reports: curl: (52) Empty reply from server

However, if I keep "with tls", the requests to port 81 are being sent encrypted and are failing with the following message in the relayd logs: SSL routines:ST_CONNECT:tlsv1 alert protocol version, TLS handshake error: handshake failed:

There should not be any TLS handshakes at port 81, because the backend at port 81 is http-only.
This issue was first discussed at openbsd-misc.
https://marc.info/?l=openbsd-misc&m=162866423427344&w=2
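A check a practitioner would run before (or while debugging) a relayd.conf like the one above: confirm what each backend port actually speaks, so a "forward with tls" rule is never pointed at an HTTP-only backend and a plain "forward to" is never pointed at a TLS-only one. The script below is an added example written for this page; it is not part of the issue report and not relayd's own tooling. It builds a genuine TLS ClientHello with the standard library's memory-BIO interface, sends it to a backend, and classifies the first bytes that come back. The table names t-http/t-https and the ports 81/82 are taken from the issue; the two fake local backends, their canned replies, and the function names are constructed for the example.

```python
"""Probe backends to see whether each port speaks TLS or plain HTTP.

Added example (not from the relayd issue or project). A backend that only
speaks HTTP will never complete a TLS handshake, so it must not sit behind
a `forward with tls` rule. Probing each backend with a real ClientHello and
classifying the answer makes such a mismatch visible before relayd does.
"""
import socket
import ssl
import threading


def build_client_hello(server_name="domain.example"):
    """Produce the bytes of a genuine ClientHello without touching the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # we only want the hello, not a verified session
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is in `outgoing`, OpenSSL now waits for ServerHello
    return outgoing.read()


def classify_response(data):
    """Classify the first bytes a backend sends after receiving a ClientHello."""
    if not data:
        return "closed"             # closed without answering (what curl reports as Empty reply)
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                # TLS handshake record: backend speaks TLS
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"          # TLS alert record: speaks TLS but refused this hello
    if data.startswith(b"HTTP/"):
        return "plaintext-http"     # backend parsed the hello as an HTTP request line
    return "unknown"


def probe(host, port, timeout=3.0):
    """Send a ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


def check_backends(backends):
    """backends: {name: (host, port, expects_tls)} -> list of mismatch messages.

    expects_tls mirrors the relayd rule: True for `forward with tls`,
    False for a plain `forward to`.
    """
    problems = []
    for name, (host, port, expects_tls) in backends.items():
        kind = probe(host, port)
        speaks_tls = kind in ("tls", "tls-alert")
        if expects_tls and not speaks_tls:
            problems.append(f"{name}: rule says 'forward with tls' but backend answered {kind}")
        elif not expects_tls and speaks_tls:
            problems.append(f"{name}: rule is plain 'forward to' but backend speaks TLS ({kind})")
    return problems


def serve_once(reply):
    """Constructed stand-in backend: answer one client with `reply` bytes, then exit.

    Returns the ephemeral local port it listens on. Only used to run the
    example offline; a real check points probe() at the real backends.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(65536)            # swallow the ClientHello
        if reply:
            conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


# Constructed replies imitating the two kinds of backend in the issue.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
TLS_ALERT_REPLY = b"\x15\x03\x03\x00\x02\x02\x46"   # fatal alert 70 = protocol_version

if __name__ == "__main__":
    # Stand-ins for the issue's port 81 (http-only) and port 82 (TLS) backends,
    # deliberately wired the wrong way round to show the report.
    http_port = serve_once(PLAIN_HTTP_REPLY)
    tls_port = serve_once(TLS_ALERT_REPLY)
    for msg in check_backends({"t-http": ("127.0.0.1", http_port, True),
                               "t-https": ("127.0.0.1", tls_port, False)}):
        print(msg)
```

Against real backends, call probe() with the addresses from the tables and the expects_tls flag taken from the matching forward rule; a "plaintext-http" or "closed" answer from a port that a "with tls" rule points at is the same mismatch the relayd log reports as a failed handshake.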