Discussion:
Migrating nginx config to OpenBSD's httpd
Add Reply
C. L. Martinez
2018-04-13 10:30:08 UTC
Reply
Permalink
Raw Message
Hi all,

I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
working ok, except for some proxy reverse config that I use with nginx's
config, like for example:

server {
listen 80;
server_name internal.w01.domain.org;

location / {
proxy_pass http://192.168.30.4;
}
}

I don't see what is the option to use with httpd.conf or is it best
option to use relayd.conf for this type of configs?

Thanks.
Pavel Korovin
2018-04-13 11:30:18 UTC
Reply
Permalink
Raw Message
Hi Carlos,

There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
Post by C. L. Martinez
I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
working ok, except for some proxy reverse config that I use with nginx's
server {
listen 80;
server_name internal.w01.domain.org;
location / {
proxy_pass http://192.168.30.4;
}
}
I don't see what is the option to use with httpd.conf or is it best
option to use relayd.conf for this type of configs?
--
With best regards,
Pavel Korovin
Bogdan Kulbida
2018-04-13 13:31:06 UTC
Reply
Permalink
Raw Message
Hi Carlos,

HAproxy project exists and serves much better as load balancer and reverse
proxy server. It is more efficient than engine X. Any concerns using it?

- Bogdan
Post by Pavel Korovin
Hi Carlos,
There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
Post by C. L. Martinez
I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
working ok, except for some proxy reverse config that I use with nginx's
server {
listen 80;
server_name internal.w01.domain.org;
location / {
proxy_pass http://192.168.30.4;
}
}
I don't see what is the option to use with httpd.conf or is it best
option to use relayd.conf for this type of configs?
--
With best regards,
Pavel Korovin
--
---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295
Henrik Friedrichsen
2018-04-16 09:09:39 UTC
Reply
Permalink
Raw Message
Post by Pavel Korovin
Hi Carlos,
There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
So far I have not been able to emulate proxy_pass with relayd.

I came across two issues:
- relayed HTTP requests resulted in cut off responses, similar to this
issue: https://github.com/reyk/relayd/issues/12
- I have not been able to come up with a configuration/filter setting
that will only match for a specific subdomain and will pass the
non-matching requests to the regular httpd listening on port 80

Did anyone have success in setting this up?
Pavel Korovin
2018-04-16 11:02:45 UTC
Reply
Permalink
Raw Message
Henrik,

Regarding cut off responses, I didn't have such problems, maybe it was fixed
since 2016.

Regarding multi-site setup, I have something like this:

--- httpd.conf ---
### default site behind relayd
server "waste.tristero.se" {
alias "tristero.se"
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/waste.tristero.se"
}

server "openbsd.tristero.se" {
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/openbsd.tristero.se"
}

### this one is not behind relayd, used for http to https redirection
server "waste.tristero.se" {
alias "openbsd.tristero.se"
alias "tristero.se"
listen on 188.244.46.111 port 80
listen on 2001:470:1f15:1492::2 port 80
root "/htdocs/waste.tristero.se"
block return 301 "https://$HTTP_HOST/$DOCUMENT_URI"
}

--- relayd.conf ---

ext4="188.244.46.111"
ext6="2001:470:1f15:1492::2"
localhost4="127.0.0.1"
localhost6="::1"

table <openbsd4> { $localhost4 }
table <openbsd6> { $localhost6 }
table <waste4> { $localhost4 }
table <waste6> { $localhost6 }

http protocol "https4" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to <waste4>
match request header "Host" value "waste.tristero.se" forward to <waste4>
match request header "Host" value "openbsd.tristero.se" forward to <openbsd4>
tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

http protocol "https6" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to <waste6>
match request header "Host" value "waste.tristero.se" forward to <waste6>
match request header "Host" value "openbsd.tristero.se" forward to <openbsd6>
tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

relay "https4" {
listen on $ext4 port 443 tls
protocol "https4"
forward to <openbsd4> port 80
forward to <waste4> port 80
}

relay "https6" {
listen on $ext6 port 443 tls
protocol "https6"
forward to <openbsd6> port 80
forward to <waste6> port 80
}

--- end cut ---

The only problem I have was configuring specific security headers for
specific hosts, i.e. I cannot have specific http protocol sections with
different responses for specific hosts, like:

http protocol "https4-flex" {
match request header "Host" value "not-secure.domain" forward to <backend-site1>
match response header set "Content-Security-Policy" value "<flex-policy-rules-follow>"
}
http protocol "https4-strict" {
match request header "Host" value "secure.domain" forward to <backend-site2>
match response header set "Content-Security-Policy" value "<strict-policy-rules-follow>"
}
--
With best regards,
Pavel Korovin
Post by Henrik Friedrichsen
So far I have not been able to emulate proxy_pass with relayd.
- relayed HTTP requests resulted in cut off responses, similar to this
issue: https://github.com/reyk/relayd/issues/12
- I have not been able to come up with a configuration/filter setting
that will only match for a specific subdomain and will pass the
non-matching requests to the regular httpd listening on port 80
Did anyone have success in setting this up?
Henrik Friedrichsen
2018-04-16 13:49:39 UTC
Reply
Permalink
Raw Message
Hey Pavel,

thanks for your response. I have adapted my configuration and came up
with this:

<SNIP>
ext4="51.15.10.194"
ext6="2001:bc8:2d08::1"

table <monit> { "127.0.0.1" }
table <httpd> { "127.0.0.1" }

http protocol "monit" {
match request header "Host" value "status.affekt.org" forward to <monit>
match request header "Host" value "affekt.org" forward to <httpd>
}

relay "proxy" {
listen on $ext4 port 80
protocol "monit"
forward to <monit> port 2812
forward to <httpd> port 80
}
</SNIP>

I have a local monit instance listening on 127.0.0.1:2812

This configuration works, sort of:
- Is there a way to match all hosts that are not "status.affekt.org"?
That way I don't have to write a filter rule for every subdomain
- Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
closed and most of the HTTP response headers are missing (status code,
content-length, etc.)

Any idea what I'm doing wrong?

Thanks!

hera ~ % curl -v "http://status.affekt.org/"
* Trying 51.15.10.194...
* TCP_NODELAY set
* Connected to status.affekt.org (51.15.10.194) port 80 (#0)
GET / HTTP/1.1
Host: status.affekt.org
User-Agent: curl/7.58.0
Accept: */*
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="monit"

* Connection #0 to host status.affekt.org left intact
<html><head><title>401 Unauthorized</title></head><body
bgcolor=#FFFFFF><h2>Unauthorized</h2>You are not authorized to access
monit. Either you supplied the wrong credentials (e.g. bad password), or
your browser doesn't understand how to supply the credentials required
Pavel Korovin
2018-04-16 14:43:56 UTC
Reply
Permalink
Raw Message
Post by Henrik Friedrichsen
- Is there a way to match all hosts that are not "status.affekt.org"?
That way I don't have to write a filter rule for every subdomain
Didn't test, just the idea:

1. You put your default host (i.e. one that will respond to all http
requests which do not fall into specific configurations) first in
httpd.conf.

2. In relayd configure http protocol like this:
http protocol "monit" {
match request header "Host" value "status.affekt.org" forward to <monit>
forward to <httpd> port 80
}

So the requests that match Host header will go to monit, all other
requests will go to httpd, where default site will respond.
Post by Henrik Friedrichsen
- Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
closed and most of the HTTP response headers are missing (status code,
content-length, etc.)
Any idea what I'm doing wrong?
I guess something is wrong on monit side.. I set up relayd with varous stuff
in the backend, but have seen anything like this.
--
With best regards,
Pavel Korovin
Henrik Friedrichsen
2018-04-16 14:58:43 UTC
Reply
Permalink
Raw Message
Thanks again.

This worked in case anyone is looking for it:

http protocol "monit" {
match request forward to <httpd>
match request header "Host" value "status.affekt.org" forward to <monit>
}

The order is important, if put in reversed the "status.affekt.org"
forward will be overwritten.

Now all I need to investigate is why HTTP responses are erroneous,
though you might be right that it could be a Monit problem.

Loading...