Solved Curl HTTPS does not work

I have installed a bhyve FreeBSD guest VM. In this VM, `curl` does not work for any https URL, while it works fine for regular http URLs. Also, `curl https://..` DOES work fine on my host machine (also FreeBSD of course).

Below is some info that is hopefully useful for diagnosis. Any tips?


Code:
# =====================
# CURL HTTPS DOES NOT WORK:
# =====================
root@test-fb:~ # curl -v https://example.com
*   Trying 93.184.216.34:443...
*   Trying 2606:2800:220:1:248:1893:25c8:1946:443...
* Immediate connect fail for 2606:2800:220:1:248:1893:25c8:1946: No route to host
*   Trying 2606:2800:220:1:248:1893:25c8:1946:443...
* Immediate connect fail for 2606:2800:220:1:248:1893:25c8:1946: No route to host

# =====================
# CURL HTTP  WORKS FINE:
# =====================
root@test-fb:~ # curl -v http://example.com
*   Trying 93.184.216.34:80...
* Connected to example.com (93.184.216.34) port 80 (#0)
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.69.1
> Accept: */*
...


# =====================
# SOME MORE INFO
# =====================
root@test-fb:~ # uname -UK
1102000 1102000

root@test-fb:~ # ifconfig
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 58:9c:fc:0b:23:81
        hwaddr 58:9c:fc:0b:23:81
        inet 192.168.0.69 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo

root@test-fb:~ # cat /etc/hosts | grep -v '#'
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain

root@test-fb:~ # cat /etc/rc.conf | grep -v #
hostname="test-fb"
ifconfig_vtnet0="DHCP"
dumpdev="AUTO"

root@test-fb:~ # curl -V
curl 7.69.1 (amd64-portbld-freebsd11.3) libcurl/7.69.1 OpenSSL/1.0.2o zlib/1.2.11 nghttp2/1.40.0
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
 
OK turns out I shot myself in the foot (again). In my host `pf.conf`, I have one line that says:

Code:
rdr proto tcp from any to any port 443 -> <a LAN IP>

That was for hosting an HTTPS web service in a jail. It's a really bad idea to use any standard port on the host machine! And also I need to flex my skills on pf debugging :)
 
Bind the redirection to your external interface specifically if this is for incoming HTTPS. Your redirection is too broad; it will act on any traffic coming in on any interface.

Code:
rdr on $ext_if proto tcp from any to any port 443 -> <a LAN IP>
Note the addition of `on $ext_if`. You can restrict this even further:
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> <a LAN IP>
 
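The over-broad rule from the thread beside the narrowed one, as an added pf.conf fragment that is not from either poster: the interface name and the jail address are placeholders (`em0`, `192.0.2.10`), and the trailing `pass in` rule is the filter rule a redirected connection still needs.

```pf
# Added example, not the thread's actual pf.conf. The macro values are
# assumptions: em0 stands for the Internet-facing NIC, and 192.0.2.10 is a
# constructed placeholder for "<a LAN IP>" (the jail running the web service).
ext_if = "em0"
jail_https = "192.0.2.10"

# The original rule. Without "on <interface>", pf applies it to packets
# arriving on EVERY interface, including the tap/bridge interface carrying
# the bhyve guest's traffic, so the guest's own outgoing connections to
# any host on port 443 were redirected to the jail instead of the Internet.
# rdr proto tcp from any to any port 443 -> $jail_https

# Narrowed rule: only traffic arriving on the external interface, and only
# traffic addressed to that interface's own address, is redirected.
# ($ext_if) in parentheses re-resolves the address if it changes (e.g. DHCP).
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $jail_https

# A redirected packet still has to pass the filter. Filter rules see the
# packet AFTER translation, so the destination to match is the jail address.
pass in on $ext_if proto tcp from any to $jail_https port 443
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` lists the translation rules currently loaded so you can confirm the `on em0` qualifier is actually in effect.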