Annotation of src/etc/relayd.conf, Revision 1.10
1.10 ! reyk 1: # $OpenBSD: relayd.conf,v 1.9 2007/11/28 15:16:18 reyk Exp $
1.1 pyr 2: #
3: # Macros
4: #
# Address on which the service and the relays below are published; it is
# what "virtual host $ext_addr" and the "listen on $ext_addr" lines bind to.
ext_addr="192.168.1.1"
# Backend web servers for table "webhosts".  They are reached on their
# "real port http", i.e. in cleartext, so they are expected to sit on a
# trusted internal network.
webhost1="10.0.0.1"
webhost2="10.0.0.2"
# SSH host behind relay "sshgw" (connections are forwarded to its port 22).
sshhost1="10.0.0.3"
1.1 pyr 9:
10: #
11: # Global Options
12: #
13: # interval 10
14: # timeout 200
1.4 reyk 15: # prefork 5
1.1 pyr 16:
17: #
18: # Each table will be mapped to a pf table.
19: #
20: table webhosts {
1.2 pyr 21: real port http
1.1 pyr 22: check http "/" code 200
1.2 pyr 23: host $webhost1
24: host $webhost2
1.1 pyr 25: }
26:
27: table fallback {
1.2 pyr 28: real port http
1.1 pyr 29: check icmp
30: host 127.0.0.1
31: }
32:
33: #
34: # Services will be mapped to a rdr rule.
35: #
36: service www {
1.6 reyk 37: virtual host $ext_addr port http interface trunk0
1.1 pyr 38:
1.10 ! reyk 39: # tag every packet that goes thru the rdr rule with RELAYD
! 40: tag RELAYD
1.1 pyr 41:
42: table webhosts
43: backup table fallback
1.4 reyk 44: }
45:
46: #
1.7 reyk 47: # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
1.4 reyk 48: #
49: protocol httpssl {
1.7 reyk 50: protocol http
1.5 reyk 51: header append "$REMOTE_ADDR" to "X-Forwarded-For"
52: header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
53: header change "Connection" to "close"
1.4 reyk 54:
1.7 reyk 55: # Various TCP performance options
56: tcp { nodelay, sack, socket buffer 65536, backlog 128 }
1.4 reyk 57:
58: # ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
59: # ssl session cache disable
60: }
61:
62: relay wwwssl {
63: # Run as a SSL accelerator
1.6 reyk 64: listen on $ext_addr port 443 ssl
1.4 reyk 65: protocol httpssl
66:
67: # Forward to hosts in the webhosts table using a src/dst hash
68: table webhosts loadbalance
1.7 reyk 69: }
70:
71: #
72: # Relay and protocol for simple TCP forwarding on layer 7
73: #
74: protocol sshtcp {
75: protocol tcp
76:
77: # The TCP_NODELAY option is required for "smooth" terminal sessions
78: tcp nodelay
79: }
80:
81: relay sshgw {
82: # Run as a simple TCP relay
83: listen on $ext_addr port 2222
84: protocol sshtcp
85:
86: # Forward to the shared carp(4) address of an internal gateway
87: forward to $sshhost1 port 22
88: }
89:
90: #
91: # Relay and protocol for a transparent HTTP proxy
92: #
93: protocol httpfilter {
94: protocol http
1.8 reyk 95:
1.9 reyk 96: # Return HTTP/HTML error pages to the client
97: return error
98:
1.8 reyk 99: # Block disallowed browsers
1.9 reyk 100: label "Please try a <em>different Browser</em>"
1.7 reyk 101: header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"
1.8 reyk 102:
103: # Block some well-known Instant Messengers
1.9 reyk 104: label "Instant messenger disallowed!"
1.8 reyk 105: response header filter "application/x-msn-messenger" from "Content-Type"
106: response header filter "app/x-hotbar-xip20" from "Content-Type"
107: response header filter "application/x-icq" from "Content-Type"
108: response header filter "AIM/HTTP" from "Content-Type"
109: response header filter "application/x-comet-log" from "Content-Type"
1.7 reyk 110: }
111:
112: relay httpproxy {
113: # Listen on localhost, accept redirected connections from pf(4)
114: listen on 127.0.0.1 port 8080
115: protocol httpfilter
116:
117: # Forward to the original target host
118: nat lookup
1.1 pyr 119: }