Annotation of src/etc/relayd.conf, Revision 1.13
1.13 ! reyk 1: # $OpenBSD: relayd.conf,v 1.12 2007/12/08 17:15:01 reyk Exp $
1.1 pyr 2: #
#
# Macros
#
# Client-facing address that every redirection and relay below listens on.
ext_addr="192.168.1.1"
# Backend web servers; grouped into the <webhosts> table further down.
webhost1="10.0.0.1"
webhost2="10.0.0.2"
# Internal SSH gateway reached through the "sshgw" relay.
sshhost1="10.0.0.3"
1.1 pyr 9:
#
# Global Options (all commented out here, so the daemon's built-in
# defaults apply; uncomment a line to override it)
#
# interval 10
# timeout 1000
# prefork 5
1.1 pyr 16:
#
# Each table will be mapped to a pf table.
#
# Primary backend pool.  The health checks on the "forward to <webhosts>"
# statements below decide which of these hosts are kept in the pf table.
table <webhosts> { $webhost1 $webhost2 }
# Sorry server on the relayd host itself; "redirect www" uses it as the
# backup table when no host in <webhosts> passes its check.  Something
# must be listening on 127.0.0.1 port 80 for redirected clients to be served.
table <fallback> { 127.0.0.1 }
1.1 pyr 22:
#
# Each redirection will be mapped to a pf rdr rule.
#
redirect www {
	# Accept client connections on the external address, port 80,
	# but only those arriving on trunk0.
	listen on $ext_addr port http interface trunk0

	# tag every packet that goes thru the rdr rule with RELAYD, so the
	# redirected traffic can be matched in pf.conf with "tagged RELAYD"
	tag RELAYD

	# Primary pool: a host is only considered up if requesting "/"
	# returns HTTP status 200.
	forward to <webhosts> check http "/" code 200
	# Backup pool, used once every host in <webhosts> has failed its
	# check; an ICMP echo is enough to keep the local sorry server up.
	forward to <fallback> check icmp
}
35:
#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
#
http protocol httpssl {
	# Pass the real client address on to the backends.  "append" adds
	# to any X-Forwarded-For header the client itself sent, so an
	# untrusted client can seed this header; backends must not blindly
	# take its first entry as the client address.
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
	# Force "Connection: close" on the forwarded request so each
	# backend connection carries a single request.
	header change "Connection" to "close"

	# Various TCP performance options
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }

	# SSL parameters are left at the daemon defaults here.  Uncomment
	# to pin protocol versions and cipher strength explicitly rather
	# than relying on those defaults (SSLv2 should stay disabled).
	# ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
	# ssl session cache disable
}
50:
relay wwwssl {
	# Run as a SSL accelerator: SSL is terminated on the external
	# address and the httpssl protocol is applied to the decrypted HTTP.
	listen on $ext_addr port 443 ssl
	protocol httpssl

	# Forward to hosts in the webhosts table using a src/dst hash.
	# The backend leg is plain HTTP ("port http", no ssl), so the
	# network between relayd and <webhosts> must be trusted.  Hosts
	# whose "/" does not answer 200 are taken out of rotation.
	forward to <webhosts> port http mode loadbalance \
	    check http "/" code 200
}
60:
#
# Relay and protocol for simple TCP forwarding on layer 7
#
protocol sshtcp {
	# Generic TCP protocol (no "http" keyword): no filter rules are
	# defined, the payload is relayed as-is.
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}
68:
relay sshgw {
	# Run as a simple TCP relay: connections to the external address
	# on port 2222 are proxied to the internal gateway's port 22.
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway.
	# No "check" option is given on this forward, so relayd does not
	# track whether the gateway is reachable.  Keep in mind that sshd
	# on the gateway will most likely see the relay, not the original
	# client, as the peer address in its logs and access controls.
	forward to $sshhost1 port 22
}
77:
#
# Relay and protocol for a transparent HTTP proxy
#
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client when a filter below
	# matches, instead of just dropping the connection
	return error

	# Block disallowed browsers.  A label is attached to the filter
	# rules that follow it and appears in the returned error page.
	label "Please try a <em>different Browser</em>"
	# This matches a client-supplied header, so it is a policy hint,
	# not a security control: any client can change its User-Agent.
	header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"

	# Block some well-known Instant Messengers by the Content-Type the
	# server replies with.  Only traffic using exactly these types is
	# caught; clients tunnelling over generic HTTP types are not.
	label "Instant messenger disallowed!"
	response header filter "application/x-msn-messenger" from "Content-Type"
	response header filter "app/x-hotbar-xip20" from "Content-Type"
	response header filter "application/x-icq" from "Content-Type"
	response header filter "AIM/HTTP" from "Content-Type"
	response header filter "application/x-comet-log" from "Content-Type"
}
97:
relay httpproxy {
	# Listen on localhost, accept redirected connections from pf(4).
	# Binding to 127.0.0.1 keeps the proxy from being reachable
	# directly over the network; only traffic pf redirects here arrives.
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host, looked up from the pf NAT
	# state.  This relies on pf.conf redirecting the clients' HTTP
	# traffic to 127.0.0.1 port 8080 in the first place.
	forward to nat lookup
}