1.15 ! reyk 1: # $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
1.1 pyr 2: #
3: # Macros
4: #
1.6 reyk 5: ext_addr="192.168.1.1"
1.1 pyr 6: webhost1="10.0.0.1"
7: webhost2="10.0.0.2"
1.7 reyk 8: sshhost1="10.0.0.3"
1.1 pyr 9:
10: #
11: # Global Options
12: #
13: # interval 10
1.13 reyk 14: # timeout 1000
1.4 reyk 15: # prefork 5
1.1 pyr 16:
17: #
18: # Each table will be mapped to a pf table.
19: #
1.11 reyk 20: table <webhosts> { $webhost1 $webhost2 }
21: table <fallback> { 127.0.0.1 }
1.1 pyr 22:
23: #
24: # Each redirect (service) will be mapped to a pf rdr rule.
25: #
1.11 reyk 26: redirect www {
27: listen on $ext_addr port http interface trunk0
1.1 pyr 28:
1.10 reyk 29: # tag every packet that goes through the rdr rule with RELAYD
1.15 ! reyk 30: pftag RELAYD
1.1 pyr 31:
1.11 reyk 32: forward to <webhosts> check http "/" code 200
33: forward to <fallback> check icmp
1.4 reyk 34: }
35:
36: #
1.7 reyk 37: # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
1.4 reyk 38: #
1.11 reyk 39: http protocol httpssl {
1.15 ! reyk 40: match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
! 41: match request header append "X-Forwarded-By" \
! 42: value "$SERVER_ADDR:$SERVER_PORT"
! 43: match request header set "Connection" value "close"
1.4 reyk 44:
1.7 reyk 45: # Various TCP performance options
46: tcp { nodelay, sack, socket buffer 65536, backlog 128 }
1.4 reyk 47:
48: # ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
49: # ssl session cache disable
50: }
51:
52: relay wwwssl {
53: # Run as an SSL accelerator
1.6 reyk 54: listen on $ext_addr port 443 ssl
1.4 reyk 55: protocol httpssl
56:
57: # Forward to hosts in the webhosts table using a src/dst hash
1.11 reyk 58: forward to <webhosts> port http mode loadbalance \
59: check http "/" code 200
1.7 reyk 60: }
61:
62: #
63: # Relay and protocol for simple TCP forwarding on layer 7
64: #
1.12 reyk 65: protocol sshtcp {
1.7 reyk 66: # The TCP_NODELAY option is required for "smooth" terminal sessions
67: tcp nodelay
68: }
69:
70: relay sshgw {
71: # Run as a simple TCP relay
72: listen on $ext_addr port 2222
73: protocol sshtcp
74:
75: # Forward to the shared carp(4) address of an internal gateway
76: forward to $sshhost1 port 22
77: }
78:
79: #
80: # Relay and protocol for a transparent HTTP proxy
81: #
1.11 reyk 82: http protocol httpfilter {
1.9 reyk 83: # Return HTTP/HTML error pages to the client
84: return error
85:
1.14 reyk 86: # Block requests to disallowed sites (URL filtering)
1.15 ! reyk 87: match request label "URL filtered!"
! 88: block request quick url "www.example.com/" value "*"
1.14 reyk 89:
1.8 reyk 90: # Block disallowed browsers, identified by their User-Agent header
1.15 ! reyk 91: match request label "Please try a <em>different Browser</em>"
! 92: block request quick header "User-Agent" \
! 93: value "Mozilla/4.0 (compatible; MSIE *"
1.8 reyk 94:
95: # Block some well-known Instant Messengers, identified by the response Content-Type header
1.15 ! reyk 96: match request label "Instant messenger disallowed!"
! 97: block response quick header "Content-Type" \
! 98: value "application/x-msn-messenger"
! 99: block response quick header "Content-Type" value "app/x-hotbar-xip20"
! 100: block response quick header "Content-Type" value "application/x-icq"
! 101: block response quick header "Content-Type" value "AIM/HTTP"
! 102: block response quick header "Content-Type" \
! 103: value "application/x-comet-log"
1.7 reyk 104: }
105:
106: relay httpproxy {
1.14 reyk 107: # Listen on localhost, accept diverted connections from pf(4)
1.7 reyk 108: listen on 127.0.0.1 port 8080
109: protocol httpfilter
110:
111: # Forward to the original target host
1.14 reyk 112: forward to destination
1.1 pyr 113: }