Revision 1.15, Wed Jul 9 16:43:30 2014 UTC (9 years, 11 months ago) by reyk
Update the default relayd.conf with the new filtering grammar.
OK benno@
# $OpenBSD: relayd.conf,v 1.15 2014/07/09 16:43:30 reyk Exp $
#
# Macros
#
# Example values only -- replace with your own addresses before use.
# Public, client-facing address; the www, wwwssl and sshgw listeners bind to it.
ext_addr="192.168.1.1"
# Backend web servers, grouped into the <webhosts> table below.
webhost1="10.0.0.1"
webhost2="10.0.0.2"
# Internal SSH target reached through the sshgw relay (port 2222 -> 22).
sshhost1="10.0.0.3"
#
# Global Options
#
# interval 10
# timeout 1000
# prefork 5
#
# Each table will be mapped to a pf table.
#
# Primary backend pool, shared by the www redirect and the wwwssl relay.
# Membership is meant to follow the health "check" given on each forward rule.
table <webhosts> { $webhost1 $webhost2 }
# Listed second in the www redirect, so presumably the backup pool once
# <webhosts> is empty; 127.0.0.1 keeps the fallback on the relay host itself.
table <fallback> { 127.0.0.1 }
#
# Each redirect will be mapped to a pf rdr rule.
#
# Layer-3/4 load balancing: port 80 on $ext_addr is redirected (pf rdr) to the
# backend pool without relayd touching the HTTP payload.
# NOTE(review): requires the relayd anchor in pf.conf and the interface to
# really be named trunk0 on this host -- confirm both before enabling.
redirect www {
	listen on $ext_addr port http interface trunk0
	# tag every packet that goes through the rdr rule with RELAYD
	pftag RELAYD
	# Primary pool: an unauthenticated GET "/" over plain HTTP must return 200
	# for a host to stay eligible, so the check traffic runs on the internal net
	forward to <webhosts> check http "/" code 200
	# Backup pool, only ping-checked; used when the primary pool is exhausted
	forward to <fallback> check icmp
}
#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
#
# Layer-7 HTTP protocol used by the wwwssl relay: adds proxy headers and tunes
# the TCP sockets.  TLS parameters stay at relayd's defaults unless the
# commented "ssl" lines are enabled.
http protocol httpssl {
	# "append" (rather than "set") keeps any X-Forwarded-For the client itself
	# sent and adds relayd's view of the peer; backends must trust only the
	# LAST address in the list, since the earlier ones are client-controlled.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	# Address and port of the relay listener that accepted the request
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	# Overwrites the client's Connection header so the backend closes after
	# each request (no keep-alive through the relay)
	match request header set "Connection" value "close"
	# Various TCP performance options
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
	# NOTE(review): this commented example still allows SSLv3.  SSLv3 is
	# obsolete and should be turned off ("no sslv3", TLS only) if this block
	# is ever enabled; confirm the exact keywords against relayd.conf(5) for
	# the relayd version in use.  "HIGH" is an OpenSSL cipher-list string.
	# ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
	# ssl session cache disable
}
# TLS termination in front of the <webhosts> pool.  Security note: TLS ends
# here -- the hop to the backends is plain HTTP ("port http"), so the network
# between $ext_addr and 10.0.0.0/24 must be trusted or otherwise protected.
relay wwwssl {
	# Run as a SSL accelerator
	# NOTE(review): no certificate or key is named; presumably relayd falls
	# back to its default lookup by listen address under /etc/ssl -- confirm
	# the files exist and the key is root-only readable.
	listen on $ext_addr port 443 ssl
	protocol httpssl
	# Forward to hosts in the webhosts table using a src/dst hash
	# Same unauthenticated GET "/" health check as the www redirect
	forward to <webhosts> port http mode loadbalance \
	    check http "/" code 200
}
#
# Relay and protocol for simple TCP forwarding on layer 7
#
# Generic (non-HTTP) protocol for the sshgw relay: no payload inspection or
# rewriting, only a socket option.
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}
# Exposes an internal SSH host on the public address at port 2222.
# Security notes: relayd adds no authentication of its own -- the backend sshd
# is the only gate, so restrict who can reach port 2222 in pf.  Because the
# relay opens a fresh TCP connection to the backend, sshd presumably sees
# relayd's address as the peer rather than the real client (affects logs and
# any host-based access rules) -- confirm before relying on client IPs there.
relay sshgw {
	# Run as a simple TCP relay
	listen on $ext_addr port 2222
	protocol sshtcp
	# Forward to the shared carp(4) address of an internal gateway
	forward to $sshhost1 port 22
}
#
# Relay and protocol for a transparent HTTP proxy
#
# Layer-7 filter used by the httpproxy relay.  Rules are evaluated in order;
# "quick" stops at the first match.  NOTE(review): every value matched here
# (URL, User-Agent, Content-Type) comes from the client or the remote server,
# so this is a convenience policy, not a security boundary -- a client can
# trivially change its User-Agent, and only cleartext HTTP is visible to this
# relay.
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	return error
	# Block disallowed sites
	# Label text presumably appears in the error page served for the block below
	match request label "URL filtered!"
	# Host plus path prefix; value "*" presumably matches any remaining value
	block request quick url "www.example.com/" value "*"
	# Block disallowed browsers
	match request label "Please try a <em>different Browser</em>"
	# Glob against a client-controlled header: easily spoofed, policy only
	block request quick header "User-Agent" \
	    value "Mozilla/4.0 (compatible; MSIE *"
	# Block some well-known Instant Messengers
	# The label is set while the request is processed; the blocks below then
	# act on the server's response headers
	match request label "Instant messenger disallowed!"
	block response quick header "Content-Type" \
	    value "application/x-msn-messenger"
	block response quick header "Content-Type" value "app/x-hotbar-xip20"
	block response quick header "Content-Type" value "application/x-icq"
	block response quick header "Content-Type" value "AIM/HTTP"
	block response quick header "Content-Type" \
	    value "application/x-comet-log"
}
# Transparent HTTP proxy endpoint.  It only works together with pf divert rules
# (not shown here) that steer outbound port-80 traffic to 127.0.0.1:8080.
# Keep the listener on loopback: bound to $ext_addr it would be reachable as an
# open proxy from outside.
relay httpproxy {
	# Listen on localhost, accept diverted connections from pf(4)
	listen on 127.0.0.1 port 8080
	protocol httpfilter
	# Forward to the original target host
	# NOTE(review): the original destination is recovered from the pf divert
	# state -- connections that did not arrive via divert presumably fail here;
	# confirm behaviour for the relayd version in use.
	forward to destination
}