
File: [local] / src / etc / Attic / relayd.conf (download)

Revision 1.14, Thu Apr 7 13:33:52 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.13: +6 -2 lines

Update transparent HTTP proxy example:
- Use the URL filter to block www.example.com/
- Use "forward to destination" instead of "forward to nat lookup" to use
divert-to instead of rdr-to in PF.

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#
# Sample values only: every address below is private (RFC 1918) space and
# must be replaced with the real listen and backend addresses.
# ext_addr is the address the redirect and relays listen on; the other
# macros name the backend hosts used in the tables and the SSH relay.
ext_addr="192.168.1.1"
webhost1="10.0.0.1"
webhost2="10.0.0.2"
sshhost1="10.0.0.3"

#
# Global Options
#
# interval 10
# timeout 1000
# prefork 5

#
# Each table will be mapped to a pf table.
#
# <webhosts> holds the two web backends defined in the macros above.
# <fallback> holds only the loopback address and is used as the backup
# table of the "www" redirect.
table <webhosts> { $webhost1 $webhost2 }
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#
# Layer 3 redirection of HTTP on the external address to <webhosts>.
# NOTE(review): a redirection is handled by pf, so the HTTP protocol
# filters defined further down do not apply to this traffic.
redirect www {
	listen on $ext_addr port http interface trunk0

	# Tag every packet that goes through the rdr rule with RELAYD.
	# The tag has an effect only if pf.conf contains rules that match
	# on it; no such rule is shown in this file.
	tag RELAYD

	# Main table: a host counts as up while GET "/" answers with 200.
	forward to <webhosts> check http "/" code 200
	# Backup table, used when all hosts in the main table are down.
	# It points at 127.0.0.1, so in that case clients reach whatever
	# listens on the HTTP port of this machine -- make sure that
	# service is meant to be exposed on the external address.
	forward to <fallback> check icmp
}

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
#
# HTTP protocol settings used by the "wwwssl" relay below.
http protocol httpssl {
	# Record the client address and the relay address:port for the
	# backends.  "append" adds to a header the client may already have
	# sent, so a backend should trust only the value added by this
	# relay and treat anything before it as client-controlled.
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
	# Rewrite the Connection header to "close".
	header change "Connection" to "close"

	# Various TCP performance options
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }

	# Optional SSL settings, disabled in this sample.
	# NOTE(review): the first line below turns off only SSLv2 and keeps
	# SSLv3 and TLSv1 enabled; both are obsolete today, so review the
	# protocol and cipher list against relayd.conf(5) of the installed
	# release before uncommenting.
#	ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
#	ssl session cache disable
}

# Layer 7 relay that terminates SSL on port 443 and load-balances the
# requests over <webhosts>.
relay wwwssl {
	# Run as a SSL accelerator.  A server certificate and private key
	# for the listen address must be installed; see relayd.conf(5).
	listen on $ext_addr port 443 ssl
	protocol httpssl

	# Forward to hosts in the webhosts table using a src/dst hash.
	# The backend leg uses "port http", i.e. plain HTTP: traffic
	# between the relay and the web hosts is not encrypted, so that
	# network segment has to be trusted.
	forward to <webhosts> port http mode loadbalance \
		check http "/" code 200
}

#
# Relay and protocol for simple TCP forwarding on layer 7
#
# Generic TCP protocol (no HTTP handling) used by the "sshgw" relay.
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}

# Plain TCP relay: port 2222 on the external address is passed to the
# SSH port of an internal host.
# NOTE(review): this makes the internal sshd reachable by anyone who can
# reach $ext_addr port 2222; limit the allowed sources in pf.conf if that
# is not intended.
relay sshgw {
	# Run as a simple TCP relay
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway.
	# NOTE(review): the relay opens its own connection to the target,
	# so sshd presumably sees the relay, not the client, as the peer;
	# address-based access rules and log entries on the SSH host are
	# affected -- confirm for the deployment.
	forward to $sshhost1 port 22
}

#
# Relay and protocol for a transparent HTTP proxy
#
# HTTP protocol settings used by the transparent proxy relay below.
# A "label" applies to the filter rules that follow it, so the order of
# the lines in this block matters.
# NOTE(review): these rules see only the cleartext HTTP that is diverted
# to the relay; HTTPS traffic is not inspected by this example.
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client; the label of the
	# matching rule is shown in that page.
	return error

	# Block disallowed sites
	label "URL filtered!"
	request url filter "www.example.com/"

	# Block disallowed browsers.  The User-Agent header is chosen by
	# the client, so this is a policy hint rather than a control a
	# client cannot bypass.
	label "Please try a <em>different Browser</em>"
	header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"

	# Block some well-known Instant Messengers.  The match is on the
	# Content-Type the remote server declares in its response.
	label "Instant messenger disallowed!"
	response header filter "application/x-msn-messenger" from "Content-Type"
	response header filter "app/x-hotbar-xip20" from "Content-Type"
	response header filter "application/x-icq" from "Content-Type"
	response header filter "AIM/HTTP" from "Content-Type"
	response header filter "application/x-comet-log" from "Content-Type"
}

# Transparent HTTP proxy: pf(4) diverts outgoing HTTP connections to
# this relay, which applies the "httpfilter" protocol to them.
relay httpproxy {
	# Listen on localhost, accept diverted connections from pf(4).
	# A matching divert-to rule in pf.conf is required and is not part
	# of this file.  Keeping the listener on 127.0.0.1 means it cannot
	# be addressed directly from the network; the pf rule should
	# divert only the client networks that are meant to be filtered.
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host
	forward to destination
}