Revision 1.6, Sun Oct 29 11:27:11 2023 UTC (7 months ago) by kn
Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning. Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years; "ssl" is now an error. Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section. OK benno
#	$OpenBSD: relayd.conf,v 1.6 2023/10/29 11:27:11 kn Exp $
#
# Example relayd.conf(5): a pf-backed redirection, a TLS-terminating HTTP
# relay, a plain TCP relay and a transparent HTTP filter.

#
# Macros
#
# Placeholder addresses for the example.  $ext_addr is the externally
# reachable address the redirect and the relays listen on; the others
# are internal backends.
ext_addr="192.168.1.1"
webhost1="10.0.0.1"
webhost2="10.0.0.2"
sshhost1="10.0.0.3"

#
# Global Options
#
# Left at relayd's built-in defaults here; the commented lines show the
# syntax for the health-check interval, check timeout and process count.
# interval 10
# timeout 1000
# prefork 5

#
# Each table will be mapped to a pf table.
#
table <webhosts> { $webhost1 $webhost2 }
# Single local host, used below as the backup for <webhosts>.
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#
redirect www {
	# Only traffic arriving on trunk0 for $ext_addr, port http (80),
	# is redirected
	listen on $ext_addr port http interface trunk0

	# tag every packet that goes thru the rdr rule with RELAYD
	# (lets later pf rules match on this redirected traffic)
	pftag RELAYD

	# Primary targets are the hosts answering HTTP 200 on "/"; the
	# second table is the backup relayd falls back to while none of
	# <webhosts> passes its check
	forward to <webhosts> check http "/" code 200
	forward to <fallback> check icmp
}

#
# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
#
http protocol https {
	# Tell the backend who the client and this relay are.  "append"
	# keeps any X-Forwarded-For the client sent itself, so a backend
	# should only trust the value this relay adds (the last one), not
	# the whole header.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	# Ask the backend to close the connection after each response
	match request header set "Connection" value "close"

	# Various TCP options
	tcp { sack, backlog 128 }

	# TLS settings for relays using this protocol.  With both lines
	# commented out relayd's defaults apply; uncomment to disable
	# TLSv1.0 and restrict the cipher list, or to turn off session
	# tickets.
#	tls { no tlsv1.0, ciphers HIGH }
#	tls no session tickets
}

relay wwwtls {
	# Run as a TLS accelerator: TLS is terminated here, so traffic to
	# the backends (including the health check) travels in the clear on
	# port http.  The certificate and key for $ext_addr are loaded from
	# relayd's default locations, see relayd.conf(5).
	listen on $ext_addr port 443 tls
	protocol https

	# Forward to hosts in the webhosts table using a src/dst hash
	forward to <webhosts> port http mode loadbalance \
	    check http "/" code 200
}

#
# Relay and protocol for simple TCP forwarding on layer 7
#
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}

relay sshgw {
	# Run as a simple TCP relay: bytes are passed through unchanged, the
	# SSH protocol (and its authentication) is handled by the host
	# behind the relay, not here
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway
	forward to $sshhost1 port 22
}

#
# Relay and protocol for a transparent HTTP proxy
#
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	# (the page text comes from the "label" set before each block rule)
	return error

	# Block disallowed sites
	match request label "URL filtered!"
	# "quick" stops rule evaluation at the first match
	block request quick url "www.example.com/" value "*"

	# Block disallowed browsers
	# (User-Agent is chosen by the client, so this is a usability
	# policy, not a security boundary)
	match request label "Please try a <em>different Browser</em>"
	block request quick header "User-Agent" \
	    value "Mozilla/4.0 (compatible; MSIE *"

	# Block some well-known Instant Messengers
	# These rules act on the response, i.e. on the server's
	# Content-Type, after the request has already been forwarded
	match request label "Instant messenger disallowed!"
	block response quick header "Content-Type" \
	    value "application/x-msn-messenger"
	block response quick header "Content-Type" value "app/x-hotbar-xip20"
	block response quick header "Content-Type" value "application/x-icq"
	block response quick header "Content-Type" value "AIM/HTTP"
	block response quick header "Content-Type" \
	    value "application/x-comet-log"
}

relay httpproxy {
	# Listen on localhost, accept diverted connections from pf(4)
	# (needs a matching pf divert-to rule; binding to 127.0.0.1 keeps
	# the listener unreachable from outside the host)
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host, as recorded by pf for the
	# diverted connection
	forward to destination
}