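# $OpenBSD: relayd.conf,v 1.12 2007/12/08 17:15:01 reyk Exp $
#
# Example relayd(8) configuration: layer-3 redirections (pf rdr rules
# backed by health-checked tables), a layer-7 SSL accelerator in front
# of plain HTTP backends, a simple TCP relay for SSH, and a transparent
# HTTP filtering proxy fed by pf(4).
#
# NOTE(review): the angle-bracketed table names were stripped from this
# copy of the example; "table { ... }" and "forward to check ..." with
# no table name are not valid relayd.conf syntax.  They are restored
# below: <webhosts> is the name the original comments refer to,
# <fallback> is the conventional name for the localhost catch-all --
# adjust it if the real configuration uses a different name.

#
# Macros
#
ext_addr="192.168.1.1"
webhost1="10.0.0.1"
webhost2="10.0.0.2"
sshhost1="10.0.0.3"

#
# Global Options
#
# interval 10
# timeout 200
# prefork 5

#
# Each table will be mapped to a pf table.
#
table <webhosts> { $webhost1 $webhost2 }
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#
redirect www {
	listen on $ext_addr port http interface trunk0

	# tag every packet that goes thru the rdr rule with RELAYD
	tag RELAYD

	# Hosts in <webhosts> are only used while the HTTP check on "/"
	# returns 200.  The second table is presumably the backup used
	# when no host in <webhosts> is up -- confirm against relayd.conf(5)
	# for the version in use.
	forward to <webhosts> check http "/" code 200
	forward to <fallback> check icmp
}

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
#
http protocol httpssl {
	# "append" keeps whatever X-Forwarded-For / X-Forwarded-By header
	# the client itself sent and adds the relay's value after it.  A
	# backend that logs or authorises on these headers must therefore
	# trust only the last (relay-added) entry, never the first.
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
	header change "Connection" to "close"

	# Various TCP performance options
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }

	# SSL protocol versions and ciphers are left at the relayd
	# defaults here.  What those defaults are depends on the relayd
	# version; check relayd.conf(5) and set them explicitly instead of
	# relying on this example (the commented line shows the intended
	# shape: SSLv2 off, a HIGH cipher list).
#	ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
#	ssl session cache disable
}

relay wwwssl {
	# Run as a SSL accelerator
	listen on $ext_addr port 443 ssl
	protocol httpssl

	# Forward to hosts in the webhosts table using a src/dst hash.
	# SSL is terminated here: the relay-to-backend leg is plain HTTP
	# ("port http", no ssl), so the backends must sit on a network
	# that is trusted to carry the decrypted traffic.
	forward to <webhosts> port http mode loadbalance \
	    check http "/" code 200
}

#
# Relay and protocol for simple TCP forwarding on layer 7
#
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}

relay sshgw {
	# Run as a simple TCP relay
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway.
	# Nothing in this protocol inspects or terminates the SSH stream;
	# host-key and user authentication remain end-to-end between the
	# client and the sshd on $sshhost1.
	forward to $sshhost1 port 22
}

#
# Relay and protocol for a transparent HTTP proxy
#
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	return error

	# Block disallowed browsers.
	# Caveat: User-Agent is entirely client-controlled, so this is a
	# policy convenience that any client can sidestep by changing the
	# string; it is not a security boundary.
	label "Please try a different Browser"
	header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"

	# Block some well-known Instant Messengers.
	# Caveat: these match only the Content-Type the remote server
	# declares; a cooperating server or a tunnelling client can declare
	# any type it likes, so treat this as best-effort filtering.
	label "Instant messenger disallowed!"
	response header filter "application/x-msn-messenger" from "Content-Type"
	response header filter "app/x-hotbar-xip20" from "Content-Type"
	response header filter "application/x-icq" from "Content-Type"
	response header filter "AIM/HTTP" from "Content-Type"
	response header filter "application/x-comet-log" from "Content-Type"
}

relay httpproxy {
	# Listen on localhost, accept redirected connections from pf(4)
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host.  "nat lookup" recovers the
	# real destination from the pf rdr state, so a matching rdr rule
	# (client -> 127.0.0.1 port 8080) must exist in pf.conf; without
	# it there is no state to look up.
	forward to nat lookup
}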