# $OpenBSD: relayd.conf,v 1.8 2007/11/19 15:09:32 reyk Exp $ # # Macros # ext_addr="192.168.1.1" webhost1="10.0.0.1" webhost2="10.0.0.2" sshhost1="10.0.0.3" # # Global Options # # interval 10 # timeout 200 # prefork 5 # # Each table will be mapped to a pf table. # table webhosts { real port http check http "/" code 200 host $webhost1 host $webhost2 } table fallback { real port http check icmp host 127.0.0.1 } # # Services will be mapped to a rdr rule. # service www { virtual host $ext_addr port http interface trunk0 # tag every packet that goes thru the rdr rule with HOSTSTATED tag HOSTSTATED table webhosts backup table fallback } # # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration # protocol httpssl { protocol http header append "$REMOTE_ADDR" to "X-Forwarded-For" header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By" header change "Connection" to "close" # Various TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } # ssl { no sslv2, sslv3, tlsv1, ciphers HIGH } # ssl session cache disable } relay wwwssl { # Run as a SSL accelerator listen on $ext_addr port 443 ssl protocol httpssl # Forward to hosts in the webhosts table using a src/dst hash table webhosts loadbalance } # # Relay and protocol for simple TCP forwarding on layer 7 # protocol sshtcp { protocol tcp # The TCP_NODELAY option is required for "smooth" terminal sessions tcp nodelay } relay sshgw { # Run as a simple TCP relay listen on $ext_addr port 2222 protocol sshtcp # Forward to the shared carp(4) address of an internal gateway forward to $sshhost1 port 22 } # # Relay and protocol for a transparent HTTP proxy # protocol httpfilter { protocol http # Block disallowed browsers header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent" # Block some well-known Instant Messengers response header filter "application/x-msn-messenger" from "Content-Type" response header filter "app/x-hotbar-xip20" from "Content-Type" response header filter "application/x-icq" from "Content-Type" response header filter "AIM/HTTP" from "Content-Type" response header filter "application/x-comet-log" from "Content-Type" } relay httpproxy { # Listen on localhost, accept redirected connections from pf(4) listen on 127.0.0.1 port 8080 protocol httpfilter # Forward to the original target host nat lookup }