summaryrefslogtreecommitdiff
path: root/etc/examples/relayd.conf
blob: 3ed437b79377fd63bea1d69f6d15a2bcc8c83ae4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# $OpenBSD: relayd.conf,v 1.6 2023/10/29 11:27:11 kn Exp $
#
# Macros
#
ext_addr="192.168.1.1"
webhost1="10.0.0.1"
webhost2="10.0.0.2"
sshhost1="10.0.0.3"

#
# Global Options
#
# interval 10
# timeout 1000
# prefork 5

#
# Each table will be mapped to a pf table.
#
table <webhosts> { $webhost1 $webhost2 }
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#
redirect www {
	listen on $ext_addr port http interface trunk0

	# tag every packet that goes thru the rdr rule with RELAYD
	pftag RELAYD

	forward to <webhosts> check http "/" code 200
	forward to <fallback> check icmp
}

#
# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
#
http protocol https {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"

	# Various TCP options
	tcp { sack, backlog 128 }

#	tls { no tlsv1.0, ciphers HIGH }
#	tls no session tickets
}

relay wwwtls {
	# Run as a TLS accelerator
	listen on $ext_addr port 443 tls
	protocol https

	# Forward to hosts in the webhosts table using a src/dst hash
	forward to <webhosts> port http mode loadbalance \
		check http "/" code 200
}

#
# Relay and protocol for simple TCP forwarding on layer 7
#
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}

relay sshgw {
	# Run as a simple TCP relay
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway
	forward to $sshhost1 port 22
}

#
# Relay and protocol for a transparent HTTP proxy
#
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	return error

	# Block disallowed sites
	match request label "URL filtered!"
	block request quick url "www.example.com/" value "*"

	# Block disallowed browsers
	match request label "Please try a <em>different Browser</em>"
	block request quick header "User-Agent" \
	    value "Mozilla/4.0 (compatible; MSIE *"

	# Block some well-known Instant Messengers
	match request label "Instant messenger disallowed!"
	block response quick header "Content-Type" \
	    value "application/x-msn-messenger"
	block response quick header "Content-Type" value "app/x-hotbar-xip20"
	block response quick header "Content-Type" value "application/x-icq"
	block response quick header "Content-Type" value "AIM/HTTP"
	block response quick header "Content-Type" \
	    value "application/x-comet-log"
}

relay httpproxy {
	# Listen on localhost, accept diverted connections from pf(4)
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host
	forward to destination
}