1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
|
.\" $OpenBSD: relayd.conf.5,v 1.200 2020/10/22 07:48:50 benno Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 22 2020 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
.Nm relayd.conf
.Nd relay daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the relay daemon,
.Xr relayd 8 .
.Pp
.Nm
is divided into the following main sections:
.Bl -tag -width xxxx
.It Sy Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global settings for
.Xr relayd 8 .
Do note that the config file allows global settings to be added after
defining tables in the config file, but those tables will use the
built-in defaults instead of the global settings below them.
.It Sy Tables
Table definitions describe a list of hosts,
in a similar fashion to
.Xr pf 4
tables.
They are used for relay, redirection, and router target selection with
the described options and health checking on the host they contain.
.It Sy Redirections
Redirections are translated to
.Xr pf 4
rdr-to rules for stateful forwarding to a target host from a
health-checked table on layer 3.
.It Sy Relays
Relays allow application layer load balancing, TLS acceleration, and
general purpose TCP proxying on layer 7.
.It Sy Protocols
Protocols are predefined settings and filter rules for relays.
.It Sy Routers
Routers are used to insert routes with health-checked gateways for
(WAN) link balancing.
.El
.Pp
Within the sections,
a host
.Ar address
can be specified by IPv4 address, IPv6 address, interface name,
interface group, or DNS hostname.
If the address is an interface name,
.Xr relayd 8
will look up the first IPv4 address and any other IPv4 and IPv6
addresses of the specified network interface.
A
.Ar port
can be specified by number or name.
The port name to number mappings are found in the file
.Pa /etc/services ;
see
.Xr services 5
for details.
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
Care should be taken when commenting out multi-line text:
the comment is effective until the end of the entire block.
.Pp
Argument names not beginning with a letter, digit, or underscore
must be quoted.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/relayd.conf.local"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic table ,
.Ic relay ,
or
.Ic timeout ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
www1="10.0.0.1"
www2="10.0.0.2"
table <webhosts> {
$www1
$www2
}
.Ed
.Sh GLOBAL CONFIGURATION
Here are the settings that can be set globally:
.Bl -tag -width Ds
.It Ic agentx Oo Ic context Ar context Oc Oo Ic path Ar path Oc
Export
.Xr relayd 8
statistics via an agentx compatible
.Pq snmp
daemon by connecting to
.Ar path .
If
.Ar path
is omitted it will default to
.Pa /var/agentx/master .
.Ar Context
is the SNMPv3 context and can usually be omitted.
.It Ic interval Ar number
Set the interval in seconds at which the hosts will be checked.
The default interval is 10 seconds.
.It Xo
.Ic log
.Pq Ic state changes Ns | Ns Ic host checks
.Xc
Log host checks:
Either log only the
.Ic state changes
of hosts or log all
.Ic host checks
that were run, even if the state didn't change.
The host state can be
.Dq up
(the health check completed successfully),
.Dq down
(the host is down or didn't match the check criteria),
or
.Dq unknown
(the host is disabled or has not been checked yet).
.It Xo
.Ic log connection Op Ic errors
.Xc
When using relays, log all TCP connections.
Optionally log only
.Ic connection errors .
.It Ic prefork Ar number
When using relays, run the specified number of processes to handle
relayed connections.
This increases the performance and prevents delays when connecting
to a relay.
.Xr relayd 8
runs 3 relay processes by default and every process will handle
all configured relays.
.It Ic socket Qo Ar path Qc
Create a control socket at
.Ar path .
By default
.Pa /var/run/relayd.sock
is used.
.It Ic timeout Ar number
Set the global timeout in milliseconds for checks.
This can be overridden by the timeout value in the table definitions.
The default timeout is 200 milliseconds and it must not exceed the
global interval.
Please note that the default value is optimized for checks within the
same collision domain \(en use a higher timeout, such as 1000 milliseconds,
for checks of hosts in other subnets.
If this option is to be set, it should be placed before overrides in tables.
.El
.Sh TABLES
Tables are used to group a set of hosts as the target for redirections
or relays; they will be mapped to a
.Xr pf 4
table for redirections.
Tables may be defined with the following attribute:
.Bl -tag -width disable
.It Ic disable
Start the table disabled \(en no hosts will be checked in this table.
The table can be later enabled through
.Xr relayctl 8 .
.El
.Pp
Each table must contain at least one host
.Ar address ;
multiple hosts are separated by newline, comma, or whitespace.
Host entries may be defined with the following attributes:
.Bl -tag -width retry
.It Ic ip ttl Ar number
Change the default time-to-live value in the IP headers for host checks.
.It Ic parent Ar number
The optional parent option inherits the state from a parent
host with the specified identifier.
The check will be skipped for this host and copied from the parent host.
This can be used to prevent multiple checks on hosts with multiple IP
addresses for the same service.
The host identifiers are sequentially assigned to the configured hosts
starting with 1; it can be shown with the
.Xr relayctl 8
.Ic show summary
commands.
.It Ic priority Ar number
Change the route priority used when adding a route.
If not specified, the kernel will set a priority of 8
.Pq Dv RTP_STATIC .
In ordinary use, a fallback route should be added statically with a very
high (e.g. 52) priority.
Unused in all other modes.
.It Ic retry Ar number
The optional retry option adds a tolerance for failed host checks;
the check will be retried for
.Ar number
more times before setting the host state to down.
If this table is used by a relay, it will also specify the number of
retries for outgoing connection attempts.
.El
.Pp
For example:
.Bd -literal -offset indent
table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
table <fallback> disable { 10.1.5.1 retry 2 }
redirect "www" {
listen on www.example.com port 80
forward to <service> check http "/" code 200
forward to <fallback> check http "/" code 200
}
.Ed
.Pp
Tables are used by
.Ic forward to
directives in redirections or relays with a set of general options,
health-checking rules, and timings;
see the
.Sx REDIRECTIONS
and
.Sx RELAYS
sections for more information about the forward context.
Table specific configuration directives are described below.
Multiple options can be appended to
.Ic forward to
directives, separated by whitespaces.
.Pp
The following options will configure the health-checking method for
the table, and is mandatory for redirections:
.Bl -tag -width Ds
.It Xo
.Ic check http Ar path
.Op Ic host Ar hostname
.Ic code Ar number
.Xc
For each host in the table, verify that retrieving the URL
.Ar path
gives the HTTP return code
.Ar number .
If
.Ar hostname
is specified, it is used as the
.Dq Host:
header to query a specific hostname at the target host.
To validate the HTTP return code, use this shell command:
.Bd -literal -offset indent
$ echo -n "HEAD <path> HTTP/1.0\er\en\er\en" | \e
nc <host> <port> | head -n1
.Ed
.Pp
This prints the status header including the actual return code:
.Bd -literal -offset indent
HTTP/1.1 200 OK
.Ed
.It Xo
.Ic check https Ar path
.Op Ic host Ar hostname
.Ic code Ar number
.Xc
This has the same effect as above but wraps the HTTP request in TLS.
.It Xo
.Ic check http Ar path
.Op Ic host Ar hostname
.Ic digest Ar string
.Xc
For each host in the table, verify that retrieving the URL
.Ar path
produces non-binary content whose message digest matches the defined string.
The algorithm used is determined by the string length of the
.Ar digest
argument, either SHA1 (40 characters) or MD5 (32 characters).
If
.Ar hostname
is specified, it is used as the
.Dq Host:
header to query a specific hostname at the target host.
The digest does not take the HTTP headers into account.
Do not specify a binary object (such as a graphic) as the target of the
request, as
.Nm
expects the data returned to be a string.
To compute the digest, use this simple command:
.Bd -literal -offset indent
$ ftp -o - http://host[:port]/path | sha1
.Ed
.Pp
This gives a digest that can be used as-is in a digest statement:
.Bd -literal -offset indent
a9993e36476816aba3e25717850c26c9cd0d89d
.Ed
.It Xo
.Ic check https Ar path
.Op Ic host Ar hostname
.Ic digest Ar string
.Xc
This has the same effect as above but wraps the HTTP request in TLS.
.It Ic check icmp
Ping hosts in this table to determine whether they are up or not.
This method will automatically use ICMP or ICMPV6 depending on the
address family of each host.
.It Ic check script Ar path
Execute an external program to check the host state.
The program will be executed for each host by specifying the hostname
on the command line:
.Bd -literal -offset indent
/usr/local/bin/checkload.pl front-www1.private.example.com
.Ed
.Pp
.Xr relayd 8
expects a positive return value on success and zero on failure.
Note that the script will be executed with the privileges of the
.Qq _relayd
user and terminated after
.Ar timeout
milliseconds.
.It Xo
.Ic check send
.Ar data
.Ic expect
.Ar pattern
.Op Ic tls
.Xc
For each host in the table, a TCP connection is established on the
port specified, then
.Ar data
is sent.
Incoming data is then read and is expected to match against
.Ar pattern
using shell globbing rules.
If
.Ar data
is an empty string or
.Ic nothing
then nothing is sent on the connection and data is immediately
read.
This can be useful with protocols that output a banner like
SMTP, NNTP, and FTP.
If the
.Ic tls
keyword is present,
the transaction will occur in a TLS tunnel.
.It Xo
.Ic check binary send
.Ar data
.Ic expect
.Ar data
.Op Ic tls
.Xc
For each host in the table, a TCP connection is established on the
port specified, then the
.Ic send
.Ar data
is converted into binary and sent.
Incoming (binary)
data is then read and is expected to match against a binary
conversion of the
.Ic expect
.Ar data
using
.Xr memcmp 3 .
.Ar data
must be populated with a string containing an even number of hexadecimal
single-byte characters and must not be empty.
This can be useful with binary protocols such as LDAP and SNMP.
If the
.Ic tls
keyword is present,
the transaction will occur in a TLS tunnel.
.It Ic check tcp
Use a simple TCP connect to check that hosts are up.
.It Ic check tls
Perform a complete TLS handshake with each host to check their availability.
.El
.Pp
The following general table options are available:
.Bl -tag -width Ds
.It Ic demote Ar group
Enable the per-table
.Xr carp 4
demotion option.
This will increment the carp demotion counter for the
specified interface group if all hosts in the table are down.
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Ic interval Ar number
Override the global interval and specify one for this table.
It must be a multiple of the global interval.
.It Ic timeout Ar number
Set the timeout in milliseconds for each host that is checked using
TCP as the transport.
This will override the global timeout, which is 200 milliseconds by default.
.El
.Pp
The following options will set the scheduling algorithm to select a
host from the specified table:
.Bl -tag -width Ds
.It Ic mode hash Op Ar key
Balances the outgoing connections across the active hosts based on the
.Ar key ,
IP address and port of the relay.
Additional input can be fed into the
hash by looking at HTTP headers and GET variables;
see the
.Sx PROTOCOLS
section below.
This mode is only supported by relays.
.It Ic mode least-states
Forward each outgoing connection to the active host with the least
active
.Xr pf 4
states.
This mode is only supported by redirections.
.It Ic mode loadbalance Op Ar key
Balances the outgoing connections across the active hosts based on the
.Ar key ,
the source IP address of the client, and the IP address and port of the relay.
This mode is only supported by relays.
.It Ic mode random
Distributes the outgoing connections randomly through all active hosts.
This mode is supported by redirections and relays.
.It Ic mode roundrobin
Distributes the outgoing connections using a round-robin scheduler
through all active hosts.
This is the default mode and will be used if no option has been specified.
This mode is supported by redirections and relays.
.It Ic mode source-hash Op Ar key
Balances the outgoing connections across the active hosts based on the
.Ar key
and the source IP address of the client.
This mode is supported by redirections and relays.
.El
.Pp
The optional
.Ar key
argument can be specified for the
.Ic hash ,
.Ic loadbalance ,
and
.Ic source-hash
modes as either a hex value with a leading
.Ql 0x
or as a string.
If omitted,
.Xr relayd 8
generates a random key when the configuration is loaded.
.Sh REDIRECTIONS
Redirections represent a
.Xr pf 4
rdr-to rule.
They are used for stateful redirections to the hosts in the specified
tables.
.Xr pf 4
rewrites the target IP addresses and ports of the incoming
connections, operating on layer 3.
The configuration directives that are valid in the
.Ic redirect
context are described below:
.Bl -tag -width Ds
.It Ic disable
The redirection is initially disabled.
It can be later enabled through
.Xr relayctl 8 .
.It Xo
.Ic forward to
.Pf < Ar table Ns >
.Op Ic port Ar number
.Ar options ...
.Xc
Specify the tables of target hosts to be used; see the
.Sx TABLES
section above for information about table options.
If the
.Ic port
option is not specified, the first port from the
.Ic listen on
directive will be used.
This directive can be specified twice \(en the second entry will be used
as the backup table if all hosts in the main table are down.
At least one entry for the main table is mandatory.
.It Xo
.Ic listen on Ar address
.Op ip-proto
.Ic port Ar port
.Op Ic interface Ar name
.Xc
Specify an
.Ar address
and a
.Ar port
to listen on.
.Xr pf 4
will redirect incoming connections for the specified target to the
hosts in the main or backup table.
The
.Ar port
argument can optionally specify a port range instead of a single port;
the format is
.Ar min-port : Ns Ar max-port .
The optional argument
.Ar ip-proto
can be used to specify an IP protocol like
.Cm tcp
or
.Cm udp ;
it defaults to
.Cm tcp .
The rule can be optionally restricted to a given interface name.
.It Xo
.Op Ic match
.Ic pftag Ar name
.Xc
Automatically tag packets passing through the
.Xr pf 4
rdr-to rule with the name supplied.
This allows simpler filter rules.
The optional
.Ic match
keyword will change the default rule action from
.Ql pass in quick
to
.Ql match in
to allow further evaluation in the pf ruleset using the
.Cm tagged Ar name
rule option.
.It Xo
.Ic route to
.Pf < Ar table Ns >
.Op Ic port Ar number
.Ar options ...
.Xc
Like the
.Ic forward to
directive, but directly routes the packets to the target host without
modifying the target address using a
.Xr pf 4
route-to rule.
This can be used for
.Dq direct server return
to force the target host to respond via a different gateway.
Note that hosts have to accept sessions for the same address as
the gateway, which is typically done by configuring a loopback
interface on the host with this address.
.It Ic session timeout Ar seconds
Specify the inactivity timeout in seconds for established redirections.
The default timeout is 600 seconds (10 minutes).
The maximum is 2147483647 seconds (68 years).
.It Ic sticky-address
This has the same effect as specifying sticky-address
for an rdr-to rule in
.Xr pf.conf 5 .
It will ensure that multiple connections from the same source are
mapped to the same redirection address.
.El
.Sh RELAYS
Relays will forward traffic between a client and a target server.
In contrast to redirections and IP forwarding in the network stack, a
relay will accept incoming connections from remote clients as a
server, open an outgoing connection to a target host, and forward
any traffic between the target host and the remote client,
operating on layer 7.
A relay is also called an application layer gateway or layer 7 proxy.
.Pp
The main purpose of a relay is to provide advanced load balancing
functionality based on specified protocol characteristics, such as
HTTP headers, to provide TLS acceleration and to allow
basic handling of the underlying application protocol.
.Pp
The
.Ic relay
configuration directives are described below:
.Bl -tag -width Ds
.It Ic disable
Start the relay but immediately close any accepted connections.
.It Xo
.Op Ic transparent
.Ic forward
.Op Ic with tls
.Ic to
.Ar address
.Op Ic port Ar port
.Ar options ...
.Xc
Specify the address and port of the target host to connect to.
If the
.Ic port
option is not specified, the port from the
.Ic listen on
directive will be used.
Use the
.Ic transparent
keyword to enable fully-transparent mode; the source address of the
client will be retained in this case.
.Pp
The
.Ic with tls
directive enables client-side TLS mode to connect to the remote host.
Verification of server certificates can be enabled by setting the
.Ic ca file
option in the protocol section.
.Pp
The following options may be specified for forward directives:
.Bl -tag -width Ds
.It Ic inet
If the requested destination is an IPv6 address,
.Xr relayd 8
will forward the connection to an IPv4 address which is determined by
the last 4 octets of the original IPv6 destination.
For example, if the original IPv6 destination address is
2001:db8:7395:ffff::a01:101, the session is relayed to the IPv4
address 10.1.1.1 (a01:101).
.It Ic inet6 Ar address-prefix
If the requested destination is an IPv4 address,
.Xr relayd 8
will forward the connection to an IPv6 address which is determined by
setting the last 4 octets of the specified IPv6
.Ar address-prefix
to the 4 octets of the original IPv4 destination.
For example, if the original IPv4 destination address is 10.1.1.1 and
the specified address prefix is 2001:db8:7395:ffff::, the session is
relayed to the IPv6 address 2001:db8:7395:ffff::a01:101.
.It Ic retry Ar number
The optional host
.Ic retry
option will be used as a tolerance for failed
host connections; the connection will be retried for
.Ar number
more times.
.El
.It Xo
.Ic forward to
.Pf < Ar table Ns >
.Op Ic port Ar port
.Ar options ...
.Xc
Like the previous directive, but connect to a host from the specified
table; see the
.Sx TABLES
section above for information about table options.
This directive can be specified multiple times \(en subsequent entries
will be used as the backup table if all hosts in the previous table
are down.
At least one entry for the main table is mandatory.
As above, use the
.Ic with tls
directive to enable client-side TLS mode when connecting to the remote host.
.It Xo
.Ic forward to
.Ic destination
.Ar options ...
.Xc
When redirecting connections with a divert-to rule in
.Xr pf.conf 5
to a relay listening on localhost, this directive will
look up the real destination address of the intended target host,
allowing the relay to be run as a transparent proxy.
If an additional
.Ic forward to
directive to a specified address or table is present,
it will be used as a backup if the lookup failed.
As above, use the
.Ic with tls
directive to enable client-side TLS mode when connecting to the remote host.
.It Xo
.Ic forward to
.Ic nat lookup
.Ar options ...
.Xc
Like the previous directive, but for redirections with rdr-to in
.Xr pf.conf 5 .
.It Xo
.Ic listen on Ar address Ic port Ar port
.Op Ic tls
.Xc
Specify the address and port for the relay to listen on.
The relay will accept incoming connections to the specified address.
If the
.Ic tls
keyword is present, the relay will accept connections using the
encrypted TLS protocol.
.It Ic protocol Ar name
Use the specified protocol definition for the relay.
The generic TCP protocol options will be used by default;
see the
.Sx PROTOCOLS
section below.
.It Ic session timeout Ar seconds
Specify the inactivity timeout in seconds for accepted sessions.
The default timeout is 600 seconds (10 minutes).
The maximum is 2147483647 seconds (68 years).
.El
.Sh TLS RELAYS
In addition to plain TCP,
.Xr relayd 8
supports the Transport Layer Security (TLS) cryptographic protocol for
authenticated and encrypted relays.
TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
but the term SSL is sometimes still used in modern TLS-based applications.
.Xr relayd 8
can operate as a TLS client or server to offer a variety of options
for different use cases related to TLS.
.Bl -tag -width Ds
.It Ic TLS client
When configuring the relay
.Ic forward
statements with the
.Ic with tls
directive,
.Xr relayd 8
will enable client-side TLS to connect to the remote host.
This is commonly used for TLS tunneling and transparent encapsulation
of plain TCP connections.
See the
.Ic forward to
description in the
.Sx RELAYS
section for more details.
.It Ic TLS server
When specifying the
.Ic tls
keyword in the relay
.Ic listen
statements,
.Xr relayd 8
will accept connections from clients as a TLS server.
This mode is also known as
.Dq SSL/TLS acceleration .
See the
.Ic listen on
description in the
.Sx RELAYS
section for more details.
.It Ic TLS client and server
When combining both modes, TLS server and client,
.Xr relayd 8
can filter TLS connections as a man-in-the-middle.
This combined mode is also called
.Dq TLS inspection .
The configuration requires additional X.509 certificate settings;
see the
.Ic ca key
description in the
.Sx PROTOCOLS
section for more details.
.El
.Pp
When configured for
.Dq TLS inspection
mode,
.Xr relayd 8
will listen for incoming connections which have been diverted to the
local socket by PF.
Before accepting and negotiating the incoming TLS connection as a
server, it will look up the original destination address on the
diverted socket, and pre-connect to the target server as a TLS client
to obtain the remote TLS certificate.
It will update or patch the obtained TLS certificate by replacing the
included public key with its local server key because it doesn't have
the private key of the remote server certificate.
It also updates the X.509 issuer name to the local CA subject name and
signs the certificate with its local CA key.
This way it keeps all the other X.509 attributes that are already
present in the server certificate, including the "green bar" extended
validation attributes.
Now it finally accepts the TLS connection from the diverted client
using the updated certificate and continues to handle the connection
and to connect to the remote server.
.Sh PROTOCOLS
Protocols are templates defining settings and rules for relays.
They allow setting generic TCP options, TLS settings, and rules
for the selected application layer protocol.
.Pp
The protocol directive is available for a number of different
application layer protocols.
There is no generic handler for UDP-based protocols because it is a
stateless datagram-based protocol which has to look into the
application layer protocol to find any possible state information.
.Bl -tag -width Ds
.It Ic dns protocol
(UDP)
Domain Name System (DNS) protocol.
The requested IDs in the DNS header will be used to match the state.
.Xr relayd 8
replaces these IDs with random values to compensate for
predictable values generated by some hosts.
.It Ic http protocol
Handle the HyperText Transfer Protocol
(HTTP, or "HTTPS" if encapsulated in a TLS tunnel).
.It Xo
.Op Ic tcp
.Ic protocol
.Xc
Generic handler for TCP-based protocols.
This is the default.
.El
.Pp
The available configuration directives are described below:
.Bl -tag -width Ds
.It Xo
.Pq Ic block Ns | Ns Ic pass Ns | Ns Ic match
.Op Ar rule
.Xc
Specify one or more rules to filter connections based on their
network or application layer headers;
see the
.Sx FILTER RULES
section for more details.
.It Ic return error Op Ar option
Return an error response to the client if an internal operation or the
forward connection to the client failed.
By default, the connection will be silently dropped.
The effect of this option depends on the protocol: HTTP will send an
error header and page to the client before closing the connection.
Additional valid options are:
.Bl -tag -width Ds
.It Ic style Ar string
Specify a Cascading Style Sheet (CSS) to be used for the returned
HTTP error pages, for example:
.Bd -literal -offset indent
body { background: #a00000; color: white; }
.Ed
.El
.It Ic tcp Ar option
Enable or disable the specified TCP/IP options; see
.Xr tcp 4
and
.Xr ip 4
for more information about the options.
Valid options are:
.Bl -tag -width Ds
.It Ic backlog Ar number
Set the maximum length the queue of pending connections may grow to.
The backlog option is 10 by default, is limited to 512 and capped by the
.Ic kern.somaxconn
.Xr sysctl 8
variable.
.It Ic ip minttl Ar number
This option for the underlying IP connection may be used to discard packets
with a TTL lower than the specified value.
This can be used to implement the
Generalized TTL Security Mechanism (GTSM)
according to RFC 5082.
.It Ic ip ttl Ar number
Change the default time-to-live value in the IP headers.
.It Ic nodelay
Enable the TCP NODELAY option for this connection.
This is recommended to avoid delays in the relayed data stream,
e.g. for SSH connections.
The default is
.Ic no nodelay .
.It Ic no splice
Disable socket splicing for zero-copy data transfer.
The default is to enable socket splicing.
.It Ic sack
Use selective acknowledgements for this connection.
The default is
.Ic no sack .
.It Ic socket buffer Ar number
Set the socket-level buffer size for input and output for this
connection.
This will affect the TCP window size.
.El
.It Ic tls Ar option
Set the TLS options and session settings.
This is only used if TLS is enabled in the relay.
Valid options are:
.Bl -tag -width Ds
.It Ic ca cert Ar path
Specify a CA certificate for TLS inspection.
For more information, see the
.Ic ca key
option below.
.It Ic ca file Ar path
This option enables CA verification in TLS client mode.
The daemon will load the CA (Certificate Authority) certificates from
the specified path to verify the server certificates.
.Ox
provides a default CA bundle in
.Pa /etc/ssl/cert.pem .
.It Ic ca key Ar path Ic password Ar password
Specify a CA key for TLS inspection.
The
.Ar password
argument will specify the password to decrypt the CA key
(typically an RSA key).
This option will enable TLS inspection if the following conditions
are true:
.Pp
.Bl -bullet -compact -offset indent
.It
TLS server mode is enabled by the
.Ic listen
directive:
.Ic listen on ... tls .
.It
TLS client mode and divert lookups are enabled by the
.Ic forward
directive:
.Ic forward with tls to destination .
.It
The
.Ic ca cert
option is specified.
.It
The
.Ic ca key
option is specified.
.El
.It Ic ciphers Ar string
Set the string defining the TLS cipher suite.
If not specified, the default value
.Ql HIGH:!aNULL
will be used (strong crypto cipher suites without anonymous DH).
See the CIPHERS section of
.Xr openssl 1
for information about SSL/TLS cipher suites and preference lists.
.It Ic client-renegotiation
Allow client-initiated renegotiation.
To mitigate a potential DoS risk,
the default is
.Ic no client-renegotiation .
.It Ic ecdhe Ar curves
Specify a comma separated list of elliptic curves to use for ECDHE cipher
suites, in order of preference.
The special value of "default" will use the default curves; see
.Xr tls_config_set_ecdhecurves 3
for further details.
.It Ic edh Op Ic params Pq Ic none Ns | Ns Ic auto Ns | Ns Ic legacy
Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for
older clients that do not support ECDHE.
In
.Ic auto
mode, the key size of the ephemeral key is automatically selected
based on the size of the private key used for signing.
In
.Ic legacy
mode, a 1024 bit ephemeral key is used.
If
.Ic params
is omitted,
.Ic auto
is used.
The default is
.Ic no edh .
.It Ic keypair Ar name
The relay will attempt to look up a private key in
.Pa /etc/ssl/private/name:port.key
and a public certificate in
.Pa /etc/ssl/name:port.crt ,
where
.Ar port
is the specified port that the relay listens on.
If these files are not present, the relay will continue to look in
.Pa /etc/ssl/private/name.key
and
.Pa /etc/ssl/name.crt .
This option can be specified multiple times for TLS Server Name Indication.
If not specified,
a keypair will be loaded using the specified IP address of the relay as
.Ar name .
See
.Xr ssl 8
for details about SSL/TLS server certificates.
.Pp
An optional OCSP staple file will be used during TLS handshakes with
this server if it is found as a non-empty file in
.Pa /etc/ssl/name:port.ocsp
or
.Pa /etc/ssl/name.ocsp .
The file should contain a DER-format OCSP response retrieved from an
OCSP server for the certificate in use, and can be created using
.Xr ocspcheck 8 .
.It Ic no cipher-server-preference
Prefer the client's cipher list over the server's preferences when
choosing a cipher for the connection.
The default is to prefer the server's cipher list.
.It Ic no session tickets
Disable TLS session tickets.
.Xr relayd 8
supports stateless TLS session tickets (RFC 5077) to implement TLS session
resumption.
The default is to disable session tickets.
.It Ic no tlsv1.3
Disable the TLSv1.3 protocol.
The default is to enable TLSv1.3.
.It Ic no tlsv1.2
Disable the TLSv1.2 protocol.
The default is to enable TLSv1.2.
.It Ic sslv3
Enable the SSLv3 protocol.
The default is
.Ic no sslv3 .
.It Ic tlsv1
Enable all TLSv1 protocols.
This is an alias that includes
.Ic tlsv1.0 ,
.Ic tlsv1.1 ,
.Ic tlsv1.2 ,
and
.Ic tlsv1.3 .
The default is
.Ic no tlsv1 .
.It Ic tlsv1.0
Enable the TLSv1.0 protocol.
The default is
.Ic no tlsv1.0 .
.It Ic tlsv1.1
Enable the TLSv1.1 protocol.
The default is
.Ic no tlsv1.1 .
.El
.It Ic http Ar option
Set the HTTP options and session settings.
This is only used if HTTP is enabled in the relay.
Valid options are:
.Bl -tag -width Ds
.It Ic headerlen Ar number
Set the maximum size of all HTTP headers in bytes.
The default value is 8192 and it is limited to a maximum of 131072.
.It Ic websockets
Allow connection upgrade to websocket protocol.
The default is
.Ic no websockets .
.El
.El
.Sh FILTER RULES
Relays have the ability to filter connections based
on their network or application layer headers.
Filter rules apply options to connections based on the specified
filter parameters.
.Pp
For each connection that is processed by a relay, the filter rules are
evaluated in sequential order, from first to last.
For
.Ic block
and
.Ic pass ,
the last matching rule decides what action is taken;
if no rule matches the connection, the default action is to establish
the connection without any additional action.
For
.Ic match ,
rules are evaluated every time they match;
the pass/block state of a connection remains unchanged.
.Pp
The filter action may be one of the following:
.Bl -tag -width Ds
.It Ic block
The connection is blocked.
If a
.Ic block
rule matches a new connection attempt, it will not be established.
.Ic block
rules can also trigger for existing connections after evaluating
application layer parameters;
any connection of the relay session will be instantly dropped.
.It Ic match
The connection is matched.
This action does not alter the connection state, but allows
additional parameters to the connection.
.It Ic pass
The connection is passed;
.Xr relayd 8
will continue to process the relay session normally.
.El
.Pp
These filter parameters can be used in the rules:
.Bl -tag -width Ds
.It Ic request No or Ic response
A relay session always consists of two connections:
the
.Ic request ,
a client initiating a new connection to a server via the relay,
and the
.Ic response ,
the server accepting the connection.
Depending on the protocol,
an established session can be purely request/response-based (like
HTTP), exchange data in a bidirectional way (like arbitrary TCP
sessions), or just contain a single datagram and an optional response
(like UDP-based protocols).
But the client always
.Em requests
to communicate with a remote peer; the server.
.It Ic quick
If a connection is matched by a rule with the
.Ic quick
option set,
the rule is considered to be the last matching rule and any further
evaluation is skipped.
.It Ic inet No or Ic inet6
Only match connections with the specified address family,
either of type IPv4 or IPv6.
.It Ic from Ar address Ns Oo Li / Ns Ar prefix Oc
This rule only matches for connections from the specified source.
.It Ic to Ar address Ns Oo Li / Ns Ar prefix Oc
This rule only matches for connections to the specified destination.
The destination is the address the client was connecting to,
typically the relay's listen address in non-transparent mode,
not the address of the forwarded backend connection.
.It Ic forward to Pf < Ar table Ns >
Forward the request to a server in the specified table.
With this option, requests can be passed to specific backend servers.
A corresponding
.Ic forward to
declaration in the
.Sx RELAYS
section is required.
.It Ic label Ar string
The label will be printed as part of the error message if the
.Ic return error
option is set and may contain HTML tags, for example:
.Bd -literal -offset indent
block request url digest 5c1e03f58f8ce0b457474ffb371fd1ef \e
label "<a href='http://example.com/adv.pl?id=7359'>\e
Advisory provided by example.com</a>"
.Ed
.It Ic no Ar parameter
Reset a sticky parameter that was previously set by a matching rule.
The
.Ar parameter
is a keyword that can be either
.Ic label
or
.Ic tag .
.It Ic tag Ar string
Add a "sticky" tag to connections matching this filter rule.
Tags can be used to filter the connection by further rules using the
.Ic tagged
option.
Only one tag is assigned per connection;
the tag will be replaced if the connection is already tagged.
.It Ic tagged Ar string
Match the connection if it is already tagged with a given tag by a
previous rule.
.El
.Pp
The following parameters are available when using the
.Ic http
protocol:
.Bl -tag -width Ds
.It Ic method Ar name
Match the HTTP request method.
The method is specified by
.Ar name
and can be either
.Ic ACL ,
.Ic BASELINE-CONTROL ,
.Ic CHECKIN ,
.Ic CHECKOUT ,
.Ic CONNECT ,
.Ic COPY ,
.Ic DELETE ,
.Ic GET ,
.Ic HEAD ,
.Ic LABEL ,
.Ic LOCK ,
.Ic MERGE ,
.Ic MKACTIVITY ,
.Ic MKCOL ,
.Ic MKREDIRECTREF ,
.Ic MKWORKSPACE ,
.Ic MOVE ,
.Ic OPTIONS ,
.Ic ORDERPATCH ,
.Ic PATCH ,
.Ic POST ,
.Ic PROPFIND ,
.Ic PROPPATCH ,
.Ic PUT ,
.Ic REPORT ,
.Ic SEARCH ,
.Ic TRACE ,
.Ic UNCHECKOUT ,
.Ic UNLOCK ,
.Ic UPDATE ,
.Ic UPDATEREDIRECTREF ,
or
.Ic VERSION-CONTROL .
.It Xo
.Ar type option
.Oo Oo Ic digest Oc
.Pq Ar key Ns | Ns Ic file Ar path
.Oo Ic value Ar value Oc Oc
.Xc
Match a specified HTTP header entity and an optional
.Ic key
and
.Ic value .
An
.Ic option
can be specified to modify the matched entity or to trigger an event.
The entity is extracted from the HTTP request or response header and
can be either of
.Ar type
.Ic cookie ,
.Ic header ,
.Ic path ,
.Ic query ,
or
.Ic url .
.Pp
Instead of a single
.Ar key ,
multiple keys can be loaded from a
.Ic file
specified by
.Ar path
that contains one key per line.
Lines will be stripped at the first whitespace or newline character
and any empty lines or lines beginning with a hash mark
.Pq Ql #
will be ignored.
.Pp
If the
.Ic digest
keyword is specified,
compare the message digest of the key against the defined string.
The algorithm used is determined by the string length of the
.Ar key
argument, either SHA1 (40 characters) or MD5 (32 characters).
To compute the digest,
for example for a
.Ic url ,
use this simple command:
.Bd -literal -offset indent
$ echo -n "example.com/path/?args" | sha1
.Ed
.El
.Pp
.Bq Ar type
may be one of:
.Bl -tag -width Ds
.It Ic cookie Ar option Oo Ar key Oo Ic value Ar value Oc Oc
Look up the entity as a value in the Cookie header.
This type is only available with the direction
.Ic request .
.It Ic header Ar option Oo Ar key Oo Ic value Ar value Oc Oc
Look up the entity in the application protocol headers, like HTTP
headers in
.Ic http
mode.
.It Ic path Ar option Oo Ar key Oo Ic value Ar value Oc Oc
Look up the entity as a value in the URL path when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request .
The
.Ar key
will match the path of the requested URL without the hostname
and query and the value will match the complete query,
for example:
.Bd -literal -offset indent
block path "/index.html"
block path "/cgi-bin/t.cgi" value "foo=bar*"
.Ed
.It Ic query Ar option Oo Ar key Oo Ic value Ar value Oc Oc
Look up the entity as a query variable in the URL when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request ,
for example:
.Bd -literal -offset indent
# Will match /cgi-bin/example.pl?foo=bar&ok=yes
pass request query "foo" value "bar"
.Ed
.It Ic url Ar option Oo Oo Ic digest Oc Ar key Oo Ic value Ar value Oc Oc
Look up the entity as a URL suffix/prefix expression consisting of a
canonicalized hostname without port or suffix and a path name or
prefix when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request ,
for example:
.Bd -literal -offset indent
block url "example.com/index.html"
block url "example.com/test.cgi?val=1"
.Ed
.Pp
.Xr relayd 8
will match the full URL and different possible suffix/prefix
combinations by stripping subdomains and path components (up to 5
levels), and the query string.
For example, the following
lookups will be done for
http://www.example.com:81/1/2/3/4/5.html?query=yes:
.Bd -literal -offset indent
www.example.com/1/2/3/4/5.html?query=yes
www.example.com/1/2/3/4/5.html
www.example.com/
www.example.com/1/
www.example.com/1/2/
www.example.com/1/2/3/
example.com/1/2/3/4/5.html?query=yes
example.com/1/2/3/4/5.html
example.com/
example.com/1/
example.com/1/2/
example.com/1/2/3/
.Ed
.El
.Pp
.Bq Ar option
may be one of:
.Bl -tag -width Ds
.It Ic append
Append the specified
.Ar value
to a protocol entity with the selected
.Ar key
name.
If it does not exist, it will be created with the new value.
.Pp
The value string may contain predefined macros that will be expanded
at runtime:
.Pp
.Bl -tag -width $SERVER_ADDR -offset indent -compact
.It Ic $HOST
The Host header's value of the relay.
.It Ic $REMOTE_ADDR
The IP address of the connected client.
.It Ic $REMOTE_PORT
The TCP source port of the connected client.
.It Ic $SERVER_ADDR
The configured IP address of the relay.
.It Ic $SERVER_PORT
The configured TCP server port of the relay.
.It Ic $SERVER_NAME
The server software name of
.Xr relayd 8 .
.It Ic $TIMEOUT
The configured session timeout of the relay.
.El
.It Ic hash
Feed the
.Ar value
of the selected entity into the load balancing hash to select the
target host.
See the
.Ic table
keyword in the
.Sx RELAYS
section above.
.It Ic log
Log the
.Ar key
name and the
.Ar value
of the entity.
.It Ic remove
Remove the entity with the selected
.Ar key
name.
.It Ic set
Like the
.Ic append
directive above, but change the contents of the specified entity.
If
.Ar key
does not exist in the request, it will be created with the new
.Ar value .
.Pp
The
.Ar value
string
may contain predefined macros that will be expanded at runtime,
as detailed for the
.Ic append
directive above.
.El
.Sh ROUTERS
Routers represent routing table entries in the kernel forwarding
database, see
.Xr route 4 ,
and a table of associated gateways.
They are used to dynamically insert or remove routes with gateways
based on their availability and health-check results.
A router can include multiple network statements and a single forward
statement with a table of one or more gateways.
All entries in a single router directive must match the same address
family, either IPv4 or IPv6.
.Pp
The kernel supports multipath routing when multiple gateways exist to
the same destination address.
The multipath routing behaviour can be changed globally using the
.Xr sysctl 8
variables
.Va net.inet.ip.multipath
and
.Va net.inet6.ip6.multipath .
With the default setting of 0,
the first route selected will be used for subsequent packets to that
destination regardless of source.
Setting it to 1 will enable load balancing based on the packet source
address across gateways; multiple routes with the same priority are
used equally.
The kernel will also check the link state of the related network
interface and try a different route if it is not active.
.Pp
The configuration directives that are valid in the
.Ic routers
context are described below:
.Bl -tag -width Ds
.It Xo
.Ic forward to
.Pf < Ar table Ns >
.Ic port Ar number
.Ar options ...
.Xc
Specify the table of target gateways to be used; see the
.Sx TABLES
section above for information about table options.
This entry is mandatory and must be specified once.
.It Xo
.Ic route
.Ar address Ns Li / Ns Ar prefix
.Xc
Specify the network address and prefix length of a route destination
that is reachable via the active gateways.
This entry must be specified at least once in a router directive.
.It Ic rtable Ar id
Add the routes to the kernel routing table with the specified
.Ar id .
.It Ic rtlabel Ar label
Add the routes with the specified
.Ar label
to the kernel routing table.
.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa /etc/relayd.conf
.Xr relayd 8
configuration file.
.Pp
.It Pa /etc/examples/relayd.conf
Example configuration file.
.Pp
.It Pa /etc/services
Service name database.
.Pp
.It Pa /etc/ssl/address.crt
.It Pa /etc/ssl/address:port.crt
.It Pa /etc/ssl/private/address.key
.It Pa /etc/ssl/private/address:port.key
Location of the relay TLS server certificates, where
.Ar address
is the configured IP address
and
.Ar port
is the configured port number of the relay.
.Pp
.It Pa /etc/ssl/cert.pem
Default location of the CA bundle that can be used with
.Xr relayd 8 .
.El
.Sh EXAMPLES
This configuration file would create a redirection service
.Dq www
which load balances four hosts
and falls back to one host containing a
.Dq sorry page :
.Bd -literal -offset indent
www1=front-www1.private.example.com
www2=front-www2.private.example.com
www3=front-www3.private.example.com
www4=front-www4.private.example.com
interval 5
table <phphosts> { $www1, $www2, $www3, $www4 }
table <sorryhost> disable { sorryhost.private.example.com }
redirect "www" {
listen on www.example.com port 8080 interface trunk0
listen on www6.example.com port 80 interface trunk0
pftag REDIRECTED
forward to <phphosts> port 8080 timeout 300 \e
check http "/" digest "630aa3c2f..."
forward to <sorryhost> port 8080 timeout 300 check icmp
}
.Ed
.Pp
It is possible to specify multiple listen directives with different IP
protocols in a single redirection configuration:
.Bd -literal -offset indent
redirect "dns" {
listen on dns.example.com tcp port 53
listen on dns.example.com udp port 53
forward to <dnshosts> port 53 check tcp
}
.Ed
.Pp
The following configuration would add a relay to forward
secure HTTPS connections to a pool of HTTP webservers
using the
.Ic loadbalance
mode (TLS acceleration and layer 7 load balancing).
The HTTP protocol definition will add two HTTP headers containing
address information of the client and the server, set the
.Dq Keep-Alive
header value to the configured session timeout,
and include the
.Dq sessid
variable in the hash to calculate the target host:
.Bd -literal -offset indent
http protocol "https" {
match header set "X-Forwarded-For" \e
value "$REMOTE_ADDR"
match header set "X-Forwarded-By" \e
value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
match query hash "sessid"
pass
block path "/cgi-bin/index.cgi" value "*command=*"
tls { no tlsv1.0, ciphers "HIGH" }
}
relay "tlsaccel" {
listen on www.example.com port 443 tls
protocol "https"
forward to <phphosts> port 8080 mode loadbalance check tcp
}
.Ed
.Pp
The second relay example will accept incoming connections to port
2222 and forward them to a remote SSH server.
The TCP
.Ic nodelay
option will allow a
.Dq smooth
SSH session without delays between keystrokes or displayed output on
the terminal:
.Bd -literal -offset indent
protocol "myssh" {
tcp { nodelay, socket buffer 65536 }
}
relay "sshforward" {
listen on www.example.com port 2222
protocol "myssh"
forward to shell.example.com port 22
}
.Ed
.Pp
The following relay example will configure
.Dq TLS inspection
as described in the
.Sx TLS RELAYS
section.
To start, first generate a new local CA key and certificate:
.Bd -literal -offset indent
# openssl req -x509 -days 365 -newkey rsa:2048 \e
-keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
.Ed
.Pp
A TLS server key and self-signed cert for 127.0.0.1 are also required;
see
.Ic listen on
in the
.Sx RELAYS
section for more details about certificate locations.
Configure the packet filter with a matching divert rule in
.Xr pf.conf 5 :
.Bd -literal -offset indent
# Divert incoming HTTPS traffic to relayd
pass in on vlan1 inet proto tcp to port 443 \e
divert-to localhost port 8443
.Ed
.Pp
And finally configure the TLS inspection in
.Nm :
.Bd -literal -offset indent
http protocol httpfilter {
return error
pass
match label "Prohibited!"
block url "social.network.example.com/"
# New configuration directives for SSL/TLS Interception
tls ca key "/etc/ssl/private/ca.key" password "password123"
tls ca cert "/etc/ssl/ca.crt"
}
relay tlsinspect {
listen on 127.0.0.1 port 8443 tls
protocol httpfilter
forward with tls to destination
}
.Ed
.Pp
The next simple router configuration example can be used to run
redundant, health-checked WAN links:
.Bd -literal -offset indent
table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 }
router "uplinks" {
route 0.0.0.0/0
forward to <gateways> check icmp
}
.Ed
.Sh SEE ALSO
.Xr ocspcheck 8 ,
.Xr relayctl 8 ,
.Xr relayd 8 ,
.Xr ssl 8
.Sh HISTORY
The
.Nm
file format, formerly known as
.Ic hoststated.conf ,
first appeared in
.Ox 4.1 .
It was renamed to
.Nm
in
.Ox 4.3 .
.Sh AUTHORS
.An -nosplit
The
.Xr relayd 8
program was written by
.An Pierre-Yves Ritschard Aq Mt pyr@openbsd.org
and
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
.Xr relayd 8
verification of TLS server certificates is based on a static CA bundle
and
.Xr relayd 8
currently does not support CRLs (Certificate Revocation Lists).
|