# $OpenBSD: relayd.conf,v 1.6 2023/10/29 11:27:11 kn Exp $
#
# Example relayd(8) configuration covering four use cases: a layer 3
# redirection (rdr) with health checks, a layer 7 HTTPS-terminating
# load balancer, a plain TCP relay in front of an SSH gateway, and a
# transparent filtering HTTP proxy fed by pf(4) divert rules.
#
# Macros
#
# ext_addr is the externally reachable address every redirect/relay
# below listens on; the other macros name the internal backends.
ext_addr="192.168.1.1"
webhost1="10.0.0.1"
webhost2="10.0.0.2"
sshhost1="10.0.0.3"

#
# Global Options
#
# All three are left commented out here, so relayd runs with its
# built-in defaults for the check interval, check timeout and the
# number of pre-forked relay processes.
# interval 10
# timeout 1000
# prefork 5

#
# Each table will be mapped to a pf table.
#
# <webhosts> is the production pool; <fallback> only holds the loopback
# address and is presumably meant to catch traffic when every host in
# <webhosts> fails its health check (see the redirect below).
table <webhosts> { $webhost1 $webhost2 }
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#
redirect www {
	# Plain HTTP on the external interface; no TLS at this layer.
	listen on $ext_addr port http interface trunk0

	# tag every packet that goes thru the rdr rule with RELAYD
	pftag RELAYD

	# Hosts only stay in the pf table while "/" answers with 200;
	# the second table is the backup used when the first is empty.
	forward to <webhosts> check http "/" code 200
	forward to <fallback> check icmp
}

#
# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
#
http protocol https {
	# "append" adds $REMOTE_ADDR after any X-Forwarded-For value the
	# client already sent rather than replacing it, so backends that
	# log or make decisions on the client address must use the
	# right-most entry, never the first one.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	# "set" overrides whatever Connection header the client supplied,
	# forcing one request per backend connection.
	match request header set "Connection" value "close"

	# Various TCP options
	tcp { sack, backlog 128 }

	# TLS hardening examples, left disabled so relayd's defaults apply;
	# the first line would disable TLSv1.0 and restrict the cipher list.
#	tls { no tlsv1.0, ciphers HIGH }
#	tls no session tickets
}

relay wwwtls {
	# Run as a TLS accelerator
	listen on $ext_addr port 443 tls
	protocol https

	# Forward to hosts in the webhosts table using a src/dst hash
	# TLS terminates here: the backend connection is plain HTTP on
	# port http (no "with tls"), so the relayd-to-backend path must be
	# a trusted network.
	forward to <webhosts> port http mode loadbalance \
	    check http "/" code 200
}

#
# Relay and protocol for simple TCP forwarding on layer 7
#
protocol sshtcp {
	# The TCP_NODELAY option is required for "smooth" terminal sessions
	tcp nodelay
}

relay sshgw {
	# Run as a simple TCP relay
	# Exposed on the external address; the relay itself only copies
	# bytes, so authentication and encryption are left to sshd on the
	# gateway behind it.
	listen on $ext_addr port 2222
	protocol sshtcp

	# Forward to the shared carp(4) address of an internal gateway
	# Single host, no health check: if it is down the relay simply fails.
	forward to $sshhost1 port 22
}

#
# Relay and protocol for a transparent HTTP proxy
#
http protocol httpfilter {
	# Return HTTP/HTML error pages to the client
	# Each "match request label" below sets the text shown on that
	# error page for the block rules that follow it; labels are rendered
	# as HTML (note the <em> tag), so they must stay static, trusted text.
	return error

	# Block disallowed sites
	# "url" matches against the requested host and path (relayd.conf(5));
	# "quick" stops rule evaluation at the first match.
	match request label "URL filtered!"
	block request quick url "www.example.com/" value "*"

	# Block disallowed browsers
	# User-Agent is chosen by the client, so this is a convenience
	# filter, not a security control.
	match request label "Please try a <em>different Browser</em>"
	block request quick header "User-Agent" \
	    value "Mozilla/4.0 (compatible; MSIE *"

	# Block some well-known Instant Messengers
	# These inspect the server's response, so the request has already
	# reached the origin; only the reply to the client is blocked.
	match request label "Instant messenger disallowed!"
	block response quick header "Content-Type" \
	    value "application/x-msn-messenger"
	block response quick header "Content-Type" value "app/x-hotbar-xip20"
	block response quick header "Content-Type" value "application/x-icq"
	block response quick header "Content-Type" value "AIM/HTTP"
	block response quick header "Content-Type" \
	    value "application/x-comet-log"
}

relay httpproxy {
	# Listen on localhost, accept diverted connections from pf(4)
	# Bound to loopback only, so clients cannot reach it directly; the
	# original destination is recovered from the pf divert state.
	listen on 127.0.0.1 port 8080
	protocol httpfilter

	# Forward to the original target host
	# "destination" presumably depends on the matching pf divert-to rule
	# being present; without it there is no target to forward to.
	forward to destination
}