Date: Sun Oct 2 04:00:24 2022 UTC
Message: Daily backup
targets=Pf.Guide,Leafnode.Install,Tcpip.Sockets,Znc.Relayd,Openhttpd.Configure,Dns.Records,Host.Usage,Openhttpd.Hosting,Znc.Chroot,Telnet.Http,Netcat.Http,Acme-client.Configure,Ln.Intro,Ip.Myaddress,Openbsd.Ddos,Openbsd.Loginconf,Openbsd.Rcctl,Openssl.Http,Openbsd.Syslogd
text=(:title TLS Acceleration with relayd:)

[[https://bsd.plumbing/about.html|relayd]] can provide secure TLS acceleration.

Features:
# Load balancer
# Application layer gateway
# Transparent proxy
# SSL/TLS gateway

Pros:
# Simpler to configure than haproxy or stunnel
# Tight integration with OpenBSD's [[pf/guide|packet filter]]
# Secure

!! Introduction

Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption. It serves all its content as plaintext, exposing users' data to eavesdropping and forgery. When this happens, you can use relayd to provide TLS. This will encrypt connections and protect your users.

relayd is also useful when two servers both need to listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[znc/relayd|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port, 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).

!! Before You Begin

!!! Configure DNS

Before you begin, you will want to make sure [[dns/records|DNS records]] are configured properly. Use [[host/usage|host]] to test whether your hostnames resolve properly:

[@
$ host service1.example.com
service1.example.com has address 192.168.1.1
service1.example.com has IPv6 address 2001:db8::
@]

!!! Check Server in Plaintext

Before using relayd, you must make sure your server can serve its content in plaintext. If the server doesn't respond to plaintext requests, relayd won't work, either.

# For webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]].
# For public bouncers, please see the [[znc/chroot|znc chroot guide]].

Afterward, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.

!!! httpd must NOT listen on port 443

'''WARNING''': If you are using relayd for TLS acceleration for openhttpd, make sure openhttpd does '''not''' have a listener on port 443. Look for blocks like the one below:

[@
server "example.com" {
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
@]

Notice the line @@listen on * tls port 443@@ and the @@tls {...}@@ block. If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for Android, iOS, and other devices!

In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 80.

!!! Request SSL Certs

You will need the SSL certs for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.

By default, [[https://man.openbsd.org/relayd|relayd]] searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/private/name:port.key@@ for the public/private keypair. If those are not present, it uses @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@.

If your public cert and private key have different names, you should update [[acme-client/configure|/etc/acme-client.conf]]. It's recommended to use @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@, where @@name@@ is replaced with your actual domain name.

'''Optional''': If you used the template from @@/etc/examples/acme-client.conf@@, your public cert ends in .fullchain.pem instead of .crt. In that case, you can create [[ln/intro|symbolic links]]:

[@
$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt
@]

Replace @@example.com@@ with your real domain. This will allow relayd to find your public cert. However, it is still highly recommended that you change [[acme-client/configure|acme-client.conf]] to create public certs that end with the extension @@.crt@@.

!! Edit relayd.conf

Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. Here is what we will put, one block at a time:

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection
@]

Replace @@192.168.1.1@@ and @@2001:db8::@@ with your [[ip/myaddress|real IPv4 and IPv6 address]]. Make sure the IPv4 address is [[openbsd/ddos|DDoS-filtered]] if you have that option.

Replace @@service1@@ and @@service2@@ with the names of your real services, such as bnc, www, and mail.

Do '''NOT''' replace @@127.0.0.1@@. You want relayd to forward its requests to the web server listening on localhost.

[@
http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    tcp { sack, backlog 128 }
    tls { keypair service1.example.com }
    tls { keypair service2.example.com }
    match request header "Host" value "service1.example.com" forward to <service1>
    match request header "Host" value "service2.example.com" forward to <service2>
}
@]

Here we define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding them to [[openhttpd/hosting|openhttpd]].

We turn on selective acknowledgments and set the maximum queue to 128 connections in the tcp block.

We define the keypair names. Below is a table which shows the order in which relayd searches for them. Replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.

The last two lines of the protocol block forward to the proper service based on the Host HTTP header.

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service1.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||
|| 2 || /etc/ssl/service1.example.com.crt || /etc/ssl/private/service1.example.com.key ||

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service2.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||
|| 2 || /etc/ssl/service2.example.com.crt || /etc/ssl/private/service2.example.com.key ||

The next section in relayd.conf indicates what port relayd should listen on, and where to forward:

[@
relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
relay www6tls {
    listen on $ip6 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
@]

Replace @@service1@@ and @@service2@@ with the names of your real services.

We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 443 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.

!! Complete relayd.conf

Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:

Attach:relayd.conf

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    tcp { sack, backlog 128 }
    tls { keypair service1.example.com }
    tls { keypair service2.example.com }
    match request header "Host" value "service1.example.com" forward to <service1>
    match request header "Host" value "service2.example.com" forward to <service2>
}

relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
relay www6tls {
    listen on $ip6 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
@]

!! Login class permissions

If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[openbsd/loginconf|/etc/login.conf]]:

[@
relayd:\
    :openfiles=4096:\
    :stacksize-cur=96M:\
    :stacksize-max=96M:\
    :tc=daemon:
@]

Make sure there is no @@login.conf.db@@ database, which would prevent the changes in [[openbsd/loginconf|login.conf]] from being applied:

[@
$ doas rm /etc/login.conf.db
@]

!! Starting relayd

To start relayd, use [[openbsd/rcctl|rcctl]]:

[@
$ doas rcctl enable relayd
$ doas rcctl start relayd
@]

'''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:

[@
$ doas pfctl -e
@]

To test relayd, use [[openssl/http|openssl]].

!!! Syslogd

The setting @@log connection@@ produces enormous logs which will quickly fill up @@/var/log/daemon@@. To avoid this, configure [[openbsd/syslogd|syslogd]] to send all relayd messages into its own file. For how to do that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].

In addition to splitting relayd logs into its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for relayd.

!! Configuring syslog

All log messages from relayd should go to [@/var/log/relayd.log@]. To do this, insert these three lines starting at line 3 (at the top) into [@/etc/syslog.conf@]:

[@
!!relayd
*.*	/var/log/relayd.log
!*
@]

This directs all logs from relayd to go straight to /var/log/relayd.log.

Next, create the file /var/log/relayd.log and restart syslogd:

[@
$ doas touch /var/log/relayd.log
$ doas rcctl restart syslogd
@]

!! Troubleshooting

If relayd fails to start, you will see this message:

[@
relayd(failed)
@]

First, check the conf file to see if there are any errors:

[@
$ doas relayd -n
@]

When properly configured, relayd will say @@configuration OK@@.

!!! Sample Errors

# @@/etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls@@\\
Check line NN. Your keypair may be missing, have the wrong permissions, or be labeled incorrectly.
# @@/etc/relayd.conf:NN: syntax error@@\\
Check line NN for syntax errors.

To turn on debugging, first stop any running instances of relayd, then run it in the foreground:

[@
$ doas rcctl stop relayd
$ doas relayd -dvv
@]

@@-d@@ is for debug and @@-v@@ is to increase verbosity.

!! Common Mistakes

# Make sure httpd is '''not''' also listening on port 443. Only one daemon can bind to the same [[tcpip/sockets|socket]] at any time.
# Make sure [[dns/records|DNS records]] are properly configured; test with [[host/usage|host]]
# Make sure znc is listening on port 1338; test with [[netcat/http|netcat]] or [[telnet/http|telnet]]
# Make sure [[pf/guide|packet filter]] is turned on
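The checks in this guide, as an added example that is not part of the original page: POSIX shell functions that scan httpd.conf for a port 443 listener, resolve the keypair search order relayd uses for each hostname named in relayd.conf, and list the backend sockets that relayd.conf forwards to so they can be tested in plaintext. The config syntax assumed is the one shown above; SSL_ROOT is an assumed parameter (default /etc/ssl) so the keypair lookup can be pointed at a test directory.

```shell
#!/bin/sh
# Pre-flight checks for the relayd TLS-acceleration setup described in this
# guide. Added example, not part of the original page. SSL_ROOT is an assumed
# parameter (defaults to /etc/ssl) so the keypair lookup can run against a
# test directory; the config syntax assumed is the one shown in the guide.

SSL_ROOT="${SSL_ROOT:-/etc/ssl}"

# 1. httpd must NOT listen on port 443. Print (with line numbers) every
#    "listen on" line that binds TLS (implicit port 443) or port 443 outright.
#    Returns 0 when an offending listener exists, 1 when the file is clean.
httpd_listens_on_443() {
    grep -En '^[[:space:]]*listen[[:space:]]+on[[:space:]]+[^[:space:]]+[[:space:]]+(tls([[:space:]]+port[[:space:]]+443)?|port[[:space:]]+443)[[:space:]]*$' "$1"
}

# 2a. Keypair names relayd.conf asks for: every "keypair NAME" inside a tls block.
relayd_keypair_names() {
    awk '/^[[:space:]]*tls[[:space:]]*[{]/ {
        for (i = 1; i < NF; i++) if ($i == "keypair") print $(i + 1)
    }' "$1"
}

# 2b. Search order from the guide: NAME:PORT.crt/.key first, then NAME.crt/.key.
#     Prints "cert key" for the first complete pair and returns 0; returns 1
#     when neither exists, hinting at a .fullchain.pem that only needs a symlink.
relayd_keypair_path() {
    name=$1
    port=${2:-443}
    for base in "$name:$port" "$name"; do
        crt="$SSL_ROOT/$base.crt"
        key="$SSL_ROOT/private/$base.key"
        if [ -f "$crt" ] && [ -f "$key" ]; then
            printf '%s %s\n' "$crt" "$key"
            return 0
        fi
    done
    if [ -f "$SSL_ROOT/$name.fullchain.pem" ]; then
        echo "no keypair for $name: symlink $SSL_ROOT/$name.fullchain.pem to $SSL_ROOT/$name.crt" >&2
    fi
    return 1
}

# 3. Backends that must answer in plaintext: join each "forward to <table> port N"
#    in a relay block with the address from "table <name> { addr }". The
#    "match ... forward to <table>" lines in the protocol block carry no port
#    and are skipped. Prints "table addr port", one line per backend.
relayd_backends() {
    awk '
        /^[[:space:]]*table[[:space:]]+</ {
            name = $2; gsub(/[<>]/, "", name)
            line = $0
            sub(/^[^{]*[{][[:space:]]*/, "", line)
            sub(/[[:space:]]*[}].*$/, "", line)
            addr[name] = line
            next
        }
        /forward[[:space:]]+to[[:space:]]+</ {
            t = ""; p = ""
            for (i = 1; i < NF; i++) {
                if ($i == "to") { t = $(i + 1); gsub(/[<>]/, "", t) }
                if ($i == "port") p = $(i + 1)
            }
            if (p != "" && t in addr) print t, addr[t], p
        }
    ' "$1" | sort -u
}

# Run everything against the given files (defaults: the system config paths).
# Keypairs are looked up for port 443 because that is the relay's listen port.
# Exit status 1 if httpd still binds 443 or any keypair is missing.
preflight() {
    httpd_conf=${1:-/etc/httpd.conf}
    relayd_conf=${2:-/etc/relayd.conf}
    rc=0
    if httpd_listens_on_443 "$httpd_conf"; then
        echo "httpd still binds port 443; relayd cannot bind the same socket" >&2
        rc=1
    fi
    for name in $(relayd_keypair_names "$relayd_conf"); do
        relayd_keypair_path "$name" 443 || rc=1
    done
    echo "backends to test in plaintext (table addr port):"
    relayd_backends "$relayd_conf"
    return $rc
}
```

Run `preflight /etc/httpd.conf /etc/relayd.conf` after editing the configs and before `rcctl start relayd`; each backend line it prints is a socket to try with the netcat or telnet guides.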
diff:1644301640:1640690259:=142,143c142,143%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a148,149c148,149%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a155,156c155,156%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 443 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a> %0a185,186c185,186%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a191,192c191,192%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a
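Review bot: this flips every `forward to <service1> port 80 check icmp` to `port 443` (lines 142-149 and 185-192) and the explanatory sentence at 155 with it, but the tables still point at 127.0.0.1 while the rest of the page says httpd must not listen on port 443 and assumes the hosting guide's port 80 listener, so after this change relayd forwards to a local port the reader is told to keep closed. Either revert to port 80 or update the 'httpd must NOT listen on port 443' and 'listening on port 80' text in the same edit. Note also that `check icmp` only pings the table address, so a closed backend port will not mark the host down.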
diff:1640690259:1640688494:=56,59d55%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a
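Review bot: this re-adds the `location "/.well-known/acme-challenge/*"` block that revision 1640688494 (csum 'Remove duplicate' below) had just removed from the sample httpd server block, and the edit carries no summary explaining the reversal. The sample only exists to show the `listen on * tls port 443` line and the `tls {...}` block to look for, so the shorter version was adequate; if the full block is wanted to match the hosting guide, say so in the edit summary.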
csum:1640688494=Remove duplicate: Location for acme-challenge already is in Server block 1
diff:1640688494:1636212106:=55a56,59%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a
diff:1636212059:1636038705:minor=41c41%0a%3c Afterward, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a---%0a> Afterward configuration, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a
diff:1636038705:1636038179:=120,121c120,121%0a%3c We define the keypair names. Below is a table which shows the order in which relayd searches for them. Replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a%3c %0a---%0a> We define the keypair names. Below is a table which shows the order in which relayd searches for them. You will want to replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a> %0a153,154d152%0a%3c Replace @@service1@@ and @@service2@@ with the names of your real services.%0a%3c %0a160,161d157%0a%3c %0a%3c Attach:relayd.conf%0a
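Review bot: `Attach:relayd.conf` is added above the inline 'Complete relayd.conf' listing with nothing saying which copy is authoritative; an attached file and an inline listing drift apart silently on later edits, so either drop the attachment or add a sentence that it is a verbatim copy of the listing and must be updated together with it.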
diff:1636038179:1636035501:=76c76%0a%3c '''Optional''': If you used the template from @@/etc/examples/acme-client.conf@@, your public cert ends in .fullchain.pem instead of .crt. In that case, you can create [[ln/intro|symbolic links]]:%0a---%0a> '''Optional''': If your public cert ends in .fullchain.pem instead of .crt, you can create [[ln/intro|symbolic links]]:%0a
diff:1636035501:1636035305:=287,289c287,290%0a%3c # Make sure [[dns/records|DNS records]] are properly configured; test with [[host/usage|host]]%0a%3c # Make sure znc is listening on port 1338; test with [[netcat/http|netcat]] or [[telnet/http|telnet]]%0a%3c # Make sure [[pf/guide|packet filter]] is turned on%0a---%0a> # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a> # Make sure nsd is set up properly%0a> # Make sure znc is listening on port 1338%0a> # Make sure packet filter is turned on%0a
diff:1636035305:1636024894:=227,236c227,230%0a%3c !!! Syslogd%0a%3c %0a%3c The setting @@log connection@@ produces enormous logs which will quickly fill up @@/var/log/daemon@@. To avoid this, configure [[openbsd/syslogd|syslogd]] to send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c !! Configuring syslog%0a%3c %0a%3c All log messages from relayd should go to [@/var/log/relayd.log@]. To do this, insert these three lines starting at line 3 (at the top) into [@/etc/syslog.conf@]:%0a%3c %0a---%0a> !! Troubleshooting%0a> %0a> If relayd fails to start, you will see this message:%0a> %0a238,240c232%0a%3c !!relayd%0a%3c *.* /var/log/relayd.log%0a%3c !*%0a---%0a> relayd(failed)%0a243,246c235,236%0a%3c This directs all logs from relayd to go straight to /var/log/relayd.log.%0a%3c %0a%3c Next, create the file /var/log/relayd.log and restart syslogd:%0a%3c %0a---%0a> First, check the conf file to see if there are any errors:%0a> %0a248,249c238%0a%3c $ doas touch /var/log/relayd.log%0a%3c $ doas rcctl restart syslogd%0a---%0a> $ doas relayd -n%0a252,265d240%0a%3c !! Troubleshooting%0a%3c %0a%3c If relayd fails to start, you will see this message:%0a%3c %0a%3c [@%0a%3c relayd(failed)%0a%3c @]%0a%3c %0a%3c First, check the conf file to see if there are any errors:%0a%3c %0a%3c [@%0a%3c $ doas relayd -n%0a%3c @]%0a%3c %0a284c259,269%0a%3c !! Common Mistakes%0a---%0a> !!! %0a> %0a> [@%0a> log connection%0a> @]%0a> %0a> '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. 
To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a> %0a> In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a> %0a> !!! Common Mistakes%0a
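Review bot: the new `!!! Syslogd` subsection and the `!! Configuring syslog` section inserted right after it cover the same step (routing relayd's `log connection` output to its own file) at different heading levels, and the first still defers to an external mailing-list link for what the second shows inline with the three `!!relayd` / `*.*` / `!*` lines. Merge them under one heading and keep only the inline instructions, otherwise the reader follows the link for no reason.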
diff:1636024894:1635959543:=22,35c22,23%0a%3c !! Before You Begin%0a%3c %0a%3c !!! Configure DNS%0a%3c %0a%3c Before you begin, you will want to make sure [[dns/records|DNS records]] are configured properly. You will want to use [[host/usage|host]] to test if your hostnames are resolving properly:%0a%3c %0a%3c [@%0a%3c $ host service1.example.com%0a%3c service1.example.com has address 192.168.1.1%0a%3c service1.example.com has IPv6 address 2001:db8::%0a%3c @]%0a%3c %0a%3c !!! Check Server in Plaintext%0a%3c %0a---%0a> !! Check Server in Plaintext%0a> %0a43,44c31,32%0a%3c !!! httpd must NOT listen on port 443%0a%3c %0a---%0a> !! httpd must NOT listen on port 443%0a> %0a68,69c56,57%0a%3c !!! Request SSL Certs%0a%3c %0a---%0a> !! Request SSL Certs%0a> %0a96,101c84,85%0a%3c Replace @@192.168.1.1@@ and @@2001:db8::@@ with your [[ip/myaddress|real IPv4 and IPv6 address]]. Make sure the IPv4 is [[openbsd/ddos|DDoS-filtered]] if you have that option.%0a%3c %0a%3c Replace @@service1@@ and @@service2@@ with the names of your real services, such as bnc, www, and mail.%0a%3c %0a%3c Do '''NOT''' replace @@127.0.0.1@@. You want relayd to forward its requests to the web server listening on localhost.%0a%3c %0a---%0a> Replace ip4 and ip6 with the actual IPv4 and IPv6 address you want to listen on. Make sure the IPv4 is DDoS-filtered if you have that option.%0a> %0a109,110c93,94%0a%3c tls { keypair service1.example.com }%0a%3c tls { keypair service2.example.com }%0a---%0a> tls { keypair service1.example.com%0a> keypair service2.example.com }%0a120,123c104,105%0a%3c We define the keypair names. Below is a table which shows the order in which relayd searches for them. You will want to replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a%3c %0a%3c The last two lines in relayd.conf forward to the proper service based on the Host HTTP header.%0a%3c %0a---%0a> We then define the keypair names. 
Here's where relayd searches for them:%0a> %0a125,137c107,113%0a%3c ||! Hostname: service1.example.com ||||||%0a%3c ||! Priority ||! Public Cert ||! Private Key ||%0a%3c || 1 || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a%3c || 2 || /etc/ssl/service1.example.com.crt || /etc/ssl/private/service1.example.com.key ||%0a%3c %0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Hostname: service2.example.com ||||||%0a%3c ||! Priority ||! Public Cert ||! Private Key ||%0a%3c || 1 || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a%3c || 2 || /etc/ssl/service2.example.com.crt || /etc/ssl/private/service2.example.com.key ||%0a%3c %0a%3c The next section in relayd.conf indicates what port relayd should listen on, and where to forward:%0a%3c %0a---%0a> ||! Name ||! Public Cert ||! Private Key ||%0a> || name || /etc/ssl/name:443.crt || /etc/ssl/private/name:443.key ||%0a> || service1.example.com || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a> || service2.example.com || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a> %0a> The last two lines forward to the proper service based on the Host HTTP header.%0a> %0a153,154c129,130%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). 
Both check ICMP to see if the service is available.%0a> %0a172,173c148,149%0a%3c tls { keypair service1.example.com }%0a%3c tls { keypair service2.example.com }%0a---%0a> tls { keypair service1.example.com%0a> keypair service2.example.com }%0a177d152%0a%3c %0a194,195c169,170%0a%3c If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[openbsd/loginconf|/etc/login.conf]]:%0a%3c %0a---%0a> If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a> %0a204,205c179,180%0a%3c Make sure there is no @@login.conf.db@@ database, which would prevent the changes in [[openbsd/loginconf|login.conf]] from being applied:%0a%3c %0a---%0a> Then we must make sure there is no @@login.conf.db@@ database:%0a> %0a212,213d186%0a%3c To start relayd, use [[openbsd/rcctl|rcctl]]:%0a%3c %0a225,230c198,199%0a%3c To test relayd, use [[openssl/http|openssl]].%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c If relayd fails to start, you will see this message:%0a%3c %0a---%0a> To test relayd, we'll use [[openssl/http|openssl]]:%0a> %0a232c201%0a%3c relayd(failed)%0a---%0a> %0a235,236c204,207%0a%3c First, check the conf file to see if there are any errors:%0a%3c %0a---%0a> !! Troubleshooting%0a> %0a> If relayd fails to start, you will see this message:%0a> %0a238c209%0a%3c $ doas relayd -n%0a---%0a> relayd(failed)%0a240a212,217%0a> First, we check the conf file to see if there are any errors:%0a> %0a> [@%0a> $ doas relayd -n%0a> @]%0a> %0a243,245c220,222%0a%3c !!! 
Sample Errors%0a%3c %0a%3c # @@/etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls@@\\%0a---%0a> Sample errors:%0a> %0a> # /etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls\\%0a247c224%0a%3c # @@/etc/relayd.conf:NN: syntax error@@%0a---%0a> # /etc/relayd.conf:NN: syntax error%0a250,251c227,228%0a%3c To turn on debugging, first stop any running instances of relayd, then run it in the foreground:%0a%3c %0a---%0a> To turn on debugging, first stop any running instances of relayd then run it in the foreground:%0a> %0a257,258c234,235%0a%3c @@-d@@ is for debug and @@-v@@ is to increase verbosity.%0a%3c %0a---%0a> -d is for debug and -v is to increase verbosity.%0a> %0a269,271c246,248%0a%3c !!! Common Mistakes%0a%3c %0a%3c # Make sure httpd is '''not''' also listening on port 443. Only one daemon can bind to the same [[tcpip/sockets|socket]] at any time.%0a---%0a> !!! common errors%0a> %0a> # Make sure httpd is not also listening on port 443%0a
diff:1635959543:1628324627:=18,21c18,21%0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption. It serves all its content as plaintext, exposing users' data to eavesdropping and forgery. When this happens, you can use relayd to provide TLS. This will encrypt connections and protect your users.%0a%3c %0a%3c Another time relayd is useful is when we have two servers that both need to listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[znc/relayd|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port, 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a%3c %0a---%0a> Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption by default. It serves all its content as plaintext, exposing users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a> %0a> Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. It is not possible, however, to have two servers bind to the same socket. 
To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a> %0a26,32c26,28%0a%3c # For webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]].%0a%3c # For public bouncers, please see the [[znc/chroot|znc chroot guide]].%0a%3c %0a%3c Afterward configuration, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a%3c %0a%3c !! httpd must NOT listen on port 443%0a%3c %0a---%0a> # For providing webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]]. Afterwards, test the setup using the [[telnet/http|telnet troubleshooting guide]].%0a> # For providing public bouncers, please see the [[znc/chroot|znc chroot guide]]. Afterwards, test the setup using the [[openbsd/netcat|netcat troubleshooting guide]].%0a> %0a58,65c54,57%0a%3c You will need the SSL certs for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c By default, [[https://man.openbsd.org/relayd|relayd]] searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/private/name:port.key@@ for the public/private keypair. If those are not present, it uses @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@.%0a%3c %0a%3c If your public cert and private key have different names, you should update [[acme-client/configure|/etc/acme-client.conf]]. It's recommended to use @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@, where @@name@@ is replaced with your actual domain name.%0a%3c %0a%3c '''Optional''': If your public cert ends in .fullchain.pem instead of .crt, you can create [[ln/intro|symbolic links]]:%0a%3c %0a---%0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. 
Request them using [[acme-client/configure|acme-client]] if you have not already.%0a> %0a> By default, relayd searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/name:port.key@@ for the public/private keypair. So, we will create symlinks:%0a> %0a67c59,60%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a---%0a> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a69,70d61%0a%3c %0a%3c You will want to replace @@example.com@@ with your real domain. This will allow relayd to detect your public key. However, it is still highly recommended that you change [[acme-client/configure|acme-client.conf]] to create public keys that end with the extension @@.crt@@.%0a
diff:1628324627:1628324504:=87a88%0a> match request header "Host" value "*" forward to %3cwww>%0a142a144%0a> match request header "Host" value "*" forward to %3cservice2>%0a148a151%0a> forward to %3cwww> port 80 check icmp%0a154a158%0a> forward to %3cwww> port 80 check icmp%0a
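Review bot: with the `match request header "Host" value "*" forward to <www>` catch-all removed (lines 88 and 144) and the matching `forward to <www> port 80` relay entries gone, the protocol no longer says where a request whose Host header matches neither service name goes; add a sentence next to the two remaining Host match lines stating the intended behaviour for unmatched or absent Host headers (for example clients that connect by IP address).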
diff:1628324504:1623735705:=88d87%0a%3c match request header "Host" value "*" forward to %3cwww>%0a144d142%0a%3c match request header "Host" value "*" forward to %3cservice2>%0a151d148%0a%3c forward to %3cwww> port 80 check icmp%0a158d154%0a%3c forward to %3cwww> port 80 check icmp%0a
diff:1623735705:1615027455:=50,51c50,51%0a%3c In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 80.%0a%3c %0a---%0a> In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 8001.%0a> %0a109,110c109,110%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a115,116c115,116%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a120,121c120,121%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 8001 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). 
Both check ICMP to see if the service is available.%0a> %0a147,148c147,148%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a153,154c153,154%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a243c243%0a%3c # Make sure packet filter is turned on%0a---%0a> # Make sure packet filter is turned on%0a\ No newline at end of file%0a
059
2021-12-17
diff:1615027455:1615027423:=170c170%0a%3c Then we must make sure there is no @@login.conf.db@@ database:%0a---%0a> Then:%0a
062
2021-12-17
diff:1615027423:1614608648:=156,173d155%0a%3c @]%0a%3c %0a%3c !! Login class permissions%0a%3c %0a%3c If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a%3c %0a%3c [@%0a%3c relayd:\%0a%3c :openfiles=4096:\%0a%3c :stacksize-cur=96M:\%0a%3c :stacksize-max=96M:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c Then:%0a%3c %0a%3c [@%0a%3c $ doas rm /etc/login.conf.db%0a
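Review bot: the 156,173d155 hunk tells the reader to `doas rm /etc/login.conf.db` right after editing login.conf but not why: when login.conf.db exists it is consulted instead of login.conf, so a stale database would silently keep the old openfiles limit. Either say so, or offer `doas cap_mkdb /etc/login.conf` as the alternative that rebuilds the database instead of deleting it. It is also worth noting that the class name must be exactly `relayd`, because the rc framework runs a daemon under a login class of the same name when one exists; `:tc=daemon:` then inherits the rest of the daemon class.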
065
2021-12-17
diff:1614608648:1614449510:=70,71c70,71%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a---%0a> table %3cservice1> { localhost }%0a> table %3cservice2> { localhost }%0a129,130c129,130%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a---%0a> table %3cservice1> { localhost }%0a> table %3cservice2> { localhost }%0a
068
2021-12-17
diff:1614449510:1614449226:=171,176c171,172%0a%3c To test relayd, we'll use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c %0a%3c @]%0a%3c %0a---%0a> To test relayd:%0a> %0a195,201c191,196%0a%3c # /etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls\\%0a%3c Check line NN. Your keypair may be missing, have the wrong permissions, or are not labeled correctly.%0a%3c # /etc/relayd.conf:NN: syntax error%0a%3c Check line NN for syntax errors.%0a%3c %0a%3c To turn on debugging, first stop any running instances of relayd then run it in the foreground:%0a%3c %0a---%0a> # /etc/relayd.conf:30: cannot load keypair example.com for relay wwwtls\\%0a> Check line 30. Either your keypair is not specified correctly, or your SSL public and private keys are not labeled correctly.%0a> # /etc/relayd.conf:21: syntax error%0a> Check%0a> %0a> %0a203d197%0a%3c $ doas rcctl stop relayd%0a209,210d202%0a%3c !!! %0a%3c %0a212c204%0a%3c log connection%0a---%0a> /etc/relayd.conf:30: cannot load keypair jrmu.coconut.ircnow.org for relay wwwtls%0a213a206,215%0a> %0a> %0a> !!! relayd doesn't show verbose information%0a> According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a> %0a> [@%0a> log connection%0a> @]%0a> %0a> Then reload/restart your relayd. %0a
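Review bot: in the 195,201c191,196 hunk, `Your keypair may be missing, have the wrong permissions, or are not labeled correctly` does not agree with `may`; `or be labeled incorrectly` does. Since wrong permissions are now listed as a cause, it would help to state the expected ones: the private key under /etc/ssl/private should be root-owned and neither group nor world readable, following the convention of that directory, so a key copied in with looser permissions is a leak even when relayd loads it without complaint. Replacing the real hostname `jrmu.coconut.ircnow.org` on the old 212c204 side with `example.com`, and the literal line numbers with `NN` on the new side, is the right direction for a public guide.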
071
2021-12-17
diff:1614449226:1614449018:=103,104d102%0a%3c The last two lines forward to the proper service based on the Host HTTP header.%0a%3c %0a120,125d117%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 8001 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a%3c !! Complete relayd.conf%0a%3c %0a%3c Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:%0a%3c %0a170,171d161%0a%3c %0a%3c To test relayd:%0a
077
2021-12-17
diff:1614448903:1614448882:=99c99%0a%3c || name || /etc/ssl/name:443.crt || /etc/ssl/private/name:443.key ||%0a---%0a> || name || /etc/ssl/name:port.crt || /etc/ssl/private/name:port.key ||%0a
080
2021-12-17
diff:1614448882:1614448807:=99d98%0a%3c || name || /etc/ssl/name:port.crt || /etc/ssl/private/name:port.key ||%0a
083
2021-12-17
diff:1614448807:1614448703:=97,98c97%0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Name ||! Public Cert ||! Private Key ||%0a---%0a> || Name || Public Cert || Private Key ||%0a
086
2021-12-17
diff:1614448703:1614448096:=90,99d89%0a%3c %0a%3c Here we define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding it to [[openhttpd/hosting|openhttpd]].%0a%3c %0a%3c We turn on selective acknowledgments and set the maximum queue to 128 connections in the tcp block.%0a%3c %0a%3c We then define the keypair names. Here's where relayd searches for them:%0a%3c %0a%3c || Name || Public Cert || Private Key ||%0a%3c || service1.example.com || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a%3c || service2.example.com || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a
089
2021-12-17
diff:1614448096:1614447000:=65,66c65,66%0a%3c Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. Here is what we will put, one block at a time:%0a%3c %0a---%0a> First copy the template for [[https://man.openbsd.org/relayd.conf|relayd.conf]] from /etc/examples/:%0a> %0a67a68,73%0a> $ doas cp /etc/examples/relayd.conf /etc/relayd.conf%0a> @]%0a> %0a> Next, edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a> %0a> [@%0a73,77c79%0a%3c @]%0a%3c %0a%3c Replace ip4 and ip6 with the actual IPv4 and IPv6 address you want to listen on. Make sure the IPv4 is DDoS-filtered if you have that option.%0a%3c %0a%3c [@%0a---%0a> %0a89,91d90%0a%3c @]%0a%3c %0a%3c [@%0a105a105,106%0a> !! Starting relayd%0a> %0a107,135c108,109%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c table %3cservice1> { localhost }%0a%3c table %3cservice2> { localhost }%0a%3c log connection%0a%3c %0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c tcp { sack, backlog 128 }%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a%3c }%0a%3c relay wwwtls {%0a%3c listen on $ip4 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a---%0a> $ doas rcctl enable relayd%0a> $ doas rcctl start relayd%0a138,139c112,113%0a%3c !! 
Starting relayd%0a%3c %0a---%0a> '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a> %0a141,142c115%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a---%0a> $ doas pfctl -e%0a145,150d117%0a%3c '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -e%0a%3c @]%0a%3c %0a159c126%0a%3c First, we check the conf file to see if there are any errors:%0a---%0a> First, let's check the conf file to see if there are any errors:%0a
092
2021-12-17
diff:1614447000:1614446907:=115a116,123%0a> @]%0a> %0a> If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a> %0a> Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a> %0a> [@%0a> # httpd -nf /etc/httpd.conf%0a
095
2021-12-17
diff:1614446907:1614446562:=112,116c112,113%0a%3c '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -e%0a%3c @]%0a---%0a> %0a> '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a
098
2021-12-17
diff:1614446562:1614445897:=20,21c20,21%0a%3c Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a%3c %0a---%0a> Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a> %0a90a91%0a> %0a91a93%0a> # Run as a SSL/TLS accelerator%0a92a95%0a> listen on $ip6 port 443 tls%0a94,95c97,100%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a---%0a> %0a> # Forward to hosts in the table%0a> forward to %3cbnc> port 1338 check icmp%0a> forward to %3cwww> port 8080 check icmp%0a97,102d101%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a105,106d103%0a%3c !! Starting relayd%0a%3c %0a110a108,114%0a> %0a> %0a> %0a> %0a> Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a> %0a> %0a
107
2021-12-17
diff:1614445697:1614445376:=76,79c76,79%0a%3c table %3cservice1> { localhost }%0a%3c table %3cservice2> { localhost }%0a%3c log connection%0a%3c %0a---%0a> webhost="127.0.0.1"%0a> %0a> table %3cwww> { $webhost }%0a> table %3cbnc> { $webhost }%0a84a85,86%0a> %0a> # Various TCP options%0a86,89c88,92%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a---%0a> %0a> # tls { no tlsv1.0, ciphers HIGH } %0a> # tls no session tickets%0a> match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a> match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a
113
2021-12-17
diff:1614445288:1614445004:=50,60c50,77%0a%3c In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 8001.%0a%3c %0a%3c !! Request SSL Certs%0a%3c %0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c By default, relayd searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/name:port.key@@ for the public/private keypair. So, we will create symlinks:%0a%3c %0a%3c [@%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a%3c $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a---%0a> If a listener on port 443 is present, you will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a> %0a> [@%0a> server "example.com" {%0a> listen on * port 8001%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a> @]%0a> %0a> Restart the [[openhttpd/configure|web server]], then [[telnet/http|test using telnet]] to verify it works:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> $ telnet localhost 80%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a> ...%0a> @]%0a> %0a> !! Request SSL Certs%0a> %0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a
116
2021-12-17
diff:1614445004:1614444783:=26,27c26,27%0a%3c # For providing webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]]. Afterwards, test the setup using the [[telnet/http|telnet troubleshooting guide]].%0a%3c # For providing public bouncers, please see the [[znc/chroot|znc chroot guide]]. Afterwards, test the setup using the [[openbsd/netcat|netcat troubleshooting guide]].%0a---%0a> # For [[openhttpd/configure|openhttpd]], see the [[telnet/http|telnet troubleshooting guide]].%0a> # For [[znc/chroot|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a
122
2021-12-17
diff:1614444573:1614335932:=27c27%0a%3c # For [[znc/chroot|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a---%0a> # For [[znc/install|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a
125
2021-12-17
diff:1614335932:1614320244:=123,124c123,124%0a%3c forward to %3cbnc> port 1338 check icmp%0a%3c forward to %3cwww> port 8080 check icmp%0a---%0a> forward to %3cbnc> port 1338 mode loadbalance check icmp%0a> forward to %3cwww> port 8080 mode loadbalance check icmp%0a
128
2021-12-17
diff:1614320244:1614320034:=80,81c80%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a%3c $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a---%0a> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a
131
2021-12-17
diff:1614320034:1614319293:=79,82d78%0a%3c [@%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a%3c @]%0a%3c %0a152,153c148,150%0a%3c If relayd fails to start, you will see this message:%0a%3c %0a---%0a> !!! relayd fails to start%0a> If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a> %0a155c152%0a%3c relayd(failed)%0a---%0a> # relayd -n%0a158,183c155,159%0a%3c First, let's check the conf file to see if there are any errors:%0a%3c %0a%3c [@%0a%3c $ doas relayd -n%0a%3c @]%0a%3c %0a%3c When properly configured, relayd will say @@configuration OK@@.%0a%3c %0a%3c Sample errors:%0a%3c %0a%3c # /etc/relayd.conf:30: cannot load keypair example.com for relay wwwtls\\%0a%3c Check line 30. Either your keypair is not specified correctly, or your SSL public and private keys are not labeled correctly.%0a%3c # /etc/relayd.conf:21: syntax error%0a%3c Check%0a%3c %0a%3c %0a%3c [@%0a%3c $ doas relayd -dvv%0a%3c @]%0a%3c %0a%3c -d is for debug and -v is to increase verbosity.%0a%3c %0a%3c [@%0a%3c /etc/relayd.conf:30: cannot load keypair jrmu.coconut.ircnow.org for relay wwwtls%0a%3c @]%0a%3c %0a---%0a> If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a> %0a> !!! relayd doesn't show verbose information%0a> According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a> %0a
140
2021-12-17
diff:1614316688:1614316568:=81,82c81,82%0a%3c First copy the template for [[https://man.openbsd.org/relayd.conf|relayd.conf]] from /etc/examples/:%0a%3c %0a---%0a> First copy the template relayd.conf from /etc/examples/:%0a> %0a87c87%0a%3c Next, edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a---%0a> Edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a
143
2021-12-17
diff:1614316568:1614316415:=81,87c81,82%0a%3c First copy the template relayd.conf from /etc/examples/:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/relayd.conf /etc/relayd.conf%0a%3c @]%0a%3c %0a%3c Edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a---%0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a
149
2021-12-17
diff:1614316336:1614316097:=48,50c48,50%0a%3c Notice the line @@listen on * tls port 443@@ and the @@tls {...}@@ block. If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a%3c %0a%3c If a listener on port 443 is present, you will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a> %0a> You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a
155
2021-12-17
diff:1614316056:1614315997:=20c20%0a%3c Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a---%0a> Another time you will need relayd is when you have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve the same HTTPS content on the same IP address on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a
158
2021-12-17
diff:1614315997:1614255886:=18c18%0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption by default. It serves all its content as plaintext, exposing users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a---%0a> Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] by default lack TLS encryption. It serves all its content as plaintext, exposing all your users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a
161
2021-12-17
diff:1614255886:1614255766:=80,81d79%0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a82a81,89%0a> $ doas rcctl enable relayd%0a> $ doas rcctl start relayd%0a> @]%0a> %0a> %0a> %0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a> [@%0a115,123d121%0a%3c %0a%3c %0a%3c [@%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a%3c @]%0a%3c %0a%3c %0a%3c %0a
164
2021-12-17
diff:1614255766:1614254767:=78,79c78,79%0a%3c !! Edit relayd.conf%0a%3c %0a---%0a> Next, you'll want to create [[ln/intro|symbolic links]] for each of the TLS certs:%0a> %0a81,82c81,86%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a---%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a> # rcctl enable relayd%0a> # rcctl start relayd%0a
167
2021-12-17
diff:1614254767:1614254582:=78c78%0a%3c Next, you'll want to create [[ln/intro|symbolic links]] for each of the TLS certs:%0a---%0a> Next, you'll want to create symbolic links for each of the TLS certs:%0a
170
2021-12-17
diff:1614254582:1614254535:=76,78c76,78%0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c Next, you'll want to create symbolic links for each of the TLS certs:%0a---%0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]].%0a> %0a> You'll need corresponding TLS certs:%0a
173
2021-12-17
diff:1614254535:1614254472:=48c48%0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail to forward for android, iOS, and other devices!%0a
179
2021-12-17
diff:1614254052:1614253988:=75,76d74%0a%3c %0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]].%0a
182
2021-12-17
diff:1614253988:1614253603:=65,66c65,66%0a%3c Restart the [[openhttpd/configure|web server]], then [[telnet/http|test using telnet]] to verify it works:%0a%3c %0a---%0a> Restart the web server, then test using telnet to verify it works:%0a> %0a69,71c69%0a%3c $ telnet localhost 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a
185
2021-12-17
diff:1614253603:1614253340:=48,70c48,51%0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail to forward for android, iOS, and other devices!%0a%3c %0a%3c You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 8001%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Restart the web server, then test using telnet to verify it works:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c $%0a%3c @]%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail for android, iOS, and other devices!%0a> %0a> You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443.%0a> %0a
188
2021-12-17
diff:1614253340:1614251591:=29,51c29%0a%3c '''WARNING''': If you are using relayd for TLS acceleration for openhttpd, make sure openhttpd does '''not''' have a listener on port 443. Look for blocks like the ones below:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail for android, iOS, and other devices!%0a%3c %0a%3c You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443.%0a%3c %0a---%0a> '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a
191
2021-12-17
diff:1614251591:1614251365:=22,30d21%0a%3c !! Check Server in Plaintext%0a%3c %0a%3c Before using relayd, you must make sure your server can serve its content in plaintext. If the server doesn't respond to plaintext requests, relayd won't work, either.%0a%3c %0a%3c # For [[openhttpd/configure|openhttpd]], see the [[telnet/http|telnet troubleshooting guide]].%0a%3c # For [[znc/install|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a33,34c24,25%0a%3c You'll need corresponding TLS certs:%0a%3c %0a---%0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a36,48d26%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a%3c @]%0a%3c %0a%3c %0a%3c %0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. 
Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a%3c [@%0a85c63,74%0a%3c %0a---%0a> You'll need corresponding TLS certs:%0a> %0a> [@%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a> # rcctl enable relayd%0a> # rcctl start relayd%0a> @]%0a> %0a> '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a
194
2021-12-17
diff:1614251365:1614251214:=22,23c22,25%0a%3c !! Request SSL Certs%0a%3c %0a---%0a> Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a> %0a> !! Howto%0a> %0a59,61d60%0a%3c %0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a
197
2021-12-17
diff:1614251214:1614250956:=20c20%0a%3c Another time you will need relayd is when you have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve the same HTTPS content on the same IP address on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a---%0a> There is also%0a
203
2021-12-17
diff:1614250536:1614250330:=17,20d16%0a%3c %0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] by default lack TLS encryption. It serves all its content as plaintext, exposing all your users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a%3c %0a%3c There is also%0a
206
2021-12-17
diff:1614250330:1614250113:=4a5,8%0a> Pros:%0a> # Much simpler than haproxy or stunnel%0a> # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a> %0a10,14d13%0a%3c %0a%3c Pros:%0a%3c # Simpler to configure than haproxy or stunnel%0a%3c # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a%3c # Secure%0a
212
2021-12-17
diff:1614250076:1614249408:=3,13d2%0a%3c [[https://bsd.plumbing/about.html|relayd]] can provide secure TLS acceleration.%0a%3c %0a%3c Pros:%0a%3c # Much simpler than haproxy or stunnel%0a%3c # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a%3c %0a%3c Features:%0a%3c # Load balancer%0a%3c # Application layer gateway%0a%3c # Transparent proxy%0a%3c # SSL/TLS gateway%0a
215
2021-12-17
diff:1614249408:1614249312:=1,3d0%0a%3c (:title TLS Acceleration with relayd:)%0a%3c %0a%3c %0a
218
2021-12-17
diff:1614249312:1614249312:=1,94d0%0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a%3c !! Howto%0a%3c %0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a%3c [@%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c webhost="127.0.0.1"%0a%3c %0a%3c table %3cwww> { $webhost }%0a%3c table %3cbnc> { $webhost }%0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c %0a%3c # Various TCP options%0a%3c tcp { sack, backlog 128 }%0a%3c %0a%3c # tls { no tlsv1.0, ciphers HIGH } %0a%3c # tls no session tickets%0a%3c match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a%3c match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a%3c }%0a%3c %0a%3c relay wwwtls {%0a%3c # Run as a SSL/TLS accelerator%0a%3c listen on $ip4 port 443 tls%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c %0a%3c # Forward to hosts in the table%0a%3c forward to %3cbnc> port 1338 mode loadbalance check icmp%0a%3c forward to %3cwww> port 8080 mode loadbalance check icmp%0a%3c } %0a%3c @]%0a%3c %0a%3c You'll need corresponding TLS certs:%0a%3c %0a%3c [@%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start 
relayd%0a%3c @]%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a%3c If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a%3c %0a%3c Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a%3c %0a%3c [@%0a%3c # httpd -nf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c !!! relayd fails to start%0a%3c If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a%3c %0a%3c [@%0a%3c # relayd -n%0a%3c @]%0a%3c %0a%3c If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a%3c %0a%3c !!! relayd doesn't show verbose information%0a%3c According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a%3c %0a%3c [@%0a%3c log connection%0a%3c @]%0a%3c %0a%3c Then reload/restart your relayd. %0a%3c %0a%3c '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. 
To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c !!! common errors%0a%3c %0a%3c # Make sure httpd is not also listening on port 443%0a%3c # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c # Make sure nsd is set up properly%0a%3c # Make sure znc is listening on port 1338%0a%3c # Make sure packet filter is turned on%0a\ No newline at end of file%0a