Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
02
2023-01-22
jrmu
agent=w3m/0.5.3+git20210102
03
2023-01-22
jrmu
author=jrmu
04
2023-01-22
jrmu
charset=UTF-8
05
2023-01-22
jrmu
csum=
06
2023-01-22
jrmu
ctime=1597226664
07
2023-01-22
jrmu
host=38.87.162.8
08
2023-01-22
jrmu
name=Openbsd.Relayd
09
2023-01-22
jrmu
rev=6
10
2023-01-22
jrmu
targets=
11
2023-01-22
jrmu
text=(:redirect Relayd.Acceleration:)%0aSuppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%0a!! Howto%0a%0aYou need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%0a[@%0aip4="192.168.1.1"%0aip6="2001:db8::"%0awebhost="127.0.0.1"%0a%0atable %3cwww> { $webhost }%0atable %3cbnc> { $webhost }%0ahttp protocol https {%0a match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a match request header append "X-Forwarded-By" \%0a value "$SERVER_ADDR:$SERVER_PORT"%0a match request header set "Connection" value "close"%0a%0a # Various TCP options%0a tcp { sack, backlog 128 }%0a%0a# tls { no tlsv1.0, ciphers HIGH } %0a# tls no session tickets%0a match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a}%0a%0arelay wwwtls {%0a # Run as a SSL/TLS accelerator%0a listen on $ip4 port 443 tls%0a listen on $ip6 port 443 tls%0a protocol https%0a%0a # Forward to hosts in the table%0a forward to %3cbnc> port 1338 mode loadbalance check icmp%0a forward to %3cwww> port 8080 mode loadbalance check icmp%0a} %0a@]%0a%0aYou'll need corresponding TLS certs:%0a%0a[@%0a# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a# rcctl enable relayd%0a# rcctl start relayd%0a@]%0a%0a'''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%0a'''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%0aIf your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a%0aMake sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a%0a[@%0a# httpd -nf /etc/httpd.conf%0a@]%0a%0a!! Troubleshooting%0a%0a!!! relayd fails to start%0aIf for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a%0a[@%0a# relayd -n%0a@]%0a%0aIf it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a%0a!!! relayd doesn't show verbose information%0aAccording to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a%0a[@%0alog connection%0a@]%0a%0aThen reload/restart your relayd. %0a%0a'''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%0aIn addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%0a!!! common errors%0a%0a# Make sure httpd is not also listening on port 443%0a# Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a# Make sure nsd is set up properly%0a# Make sure znc is listening on port 1338%0a# Make sure packet filter is turned on%0a
12
2023-01-22
jrmu
time=1626101113
13
2023-01-22
jrmu
author:1626101113=jrmu
14
2023-01-22
jrmu
diff:1626101113:1608386567:=1d0%0a%3c (:redirect Relayd.Acceleration:)%0a95c94%0a%3c # Make sure packet filter is turned on%0a---%0a> # Make sure packet filter is turned on%0a\ No newline at end of file%0a
15
2023-01-22
jrmu
host:1626101113=38.87.162.8
16
2023-01-22
jrmu
author:1608386567=jrmu
17
2023-01-22
jrmu
diff:1608386567:1608364202:=45d44%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a47d45%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a
18
2023-01-22
jrmu
host:1608386567=125.231.58.78
19
2023-01-22
jrmu
author:1608364202=jrmu
20
2023-01-22
jrmu
diff:1608364202:1600267682:=8,9c8%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a---%0a> ext_addr="192.168.1.1"%0a31,32c30%0a%3c listen on $ip4 port 443 tls%0a%3c listen on $ip6 port 443 tls%0a---%0a> listen on $ext_addr port 443 tls%0a
21
2023-01-22
jrmu
host:1608364202=198.251.81.119
22
2023-01-22
jrmu
author:1600267682=jrmu
23
2023-01-22
jrmu
diff:1600267682:1597727479:=89,90c89%0a%3c # Make sure znc is listening on port 1338%0a%3c # Make sure packet filter is turned on%0a\ No newline at end of file%0a---%0a> # Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
24
2023-01-22
jrmu
host:1600267682=38.81.163.143
25
2023-01-22
jrmu
author:1597727479=jrmu
26
2023-01-22
jrmu
diff:1597727479:1597226664:=3,4c3%0a%3c !! Howto%0a%3c %0a---%0a> ===== HOWTO =====%0a6,7c5%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a37,38c35,36%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a41c39%0a%3c [@%0a---%0a> %3ccode>%0a46,51c44,49%0a%3c @]%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a---%0a> %3c/code>%0a> %0a> **WARNING**: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a> %0a> **WARNING**: Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a> %0a55,56c53%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a58,62c55,59%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c !!! relayd fails to start%0a---%0a> %3c/code>%0a> %0a> ===== Troubleshooting =====%0a> %0a> ==== relayd fails to start ====%0a64,65c61%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a67,68c63%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a71c66%0a%3c !!! relayd doesn't show verbose information%0a---%0a> ==== relayd doesn't show verbose information ====%0a73,74c68%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a76,77c70%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a80,81c73,74%0a%3c '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a---%0a> **WARNING**: This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a> %0a84,89c77,82%0a%3c !!! common errors%0a%3c %0a%3c # Make sure httpd is not also listening on port 443%0a%3c # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c # Make sure nsd is set up properly%0a%3c # Make sure znc is listening on port 1338%0a\ No newline at end of file%0a---%0a> ==== common errors ====%0a> %0a> Make sure httpd is not also listening on port 443%0a> Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a> Make sure nsd is set up properly%0a> Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
27
2023-01-22
jrmu
host:1597727479=38.81.163.143
28
2023-01-22
jrmu
author:1597226664=jrmu
29
2023-01-22
jrmu
diff:1597226664:1597226664:=1,82d0%0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a%3c ===== HOWTO =====%0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %3ccode>%0a%3c ext_addr="192.168.1.1"%0a%3c webhost="127.0.0.1"%0a%3c %0a%3c table %3cwww> { $webhost }%0a%3c table %3cbnc> { $webhost }%0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c %0a%3c # Various TCP options%0a%3c tcp { sack, backlog 128 }%0a%3c %0a%3c # tls { no tlsv1.0, ciphers HIGH } %0a%3c # tls no session tickets%0a%3c match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a%3c match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a%3c }%0a%3c %0a%3c relay wwwtls {%0a%3c # Run as a SSL/TLS accelerator%0a%3c listen on $ext_addr port 443 tls%0a%3c protocol https%0a%3c %0a%3c # Forward to hosts in the table%0a%3c forward to %3cbnc> port 1338 mode loadbalance check icmp%0a%3c forward to %3cwww> port 8080 mode loadbalance check icmp%0a%3c } %0a%3c %3c/code>%0a%3c %0a%3c You'll need corresponding TLS certs:%0a%3c %0a%3c %3ccode>%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a%3c %3c/code>%0a%3c %0a%3c **WARNING**: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c **WARNING**: Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a%3c If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a%3c %0a%3c Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a%3c %3ccode>%0a%3c # httpd -nf /etc/httpd.conf%0a%3c %3c/code>%0a%3c %0a%3c ===== Troubleshooting =====%0a%3c %0a%3c ==== relayd fails to start ====%0a%3c If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a%3c %3ccode>%0a%3c # relayd -n%0a%3c %3c/code>%0a%3c If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a%3c %0a%3c ==== relayd doesn't show verbose information ====%0a%3c According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a%3c %3ccode>%0a%3c log connection%0a%3c %3c/code>%0a%3c Then reload/restart your relayd. %0a%3c %0a%3c **WARNING**: This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c ==== common errors ====%0a%3c %0a%3c Make sure httpd is not also listening on port 443%0a%3c Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c Make sure nsd is set up properly%0a%3c Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
30
2023-01-22
jrmu
host:1597226664=38.81.163.143
IRCNow