Blame
Date:
Sun Jan 29 05:00:28 2023 UTC
Message:
Daily backup
001
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16
author=Naglfar
charset=UTF-8
csum=Fix: https forwarding port
ctime=1614249312
host=92.191.225.58
name=Relayd.Acceleration
rev=68
targets=Pf.Guide,Leafnode.Install,Tcpip.Sockets,Znc.Relayd,Openhttpd.Configure,Dns.Records,Host.Usage,Openhttpd.Hosting,Znc.Chroot,Telnet.Http,Netcat.Http,Acme-client.Configure,Ln.Intro,Ip.Myaddress,Openbsd.Ddos,Openbsd.Loginconf,Openbsd.Rcctl,Openssl.Http,Openbsd.Syslogd
text=(:title TLS Acceleration with relayd:)

[[https://bsd.plumbing/about.html|relayd]] can provide secure TLS acceleration.

Features:
# Load balancer
# Application layer gateway
# Transparent proxy
# SSL/TLS gateway

Pros:
# Simpler to configure than haproxy or stunnel
# Tight integration with OpenBSD's [[pf/guide|packet filter]]
# Secure

!! Introduction

Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption. It serves all its content as plaintext, exposing users' data to eavesdropping and forgery. When this happens, you can use relayd to provide TLS. This will encrypt connections and protect your users.

Another time relayd is useful is when we have two servers that both need to listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[znc/relayd|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port, 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).

!! Before You Begin

!!! Configure DNS

Before you begin, you will want to make sure [[dns/records|DNS records]] are configured properly. You will want to use [[host/usage|host]] to test if your hostnames are resolving properly:

[@
$ host service1.example.com
service1.example.com has address 192.168.1.1
service1.example.com has IPv6 address 2001:db8::
@]

!!! Check Server in Plaintext

Before using relayd, you must make sure your server can serve its content in plaintext. If the server doesn't respond to plaintext requests, relayd won't work, either.

# For webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]].
# For public bouncers, please see the [[znc/chroot|znc chroot guide]].

Afterward, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.

!!! httpd must NOT listen on port 443

'''WARNING''': If you are using relayd for TLS acceleration for openhttpd, make sure openhttpd does '''not''' have a listener on port 443. Look for blocks like the one below:

[@
server "example.com" {
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
@]

Notice the line @@listen on * tls port 443@@ and the @@tls {...}@@ block. If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for Android, iOS, and other devices!

In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 80.

!!! Request SSL Certs

You will need the SSL certs for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.

By default, [[https://man.openbsd.org/relayd|relayd]] searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/private/name:port.key@@ for the public/private keypair. If those are not present, it uses @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@.

If your public cert and private key have different names, you should update [[acme-client/configure|/etc/acme-client.conf]]. It's recommended to use @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@, where @@name@@ is replaced with your actual domain name.

'''Optional''': If you used the template from @@/etc/examples/acme-client.conf@@, your public cert ends in .fullchain.pem instead of .crt. In that case, you can create [[ln/intro|symbolic links]]:

[@
$ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt
@]

You will want to replace @@example.com@@ with your real domain. This will allow relayd to find your public cert. However, it is still highly recommended that you change [[acme-client/configure|acme-client.conf]] to create public certs that end with the extension @@.crt@@.

!! Edit relayd.conf

Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. Here is what we will put, one block at a time:

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection
@]

Replace @@192.168.1.1@@ and @@2001:db8::@@ with your [[ip/myaddress|real IPv4 and IPv6 address]]. Make sure the IPv4 is [[openbsd/ddos|DDoS-filtered]] if you have that option.

Replace @@service1@@ and @@service2@@ with the names of your real services, such as bnc, www, and mail.

Do '''NOT''' replace @@127.0.0.1@@. You want relayd to forward its requests to the web server listening on localhost.

[@
http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    tcp { sack, backlog 128 }
    tls { keypair service1.example.com }
    tls { keypair service2.example.com }
    match request header "Host" value "service1.example.com" forward to <service1>
    match request header "Host" value "service2.example.com" forward to <service2>
}
@]

Here we define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding them to [[openhttpd/hosting|openhttpd]].

We turn on selective acknowledgments and set the maximum queue to 128 connections in the tcp block.

We define the keypair names. Below is a table which shows the order in which relayd searches for them. Replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.

The last two @@match@@ lines of the protocol block forward to the proper service based on the Host HTTP header.

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service1.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||
|| 2 || /etc/ssl/service1.example.com.crt || /etc/ssl/private/service1.example.com.key ||

|| border=1 width=100% class="sortable simpletable"
||! Hostname: service2.example.com ||||||
||! Priority ||! Public Cert ||! Private Key ||
|| 1 || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||
|| 2 || /etc/ssl/service2.example.com.crt || /etc/ssl/private/service2.example.com.key ||

The next section in relayd.conf indicates what port relayd should listen on, and where to forward:

[@
relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
relay www6tls {
    listen on $ip6 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
@]

Replace @@service1@@ and @@service2@@ with the names of your real services.

We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 443 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.

!! Complete relayd.conf

Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:

Attach:relayd.conf

[@
ip4="192.168.1.1"
ip6="2001:db8::"
table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }
log connection

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    tcp { sack, backlog 128 }
    tls { keypair service1.example.com }
    tls { keypair service2.example.com }
    match request header "Host" value "service1.example.com" forward to <service1>
    match request header "Host" value "service2.example.com" forward to <service2>
}

relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
relay www6tls {
    listen on $ip6 port 443 tls
    protocol https
    forward to <service1> port 443 check icmp
    forward to <service2> port 443 check icmp
}
@]

!! Login class permissions

If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[openbsd/loginconf|/etc/login.conf]]:

[@
relayd:\
    :openfiles=4096:\
    :stacksize-cur=96M:\
    :stacksize-max=96M:\
    :tc=daemon:
@]

Make sure there is no @@login.conf.db@@ database, which would prevent the changes in [[openbsd/loginconf|login.conf]] from being applied:

[@
$ doas rm /etc/login.conf.db
@]

!! Starting relayd

To start relayd, use [[openbsd/rcctl|rcctl]]:

[@
$ doas rcctl enable relayd
$ doas rcctl start relayd
@]

'''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:

[@
$ doas pfctl -e
@]

To test relayd, use [[openssl/http|openssl]].

!!! Syslogd

The setting @@log connection@@ produces enormous logs which will quickly fill up @@/var/log/daemon@@. To avoid this, configure [[openbsd/syslogd|syslogd]] to send all relayd messages into its own file. To do that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].

In addition to splitting relayd logs into their own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for relayd.

!! Configuring syslog

All log messages from relayd should go to [@/var/log/relayd.log@]. To do this, insert these three lines starting at line 3 (at the top) into [@/etc/syslog.conf@]:

[@
!!relayd
*.* /var/log/relayd.log
!*
@]

This directs all logs from relayd to go straight to /var/log/relayd.log.

Next, create the file /var/log/relayd.log and restart syslogd:

[@
$ doas touch /var/log/relayd.log
$ doas rcctl restart syslogd
@]

!! Troubleshooting

If relayd fails to start, you will see this message:

[@
relayd(failed)
@]

First, check the conf file to see if there are any errors:

[@
$ doas relayd -n
@]

When properly configured, relayd will say @@configuration OK@@.

!!! Sample Errors

# @@/etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls@@\\
Check line NN. Your keypair may be missing, have the wrong permissions, or be named incorrectly.
# @@/etc/relayd.conf:NN: syntax error@@\\
Check line NN for syntax errors.

To turn on debugging, first stop any running instances of relayd, then run it in the foreground:

[@
$ doas rcctl stop relayd
$ doas relayd -dvv
@]

@@-d@@ is for debug and @@-v@@ is to increase verbosity.

!! Common Mistakes

# Make sure httpd is '''not''' also listening on port 443. Only one daemon can bind to the same [[tcpip/sockets|socket]] at any time.
# Make sure [[dns/records|DNS records]] are properly configured; test with [[host/usage|host]]
# Make sure znc is listening on port 1338; test with [[netcat/http|netcat]] or [[telnet/http|telnet]]
# Make sure [[pf/guide|packet filter]] is turned on
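The checks below are an added example written for this page; they are not part of the IRCNow wiki or of relayd. They script the preflight steps the page describes by hand: the "httpd must NOT listen on port 443" warning, the two-step keypair search order from the "Request SSL Certs" section (including the .fullchain.pem case that the symlink fixes), the "wrong permissions" cause listed under "Sample Errors", and the openssl test for SNI. All paths are parameters, so the functions are exercised here on constructed files; on a real host you would pass @@/etc/httpd.conf@@ and @@/etc/ssl@@. The function names (@@httpd_clean_of_443@@, @@find_keypair@@, @@key_mode_ok@@, @@sni_subject@@) are my own, and @@sni_subject@@ needs a live relayd, so the stand-alone demo does not call it.

```shell
#!/bin/sh
# Added example (not from the wiki page or from relayd): offline preflight checks
# for the relayd TLS-acceleration setup described above. Assumes an httpd.conf,
# an /etc/ssl-style directory with a private/ subdirectory, and the keypair
# search order the page gives (NAME:PORT first, then NAME). Paths are parameters.

# Check 1: does httpd.conf still carry a listener on port 443?
# Comments are stripped first so a commented-out "listen on * tls port 443" is not a hit.
# Returns 0 when clean, 1 (printing the offending lines) when a 443 listener remains.
httpd_clean_of_443() {
    if sed 's/#.*//' "$1" | grep -nE '^[[:space:]]*listen[[:space:]]+on[[:space:]].*[[:space:]]port[[:space:]]+443([[:space:]]|$)'; then
        echo "$1: remove the port 443 listener(s) above before starting relayd" >&2
        return 1
    fi
    return 0
}

# Check 2: which files would relayd load for "tls { keypair NAME }" on PORT?
# Follows the page's two-step search: NAME:PORT.crt/.key, then NAME.crt/.key.
# Prints "CERT KEY" and returns 0, or returns 1 when neither pair is complete.
find_keypair() {
    ssl_dir="$1"; name="$2"; port="$3"
    for base in "$name:$port" "$name"; do
        crt="$ssl_dir/$base.crt"; key="$ssl_dir/private/$base.key"
        if [ -r "$crt" ] && [ -r "$key" ]; then
            printf '%s %s\n' "$crt" "$key"
            return 0
        fi
    done
    echo "no keypair for ${name}: looked for $ssl_dir/${name}[:${port}].crt and $ssl_dir/private/${name}[:${port}].key" >&2
    # The acme-client example config writes NAME.fullchain.pem, which relayd never looks for.
    if [ -r "$ssl_dir/$name.fullchain.pem" ]; then
        echo "hint: $ssl_dir/$name.fullchain.pem exists; symlink it to $ssl_dir/$name.crt as the page shows" >&2
    fi
    return 1
}

# Check 3: the private key must not be readable by group or others.
# Parses ls -l rather than stat(1), whose flags differ between OpenBSD and Linux.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        return 0
    fi
    echo "$1: private key is group/world accessible (mode bits '$perms')" >&2
    return 1
}

# Check 4 (needs a running relayd; not exercised below): which certificate does the
# relay present for a given SNI name? Compares the returned subject with the name,
# so a relay that answers service2 with service1's cert is caught. IPv6 literals
# must be given in brackets for -connect.
sni_subject() {
    addr="$1"; name="$2"
    subject=$(openssl s_client -connect "$addr:443" -servername "$name" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null)
    echo "$name -> $subject"
    case "$subject" in *"$name"*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo on constructed files (no real /etc is touched).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ssl/private"
cat > "$demo_dir/httpd.conf" <<'EOF'
server "example.com" {
	listen on * port 80
	# listen on * tls port 443   <- commented out, so it must not count
}
EOF
printf 'cert\n' > "$demo_dir/ssl/service1.example.com.crt"
printf 'key\n'  > "$demo_dir/ssl/private/service1.example.com.key"
chmod 600 "$demo_dir/ssl/private/service1.example.com.key"

httpd_clean_of_443 "$demo_dir/httpd.conf" && echo "httpd.conf: no port 443 listener"
find_keypair "$demo_dir/ssl" service1.example.com 443
find_keypair "$demo_dir/ssl" service2.example.com 443 || echo "service2 keypair missing (expected in this demo)"
key_mode_ok "$demo_dir/ssl/private/service1.example.com.key" && echo "key permissions ok"
rm -rf "$demo_dir"
```

These checks complement, not replace, @@doas relayd -n@@: relayd's own parser remains the authority on whether the config loads. The point of scripting the search order is that the same "cannot load keypair" error covers three different causes (no file, a .fullchain.pem that was never linked to .crt, or a key relayd cannot read), and the script tells them apart before you start the daemon.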
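As an added example for the "Syslogd" and "Configuring syslog" sections (my code, not the wiki's), the script below performs the three-line insertion at line 3 of @@syslog.conf@@ that the page describes, but idempotently: a second run does not add a duplicate block, and a file shorter than three lines gets the block appended rather than silently skipped. The file path and log path are parameters so it can be exercised on a copy; the @@newsyslog.conf@@ line is my suggested rotation policy (daily, keep seven compressed copies, mode 640) in the field order of newsyslog.conf(5), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): route relayd's syslog output to its own
# file the way the "Configuring syslog" section does by hand, idempotently.
# Assumes the page's three-line program block inserted at line 3 of syslog.conf.
# File paths are parameters so this can be run on a copy instead of /etc.

# Insert the relayd block at line 3 of CONF unless it is already present.
# A CONF shorter than three lines gets the block appended instead.
route_relayd_logs() {
    conf="$1"; logfile="$2"
    if grep -q '^!!relayd$' "$conf"; then
        echo "$conf: relayd block already present" >&2
        return 0
    fi
    tmp=$(mktemp)
    awk -v dest="$logfile" '
        function block() { print "!!relayd"; print "*.*\t" dest; print "!*" }
        NR == 3 { block() }
        { print }
        END { if (NR < 3) block() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Line number the block starts on, for a quick eyeball check.
relayd_block_line() {
    grep -n '^!!relayd$' "$1" | cut -d: -f1
}

# newsyslog.conf entry for the new log: file mode count size when flags.
# "*" size means rotate on time only; 24 means every 24 hours; Z compresses.
newsyslog_entry() {
    printf '%s 640 7 * 24 Z\n' "$1"
}

# Stand-alone demo on a constructed syslog.conf copy.
demo_conf=$(mktemp)
printf '# constructed sample syslog.conf\n\n*.notice;auth,authpriv.none\t/var/log/messages\n' > "$demo_conf"
route_relayd_logs "$demo_conf" /var/log/relayd.log
route_relayd_logs "$demo_conf" /var/log/relayd.log   # second run is a no-op
echo "relayd block starts at line $(relayd_block_line "$demo_conf")"
cat "$demo_conf"
echo "newsyslog.conf entry: $(newsyslog_entry /var/log/relayd.log)"
rm -f "$demo_conf"
```

After running it against the real @@/etc/syslog.conf@@, the page's remaining steps still apply: create @@/var/log/relayd.log@@ and restart syslogd with rcctl. Keeping the block near the top matters because the trailing @@!*@@ resets the program filter; if the block were appended at the end, nothing below it would be affected, but relayd's messages would already have matched the general @@/var/log/daemon@@ rules above.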
time=1644301640
title=TLS Acceleration with relayd
author:1644301640=Naglfar
csum:1644301640=Fix: https forwarding port
diff:1644301640:1640690259:=142,143c142,143%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a148,149c148,149%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a155,156c155,156%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 443 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a> %0a185,186c185,186%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a191,192c191,192%0a%3c forward to %3cservice1> port 443 check icmp%0a%3c forward to %3cservice2> port 443 check icmp%0a---%0a> forward to %3cservice1> port 80 check icmp%0a> forward to %3cservice2> port 80 check icmp%0a
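Review bot: the forward lines in all five hunks move the backend port from 80 to 443 (the csum calls this "Fix: https forwarding port"), but the page's own text still says "we assume you are following the openhttpd hosting guide and listening on port 80" and warns that httpd must NOT listen on port 443. After this change each relay accepts TLS on 443 and forwards to 127.0.0.1 port 443, which is exactly the socket the page tells the reader httpd must not bind, so one of the two has to be reconciled: either the port 80 prose and the plaintext-check section are updated to describe a backend on 443, or the forward lines stay at port 80. Note also that `check icmp` only pings the table host and never touches the forwarded port, so a wrong port here is not caught by the health check.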
host:1644301640=92.191.225.58
author:1640690259=Naglfar
diff:1640690259:1640688494:=56,59d55%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a
host:1640690259=92.191.225.58
author:1640688494=Naglfar
csum:1640688494=Remove duplicate: Location for acme-challenge already is in Server block 1
diff:1640688494:1636212106:=55a56,59%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a
host:1640688494=92.191.225.58
author:1636212106=jrmu
diff:1636212106:1636212059:minor=
host:1636212106=38.87.162.47
author:1636212059=jrmu
diff:1636212059:1636038705:minor=41c41%0a%3c Afterward, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a---%0a> Afterward configuration, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a
host:1636212059=38.87.162.47
author:1636038705=jrmu
diff:1636038705:1636038179:=120,121c120,121%0a%3c We define the keypair names. Below is a table which shows the order in which relayd searches for them. Replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a%3c %0a---%0a> We define the keypair names. Below is a table which shows the order in which relayd searches for them. You will want to replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a> %0a153,154d152%0a%3c Replace @@service1@@ and @@service2@@ with the names of your real services.%0a%3c %0a160,161d157%0a%3c %0a%3c Attach:relayd.conf%0a
host:1636038705=38.87.162.47
author:1636038179=jrmu
diff:1636038179:1636035501:=76c76%0a%3c '''Optional''': If you used the template from @@/etc/examples/acme-client.conf@@, your public cert ends in .fullchain.pem instead of .crt. In that case, you can create [[ln/intro|symbolic links]]:%0a---%0a> '''Optional''': If your public cert ends in .fullchain.pem instead of .crt, you can create [[ln/intro|symbolic links]]:%0a
host:1636038179=38.87.162.47
author:1636035501=jrmu
diff:1636035501:1636035305:=287,289c287,290%0a%3c # Make sure [[dns/records|DNS records]] are properly configured; test with [[host/usage|host]]%0a%3c # Make sure znc is listening on port 1338; test with [[netcat/http|netcat]] or [[telnet/http|telnet]]%0a%3c # Make sure [[pf/guide|packet filter]] is turned on%0a---%0a> # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a> # Make sure nsd is set up properly%0a> # Make sure znc is listening on port 1338%0a> # Make sure packet filter is turned on%0a
host:1636035501=38.87.162.47
author:1636035305=jrmu
diff:1636035305:1636024894:=227,236c227,230%0a%3c !!! Syslogd%0a%3c %0a%3c The setting @@log connection@@ produces enormous logs which will quickly fill up @@/var/log/daemon@@. To avoid this, configure [[openbsd/syslogd|syslogd]] to send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c !! Configuring syslog%0a%3c %0a%3c All log messages from relayd should go to [@/var/log/relayd.log@]. To do this, insert these three lines starting at line 3 (at the top) into [@/etc/syslog.conf@]:%0a%3c %0a---%0a> !! Troubleshooting%0a> %0a> If relayd fails to start, you will see this message:%0a> %0a238,240c232%0a%3c !!relayd%0a%3c *.* /var/log/relayd.log%0a%3c !*%0a---%0a> relayd(failed)%0a243,246c235,236%0a%3c This directs all logs from relayd to go straight to /var/log/relayd.log.%0a%3c %0a%3c Next, create the file /var/log/relayd.log and restart syslogd:%0a%3c %0a---%0a> First, check the conf file to see if there are any errors:%0a> %0a248,249c238%0a%3c $ doas touch /var/log/relayd.log%0a%3c $ doas rcctl restart syslogd%0a---%0a> $ doas relayd -n%0a252,265d240%0a%3c !! Troubleshooting%0a%3c %0a%3c If relayd fails to start, you will see this message:%0a%3c %0a%3c [@%0a%3c relayd(failed)%0a%3c @]%0a%3c %0a%3c First, check the conf file to see if there are any errors:%0a%3c %0a%3c [@%0a%3c $ doas relayd -n%0a%3c @]%0a%3c %0a284c259,269%0a%3c !! Common Mistakes%0a---%0a> !!! %0a> %0a> [@%0a> log connection%0a> @]%0a> %0a> '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. 
To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a> %0a> In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a> %0a> !!! Common Mistakes%0a
host:1636035305=38.87.162.47
author:1636024894=jrmu
diff:1636024894:1635959543:=22,35c22,23%0a%3c !! Before You Begin%0a%3c %0a%3c !!! Configure DNS%0a%3c %0a%3c Before you begin, you will want to make sure [[dns/records|DNS records]] are configured properly. You will want to use [[host/usage|host]] to test if your hostnames are resolving properly:%0a%3c %0a%3c [@%0a%3c $ host service1.example.com%0a%3c service1.example.com has address 192.168.1.1%0a%3c service1.example.com has IPv6 address 2001:db8::%0a%3c @]%0a%3c %0a%3c !!! Check Server in Plaintext%0a%3c %0a---%0a> !! Check Server in Plaintext%0a> %0a43,44c31,32%0a%3c !!! httpd must NOT listen on port 443%0a%3c %0a---%0a> !! httpd must NOT listen on port 443%0a> %0a68,69c56,57%0a%3c !!! Request SSL Certs%0a%3c %0a---%0a> !! Request SSL Certs%0a> %0a96,101c84,85%0a%3c Replace @@192.168.1.1@@ and @@2001:db8::@@ with your [[ip/myaddress|real IPv4 and IPv6 address]]. Make sure the IPv4 is [[openbsd/ddos|DDoS-filtered]] if you have that option.%0a%3c %0a%3c Replace @@service1@@ and @@service2@@ with the names of your real services, such as bnc, www, and mail.%0a%3c %0a%3c Do '''NOT''' replace @@127.0.0.1@@. You want relayd to forward its requests to the web server listening on localhost.%0a%3c %0a---%0a> Replace ip4 and ip6 with the actual IPv4 and IPv6 address you want to listen on. Make sure the IPv4 is DDoS-filtered if you have that option.%0a> %0a109,110c93,94%0a%3c tls { keypair service1.example.com }%0a%3c tls { keypair service2.example.com }%0a---%0a> tls { keypair service1.example.com%0a> keypair service2.example.com }%0a120,123c104,105%0a%3c We define the keypair names. Below is a table which shows the order in which relayd searches for them. You will want to replace @@service1.example.com@@ and @@service2.example.com@@ with your real hostnames.%0a%3c %0a%3c The last two lines in relayd.conf forward to the proper service based on the Host HTTP header.%0a%3c %0a---%0a> We then define the keypair names. 
Here's where relayd searches for them:%0a> %0a125,137c107,113%0a%3c ||! Hostname: service1.example.com ||||||%0a%3c ||! Priority ||! Public Cert ||! Private Key ||%0a%3c || 1 || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a%3c || 2 || /etc/ssl/service1.example.com.crt || /etc/ssl/private/service1.example.com.key ||%0a%3c %0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Hostname: service2.example.com ||||||%0a%3c ||! Priority ||! Public Cert ||! Private Key ||%0a%3c || 1 || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a%3c || 2 || /etc/ssl/service2.example.com.crt || /etc/ssl/private/service2.example.com.key ||%0a%3c %0a%3c The next section in relayd.conf indicates what port relayd should listen on, and where to forward:%0a%3c %0a---%0a> ||! Name ||! Public Cert ||! Private Key ||%0a> || name || /etc/ssl/name:443.crt || /etc/ssl/private/name:443.key ||%0a> || service1.example.com || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a> || service2.example.com || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a> %0a> The last two lines forward to the proper service based on the Host HTTP header.%0a> %0a153,154c129,130%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). 
Both check ICMP to see if the service is available.%0a> %0a172,173c148,149%0a%3c tls { keypair service1.example.com }%0a%3c tls { keypair service2.example.com }%0a---%0a> tls { keypair service1.example.com%0a> keypair service2.example.com }%0a177d152%0a%3c %0a194,195c169,170%0a%3c If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[openbsd/loginconf|/etc/login.conf]]:%0a%3c %0a---%0a> If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a> %0a204,205c179,180%0a%3c Make sure there is no @@login.conf.db@@ database, which would prevent the changes in [[openbsd/loginconf|login.conf]] from being applied:%0a%3c %0a---%0a> Then we must make sure there is no @@login.conf.db@@ database:%0a> %0a212,213d186%0a%3c To start relayd, use [[openbsd/rcctl|rcctl]]:%0a%3c %0a225,230c198,199%0a%3c To test relayd, use [[openssl/http|openssl]].%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c If relayd fails to start, you will see this message:%0a%3c %0a---%0a> To test relayd, we'll use [[openssl/http|openssl]]:%0a> %0a232c201%0a%3c relayd(failed)%0a---%0a> %0a235,236c204,207%0a%3c First, check the conf file to see if there are any errors:%0a%3c %0a---%0a> !! Troubleshooting%0a> %0a> If relayd fails to start, you will see this message:%0a> %0a238c209%0a%3c $ doas relayd -n%0a---%0a> relayd(failed)%0a240a212,217%0a> First, we check the conf file to see if there are any errors:%0a> %0a> [@%0a> $ doas relayd -n%0a> @]%0a> %0a243,245c220,222%0a%3c !!! 
Sample Errors%0a%3c %0a%3c # @@/etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls@@\\%0a---%0a> Sample errors:%0a> %0a> # /etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls\\%0a247c224%0a%3c # @@/etc/relayd.conf:NN: syntax error@@%0a---%0a> # /etc/relayd.conf:NN: syntax error%0a250,251c227,228%0a%3c To turn on debugging, first stop any running instances of relayd, then run it in the foreground:%0a%3c %0a---%0a> To turn on debugging, first stop any running instances of relayd then run it in the foreground:%0a> %0a257,258c234,235%0a%3c @@-d@@ is for debug and @@-v@@ is to increase verbosity.%0a%3c %0a---%0a> -d is for debug and -v is to increase verbosity.%0a> %0a269,271c246,248%0a%3c !!! Common Mistakes%0a%3c %0a%3c # Make sure httpd is '''not''' also listening on port 443. Only one daemon can bind to the same [[tcpip/sockets|socket]] at any time.%0a---%0a> !!! common errors%0a> %0a> # Make sure httpd is not also listening on port 443%0a
host:1636024894=38.87.162.47
author:1635959543=jrmu
diff:1635959543:1628324627:=18,21c18,21%0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption. It serves all its content as plaintext, exposing users' data to eavesdropping and forgery. When this happens, you can use relayd to provide TLS. This will encrypt connections and protect your users.%0a%3c %0a%3c Another time relayd is useful is when we have two servers that both need to listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[znc/relayd|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port, 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a%3c %0a---%0a> Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption by default. It serves all its content as plaintext, exposing users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a> %0a> Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. It is not possible, however, to have two servers bind to the same socket. 
To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a> %0a26,32c26,28%0a%3c # For webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]].%0a%3c # For public bouncers, please see the [[znc/chroot|znc chroot guide]].%0a%3c %0a%3c Afterward configuration, you will want to test the setup using the [[telnet/http|telnet]] or [[netcat/http|netcat]] troubleshooting guides. openhttpd usually listens on port 80, and on IRCNow, the convention is to use port 1338 for znc's web server.%0a%3c %0a%3c !! httpd must NOT listen on port 443%0a%3c %0a---%0a> # For providing webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]]. Afterwards, test the setup using the [[telnet/http|telnet troubleshooting guide]].%0a> # For providing public bouncers, please see the [[znc/chroot|znc chroot guide]]. Afterwards, test the setup using the [[openbsd/netcat|netcat troubleshooting guide]].%0a> %0a58,65c54,57%0a%3c You will need the SSL certs for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c By default, [[https://man.openbsd.org/relayd|relayd]] searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/private/name:port.key@@ for the public/private keypair. If those are not present, it uses @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@.%0a%3c %0a%3c If your public cert and private key have different names, you should update [[acme-client/configure|/etc/acme-client.conf]]. It's recommended to use @@/etc/ssl/name.crt@@ and @@/etc/ssl/private/name.key@@, where @@name@@ is replaced with your actual domain name.%0a%3c %0a%3c '''Optional''': If your public cert ends in .fullchain.pem instead of .crt, you can create [[ln/intro|symbolic links]]:%0a%3c %0a---%0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. 
Request them using [[acme-client/configure|acme-client]] if you have not already.%0a> %0a> By default, relayd searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/name:port.key@@ for the public/private keypair. So, we will create symlinks:%0a> %0a67c59,60%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a---%0a> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a69,70d61%0a%3c %0a%3c You will want to replace @@example.com@@ with your real domain. This will allow relayd to detect your public key. However, it is still highly recommended that you change [[acme-client/configure|acme-client.conf]] to create public keys that end with the extension @@.crt@@.%0a
host:1635959543=38.87.162.47
author:1628324627=jrmu
diff:1628324627:1628324504:=87a88%0a> match request header "Host" value "*" forward to %3cwww>%0a142a144%0a> match request header "Host" value "*" forward to %3cservice2>%0a148a151%0a> forward to %3cwww> port 80 check icmp%0a154a158%0a> forward to %3cwww> port 80 check icmp%0a
host:1628324627=38.87.162.8
author:1628324504=jrmu
diff:1628324504:1623735705:=88d87%0a%3c match request header "Host" value "*" forward to %3cwww>%0a144d142%0a%3c match request header "Host" value "*" forward to %3cservice2>%0a151d148%0a%3c forward to %3cwww> port 80 check icmp%0a158d154%0a%3c forward to %3cwww> port 80 check icmp%0a
host:1628324504=38.87.162.8
author:1623735705=jrmu
diff:1623735705:1615027455:=50,51c50,51%0a%3c In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 80.%0a%3c %0a---%0a> In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 8001.%0a> %0a109,110c109,110%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a115,116c115,116%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a120,121c120,121%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 80 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a---%0a> We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 8001 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a> %0a147,148c147,148%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a153,154c153,154%0a%3c forward to %3cservice1> port 80 check icmp%0a%3c forward to %3cservice2> port 80 check icmp%0a---%0a> forward to %3cservice1> port 8001 check icmp%0a> forward to %3cservice2> port 8001 check icmp%0a243c243%0a%3c # Make sure packet filter is turned on%0a---%0a> # Make sure packet filter is turned on%0a\ No newline at end of file%0a
host:1623735705=125.231.25.80
author:1615027455=jrmu
diff:1615027455:1615027423:=170c170%0a%3c Then we must make sure there is no @@login.conf.db@@ database:%0a---%0a> Then:%0a
host:1615027455=198.251.81.119
author:1615027423=jrmu
diff:1615027423:1614608648:=156,173d155%0a%3c @]%0a%3c %0a%3c !! Login class permissions%0a%3c %0a%3c If you have a large number of TLS certs, you will need to increase the maximum number of files that relayd can open. Add this to the bottom of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a%3c %0a%3c [@%0a%3c relayd:\%0a%3c :openfiles=4096:\%0a%3c :stacksize-cur=96M:\%0a%3c :stacksize-max=96M:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c Then:%0a%3c %0a%3c [@%0a%3c $ doas rm /etc/login.conf.db%0a
host:1615027423=198.251.81.119
author:1614608648=jrmu
diff:1614608648:1614449510:=70,71c70,71%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a---%0a> table %3cservice1> { localhost }%0a> table %3cservice2> { localhost }%0a129,130c129,130%0a%3c table %3cservice1> { 127.0.0.1 }%0a%3c table %3cservice2> { 127.0.0.1 }%0a---%0a> table %3cservice1> { localhost }%0a> table %3cservice2> { localhost }%0a
host:1614608648=198.251.81.119
author:1614449510=jrmu
diff:1614449510:1614449226:=171,176c171,172%0a%3c To test relayd, we'll use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c %0a%3c @]%0a%3c %0a---%0a> To test relayd:%0a> %0a195,201c191,196%0a%3c # /etc/relayd.conf:NN: cannot load keypair example.com for relay wwwtls\\%0a%3c Check line NN. Your keypair may be missing, have the wrong permissions, or are not labeled correctly.%0a%3c # /etc/relayd.conf:NN: syntax error%0a%3c Check line NN for syntax errors.%0a%3c %0a%3c To turn on debugging, first stop any running instances of relayd then run it in the foreground:%0a%3c %0a---%0a> # /etc/relayd.conf:30: cannot load keypair example.com for relay wwwtls\\%0a> Check line 30. Either your keypair is not specified correctly, or your SSL public and private keys are not labeled correctly.%0a> # /etc/relayd.conf:21: syntax error%0a> Check%0a> %0a> %0a203d197%0a%3c $ doas rcctl stop relayd%0a209,210d202%0a%3c !!! %0a%3c %0a212c204%0a%3c log connection%0a---%0a> /etc/relayd.conf:30: cannot load keypair jrmu.coconut.ircnow.org for relay wwwtls%0a213a206,215%0a> %0a> %0a> !!! relayd doesn't show verbose information%0a> According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a> %0a> [@%0a> log connection%0a> @]%0a> %0a> Then reload/restart your relayd. %0a
host:1614449510=198.251.81.119
author:1614449226=jrmu
diff:1614449226:1614449018:=103,104d102%0a%3c The last two lines forward to the proper service based on the Host HTTP header.%0a%3c %0a120,125d117%0a%3c We create two relays, one for IPv4 and another for IPv6. Both of them listen on port 443 using TLS. They handle use the protocol template for https and forward to the proper service on port 8001 (see the above [[openhttpd/hosting|openhttpd hosting guide]]). Both check ICMP to see if the service is available.%0a%3c %0a%3c !! Complete relayd.conf%0a%3c %0a%3c Here is the entire [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]] without commentary:%0a%3c %0a170,171d161%0a%3c %0a%3c To test relayd:%0a
host:1614449226=198.251.81.119
author:1614449018=jrmu
diff:1614449018:1614448903:=
host:1614449018=198.251.81.119
author:1614448903=jrmu
diff:1614448903:1614448882:=99c99%0a%3c || name || /etc/ssl/name:443.crt || /etc/ssl/private/name:443.key ||%0a---%0a> || name || /etc/ssl/name:port.crt || /etc/ssl/private/name:port.key ||%0a
host:1614448903=198.251.81.119
author:1614448882=jrmu
diff:1614448882:1614448807:=99d98%0a%3c || name || /etc/ssl/name:port.crt || /etc/ssl/private/name:port.key ||%0a
host:1614448882=198.251.81.119
author:1614448807=jrmu
diff:1614448807:1614448703:=97,98c97%0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Name ||! Public Cert ||! Private Key ||%0a---%0a> || Name || Public Cert || Private Key ||%0a
host:1614448807=198.251.81.119
author:1614448703=jrmu
diff:1614448703:1614448096:=90,99d89%0a%3c %0a%3c Here we define how to handle the http protocol. We add X-Forwarded-For, X-Forwarded-By, and Connection headers to HTTP requests before forwarding it to [[openhttpd/hosting|openhttpd]].%0a%3c %0a%3c We turn on selective acknowledgments and set the maximum queue to 128 connections in the tcp block.%0a%3c %0a%3c We then define the keypair names. Here's where relayd searches for them:%0a%3c %0a%3c || Name || Public Cert || Private Key ||%0a%3c || service1.example.com || /etc/ssl/service1.example.com:443.crt || /etc/ssl/private/service1.example.com:443.key ||%0a%3c || service2.example.com || /etc/ssl/service2.example.com:443.crt || /etc/ssl/private/service2.example.com:443.key ||%0a
host:1614448703=198.251.81.119
author:1614448096=jrmu
diff:1614448096:1614447000:=65,66c65,66%0a%3c Let's create [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]. Here is what we will put, one block at a time:%0a%3c %0a---%0a> First copy the template for [[https://man.openbsd.org/relayd.conf|relayd.conf]] from /etc/examples/:%0a> %0a67a68,73%0a> $ doas cp /etc/examples/relayd.conf /etc/relayd.conf%0a> @]%0a> %0a> Next, edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a> %0a> [@%0a73,77c79%0a%3c @]%0a%3c %0a%3c Replace ip4 and ip6 with the actual IPv4 and IPv6 address you want to listen on. Make sure the IPv4 is DDoS-filtered if you have that option.%0a%3c %0a%3c [@%0a---%0a> %0a89,91d90%0a%3c @]%0a%3c %0a%3c [@%0a105a105,106%0a> !! Starting relayd%0a> %0a107,135c108,109%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c table %3cservice1> { localhost }%0a%3c table %3cservice2> { localhost }%0a%3c log connection%0a%3c %0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c tcp { sack, backlog 128 }%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a%3c }%0a%3c relay wwwtls {%0a%3c listen on $ip4 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a---%0a> $ doas rcctl enable relayd%0a> $ doas rcctl start relayd%0a138,139c112,113%0a%3c !! Starting relayd%0a%3c %0a---%0a> '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a> %0a141,142c115%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a---%0a> $ doas pfctl -e%0a145,150d117%0a%3c '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -e%0a%3c @]%0a%3c %0a159c126%0a%3c First, we check the conf file to see if there are any errors:%0a---%0a> First, let's check the conf file to see if there are any errors:%0a
host:1614448096=198.251.81.119
author:1614447000=jrmu
diff:1614447000:1614446907:=115a116,123%0a> @]%0a> %0a> If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a> %0a> Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a> %0a> [@%0a> # httpd -nf /etc/httpd.conf%0a
host:1614447000=198.251.81.119
author:1614446907=jrmu
diff:1614446907:1614446562:=112,116c112,113%0a%3c '''WARNING''': Make sure that [[pf/guide|packet filter]] is enabled! relayd will not run if pf is disabled. You can enable it by typing:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -e%0a%3c @]%0a---%0a> %0a> '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a
host:1614446907=198.251.81.119
author:1614446562=jrmu
diff:1614446562:1614445897:=20,21c20,21%0a%3c Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. It is not possible, however, to have two servers bind to the same socket. To share the same socket, it is necessary to use relayd with TLS Server Name Indication (SNI).%0a%3c %0a---%0a> Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a> %0a90a91%0a> %0a91a93%0a> # Run as a SSL/TLS accelerator%0a92a95%0a> listen on $ip6 port 443 tls%0a94,95c97,100%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a---%0a> %0a> # Forward to hosts in the table%0a> forward to %3cbnc> port 1338 check icmp%0a> forward to %3cwww> port 8080 check icmp%0a97,102d101%0a%3c relay www6tls {%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c forward to %3cservice1> port 8001 check icmp%0a%3c forward to %3cservice2> port 8001 check icmp%0a%3c }%0a105,106d103%0a%3c !! Starting relayd%0a%3c %0a110a108,114%0a> %0a> %0a> %0a> %0a> Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a> %0a> %0a
host:1614446562=198.251.81.119
author:1614445897=jrmu
diff:1614445897:1614445794:=101c101%0a%3c }%0a---%0a> } %0a
host:1614445897=198.251.81.119
author:1614445794=jrmu
diff:1614445794:1614445697:=
host:1614445794=198.251.81.119
author:1614445697=jrmu
diff:1614445697:1614445376:=76,79c76,79%0a%3c table %3cservice1> { localhost }%0a%3c table %3cservice2> { localhost }%0a%3c log connection%0a%3c %0a---%0a> webhost="127.0.0.1"%0a> %0a> table %3cwww> { $webhost }%0a> table %3cbnc> { $webhost }%0a84a85,86%0a> %0a> # Various TCP options%0a86,89c88,92%0a%3c tls { keypair service1.example.com%0a%3c keypair service2.example.com }%0a%3c match request header "Host" value "service1.example.com" forward to %3cservice1>%0a%3c match request header "Host" value "service2.example.com" forward to %3cservice2>%0a---%0a> %0a> # tls { no tlsv1.0, ciphers HIGH } %0a> # tls no session tickets%0a> match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a> match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a
host:1614445697=198.251.81.119
author:1614445376=jrmu
diff:1614445376:1614445288:=
host:1614445376=198.251.81.119
author:1614445288=jrmu
diff:1614445288:1614445004:=50,60c50,77%0a%3c In the configuration below, we assume you are following the [[openhttpd/hosting|openhttpd hosting guide]] and listening on port 8001.%0a%3c %0a%3c !! Request SSL Certs%0a%3c %0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c By default, relayd searches @@/etc/ssl/name:port.crt@@ and @@/etc/ssl/name:port.key@@ for the public/private keypair. So, we will create symlinks:%0a%3c %0a%3c [@%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a%3c $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a---%0a> If a listener on port 443 is present, you will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a> %0a> [@%0a> server "example.com" {%0a> listen on * port 8001%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a> @]%0a> %0a> Restart the [[openhttpd/configure|web server]], then [[telnet/http|test using telnet]] to verify it works:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> $ telnet localhost 80%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a> ...%0a> @]%0a> %0a> !! Request SSL Certs%0a> %0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a
host:1614445288=198.251.81.119
author:1614445004=jrmu
diff:1614445004:1614444783:=26,27c26,27%0a%3c # For providing webhosting, please see the [[openhttpd/hosting|openhttpd hosting guide]]. Afterwards, test the setup using the [[telnet/http|telnet troubleshooting guide]].%0a%3c # For providing public bouncers, please see the [[znc/chroot|znc chroot guide]]. Afterwards, test the setup using the [[openbsd/netcat|netcat troubleshooting guide]].%0a---%0a> # For [[openhttpd/configure|openhttpd]], see the [[telnet/http|telnet troubleshooting guide]].%0a> # For [[znc/chroot|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a
host:1614445004=198.251.81.119
author:1614444783=jrmu
diff:1614444783:1614444573:=
host:1614444783=198.251.81.119
author:1614444573=jrmu
diff:1614444573:1614335932:=27c27%0a%3c # For [[znc/chroot|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a---%0a> # For [[znc/install|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a
host:1614444573=198.251.81.119
author:1614335932=jrmu
diff:1614335932:1614320244:=123,124c123,124%0a%3c forward to %3cbnc> port 1338 check icmp%0a%3c forward to %3cwww> port 8080 check icmp%0a---%0a> forward to %3cbnc> port 1338 mode loadbalance check icmp%0a> forward to %3cwww> port 8080 mode loadbalance check icmp%0a
host:1614335932=198.251.81.119
author:1614320244=jrmu
diff:1614320244:1614320034:=80,81c80%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt%0a%3c $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key%0a---%0a> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a
host:1614320244=198.251.81.119
author:1614320034=jrmu
diff:1614320034:1614319293:=79,82d78%0a%3c [@%0a%3c $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com.crt%0a%3c @]%0a%3c %0a152,153c148,150%0a%3c If relayd fails to start, you will see this message:%0a%3c %0a---%0a> !!! relayd fails to start%0a> If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a> %0a155c152%0a%3c relayd(failed)%0a---%0a> # relayd -n%0a158,183c155,159%0a%3c First, let's check the conf file to see if there are any errors:%0a%3c %0a%3c [@%0a%3c $ doas relayd -n%0a%3c @]%0a%3c %0a%3c When properly configured, relayd will say @@configuration OK@@.%0a%3c %0a%3c Sample errors:%0a%3c %0a%3c # /etc/relayd.conf:30: cannot load keypair example.com for relay wwwtls\\%0a%3c Check line 30. Either your keypair is not specified correctly, or your SSL public and private keys are not labeled correctly.%0a%3c # /etc/relayd.conf:21: syntax error%0a%3c Check%0a%3c %0a%3c %0a%3c [@%0a%3c $ doas relayd -dvv%0a%3c @]%0a%3c %0a%3c -d is for debug and -v is to increase verbosity.%0a%3c %0a%3c [@%0a%3c /etc/relayd.conf:30: cannot load keypair jrmu.coconut.ircnow.org for relay wwwtls%0a%3c @]%0a%3c %0a---%0a> If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a> %0a> !!! relayd doesn't show verbose information%0a> According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a> %0a
host:1614320034=198.251.81.119
author:1614319293=jrmu
diff:1614319293:1614316768:=121a122%0a> %0a
host:1614319293=198.251.81.119
author:1614316768=jrmu
diff:1614316768:1614316688:=
host:1614316768=198.251.81.119
author:1614316688=jrmu
diff:1614316688:1614316568:=81,82c81,82%0a%3c First copy the template for [[https://man.openbsd.org/relayd.conf|relayd.conf]] from /etc/examples/:%0a%3c %0a---%0a> First copy the template relayd.conf from /etc/examples/:%0a> %0a87c87%0a%3c Next, edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a---%0a> Edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a
host:1614316688=198.251.81.119
author:1614316568=jrmu
diff:1614316568:1614316415:=81,87c81,82%0a%3c First copy the template relayd.conf from /etc/examples/:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/relayd.conf /etc/relayd.conf%0a%3c @]%0a%3c %0a%3c Edit [[https://man.openbsd.org/relayd.conf|/etc/relayd.conf]]:%0a---%0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a
host:1614316568=198.251.81.119
author:1614316415=jrmu
diff:1614316415:1614316336:=72d71%0a%3c ...%0a
host:1614316415=198.251.81.119
author:1614316336=jrmu
diff:1614316336:1614316097:=48,50c48,50%0a%3c Notice the line @@listen on * tls port 443@@ and the @@tls {...}@@ block. If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a%3c %0a%3c If a listener on port 443 is present, you will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a> %0a> You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a
host:1614316336=198.251.81.119
author:1614316097=jrmu
diff:1614316097:1614316056:=
host:1614316097=198.251.81.119
author:1614316056=jrmu
diff:1614316056:1614315997:=20c20%0a%3c Another time we will need relayd is when we have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve HTTPS content on the same IP address and on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a---%0a> Another time you will need relayd is when you have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve the same HTTPS content on the same IP address on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a
host:1614316056=198.251.81.119
author:1614315997=jrmu
diff:1614315997:1614255886:=18c18%0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] lacks TLS encryption by default. It serves all its content as plaintext, exposing users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a---%0a> Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] by default lack TLS encryption. It serves all its content as plaintext, exposing all your users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a
host:1614315997=198.251.81.119
author:1614255886=jrmu
diff:1614255886:1614255766:=80,81d79%0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a82a81,89%0a> $ doas rcctl enable relayd%0a> $ doas rcctl start relayd%0a> @]%0a> %0a> %0a> %0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a> [@%0a115,123d121%0a%3c %0a%3c %0a%3c [@%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a%3c @]%0a%3c %0a%3c %0a%3c %0a
host:1614255886=198.251.81.119
author:1614255766=jrmu
diff:1614255766:1614254767:=78,79c78,79%0a%3c !! Edit relayd.conf%0a%3c %0a---%0a> Next, you'll want to create [[ln/intro|symbolic links]] for each of the TLS certs:%0a> %0a81,82c81,86%0a%3c $ doas rcctl enable relayd%0a%3c $ doas rcctl start relayd%0a---%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a> # rcctl enable relayd%0a> # rcctl start relayd%0a
host:1614255766=198.251.81.119
author:1614254767=jrmu
diff:1614254767:1614254582:=78c78%0a%3c Next, you'll want to create [[ln/intro|symbolic links]] for each of the TLS certs:%0a---%0a> Next, you'll want to create symbolic links for each of the TLS certs:%0a
host:1614254767=198.251.81.119
author:1614254582=jrmu
diff:1614254582:1614254535:=76,78c76,78%0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]] if you have not already.%0a%3c %0a%3c Next, you'll want to create symbolic links for each of the TLS certs:%0a---%0a> Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]].%0a> %0a> You'll need corresponding TLS certs:%0a
host:1614254582=198.251.81.119
author:1614254535=jrmu
diff:1614254535:1614254472:=48c48%0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will fail to forward for android, iOS, and other devices!%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail to forward for android, iOS, and other devices!%0a
host:1614254535=198.251.81.119
author:1614254472=jrmu
diff:1614254472:1614254052:=
host:1614254472=198.251.81.119
author:1614254052=jrmu
diff:1614254052:1614253988:=75,76d74%0a%3c %0a%3c Make sure you have the SSL certs you need for the domains you want to provide TLS acceleration for. Request them using [[acme-client/configure|acme-client]].%0a
host:1614254052=198.251.81.119
author:1614253988=jrmu
diff:1614253988:1614253603:=65,66c65,66%0a%3c Restart the [[openhttpd/configure|web server]], then [[telnet/http|test using telnet]] to verify it works:%0a%3c %0a---%0a> Restart the web server, then test using telnet to verify it works:%0a> %0a69,71c69%0a%3c $ telnet localhost 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a
host:1614253988=198.251.81.119
author:1614253603=jrmu
diff:1614253603:1614253340:=48,70c48,51%0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail to forward for android, iOS, and other devices!%0a%3c %0a%3c You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443. We will change it to listen on port 8001 without TLS and remove the tls block:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 8001%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Restart the web server, then test using telnet to verify it works:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c $%0a%3c @]%0a---%0a> If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail for android, iOS, and other devices!%0a> %0a> You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443.%0a> %0a
host:1614253603=198.251.81.119
author:1614253340=jrmu
diff:1614253340:1614251591:=29,51c29%0a%3c '''WARNING''': If you are using relayd for TLS acceleration for openhttpd, make sure openhttpd does '''not''' have a listener on port 443. Look for blocks like the ones below:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c If httpd is listening on port 443 while relayd is running, the reverse proxy will erratically fail for android, iOS, and other devices!%0a%3c %0a%3c You will need to modify the server blocks above so that they listen in plaintext on some other port instead of using TLS on port 443.%0a%3c %0a---%0a> '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a
host:1614253340=198.251.81.119
author:1614251591=jrmu
diff:1614251591:1614251365:=22,30d21%0a%3c !! Check Server in Plaintext%0a%3c %0a%3c Before using relayd, you must make sure your server can serve its content in plaintext. If the server doesn't respond to plaintext requests, relayd won't work, either.%0a%3c %0a%3c # For [[openhttpd/configure|openhttpd]], see the [[telnet/http|telnet troubleshooting guide]].%0a%3c # For [[znc/install|znc]], see the [[openbsd/netcat|netcat troubleshooting guide]].%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a33,34c24,25%0a%3c You'll need corresponding TLS certs:%0a%3c %0a---%0a> You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a> %0a36,48d26%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a%3c @]%0a%3c %0a%3c %0a%3c %0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. 
Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a%3c [@%0a85c63,74%0a%3c %0a---%0a> You'll need corresponding TLS certs:%0a> %0a> [@%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a> # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a> # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a> # rcctl enable relayd%0a> # rcctl start relayd%0a> @]%0a> %0a> '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a
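Review bot: the cert symlink names are inconsistent: the IPv4 links carry the port (`/etc/ssl/192.168.1.1:443.crt`) while the IPv6 links do not (`/etc/ssl/2001:db8::.crt`). Per relayd.conf(5) relayd tries `address:port.crt` first and falls back to `address.crt`, so both resolve, but use one form for both addresses so the reader does not conclude the port suffix is optional only for IPv6. Moving the `ln -s` / `rcctl enable relayd` / `rcctl start relayd` block above the "You need to edit /etc/relayd.conf" section also has the reader start relayd before its config exists; keep the `rcctl` lines after the config section.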
192
2023-01-22
jrmu
host:1614251591=198.251.81.119
193
2023-01-22
jrmu
author:1614251365=jrmu
194
2023-01-22
jrmu
diff:1614251365:1614251214:=22,23c22,25%0a%3c !! Request SSL Certs%0a%3c %0a---%0a> Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a> %0a> !! Howto%0a> %0a59,61d60%0a%3c %0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a
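Review bot: the moved paragraph pairs hostnames and ports in opposite orders: it names `www.ircnow.org and bnc.ircnow.org` and then `(1338 and 8080)`, which reads as www on 1338 and bnc on 8080, while the relayd.conf in the initial revision forwards `<bnc>` to port 1338 and `<www>` to port 8080. Spell the mapping out per host (bnc.ircnow.org on 1338, www.ircnow.org on 8080) so the reader sets the right listener for each backend. The new `!! Request SSL Certs` heading is also added with nothing cert-related under it; give it at least a pointer to how the certificates named in the `ln -s` block are obtained.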
195
2023-01-22
jrmu
host:1614251365=198.251.81.119
196
2023-01-22
jrmu
author:1614251214=jrmu
197
2023-01-22
jrmu
diff:1614251214:1614250956:=20c20%0a%3c Another time you will need relayd is when you have two servers that need to both listen on the same [[tcpip/sockets|socket]] (the same IP address and port). For example, the [[openbsd/znc|znc web panel]] and [[openhttpd/configure|openhttpd]] both normally serve the same HTTPS content on the same IP address on the same port 443. In order to have two servers share the same socket, it is necessary to use relayd.%0a---%0a> There is also%0a
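Review bot: "both normally serve the same HTTPS content" says the opposite of what the paragraph means; the two services serve different content but want the same socket, so write "serve different HTTPS content on the same IP address and port". It also helps to name the mechanism here: the relayd.conf in the initial revision routes after TLS termination on the HTTP `Host` header (`match request header "Host" value "bnc.ircnow.org" forward to <bnc>`), so the reader knows the split is per hostname, not per port.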
198
2023-01-22
jrmu
host:1614251214=198.251.81.119
199
2023-01-22
jrmu
author:1614250956=jrmu
200
2023-01-22
jrmu
diff:1614250956:1614250536:=
201
2023-01-22
jrmu
host:1614250956=198.251.81.119
202
2023-01-22
jrmu
author:1614250536=jrmu
203
2023-01-22
jrmu
diff:1614250536:1614250330:=17,20d16%0a%3c %0a%3c Sometimes a server does not provide TLS encryption by default. For example, [[leafnode/install|leafnode]] by default lack TLS encryption. It serves all its content as plaintext, exposing all your users' data to eavesdropping. To protect your users, you can use TLS acceleration using relayd.%0a%3c %0a%3c There is also%0a
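Review bot: "leafnode by default lack TLS encryption" should read "lacks", and the hunk leaves the fragment "There is also" at the end of the introduction with nothing following it; either finish the sentence or drop it until the second use case is written.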
204
2023-01-22
jrmu
host:1614250536=198.251.81.119
205
2023-01-22
jrmu
author:1614250330=jrmu
206
2023-01-22
jrmu
diff:1614250330:1614250113:=4a5,8%0a> Pros:%0a> # Much simpler than haproxy or stunnel%0a> # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a> %0a10,14d13%0a%3c %0a%3c Pros:%0a%3c # Simpler to configure than haproxy or stunnel%0a%3c # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a%3c # Secure%0a
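Review bot: the added Pros item `# Secure` asserts nothing checkable; say what the claim rests on, or drop it. "Simpler to configure than haproxy or stunnel" is the model to follow, since it names a concrete, comparable property.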
207
2023-01-22
jrmu
host:1614250330=198.251.81.119
208
2023-01-22
jrmu
author:1614250113=jrmu
209
2023-01-22
jrmu
diff:1614250113:1614250076:=14,15d13%0a%3c %0a%3c !! Introduction%0a
210
2023-01-22
jrmu
host:1614250113=198.251.81.119
211
2023-01-22
jrmu
author:1614250076=jrmu
212
2023-01-22
jrmu
diff:1614250076:1614249408:=3,13d2%0a%3c [[https://bsd.plumbing/about.html|relayd]] can provide secure TLS acceleration.%0a%3c %0a%3c Pros:%0a%3c # Much simpler than haproxy or stunnel%0a%3c # Tight integration with OpenBSD's [[pf/guide|packet filter]]%0a%3c %0a%3c Features:%0a%3c # Load balancer%0a%3c # Application layer gateway%0a%3c # Transparent proxy%0a%3c # SSL/TLS gateway%0a
213
2023-01-22
jrmu
host:1614250076=198.251.81.119
214
2023-01-22
jrmu
author:1614249408=jrmu
215
2023-01-22
jrmu
diff:1614249408:1614249312:=1,3d0%0a%3c (:title TLS Acceleration with relayd:)%0a%3c %0a%3c %0a
216
2023-01-22
jrmu
host:1614249408=198.251.81.119
217
2023-01-22
jrmu
author:1614249312=jrmu
218
2023-01-22
jrmu
diff:1614249312:1614249312:=1,94d0%0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a%3c !! Howto%0a%3c %0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %0a%3c [@%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a%3c webhost="127.0.0.1"%0a%3c %0a%3c table %3cwww> { $webhost }%0a%3c table %3cbnc> { $webhost }%0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c %0a%3c # Various TCP options%0a%3c tcp { sack, backlog 128 }%0a%3c %0a%3c # tls { no tlsv1.0, ciphers HIGH } %0a%3c # tls no session tickets%0a%3c match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a%3c match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a%3c }%0a%3c %0a%3c relay wwwtls {%0a%3c # Run as a SSL/TLS accelerator%0a%3c listen on $ip4 port 443 tls%0a%3c listen on $ip6 port 443 tls%0a%3c protocol https%0a%3c %0a%3c # Forward to hosts in the table%0a%3c forward to %3cbnc> port 1338 mode loadbalance check icmp%0a%3c forward to %3cwww> port 8080 mode loadbalance check icmp%0a%3c } %0a%3c @]%0a%3c %0a%3c You'll need corresponding TLS certs:%0a%3c %0a%3c [@%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start 
relayd%0a%3c @]%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a%3c If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a%3c %0a%3c Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a%3c %0a%3c [@%0a%3c # httpd -nf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c !!! relayd fails to start%0a%3c If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a%3c %0a%3c [@%0a%3c # relayd -n%0a%3c @]%0a%3c %0a%3c If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a%3c %0a%3c !!! relayd doesn't show verbose information%0a%3c According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a%3c %0a%3c [@%0a%3c log connection%0a%3c @]%0a%3c %0a%3c Then reload/restart your relayd. %0a%3c %0a%3c '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. 
To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c !!! common errors%0a%3c %0a%3c # Make sure httpd is not also listening on port 443%0a%3c # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c # Make sure nsd is set up properly%0a%3c # Make sure znc is listening on port 1338%0a%3c # Make sure packet filter is turned on%0a\ No newline at end of file%0a
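Review bot: the httpd advice contradicts the relayd.conf above it: `table <www> { $webhost }` with `webhost="127.0.0.1"` makes relayd connect to 127.0.0.1:8080, but the text tells the reader to set httpd to `listen on 192.168.1.1 port 8080`, where relayd will never reach it. Use `listen on 127.0.0.1 port 8080` (and likewise znc on 127.0.0.1:1338); keeping the plaintext backends on loopback also stops clients from reaching them directly and supplying their own `X-Forwarded-For`, which the `match request header append` rules otherwise let relayd vouch for. Separately, `check icmp` against 127.0.0.1 always succeeds, so it never marks a dead backend down; `check tcp` would at least confirm the port is open before relayd forwards to it.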
219
2023-01-22
jrmu
host:1614249312=198.251.81.119