Blame


1 aa513bf8 2023-01-22 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 aa513bf8 2023-01-22 jrmu agent=w3m/0.5.3+git20210102
3 aa513bf8 2023-01-22 jrmu author=jrmu
4 aa513bf8 2023-01-22 jrmu charset=UTF-8
5 aa513bf8 2023-01-22 jrmu csum=
6 aa513bf8 2023-01-22 jrmu ctime=1597226664
7 aa513bf8 2023-01-22 jrmu host=38.87.162.8
8 aa513bf8 2023-01-22 jrmu name=Openbsd.Relayd
9 aa513bf8 2023-01-22 jrmu rev=6
10 aa513bf8 2023-01-22 jrmu targets=
11 aa513bf8 2023-01-22 jrmu text=(:redirect Relayd.Acceleration:)%0aSuppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%0a!! Howto%0a%0aYou need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%0a[@%0aip4="192.168.1.1"%0aip6="2001:db8::"%0awebhost="127.0.0.1"%0a%0atable %3cwww> { $webhost }%0atable %3cbnc> { $webhost }%0ahttp protocol https {%0a match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a match request header append "X-Forwarded-By" \%0a value "$SERVER_ADDR:$SERVER_PORT"%0a match request header set "Connection" value "close"%0a%0a # Various TCP options%0a tcp { sack, backlog 128 }%0a%0a# tls { no tlsv1.0, ciphers HIGH } %0a# tls no session tickets%0a match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a}%0a%0arelay wwwtls {%0a # Run as an SSL/TLS accelerator%0a listen on $ip4 port 443 tls%0a listen on $ip6 port 443 tls%0a protocol https%0a%0a # Forward to hosts in the table%0a forward to %3cbnc> port 1338 mode loadbalance check icmp%0a forward to %3cwww> port 8080 mode loadbalance check icmp%0a} %0a@]%0a%0aYou'll need corresponding TLS certs:%0a%0a[@%0a# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a# rcctl enable relayd%0a# rcctl start relayd%0a@]%0a%0a'''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for Android and iOS devices!%0a%0a'''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%0aIf your httpd is listening on port 443 with TLS, adjust it to another port and without TLS. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''.%0a%0aMake sure to also reload/restart your httpd once you have made adjustments. You can alternatively check to ensure your config file does not contain errors prior to reloading/restarting. To do that, run:%0a%0a[@%0a# httpd -nf /etc/httpd.conf%0a@]%0a%0a!! Troubleshooting%0a%0a!!! relayd fails to start%0aIf for whatever reason you fail to start relayd, you can troubleshoot it by making it perform a config test:%0a%0a[@%0a# relayd -n%0a@]%0a%0aIf it does not show ''configuration OK'', it will typically indicate which line(s) contain the error(s).%0a%0a!!! relayd doesn't show verbose information%0aAccording to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add the following clause towards the top of your ''/etc/relayd.conf'':%0a%0a[@%0alog connection%0a@]%0a%0aThen reload/restart your relayd.%0a%0a'''WARNING''': This may produce verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into their own file. For that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%0aIn addition to splitting relayd logs into their own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for relayd.%0a%0a!!! Common errors%0a%0a# Make sure httpd is not also listening on port 443%0a# Make sure both www.ircnow.org and bnc.ircnow.org have real DNS records%0a# Make sure nsd is set up properly%0a# Make sure znc is listening on port 1338%0a# Make sure packet filter is turned on%0a
12 aa513bf8 2023-01-22 jrmu time=1626101113
13 aa513bf8 2023-01-22 jrmu author:1626101113=jrmu
14 aa513bf8 2023-01-22 jrmu diff:1626101113:1608386567:=1d0%0a%3c (:redirect Relayd.Acceleration:)%0a95c94%0a%3c # Make sure packet filter is turned on%0a---%0a> # Make sure packet filter is turned on%0a\ No newline at end of file%0a
15 aa513bf8 2023-01-22 jrmu host:1626101113=38.87.162.8
16 aa513bf8 2023-01-22 jrmu author:1608386567=jrmu
17 aa513bf8 2023-01-22 jrmu diff:1608386567:1608364202:=45d44%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt%0a47d45%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key%0a
18 aa513bf8 2023-01-22 jrmu host:1608386567=125.231.58.78
19 aa513bf8 2023-01-22 jrmu author:1608364202=jrmu
20 aa513bf8 2023-01-22 jrmu diff:1608364202:1600267682:=8,9c8%0a%3c ip4="192.168.1.1"%0a%3c ip6="2001:db8::"%0a---%0a> ext_addr="192.168.1.1"%0a31,32c30%0a%3c listen on $ip4 port 443 tls%0a%3c listen on $ip6 port 443 tls%0a---%0a> listen on $ext_addr port 443 tls%0a
21 aa513bf8 2023-01-22 jrmu host:1608364202=198.251.81.119
22 aa513bf8 2023-01-22 jrmu author:1600267682=jrmu
23 aa513bf8 2023-01-22 jrmu diff:1600267682:1597727479:=89,90c89%0a%3c # Make sure znc is listening on port 1338%0a%3c # Make sure packet filter is turned on%0a\ No newline at end of file%0a---%0a> # Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
24 aa513bf8 2023-01-22 jrmu host:1600267682=38.81.163.143
25 aa513bf8 2023-01-22 jrmu author:1597727479=jrmu
26 aa513bf8 2023-01-22 jrmu diff:1597727479:1597226664:=3,4c3%0a%3c !! Howto%0a%3c %0a---%0a> ===== HOWTO =====%0a6,7c5%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a37,38c35,36%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a41c39%0a%3c [@%0a---%0a> %3ccode>%0a46,51c44,49%0a%3c @]%0a%3c %0a%3c '''WARNING''': Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c '''WARNING''': Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a---%0a> %3c/code>%0a> %0a> **WARNING**: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a> %0a> **WARNING**: Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a> %0a55,56c53%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a58,62c55,59%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c !!! relayd fails to start%0a---%0a> %3c/code>%0a> %0a> ===== Troubleshooting =====%0a> %0a> ==== relayd fails to start ====%0a64,65c61%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a67,68c63%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a71c66%0a%3c !!! relayd doesn't show verbose information%0a---%0a> ==== relayd doesn't show verbose information ====%0a73,74c68%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a76,77c70%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a80,81c73,74%0a%3c '''WARNING''': This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a---%0a> **WARNING**: This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a> %0a84,89c77,82%0a%3c !!! common errors%0a%3c %0a%3c # Make sure httpd is not also listening on port 443%0a%3c # Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c # Make sure nsd is set up properly%0a%3c # Make sure znc is listening on port 1338%0a\ No newline at end of file%0a---%0a> ==== common errors ====%0a> %0a> Make sure httpd is not also listening on port 443%0a> Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a> Make sure nsd is set up properly%0a> Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
27 aa513bf8 2023-01-22 jrmu host:1597727479=38.81.163.143
28 aa513bf8 2023-01-22 jrmu author:1597226664=jrmu
29 aa513bf8 2023-01-22 jrmu diff:1597226664:1597226664:=1,82d0%0a%3c Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).%0a%3c %0a%3c ===== HOWTO =====%0a%3c You need to edit ''/etc/relayd.conf'' with the following contents. Alternatively, you can copy a sample config file from ''/etc/examples/relayd.conf'' and adjust it to your needs.%0a%3c %3ccode>%0a%3c ext_addr="192.168.1.1"%0a%3c webhost="127.0.0.1"%0a%3c %0a%3c table %3cwww> { $webhost }%0a%3c table %3cbnc> { $webhost }%0a%3c http protocol https {%0a%3c match request header append "X-Forwarded-For" value "$REMOTE_ADDR"%0a%3c match request header append "X-Forwarded-By" \%0a%3c value "$SERVER_ADDR:$SERVER_PORT"%0a%3c match request header set "Connection" value "close"%0a%3c %0a%3c # Various TCP options%0a%3c tcp { sack, backlog 128 }%0a%3c %0a%3c # tls { no tlsv1.0, ciphers HIGH } %0a%3c # tls no session tickets%0a%3c match request header "Host" value "bnc.ircnow.org" forward to %3cbnc>%0a%3c match request header "Host" value "www.ircnow.org" forward to %3cwww>%0a%3c }%0a%3c %0a%3c relay wwwtls {%0a%3c # Run as a SSL/TLS accelerator%0a%3c listen on $ext_addr port 443 tls%0a%3c protocol https%0a%3c %0a%3c # Forward to hosts in the table%0a%3c forward to %3cbnc> port 1338 mode loadbalance check icmp%0a%3c forward to %3cwww> port 8080 mode loadbalance check icmp%0a%3c } %0a%3c %3c/code>%0a%3c %0a%3c You'll need corresponding TLS certs:%0a%3c %0a%3c %3ccode>%0a%3c # ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt%0a%3c # ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key%0a%3c # rcctl enable relayd%0a%3c # rcctl start relayd%0a%3c %3c/code>%0a%3c %0a%3c **WARNING**: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!%0a%3c %0a%3c **WARNING**: Make sure that packet filter is enabled! relayd will not run if pf is disabled.%0a%3c %0a%3c If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''%3cwww>'' is to be redirected to port 8080, you should have it set to something like ''listen on 192.168.1.1 port 8080'' instead, in your ''/etc/httpd.conf''. %0a%3c %0a%3c Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,%0a%3c %3ccode>%0a%3c # httpd -nf /etc/httpd.conf%0a%3c %3c/code>%0a%3c %0a%3c ===== Troubleshooting =====%0a%3c %0a%3c ==== relayd fails to start ====%0a%3c If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:%0a%3c %3ccode>%0a%3c # relayd -n%0a%3c %3c/code>%0a%3c If it does not show ''configuration OK'', it will typically indicate which line(s) containing error(s).%0a%3c %0a%3c ==== relayd doesn't show verbose information ====%0a%3c According to [[https://man.openbsd.org/relayd.conf.5|man 5 relayd.conf]], you can add in the following close towards the top of your ''/etc/relayd.conf'',%0a%3c %3ccode>%0a%3c log connection%0a%3c %3c/code>%0a%3c Then reload/restart your relayd. %0a%3c %0a%3c **WARNING**: This may produce a verbose output which can dramatically increase the size of your ''/var/log/daemon'', especially on busy networks. To avoid this, simply have your ''syslogd'' send all relayd messages into its own file. To that, see [[http://openbsd-archive.7691.n7.nabble.com/relayd-log-file-td76656.html|here]].%0a%3c %0a%3c In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/etc/newsyslog.conf'' to handle log rotation for your relayd.%0a%3c %0a%3c ==== common errors ====%0a%3c %0a%3c Make sure httpd is not also listening on port 443%0a%3c Make sure both www.ircnow.org and bnc.ircnow.org have real dns records%0a%3c Make sure nsd is set up properly%0a%3c Make sure znc is listening on port 1338%0a\ No newline at end of file%0a
30 aa513bf8 2023-01-22 jrmu host:1597226664=38.81.163.143
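The howto stored in the text= field above ties three things together that are easy to get out of sync: the `Host`-header match rules in the protocol, the `forward to <table> port N` lines in the relay, and the port httpd is left listening on. The following static checker is an added example for that page, not code from the wiki or from relayd itself; it is a hypothetical script that parses only the subset of relayd.conf(5) and httpd.conf(5) syntax the page uses (macros, tables, Host rules, listen and forward lines), resolves each hostname to its backend port, and flags the "common errors" that can be seen from the files alone. The relayd.conf it reads is the page's own config embedded as a constructed string; the two httpd.conf fragments are constructed, one matching the page's corrected `listen on 192.168.1.1 port 8080` and one still holding port 443. Runtime items from the checklist (pf enabled, `relayd -n`, DNS records, znc listening) are deliberately out of scope.

```python
"""Static consistency check for a relayd reverse-proxy config (hypothetical).

Added example for the relayd howto above; not part of relayd or the wiki.
Handles only the syntax subset that howto uses.
"""
import re

# Constructed input: the relayd.conf from the howto above.
RELAYD_CONF = """
ip4="192.168.1.1"
ip6="2001:db8::"
webhost="127.0.0.1"

table <www> { $webhost }
table <bnc> { $webhost }
http protocol https {
 match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
 match request header append "X-Forwarded-By" \\
 value "$SERVER_ADDR:$SERVER_PORT"
 match request header set "Connection" value "close"
 # Various TCP options
 tcp { sack, backlog 128 }
 match request header "Host" value "bnc.ircnow.org" forward to <bnc>
 match request header "Host" value "www.ircnow.org" forward to <www>
}

relay wwwtls {
 listen on $ip4 port 443 tls
 listen on $ip6 port 443 tls
 protocol https
 forward to <bnc> port 1338 mode loadbalance check icmp
 forward to <www> port 8080 mode loadbalance check icmp
}
"""

# Constructed httpd.conf fragments: the page's corrected listen line, and a
# hypothetical wrong one that still terminates TLS on port 443 itself.
HTTPD_OK = 'server "www.ircnow.org" {\n listen on 192.168.1.1 port 8080\n}\n'
HTTPD_BAD = 'server "www.ircnow.org" {\n listen on 192.168.1.1 tls port 443\n}\n'

VAR_RE = re.compile(r'^(\w+)="([^"]*)"$')
TABLE_RE = re.compile(r'^table <(\w+)> \{(.*)\}$')
HOST_RE = re.compile(r'match request header "Host" value "([^"]+)" forward to <(\w+)>')
LISTEN_RE = re.compile(r'^listen on (\S+) port (\d+)( tls)?$')
FORWARD_RE = re.compile(r'^forward to <(\w+)> port (\d+)')
HTTPD_LISTEN_RE = re.compile(r'listen on (\S+)( tls)? port (\d+)')


def expand(value, variables):
    """Substitute $name macros; unknown names are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_relayd(text):
    """Collect macros, tables, Host rules, relay listeners and forwards."""
    cfg = {"variables": {}, "tables": {}, "host_rules": {}, "listens": [], "forwards": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; no '#' inside quoted values here
        if not line:
            continue
        if m := VAR_RE.match(line):
            cfg["variables"][m.group(1)] = m.group(2)
        elif m := TABLE_RE.match(line):
            cfg["tables"][m.group(1)] = [expand(h, cfg["variables"]) for h in m.group(2).split()]
        elif m := HOST_RE.search(line):
            cfg["host_rules"][m.group(1)] = m.group(2)
        elif m := LISTEN_RE.match(line):
            cfg["listens"].append((expand(m.group(1), cfg["variables"]), int(m.group(2)), bool(m.group(3))))
        elif m := FORWARD_RE.match(line):
            cfg["forwards"][m.group(1)] = int(m.group(2))
    return cfg


def httpd_sockets(text):
    """(address, port) pairs httpd would bind, from its listen lines."""
    return {(m.group(1), int(m.group(3))) for m in HTTPD_LISTEN_RE.finditer(text)}


def check_config(relayd_text, httpd_text):
    """Return (routes, problems): routes maps hostname -> (table, backend port)."""
    cfg = parse_relayd(relayd_text)
    routes, problems = {}, []
    for host, table in cfg["host_rules"].items():
        if table not in cfg["tables"]:
            problems.append(f"Host {host} forwards to undefined table <{table}>")
        elif table not in cfg["forwards"]:
            problems.append(f"relay has no 'forward to <{table}> port N' line for Host {host}")
        else:
            routes[host] = (table, cfg["forwards"][table])
    relay_sockets = {(addr, port) for addr, port, _ in cfg["listens"]}
    for addr, port in sorted(httpd_sockets(httpd_text) & relay_sockets):
        problems.append(f"httpd also listens on {addr} port {port}; move it off the relay's port")
    if not any(tls for _, _, tls in cfg["listens"]):
        problems.append("no 'listen ... tls' line: relay is not terminating TLS")
    return routes, problems


if __name__ == "__main__":
    for label, httpd in (("corrected httpd.conf", HTTPD_OK), ("httpd still on 443", HTTPD_BAD)):
        routes, problems = check_config(RELAYD_CONF, httpd)
        print(label, routes, problems or "no problems found")
```

Run it as-is and the page's config resolves bnc.ircnow.org to port 1338 and www.ircnow.org to port 8080 with no findings; the second pass, with httpd still bound to 192.168.1.1:443, reports the port collision the page's first WARNING describes. Deleting one of the `forward to` lines reproduces the other static failure: the Host rule still matches but no backend port exists for its table.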