NAME
relayd.conf
—
relay daemon configuration
file
DESCRIPTION
relayd.conf
is the configuration file for
the relay daemon,
relayd(8).
SECTIONS
relayd.conf
is divided into seven main
sections:
- Macros
- User-defined variables may be defined and used later, simplifying the configuration file.
- Global Configuration
- Global settings for relayd(8). Do note that the config file allows global settings to be added after defining tables in the config file, but those tables will use the built-in defaults instead of the global settings below them.
- Tables
- Table definitions describe a list of hosts, in a similar fashion to pf(4) tables. They are used for relay, redirection, and router target selection with the described options and health checking on the host they contain.
- Redirections
- Redirections are translated to pf(4) rdr-to rules for stateful forwarding to a target host from a health-checked table on layer 3.
- Relays
- Relays allow application layer load balancing, SSL acceleration, and general purpose TCP proxying on layer 7.
- Protocols
- Protocols are predefined protocol handlers and settings for relays.
- Routers
- Routers are used to insert routes with health-checked gateways for (WAN) link balancing.
Within the sections, a host address can be specified by IPv4 address, IPv6 address, interface name, interface group, or DNS hostname. If the address is an interface name, relayd(8) will look up the first IPv4 address and any other IPv4 and IPv6 addresses of the specified network interface. A port can be specified by number or name. The port name to number mappings are found in the file /etc/services; see services(5) for details.
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, or underscore must be quoted.
Additional configuration files can be included with the
include
keyword, for example:
include "/etc/relayd.conf.local"
MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore, and may contain
any of those characters. Macro names may not be reserved words (for example,
table
, relay
, or
timeout
). Macros are not expanded inside quotes.
For example:
www1="10.0.0.1" www2="10.0.0.2" table <webhosts> { $www1 $www2 }
GLOBAL CONFIGURATION
Here are the settings that can be set globally:
interval
number- Set the interval in seconds at which the hosts will be checked. The default interval is 10 seconds.
log
(updates
|all
)- Log state notifications after completed host checks. Either only log the
updates
to new states or logall
state notifications, even if the state didn't change. The host state can be up (the health check completed successfully), down (the host is down or didn't match the check criteria), or unknown (the host is disabled or has not been checked yet). prefork
number- When using relays, run the specified number of processes to handle relayed connections. This increases the performance and prevents delays when connecting to a relay. relayd(8) runs 5 relay processes by default and every process will handle all configured relays.
send trap
- Send an SNMP trap when the state of a host changes. relayd(8) will try to connect to snmpd(8) and request it send a trap to the registered trap receivers; see snmpd.conf(5) for more information about the configuration.
timeout
number- Set the global timeout in milliseconds for checks. This can be overridden by the timeout value in the table definitions. The default interval is 200 milliseconds and it must not exceed the global interval. Please note that the default value is optimized for checks within the same collision domain – use a higher timeout, such as 1000 milliseconds, for checks of hosts in other subnets. If this option is to be set, it should be placed before overrides in tables.
TABLES
Tables are used to group a set of hosts as the target for redirections or relays; they will be mapped to a pf(4) table for redirections. Tables may be defined with the following attribute:
disable
- Start the table disabled – no hosts will be checked in this table. The table can be later enabled through relayctl(8).
Each table must contain at least one host address; multiple hosts are separated by newline, comma, or whitespace. Host entries may be defined with the following attributes:
ip ttl
number- Change the default time-to-live value in the IP headers for host checks.
parent
number- The optional parent option inherits the state from a parent host with the
specified identifier. The check will be skipped for this host and copied
from the parent host. This can be used to prevent multiple checks on hosts
with multiple IP addresses for the same service. The host identifiers are
sequentially assigned to the configured hosts starting with 1; it can be
shown with the
relayctl(8)
show summary
commands. priority
number- Change the route priority used when adding a route. If not specified, the kernel will set a priority of 8 (RTP_STATIC). In ordinary use, a fallback route should be added statically with a very high (e.g. 52) priority. Unused in all other modes.
retry
number- The optional retry option adds a tolerance for failed host checks; the check will be retried for number more times before setting the host state to down. If this table is used by a relay, it will also specify the number of retries for outgoing connection attempts.
For example:
table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 } table <fallback> disable { 10.1.5.1 retry 2 } redirect "www" { listen on www.example.com port 80 forward to <service> check http "/" code 200 forward to <fallback> check http "/" code 200 }
Tables are used by forward to
directives
in redirections or relays with a set of general options, health-checking
rules, and timings; see the
REDIRECTIONS and
RELAYS sections for more information about
the forward context. Table specific configuration directives are described
below. Multiple options can be appended to forward
to
directives, separated by whitespaces.
The following options will configure the health-checking method for the table, and is mandatory for redirections:
check http
path [host
hostname]code
number- For each host in the table, verify that retrieving the URL
path gives the HTTP return code
number. If hostname is
specified, it is used as the “Host:” header to query a
specific hostname at the target host. To validate the HTTP return code,
use this shell command:
$ echo -n "HEAD <path> HTTP/1.0\r\n\r\n" | \ nc <host> <port> | head -n1
This prints the status header including the actual return code:
HTTP/1.1 200 OK
check https
path [host
hostname]code
number- This has the same effect as above but wraps the HTTP request in SSL.
check http
path [host
hostname]digest
string- For each host in the table, verify that retrieving the URL
path produces non-binary content whose message
digest matches the defined string. The algorithm used is determined by the
string length of the digest argument, either SHA1
(40 characters) or MD5 (32 characters). If hostname
is specified, it is used as the “Host:” header to query a
specific hostname at the target host. The digest does not take the HTTP
headers into account. Do not specify a binary object (such as a graphic)
as the target of the request, as
relayd.conf
expects the data returned to be a string. To compute the digest, use this simple command:$ ftp -o - http://host[:port]/path | sha1
This gives a digest that can be used as-is in a digest statement:
a9993e36476816aba3e25717850c26c9cd0d89d
check https
path [host
hostname]digest
string- This has the same effect as above but wraps the HTTP request in SSL.
check icmp
- Ping hosts in this table to determine whether they are up or not. This method will automatically use ICMP or ICMPV6 depending on the address family of each host.
check script
path- Execute an external program to check the host state. The program will be
executed for each host by specifying the hostname on the command line:
/usr/local/bin/checkload.pl front-www1.private.example.com
relayd(8) expects a positive return value on success and zero on failure. Note that the script will be executed with the privileges of the "_relayd" user and terminated after timeout milliseconds.
check send
dataexpect
pattern [ssl
]- For each host in the table, a TCP connection is established on the port
specified, then data is sent. Incoming data is then
read and is expected to match against pattern using
shell globbing rules. If data is an empty string or
nothing
then nothing is sent on the connection and data is immediately read. This can be useful with protocols that output a banner like SMTP, NNTP, and FTP. If thessl
keyword is present, the transaction will occur in an SSL tunnel. check ssl
- Perform a complete SSL handshake with each host to check their availability.
check tcp
- Use a simple TCP connect to check that hosts are up.
The following general table options are available:
demote
group- Enable the per-table
carp(4) demotion option. This will increment the carp demotion
counter for the specified interface group if all hosts in the table are
down. For more information on interface groups, see the
group
keyword in ifconfig(8). interval
number- Override the global interval and specify one for this table. It must be a multiple of the global interval.
timeout
number- Set the timeout in milliseconds for each host that is checked using TCP as the transport. This will override the global timeout, which is 200 milliseconds by default.
The following options will set the scheduling algorithm to select a host from the specified table:
mode hash
- Balances the outgoing connections across the active hosts based on the hashed name of the relay, the hashed name of the table, and the IP address and port of the relay. Additional input can be fed into the hash by looking at HTTP headers and GET variables; see the PROTOCOLS section below. This mode is only supported by relays.
mode least-states
- Forward each outgoing connection to the active host with the least active pf(4) states. This mode is only supported by redirections.
mode loadbalance
- Balances the outgoing connections across the active hosts based on the hashed name of the relay, the hashed name of the table, the source IP address of the client, and the IP address and port of the relay. This mode is only supported by relays.
mode random
- Distributes the outgoing connections randomly through all active hosts. This mode is only supported by relays.
mode roundrobin
- Distributes the outgoing connections using a round-robin scheduler through all active hosts. This is the default mode and will be used if no option has been specified. This mode is supported by redirections and relays.
mode source-hash
- Balances the outgoing connections across the active hosts based on the hashed name of the redirection or relay, the hashed name of the table, and the source IP address of the client. This mode is only supported by relays.
REDIRECTIONS
Redirections represent a
pf(4)
rdr-to rule. They are used for stateful redirections to the hosts in the
specified tables. pf(4) rewrites the target IP addresses and ports of the
incoming connections, operating on layer 3. The configuration directives
that are valid in the redirect
context are described
below:
disable
- The redirection is initially disabled. It can be later enabled through relayctl(8).
forward to
⟨table⟩ [port
number] options ...- Specify the tables of target hosts to be used; see the
TABLES section above for information
about table options. If the
port
option is not specified, the first port from thelisten on
directive will be used. This directive can be specified twice – the second entry will be used as the backup table if all hosts in the main table are down. At least one entry for the main table is mandatory. listen on
address [ip-proto]port
port [interface
name]- Specify an address and a port to listen on. pf(4) will redirect incoming connections for the specified target to the hosts in the main or backup table. The port argument can optionally specify a port range instead of a single port; the format is min-port:max-port. The optional argument ip-proto can be used to specify an IP protocol like tcp or udp; it defaults to tcp. The rule can be optionally restricted to a given interface name.
route to
⟨table⟩ [port
number] options ...- Like the
forward to
directive, but directly routes the packets to the target host without modifying the target address using a pf(4) route-to rule. This can be used for “direct server return” to force the target host to respond via a different gateway. Note that hosts have to accept sessions for the same address as the gateway, which is typically done by configuring a loopback interface on the host with this address. session timeout
seconds- Specify the inactivity timeout in seconds for established redirections. The default timeout is 600 seconds (10 minutes). The maximum is 2147483647 seconds (68 years).
sticky-address
- This has the same effect as specifying sticky-address for an rdr-to rule in pf.conf(5). It will ensure that multiple connections from the same source are mapped to the same redirection address.
- [
match
]tag
name - Automatically tag packets passing through the
pf(4) rdr-to rule with the name supplied. This allows simpler
filter rules. The optional
match
keyword will change the default rule action from pass in quick to match in to allow further evaluation in the pf ruleset using the tagged name rule option.
RELAYS
Relays will forward traffic between a client and a target server. In contrast to redirections and IP forwarding in the network stack, a relay will accept incoming connections from remote clients as a server, open an outgoing connection to a target host, and forward any traffic between the target host and the remote client, operating on layer 7. A relay is also called an application layer gateway or layer 7 proxy.
The main purpose of a relay is to provide advanced load balancing functionality based on specified protocol characteristics, such as HTTP headers, to provide SSL acceleration and to allow basic handling of the underlying application protocol.
The relay
configuration directives are
described below:
disable
- Start the relay but immediately close any accepted connections.
- [
transparent
]forward
[with ssl
]to
address [port
port] options ... - Specify the address and port of the target host to connect to. If the
port
option is not specified, the port from thelisten on
directive will be used. Use thetransparent
keyword to enable fully-transparent mode; the source address of the client will be retained in this case.The
with ssl
directive enables client-side SSL mode to connect to the remote host. Verification of server certificates can be enabled by setting theca file
option in the protocol section.The following options may be specified for forward directives:
retry
number- The optional host
retry
option will be used as a tolerance for failed host connections; the connection will be retried for number more times. inet
- If the requested destination is an IPv6 address, relayd(8) will forward the connection to an IPv4 address which is determined by the last 4 octets of the original IPv6 destination. For example, if the original IPv6 destination address is 2001:db8:7395:ffff::a01:101, the session is relayed to the IPv4 address 10.1.1.1 (a01:101).
inet6
address-prefix- If the requested destination is an IPv4 address, relayd(8) will forward the connection to an IPv6 address which is determined by setting the last 4 octets of the specified IPv6 address-prefix to the 4 octets of the original IPv4 destination. For example, if the original IPv4 destination address is 10.1.1.1 and the specified address prefix is 2001:db8:7395:ffff::, the session is relayed to the IPv6 address 2001:db8:7395:ffff::a01:101.
forward to
⟨table⟩ [port
port] options ...- Like the previous directive, but connect to a host from the specified table; see the TABLES section above for information about table options. This directive can be specified multiple times – subsequent entries will be used as the backup table if all hosts in the previous table are down. At least one entry for the main table is mandatory.
forward to
destination
options ...- When redirecting connections with a divert-to rule in
pf.conf(5) to a relay listening on localhost, this directive will
look up the real destination address of the intended target host, allowing
the relay to be run as a transparent proxy. If an additional
forward to
directive to a specified address or table is present, it will be used as a backup if the lookup failed. forward to
nat lookup
options ...- Like the previous directive, but for redirections with rdr-to in pf.conf(5).
listen on
address [port
port] [ssl
]- Specify the address and port for the relay to listen on. The relay will
accept incoming connections to the specified address. If the
port
option is not specified, the port from thelisten on
directive will be used.If the
ssl
keyword is present, the relay will accept connections using the encrypted SSL protocol. The relay will attempt to look up a private key in /etc/ssl/private/address:port.key and a public certificate in /etc/ssl/address:port.crt, where address is the specified IP address and port is the specified port that the relay listens on. If these files are not present, the relay will continue to look in /etc/ssl/private/address.key and /etc/ssl/address.crt. See ssl(8) for details about SSL server certificates. protocol
name- Use the specified protocol definition for the relay. The generic TCP protocol options will be used by default; see the PROTOCOLS section below.
session timeout
seconds- Specify the inactivity timeout in seconds for accepted sessions. The default timeout is 600 seconds (10 minutes). The maximum is 2147483647 seconds (68 years).
SSL RELAYS
In addition to plain TCP,
relayd(8) supports the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) cryptographic protocols for authenticated and encrypted
relays. TLS is the successor of the original SSL protocol but the term SSL
can refer to either of the protocols in relayd.conf
.
relayd(8) can operate as an SSL client or server to offer a variety
of options for different use cases related to SSL.
SSL client
- When configuring the relay
forward
statements with thewith ssl
directive, relayd(8) will enable client-side SSL to connect to the remote host. This is commonly used for SSL tunneling and transparent encapsulation of plain TCP connections. See theforward to
description in the RELAYS section for more details. SSL server
- When specifying the
ssl
keyword in the relaylisten
statements, relayd(8) will accept connections from clients as an SSL server. This mode is also known as “SSL acceleration”. See thelisten on
description in the RELAYS section for more details. SSL client and server
- When combining both modes, SSL server and client,
relayd(8) can filter SSL connections as a man-in-the-middle. This
combined mode is also called “SSL inspection”. The
configuration requires additional X.509 certificate settings; see the
ca key
description in the PROTOCOLS section for more details.
When configured for “SSL inspection” mode, relayd(8) will listen for incoming connections which have been diverted to the local socket by PF. Before accepting and negotiating the incoming SSL connection as a server, it will look up the original destination address on the diverted socket, and pre-connect to the target server as an SSL client to obtain the remote SSL certificate. It will update or patch the obtained SSL certificate by replacing the included public key with its local server key because it doesn't have the private key of the remote server certificate. It also updates the X.509 issuer name to the local CA subject name and signs the certificate with its local CA key. This way it keeps all the other X.509 attributes that are already present in the server certificate, including the "green bar" extended validation attributes. Now it finally accepts the SSL connection from the diverted client using the updated certificate and continues to handle the connection and to connect to the remote server.
PROTOCOLS
Protocols are templates defining actions and settings for relays. They allow setting generic TCP options, SSL settings, and actions specific to the selected application layer protocol.
The protocol directive is available for a number of different application layer protocols. There is no generic handler for UDP-based protocols because it is a stateless datagram-based protocol which has to look into the application layer protocol to find any possible state information.
dns protocol
- (UDP) Domain Name System (DNS) protocol. The requested IDs in the DNS header will be used to match the state. relayd(8) replaces these IDs with random values to compensate for predictable values generated by some hosts.
http protocol
- Handle the HyperText Transfer Protocol (HTTP, or "HTTPS" if encapsulated in an SSL tunnel).
- [
tcp
]protocol
- Generic handler for TCP-based protocols. This is the default.
The available configuration directives are described below:
- [direction] [type]
action [
marked
id] [log
] - Define an action for the selected entity. The optional
log
keyword will log the entity name and the value and the optionalmarked
keyword requires that the session has been marked with a given identifier in order to execute the action. The actions are dependent on the underlying applicationprotocol
.
[direction] may be one of:
request
- Handle the data stream from the client to the relay, like HTTP requests. This is the default if the direction directive is omitted.
response
- Handle the data stream from the target host to the relay, like HTTP server replies.
[type] may be one of:
- Look up the entity as a value in the Cookie header when using the
http
protocol. This type is only available with the directionrequest
. header
- Look up the entity in the application protocol headers, like HTTP headers
in
http
mode. path
- Look up the entity as a value in the URL path when using the
http
protocol. This type is only available with the directionrequest
. The key will match the path of the requested URL without the hostname and query and the value will match the complete query, for example:request path filter "/index.html" request path filter "foo=bar*" from "/cgi-bin/t.cgi"
query
- Look up the entity as a query variable in the URL when using the
http
protocol. This type is only available with the directionrequest
, for example:# Will match /cgi-bin/example.pl?foo=bar&ok=yes request query expect "bar" from "foo"
url
- Look up the entity as a URL suffix/prefix expression consisting of a
canonicalized hostname without port or suffix and a path name or prefix
when using the
http
protocol. This type is only available with the directionrequest
, for example:request url filter "example.com/index.html" request url filter "example.com/test.cgi?val=1"
relayd(8) will match the full URL and different possible suffix/prefix combinations by stripping subdomains and path components (up to 5 levels), and the query string. For example, the following lookups will be done for http://www.example.com:81/1/2/3/4/5.html?query=yes:
www.example.com/1/2/3/4/5.html?query=yes www.example.com/1/2/3/4/5.html www.example.com/ www.example.com/1/ www.example.com/1/2/ www.example.com/1/2/3/ example.com/1/2/3/4/5.html?query=yes example.com/1/2/3/4/5.html example.com/ example.com/1/ example.com/1/2/ example.com/1/2/3/
[action] may be one of:
append
valueto
key- Append the specified value to a protocol entity with the selected name.
When using the
http
protocol,key
will indicate a specified HTTP header. If key does not exist in the request, it will be created with the value set to value.The value string may contain predefined macros that will be expanded at runtime:
$REMOTE_ADDR
- The IP address of the connected client.
$REMOTE_PORT
- The TCP source port of the connected client.
$SERVER_ADDR
- The configured IP address of the relay.
$SERVER_PORT
- The configured TCP server port of the relay.
$SERVER_NAME
- The server software name of relayd(8).
$TIMEOUT
- The configured session timeout of the relay.
change
keyto
value- Like the
append
directive above, but change the contents of the specified entity. If key does not exist in the request, it will be created with the value set to value.The value string may contain predefined macros that will be expanded at runtime, as detailed for the
append
directive above. expect
valuefrom
key- Expect an entity key and match against value using shell globbing rules. If the entity is not present or the value doesn't match, the connection will be dropped.
expect
[digest
] key- Expect an entity key with any possible value. This
is the short form of
expect
*from
key.If the
digest
keyword is specified, compare the message digest of the entity against the defined string. The algorithm used is determined by the string length of the key argument, either SHA1 (40 characters) or MD5 (32 characters). To compute the digest, use this simple command:$ echo -n "example.com/path/?args" | sha1
expect file
path- Like the directive above, but load the non-digest keys from an external file with the specified path containing one key per line. Lines will be stripped at the first whitespace or newline character. Any empty lines or lines beginning with a hash mark (‘#’) will be ignored.
filter
valuefrom
key- Like the
expect
..from
directive above, but drop any connections with the specified entity key and a matching value. filter
[digest
] key- Like the
expect
directive above, but drop any connections with the specified entity key and any possible value. This is the short form offilter
*from
key. filter file
path- Like the directive above, but load the non-digest keys from
path. See
expect file
path for more information. hash
key- Feed the value of the selected entity into the load balancing hash to
select the target host. See the
table
keyword in the RELAYS section above. log
key- Log the name and the value of the entity.
log file
path- Like the directive above, but load the keys from
path. See
expect file
path for more information. mark
[valuefrom
] keywith
id- Mark the session with the specified identifier (a positive number between
1 and 65535) if the specified condition matches. Note that the
mark
action does not accept themarked
option (see above). label
string- Add a label to subsequently added actions. The label will be printed as
part of the error message if the
return error
option is set and may contain HTML tags, for example:label "<a href='http://example.com/advisory.pl?id=7359'>\ Advisory provided by example.com</a>" url filter digest 5c1e03f58f8ce0b457474ffb371fd1ef url filter digest 80c1a7b8337462093ef8359c57b4d56a no label
no label
- Do not set a label for subsequently added actions; this is the default.
remove
key- Remove the entity with the selected name.
remove file
path- Like the directive above, but load the keys from
path. See
expect file
path for more information. return error
[option]- Return an error response to the client if an internal operation or the
forward connection to the client failed. By default, the connection will
be silently dropped. The effect of this option depends on the protocol:
HTTP will send an error header and page to the client before closing the
connection. Additional valid options are:
style
string- Specify a Cascading Style Sheet (CSS) to be used for the returned HTTP
error pages, for example:
body { background: #a00000; color: white; }
ssl
option- Set the SSL options and session settings. This is only used if SSL is
enabled in the relay. Valid options are:
ca cert
path- Specify a CA certificate for SSL inspection. For more information, see
the
ca key
option below. ca file
path- This option enables CA verification in SSL client mode. The daemon will load the CA (Certificate Authority) certificates from the specified path to verify the server certificates. OpenBSD provides a default CA bundle in /etc/ssl/cert.pem.
ca key
pathpassword
password- Specify a CA key for SSL inspection. The
password argument will specify the password to
decrypt the CA key (typically an RSA key). This option will enable SSL
inspection if the following conditions are true:
- SSL client mode is enabled by the
listen
directive:listen on ... ssl
. - SSL server mode and divert lookups are enabled by the
forward
directive:forward with ssl to destination
. - The
ca cert
option is specified. - The
ca key
option is specified.
- SSL client mode is enabled by the
ciphers
string- Set the string defining the SSL cipher suite. If not specified, the default value HIGH:!ADH will be used (strong crypto cipher suites without anonymous DH). See the CIPHERS section of openssl(1) for information about SSL cipher suites and preference lists.
session cache
value- Set the maximum size of the SSL session cache. If the
value is zero, the default size defined by the
SSL library will be used. A positive number will set the maximum size
in bytes and the keyword
disable
will disable the SSL session cache. - [
no
]sslv2
- Enable the SSLv2 protocol; disabled by default.
- [
no
]sslv3
- Disable the SSLv3 protocol; enabled by default.
- [
no
]tlsv1
- Disable the TLSv1/SSLv3.1 protocol; enabled by default.
tcp
option- Enable or disable the specified TCP/IP options; see
tcp(4) and ip(4) for more information about the options. Valid options
are:
backlog
number- Set the maximum length the queue of pending connections may grow to.
The backlog option is 10 by default and is limited by the
kern.somaxconn
sysctl(8) variable. ip minttl
number- This option for the underlying IP connection may be used to discard packets with a TTL lower than the specified value. This can be used to implement the Generalized TTL Security Mechanism (GTSM) according to RFC 5082.
ip ttl
number- Change the default time-to-live value in the IP headers.
- [
no
]nodelay
- Enable the TCP NODELAY option for this connection. This is recommended to avoid delays in the relayed data stream, e.g. for SSH connections.
- [
no
]sack
- Use selective acknowledgements for this connection.
socket buffer
number- Set the socket-level buffer size for input and output for this connection. This will affect the TCP window size.
- [
no
]splice
- Use socket splicing for zero-copy data transfer. This option is enabled by default.
ROUTERS
Routers represent routing table entries in the kernel forwarding database, see route(4), and a table of associated gateways. They are used to dynamically insert or remove routes with gateways based on their availability and health-check results. A router can include multiple network statements and a single forward statement with a table of one or more gateways. All entries in a single router directive must match the same address family, either IPv4 or IPv6.
The kernel supports multipath routing when multiple gateways exist to the same destination address. The multipath routing behaviour can be changed globally using the sysctl(8) variables net.inet.ip.multipath and net.inet6.ip6.multipath. With the default setting of 0, the first route selected will be used for subsequent packets to that destination regardless of source. Setting it to 1 will enable load balancing based on the packet source address across gateways; multiple routes with the same priority are used equally. The kernel will also check the link state of the related network interface and try a different route if it is not active.
The configuration directives that are valid in the
routers
context are described below:
forward to
⟨table⟩port
number options ...- Specify the table of target gateways to be used; see the TABLES section above for information about table options. This entry is mandatory and must be specified once.
route
address/
prefix- Specify the network address and prefix length of a route destination that is reachable via the active gateways. This entry must be specified at least once in a router directive.
rtable
id- Add the routes to the kernel routing table with the specified id.
rtlabel
label- Add the routes with the specified label to the kernel routing table.
FILES
- /etc/relayd.conf
- relayd(8) configuration file.
- /etc/services
- Service name database.
- /etc/ssl/address.crt
- /etc/ssl/address:port.crt
- /etc/ssl/private/address.key
- /etc/ssl/private/address:port.key
- Location of the relay SSL server certificates, where address is the configured IP address and port is the configured port number of the relay.
- /etc/ssl/cert.pem
- Default location of the CA bundle that can be used with relayd(8).
EXAMPLES
This configuration file would create a redirection service “www” which load balances four hosts and falls back to one host containing a “sorry page”:
www1=front-www1.private.example.com www2=front-www2.private.example.com www3=front-www3.private.example.com www4=front-www4.private.example.com interval 5 table <phphosts> { $www1, $www2, $www3, $www4 } table <sorryhost> disable { sorryhost.private.example.com } redirect "www" { listen on www.example.com port 8080 interface trunk0 listen on www6.example.com port 80 interface trunk0 tag REDIRECTED forward to <phphosts> port 8080 timeout 300 \ check http "/" digest "630aa3c2f..." forward to <sorryhost> port 8080 timeout 300 check icmp }
It is possible to specify multiple listen directives with different IP protocols in a single redirection configuration:
redirect "dns" { listen on dns.example.com tcp port 53 listen on dns.example.com udp port 53 forward to <dnshosts> port 53 check tcp }
The following configuration would add a relay to forward secure
HTTPS connections to a pool of HTTP webservers using the
loadbalance
mode (SSL acceleration and layer 7 load
balancing). The HTTP protocol definition will add two HTTP headers
containing address information of the client and the server, set the
“Keep-Alive” header value to the configured session timeout,
and include the “sessid” variable in the hash to calculate the
target host:
http protocol "http_ssl" { header append "$REMOTE_ADDR" to "X-Forwarded-For" header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By" header change "Keep-Alive" to "$TIMEOUT" query hash "sessid" cookie hash "sessid" path filter "*command=*" from "/cgi-bin/index.cgi" ssl { sslv2, ciphers "MEDIUM:HIGH" } } relay "sslaccel" { listen on www.example.com port 443 ssl protocol "http_ssl" forward to <phphosts> port 8080 mode loadbalance check tcp }
The second relay example will accept incoming connections to port
2222 and forward them to a remote SSH server. The TCP
nodelay
option will allow a “smooth”
SSH session without delays between keystrokes or displayed output on the
terminal:
protocol "myssh" { tcp { nodelay, socket buffer 65536 } } relay "sshforward" { listen on www.example.com port 2222 protocol "myssh" forward to shell.example.com port 22 }
The following relay example will configure “SSL inspection” as described in the SSL RELAYS section. To start, first generate a new local CA key and certificate:
# openssl req -x509 -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
An SSL server key and self-signed cert for 127.0.0.1 are also
required; see listen on
in the
RELAYS section for more details about
certificate locations. Configure the packet filter with a matching divert
rule in pf.conf(5):
# Divert incoming HTTPS traffic to relayd pass in on vlan1 inet proto tcp to port 443 \ divert-to localhost port 8443
And finally configure the SSL inspection in
relayd.conf
:
http protocol httpfilter { return error label "Prohibited!" request url filter "social.network.example.com/" # New configuration directives for SSL Interception ssl ca key "/etc/ssl/private/ca.key" password "password123" ssl ca cert "/etc/ssl/ca.crt" } relay sslinspect { listen on 127.0.0.1 port 8443 ssl protocol httpfilter forward with ssl to destination }
The next simple router configuration example can be used to run redundant, health-checked WAN links:
table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 } router "uplinks" { route 0.0.0.0/0 forward to <gateways> check icmp }
SEE ALSO
HISTORY
The relayd.conf
file format, formerly
known as hoststated.conf
, first appeared in
OpenBSD 4.1. It was renamed to
relayd.conf
in OpenBSD
4.3.
AUTHORS
The relayd(8) program was written by Pierre-Yves Ritschard <pyr@openbsd.org> and Reyk Floeter <reyk@openbsd.org>.
CAVEATS
relayd(8) Verification of SSL server certificates is based on a static CA bundle and relayd(8) currently does not support CRLs (Certificate Revocation Lists).