Re: relayd(8) relay: redirect based on URL paths

2017-03-06 Thread Maxim Bourmistrov
table  { 192.168.10.31 }
table  { 192.168.10.78 }

http protocol somename {
tcp { nodelay, sack, backlog 1024 }
match header set "Proxy" value "filtered"
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$REMOTE_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
match request header remove "Proxy"

match request path "/hello*" forward to 
}

relay somerelay {
   listen on 1.2.3.4 port 80
   protocol somename
   forward to  port 80 mode roundrobin check http "/" code 200
   forward to  port 92 mode roundrobin check tcp
}


Something like this.

But there is a catch with PF in between.
Once a client hits http://whatever.org/hello , a PF state will be created, and
if it tries to reach the normal http://whatever.org it WILL BE
redirected to the servers housing the /hello part.

One way to solve it is to lower tcp.established towards internal machines. In
the example above, to :

pass out on { $INT_IF } proto tcp from self to  port 92 keep state (tcp.established 10)

br
P.S.
In my env. I share a file with tables between pf and relayd, e.g. include
"/etc/pf/tables" in relayd.conf.


> 23 feb. 2017 kl. 03:02 skrev Lyndon Nerenberg :
>
> My relayd.conf fu is lame and needs help.  Given the following config:
>
>
> ---8<---8<---
>
> interval 60
> timeout 2000
>
> table  { w1.example.com w2.example.com w3.example.com }
>
> http protocol https {
>
> tcp { nodelay, sack }
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" \
> value "$SERVER_ADDR:$SERVER_PORT"
> match request header set "Connection" value "close"
>
> }
>
> relay web {
>
> listen on 203.0.113.5 port 443 tls
> protocol https
>
> forward with tls to  port https mode loadbalance \
> check https "/" code 200
>
> }
>
> ---8<---8<---
>
> I am trying to figure out how to intercept request paths beginning with
> "/xy/"
> so that I can forward them to a different port in the same server pool.
> I.e.:
>
>  https://host.example.com/xy/mumblebarge ->
> https://:/xy/mumblebarge
>
>  https://host.example.com/anything_else  ->
> https:///anything_else
>
> It seems this should be possible, but I just can't get my head around
> relayd.conf(5) :-(
>
> --lyndon



Re: relayd(8) relay: redirect based on URL paths

2017-02-22 Thread trondd
On Wed, February 22, 2017 9:02 pm, Lyndon Nerenberg wrote:
> My relayd.conf fu is lame and needs help.  Given the following config:
>
>
> ---8<---8<---
>
> interval 60
> timeout 2000
>
> table  { w1.example.com w2.example.com w3.example.com }
>
> http protocol https {
>
> tcp { nodelay, sack }
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" \
> value "$SERVER_ADDR:$SERVER_PORT"
> match request header set "Connection" value "close"
>
> }
>
> relay web {
>
> listen on 203.0.113.5 port 443 tls
> protocol https
>
> forward with tls to  port https mode loadbalance \
> check https "/" code 200
>
> }
>
> ---8<---8<---
>
> I am trying to figure out how to intercept request paths beginning with
> "/xy/"
> so that I can forward them to a different port in the same server pool.
> I.e.:
>
>   https://host.example.com/xy/mumblebarge ->
> https://:/xy/mumblebarge
>
>   https://host.example.com/anything_else  ->
> https:///anything_else
>
> It seems this should be possible, but I just can't get my head around
> relayd.conf(5) :-(
>
> --lyndon
>

I have an example at work I can dig up tomorrow, but look at the Filter
Rules.  You need bits like: 'pass request path "/xy" forward to
 '
and probably a catch all 'pass forward to ' for the rest of the
traffic.

You need to specify the two forwards to the two tables in your relay
section.  You need two tables since each will go to a different port and
the forward to filter only knows about the table name.
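
Added example, not part of the original thread: the two-table approach described in the reply above, applied to the configuration from the question. The table names <webhosts> and <xyhosts> and the backend port 8443 are assumptions (the archive has dropped the original table names and the question gives no port); parse-check the file with `relayd -n -f <file>` before loading it.

```conf
# Added example. <webhosts>, <xyhosts> and port 8443 are assumed values.
interval 60
timeout 2000

# Two tables holding the same hosts: a filter rule can only name a table,
# and the destination port is attached to the table in the relay section.
table <webhosts> { w1.example.com w2.example.com w3.example.com }
table <xyhosts>  { w1.example.com w2.example.com w3.example.com }

http protocol https {
    tcp { nodelay, sack }
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    # One request per backend connection, so the table is chosen again
    # for every request instead of once per client connection.
    match request header set "Connection" value "close"

    # Requests whose path starts with /xy/ are sent to the second table.
    pass request path "/xy/*" forward to <xyhosts>
}

relay web {
    listen on 203.0.113.5 port 443 tls
    protocol https

    # Assumption: requests that match no "forward to" rule use the
    # first table listed here.
    forward with tls to <webhosts> port https mode loadbalance \
        check https "/" code 200

    # Every table named in a filter rule needs its own forward line.
    forward with tls to <xyhosts> port 8443 mode loadbalance \
        check tcp
}
```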



relayd(8) relay: redirect based on URL paths

2017-02-22 Thread Lyndon Nerenberg
My relayd.conf fu is lame and needs help.  Given the following config:


---8<---8<---

interval 60
timeout 2000

table  { w1.example.com w2.example.com w3.example.com }

http protocol https {

tcp { nodelay, sack }
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"

}

relay web {

listen on 203.0.113.5 port 443 tls
protocol https

forward with tls to  port https mode loadbalance \
check https "/" code 200

}

---8<---8<---

I am trying to figure out how to intercept request paths beginning with "/xy/"
so that I can forward them to a different port in the same server pool.
I.e.:

  https://host.example.com/xy/mumblebarge ->
https://:/xy/mumblebarge

  https://host.example.com/anything_else  -> https:///anything_else

It seems this should be possible, but I just can't get my head around
relayd.conf(5) :-(

--lyndon