Re: Sorry for the n00b question but I could use some education on relayd

2017-11-02 Thread trondd
On Thu, November 2, 2017 2:17 pm, Bryan C. Everly wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf?  relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table   { 192.168.1.2 }
> table  { 192.168.1.3 }
> table  { 192.168.1.4 }
>
> redirect "one" {
> listen on one.com port 80
> forward to 
> }
>
> redirect "two" {
> listen on two.com port 80
> forward to 
> }
>
> redirect "three" {
> listen on three.com port 80
> forward to 
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for.  Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>

You can't have multiple redirects on the same IP and port.  DNS isn't
known at that layer.

If you have only one external IP, you have to use a relay and
pass...forward to the host based on HOST header value.

Something like this:

ext_addr="xxx.xxx.xxx.xxx"

#
# Global Options
#
interval 20
timeout 2000
prefork 5

#
# Each table will be mapped to a pf table.
#
table  { 192.168.1.10 }
table  { 192.168.1.11 }
table  { 192.168.1.12 }
table  { 127.0.0.1 }

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
#
http protocol http {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"

match request header log "Host"

pass request quick header "Host" value "web1.com" forward to 
pass request quick header "Host" value "web2.com" forward to 
pass request quick header "Host" value "web3.com" forward to 

pass quick forward to 
return error style "body {background: white; color: black; }"

# Various TCP performance options
tcp { nodelay, sack, splice, socket buffer 65536, backlog 128 }

}

relay www {
listen on $ext_addr port 80
protocol http

forward to  port http check http "/index.html" code 200
forward to  port http check http "/index.html" code 200
forward to  port http check http "/index.html" code 200
forward to  port 8080 check http "/index.html" code 200
}
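The point trondd makes (a redirect works at the IP/port layer and never sees the Host header, so only a layer-7 relay can split one public address across three sites) is easy to see in code. The following is an added illustration written for this thread, not relayd's own code or anything from the posters: a small Python model of what the `pass request quick header "Host" value ... forward to` lines and the `match request header append/set` lines do, next to what a port-level `redirect` can see. The host names, backend addresses and sample requests are constructed for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for the real external IP and client.

```python
"""Model of layer-7 Host dispatch versus a layer-3/4 redirect.

Added example for the relayd thread; not relayd code. All names and
addresses below are constructed placeholders."""

# Host -> backend, mirroring the three 'pass request quick header "Host"'
# lines; the catch-all 'pass quick forward to' line becomes DEFAULT_BACKEND.
BACKENDS = {
    "web1.com": ("192.168.1.10", 80),
    "web2.com": ("192.168.1.11", 80),
    "web3.com": ("192.168.1.12", 80),
}
DEFAULT_BACKEND = ("127.0.0.1", 8080)

# What three same-port 'redirect' blocks boil down to: (ext_ip, port, backend).
EXT_IP = "203.0.113.5"                          # constructed external address
RDR_RULES = [
    (EXT_IP, 80, ("192.168.1.2", 80)),
    (EXT_IP, 80, ("192.168.1.3", 80)),
    (EXT_IP, 80, ("192.168.1.4", 80)),
]

# Constructed requests as a client would send them to the relay.
SAMPLE_WEB2 = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: WEB2.com:80\r\n"          # upper case and explicit port
               b"Connection: keep-alive\r\n\r\n")
SAMPLE_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"


def normalize_host(raw):
    """Lower-case the Host value and drop an explicit ':port' suffix, so a
    browser sending 'WEB2.com:80' still matches the plain string 'web2.com'."""
    host = raw.strip().lower()
    if host.startswith("["):                    # IPv6 literal such as [::1]:80
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def parse_request_head(data):
    """Return (request line, [(lower-cased name, value), ...]) for an HTTP
    request head; header names compare case-insensitively."""
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def choose_backend(data):
    """Pick the backend a layer-7 relay forwards to, from the Host header.
    No Host, or several Host headers that disagree, is rejected instead of
    routed on whichever value happens to come first."""
    _, headers = parse_request_head(data)
    hosts = [v for (n, v) in headers if n == "host"]
    if not hosts:
        raise ValueError("HTTP/1.1 request without a Host header")
    if len({normalize_host(h) for h in hosts}) > 1:
        raise ValueError(f"conflicting Host headers: {hosts!r}")
    return BACKENDS.get(normalize_host(hosts[0]), DEFAULT_BACKEND)


def redirect_backend(dst_ip, dst_port, rules):
    """All a 'redirect' (pf rdr) can match on is destination IP and port,
    so with one external IP the first same-port rule always wins."""
    for (ip, port, backend) in rules:
        if (ip, port) == (dst_ip, dst_port):
            return backend
    return None


def add_forwarded_headers(data, remote_addr, server_addr, server_port):
    """Mirror the 'match request header append/set' lines: record the real
    client for the backend's logs and force 'Connection: close'. Append adds
    to an existing X-Forwarded-For value instead of overwriting it."""
    head, sep, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    out, seen_xff = [lines[0]], False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname == "connection":               # 'set' replaces the original
            continue
        if lname == "x-forwarded-for":
            seen_xff = True
            line = f"{name.strip()}: {value.strip()}, {remote_addr}"
        out.append(line)
    if not seen_xff:
        out.append(f"X-Forwarded-For: {remote_addr}")
    out.append(f"X-Forwarded-By: {server_addr}:{server_port}")
    out.append("Connection: close")
    return "\r\n".join(out).encode("latin-1") + sep + body
```

Running `choose_backend(SAMPLE_WEB2)` yields the web2 backend despite the odd casing and port suffix, `choose_backend(SAMPLE_UNKNOWN)` falls through to the catch-all, while `redirect_backend(EXT_IP, 80, RDR_RULES)` returns the first rule's backend for every request because nothing else is visible at that layer. The rejection of missing or conflicting Host headers is the one place the model is stricter than the config in the thread: relayd's `pass quick forward to` catch-all would send such requests to the default table, so if the default backend is anything but a dummy it is worth knowing what it serves.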



Re: Sorry for the n00b question but I could use some education on relayd

2017-11-02 Thread Karel Gardas
listen on  port  -- that means listening on localhost
or its NIC, in your case all three listen will use probably your
router external LAN NIC IP address. So yes, you will need to use
different port numbers -- if you are not going to use one/two/three as
load balancing hosts for the same app. In this case you will have one
table with three hosts IPs and just one redirect.

IMHO! Also a relayd beginner like you.

On Thu, Nov 2, 2017 at 7:17 PM, Bryan C. Everly  wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf?  relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table   { 192.168.1.2 }
> table  { 192.168.1.3 }
> table  { 192.168.1.4 }
>
> redirect "one" {
> listen on one.com port 80
> forward to 
> }
>
> redirect "two" {
> listen on two.com port 80
> forward to 
> }
>
> redirect "three" {
> listen on three.com port 80
> forward to 
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for.  Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>



Sorry for the n00b question but I could use some education on relayd

2017-11-02 Thread Bryan C. Everly
Hi misc@,

I have a use case where I'm using OpenBSD 6.2 as my router/firewall
and there are several websites that sit behind it on separate servers
(let's call them http://one.com, http://two.com and http://three.com

I'd like to be able to have just a single IP address exposed through
DNS for all three of them (it's a home cablemodem and I only have one
public IP address) and then use something on OpenBSD (pf?  relayd?) to
route the traffic to the appropriate private IP address on the LAN
side of the network.

In looking at the manpage for relayd and relayd.conf, I'm wondering if
I could set up a relay using something like this:

table   { 192.168.1.2 }
table  { 192.168.1.3 }
table  { 192.168.1.4 }

redirect "one" {
listen on one.com port 80
forward to 
}

redirect "two" {
listen on two.com port 80
forward to 
}

redirect "three" {
listen on three.com port 80
forward to 
}

I've tried this and even after re-reading the manpage and seeing that
I needed to add the "anchor" bit to my pf.conf I'm still not getting
what I'm looking for.  Perhaps I'm using the wrong tool for the job?

Thanks in advance for any suggestions or knocks on the head!

Thanks,
Bryan