Re: Sorry for the n00b question but I could use some education on relayd
On Thu, November 2, 2017 2:17 pm, Bryan C. Everly wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf? relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table { 192.168.1.2 }
> table { 192.168.1.3 }
> table { 192.168.1.4 }
>
> redirect "one" {
>     listen on one.com port 80
>     forward to
> }
>
> redirect "two" {
>     listen on two.com port 80
>     forward to
> }
>
> redirect "three" {
>     listen on three.com port 80
>     forward to
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for. Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>

You can't have multiple redirects on the same IP and port. DNS isn't known at that layer. If you have only one external IP, you have to use a relay and pass...forward to the host based on HOST header value. Something like this:

ext_addr="xxx.xxx.xxx.xxx"

#
# Global Options
#
interval 20
timeout 2000
prefork 5

#
# Each table will be mapped to a pf table.
#
table { 192.168.1.10 }
table { 192.168.1.11 }
table { 192.168.1.12 }
table { 127.0.0.1 }

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
#
http protocol http {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    match request header log "Host"

    pass request quick header "Host" value "web1.com" forward to
    pass request quick header "Host" value "web2.com" forward to
    pass request quick header "Host" value "web3.com" forward to
    pass quick forward to

    return error style "body { background: white; color: black; }"

    # Various TCP performance options
    tcp { nodelay, sack, splice, socket buffer 65536, backlog 128 }
}

relay www {
    listen on $ext_addr port 80
    protocol http

    forward to port http check http "/index.html" code 200
    forward to port http check http "/index.html" code 200
    forward to port http check http "/index.html" code 200
    forward to port 8080 check http "/index.html" code 200
}
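As an added example (not code from the thread), a complete relayd.conf for the Host-header relay described in the reply above, using the three site names from the original question; the table names (web1, web2, web3, fallback), the external and LAN addresses and the fallback port are assumptions chosen for illustration:

```conf
# Added example, not from the original thread. Table names, addresses and
# the fallback port are assumed values for illustration.
ext_addr="203.0.113.10"          # placeholder for the single public IP

table <web1> { 192.168.1.10 }
table <web2> { 192.168.1.11 }
table <web3> { 192.168.1.12 }
table <fallback> { 127.0.0.1 }   # local catch-all for unexpected Host values

http protocol "hostrouter" {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "Connection" value "close"
    match request header log "Host"

    # The Host header is client-supplied, so match it exactly and send
    # anything that is not one of the expected names to the fallback
    # rather than to the first backend.
    pass request quick header "Host" value "one.com" forward to <web1>
    pass request quick header "Host" value "two.com" forward to <web2>
    pass request quick header "Host" value "three.com" forward to <web3>
    pass quick forward to <fallback>

    tcp { nodelay, sack, splice, backlog 128 }
}

relay "www" {
    listen on $ext_addr port 80
    protocol "hostrouter"

    # Every table referenced by the protocol must be listed here; the
    # health checks drop a backend from its table when it stops answering.
    forward to <web1> port 80 check http "/" code 200
    forward to <web2> port 80 check http "/" code 200
    forward to <web3> port 80 check http "/" code 200
    forward to <fallback> port 8080 check tcp
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before loading it. Because a relay is a userland proxy, pf only needs an ordinary pass-in rule for port 80 on the external interface; the `anchor "relayd/*"` line is what redirect rules require, since those are pushed into pf as rdr entries.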
Re: Sorry for the n00b question but I could use some education on relayd
listen on port -- that means listening on localhost or its NIC; in your case all three listens will probably use your router's external LAN NIC IP address. So yes, you will need to use different port numbers -- if you are not going to use one/two/three as load-balancing hosts for the same app. In this case you will have one table with three host IPs and just one redirect. IMHO! Also a relayd beginner like you.

On Thu, Nov 2, 2017 at 7:17 PM, Bryan C. Everly wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf? relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table { 192.168.1.2 }
> table { 192.168.1.3 }
> table { 192.168.1.4 }
>
> redirect "one" {
>     listen on one.com port 80
>     forward to
> }
>
> redirect "two" {
>     listen on two.com port 80
>     forward to
> }
>
> redirect "three" {
>     listen on three.com port 80
>     forward to
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for. Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>
Sorry for the n00b question but I could use some education on relayd
Hi misc@,

I have a use case where I'm using OpenBSD 6.2 as my router/firewall and there are several websites that sit behind it on separate servers (let's call them http://one.com, http://two.com and http://three.com).

I'd like to be able to have just a single IP address exposed through DNS for all three of them (it's a home cablemodem and I only have one public IP address) and then use something on OpenBSD (pf? relayd?) to route the traffic to the appropriate private IP address on the LAN side of the network.

In looking at the manpage for relayd and relayd.conf, I'm wondering if I could set up a relay using something like this:

table { 192.168.1.2 }
table { 192.168.1.3 }
table { 192.168.1.4 }

redirect "one" {
    listen on one.com port 80
    forward to
}

redirect "two" {
    listen on two.com port 80
    forward to
}

redirect "three" {
    listen on three.com port 80
    forward to
}

I've tried this and even after re-reading the manpage and seeing that I needed to add the "anchor" bit to my pf.conf I'm still not getting what I'm looking for. Perhaps I'm using the wrong tool for the job?

Thanks in advance for any suggestions or knocks on the head!

Thanks,
Bryan