Relayd

Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).

Howto

You need to edit /etc/relayd.conf with the following contents. Alternatively, you can copy a sample config file from /etc/examples/relayd.conf and adjust it to your needs.

ip4="192.168.1.1"
ip6="2001:db8::"
webhost="127.0.0.1"

table <www> { $webhost }
table <bnc> { $webhost }
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Various TCP options
        tcp { sack, backlog 128 }

#       tls { no tlsv1.0, ciphers HIGH }  
#       tls no session tickets
        match request header "Host" value "bnc.ircnow.org" forward to <bnc>
        match request header "Host" value "www.ircnow.org" forward to <www>
}

relay wwwtls {
        # Run as a SSL/TLS accelerator
        listen on $ip4 port 443 tls
        listen on $ip6 port 443 tls
        protocol https

        # Forward to hosts in the table
        forward to <bnc> port 1338 mode loadbalance check icmp
        forward to <www> port 8080 mode loadbalance check icmp
}                                   

You'll need corresponding TLS certs:

# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt
# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key
# rcctl enable relayd
# rcctl start relayd

WARNING: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!

WARNING: Make sure that packet filter is enabled! relayd will not run if pf is disabled.

If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where <www> is to be redirected to port 8080, you should have it set to something like listen on 192.168.1.1 port 8080 instead, in your /etc/httpd.conf.

Make sure to also reload/restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/restarting. To do that, you can do,

# httpd -nf /etc/httpd.conf

Troubleshooting

relayd fails to start

If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:

# relayd -n

If it does not show configuration OK, it will typically indicate which line(s) containing error(s).

relayd doesn't show verbose information

According to man 5 relayd.conf, you can add in the following close towards the top of your /etc/relayd.conf,

log connection

Then reload/restart your relayd.

WARNING: This may produce a verbose output which can dramatically increase the size of your /var/log/daemon, especially on busy networks. To avoid this, simply have your syslogd send all relayd messages into its own file. To that, see here.

In addition to splitting relayd logs to its own file, you may wish to create a new entry in your /etc/newsyslog.conf to handle log rotation for your relayd.

common errors

  1. Make sure httpd is not also listening on port 443
  2. Make sure both www.ircnow.org and bnc.ircnow.org have real dns records
  3. Make sure nsd is set up properly
  4. Make sure znc is listening on port 1338
  5. Make sure packet filter is turned on