OpenBSD relayd as reverse proxy

I was using nginx as a reverse proxy in front of my WP blog, but it has now been replaced by OpenBSD's relayd. My setup uses relayd as a reverse proxy that blocks all HTTP methods except HEAD and GET to my blog, which consists of static pages.

The relayd.conf goes something like this:


##
## $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk
## Modified 4/20/17 by gordon

##
## Macros
##
ext_addr="xxx.xxx.xxx.xxx"
httpd_ip="127.0.0.1"
ext_port="80"
httpd_port="8080"

##
## Global Options
##
# interval 10
# timeout 1000
prefork 3
log all

##
## Tables
##
table <webserver1> { 127.0.0.1 }

##
## Redirections
##

##
## Protocols
##

#
# Filtering rules for reverse HTTP proxy
#

http protocol reverseproxy {

#       # TCP performance options 
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

#       # Return HTTP/HTML error pages
        return error

#       # allow logging of remote client ips to internal web server log
        #match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        #match request header append "Forwarded" value "$REMOTE_ADDR"
        #match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
#		#These don't work

#       # Change timeout
        match header set "Keep-Alive" value "$TIMEOUT"

#       # Anonymize our webserver's name/type
        match response header set  "Server" value "Microsoft IIS 9 beta 1"

#       # Pass GET and HEAD; drop all other HTTP requests
        pass request quick method "HEAD" forward to <webserver1>
        pass request quick method "GET" forward to <webserver1>
        match request label "HTTP Request Not Allowed"
        block request

        }

##
## Relays
##

#
# Relay for a reverse HTTP proxy
#

relay reverseproxy {
        # listen on external address for http traffic
        listen on $ext_addr port $ext_port

        # apply web filters listed above
        protocol reverseproxy

        # Forward to webserver1 for matches
        forward to <webserver1> port $httpd_port

        }


##
## Routers
##

##
## End of /etc/relayd.conf
##

Appears to work well, but I need to fix the "match request header" stanza to allow more informative logging by the webserver so I can use awstats or other scripts.
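
One way to check the method filter from the client side, as an added example that is not part of the original post: it sends one request per HTTP method and reports any method whose outcome contradicts the GET/HEAD-only policy. The names probe, violations, demo and StandIn are assumptions made for this sketch, and StandIn is a constructed local server that stands in for the relay so the check runs offline; call probe() with your own relay's address to test the real thing.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
ALLOWED = {"GET", "HEAD"}  # methods the filter rules in the post pass
PROBES = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

def probe(host, port, path="/"):
    """Send one request per method; return {method: (status, Server header)}."""
    results = {}
    for method in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = (resp.status, resp.getheader("Server"))
        except (OSError, http.client.HTTPException):
            results[method] = (None, None)  # dropped connection: not passed
        finally:
            conn.close()
    return results

def violations(results):
    """Methods whose outcome contradicts the GET/HEAD-only policy."""
    return [m for m, (status, _) in results.items()
            if (status is not None and status < 400) != (m in ALLOWED)]

class StandIn(BaseHTTPRequestHandler):
    """Constructed local server mimicking the policy so the demo runs offline."""
    def version_string(self):
        return "Microsoft IIS 9 beta 1"  # Server value set in the post's config
    def _reply(self):
        self.send_response(200 if self.command in ALLOWED else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_TRACE = _reply
    log_message = lambda self, *args: None  # keep the demo quiet

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(violations(demo()) or "policy holds: only GET and HEAD pass")
```

A method counts as passed when the response status is below 400, so a block page or a dropped connection both count as blocked.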


Posted by Gordon, No Hair News, Jun. 18, 2017

© nohair.net and the author

For comments, corrections, and addenda, email: gordon[AT]nohair.net
