Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (1338 and 8080).
Howto
You need to edit /etc/relayd.conf with the following contents. Alternatively, you can copy a sample config file from /etc/examples/relayd.conf and adjust it to your needs.
ip4="192.168.1.1"
ip6="2001:db8::"
webhost="127.0.0.1"

table <www> { $webhost }
table <bnc> { $webhost }

http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"

    # Various TCP options
    tcp { sack, backlog 128 }

    # tls { no tlsv1.0, ciphers HIGH }
    # tls no session tickets

    match request header "Host" value "bnc.ircnow.org" forward to <bnc>
    match request header "Host" value "www.ircnow.org" forward to <www>
}

relay wwwtls {
    # Run as a SSL/TLS accelerator
    listen on $ip4 port 443 tls
    listen on $ip6 port 443 tls
    protocol https

    # Forward to hosts in the table
    forward to <bnc> port 1338 mode loadbalance check icmp
    forward to <www> port 8080 mode loadbalance check icmp
}
You'll need corresponding TLS certs:
# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt
# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8::.crt
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8::.key
# rcctl enable relayd
# rcctl start relayd
WARNING: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for Android and iOS devices!
WARNING: Make sure that packet filter is enabled; relayd will not run if pf is disabled.
If your httpd is listening on port 443 with TLS, move it to another port and drop tls. In the example above, where www.ircnow.org is forwarded to port 8080, set it to something like listen on 192.168.1.1 port 8080 in your /etc/httpd.conf; the address must be the one relayd forwards to (the $webhost entry in the table) and the port must match the forward port, otherwise relayd has nothing to reach.
Make sure to also reload/restart your httpd once you have made adjustments. You can first check that the config file contains no errors before reloading/restarting:
# httpd -nf /etc/httpd.conf
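The "httpd must not stay on 443" and "httpd must listen where relayd forwards" rules above are easy to get wrong by hand. As an added example (not code from relayd, httpd or the ircnow wiki), the hypothetical helper below parses just the subset of relayd.conf(5) syntax used in this page (macros, tables, "Host" match rules with forward targets, relay forward lines) and the "listen on" lines of httpd.conf(5), then reports the mistakes this page warns about: httpd still bound to port 443, a backend address/port that httpd does not listen on, a backend that still terminates TLS behind the accelerator, and a table that is referenced but never defined. The two httpd.conf fragments are constructed samples showing the wrong and the corrected setting; the bnc table is left out of the httpd check because, per the page, that backend is znc.

```python
import re

# Added example (hypothetical helper), not part of relayd or the ircnow wiki.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
TABLE_RE = re.compile(r"^table\s+<(\w+)>\s*\{([^}]*)\}")
MATCH_FWD_RE = re.compile(
    r'^match\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"\s+forward\s+to\s+<(\w+)>')
RELAY_FWD_RE = re.compile(r"^forward\s+to\s+<(\w+)>\s+port\s+(\d+)")
LISTEN_RE = re.compile(r"^listen\s+on\s+(\S+)\s+(tls\s+)?port\s+(\d+)")


def _expand(token, macros):
    """Resolve a $macro reference; unknown macros are returned unchanged."""
    return macros.get(token[1:], token) if token.startswith("$") else token


def parse_relayd_conf(text):
    """Collect macros, tables, virtual-host -> table and table -> backend port."""
    cfg = {"macros": {}, "tables": {}, "host_to_table": {}, "forwards": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := MACRO_RE.match(line):
            cfg["macros"][m.group(1)] = m.group(2)
        elif m := TABLE_RE.match(line):
            cfg["tables"][m.group(1)] = [_expand(t, cfg["macros"]) for t in m.group(2).split()]
        elif m := MATCH_FWD_RE.match(line):
            cfg["host_to_table"][m.group(1)] = m.group(2)
        elif m := RELAY_FWD_RE.match(line):
            cfg["forwards"][m.group(1)] = int(m.group(2))
    return cfg


def parse_httpd_listen(text):
    """Return [(address, port, tls?)] for every 'listen on' line in httpd.conf."""
    macros, listens = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := LISTEN_RE.match(line):
            listens.append((_expand(m.group(1), macros), int(m.group(3)), m.group(2) is not None))
    return listens


def check_config(relayd, listens, httpd_tables):
    """Return a list of problems; httpd_tables names the tables that httpd serves."""
    problems = []
    for host, table in relayd["host_to_table"].items():
        if table not in relayd["tables"]:
            problems.append(f"{host}: forwards to undefined table <{table}>")
        elif table not in relayd["forwards"]:
            problems.append(f"{host}: no 'forward to <{table}> port N' in any relay")
    for table in httpd_tables:
        port = relayd["forwards"].get(table)
        if port is None:
            continue
        for backend in relayd["tables"].get(table, []):
            hits = [l for l in listens if l[0] in (backend, "*") and l[1] == port]
            if not hits:
                problems.append(f"<{table}>: httpd does not listen on {backend} port {port}")
            elif any(tls for _, _, tls in hits):
                problems.append(f"<{table}>: httpd listens on port {port} with tls, but relayd already terminates TLS")
    for addr, port, _ in listens:
        if port == 443:
            problems.append(f"httpd listens on {addr} port 443, which must belong to relayd")
    return problems


# Constructed sample: the relevant lines of the relayd.conf shown above.
RELAYD_CONF = """
webhost="127.0.0.1"
table <www> { $webhost }
table <bnc> { $webhost }
http protocol https {
    match request header "Host" value "bnc.ircnow.org" forward to <bnc>
    match request header "Host" value "www.ircnow.org" forward to <www>
}
relay wwwtls {
    forward to <bnc> port 1338 mode loadbalance check icmp
    forward to <www> port 8080 mode loadbalance check icmp
}
"""
# Constructed httpd.conf before the fix: still terminating TLS on port 443.
HTTPD_BEFORE = """
ip4="192.168.1.1"
server "www.ircnow.org" {
    listen on $ip4 tls port 443
}
"""
# Constructed httpd.conf after the fix: plain HTTP on the address relayd forwards to.
HTTPD_AFTER = """
server "www.ircnow.org" {
    listen on 127.0.0.1 port 8080
}
"""

if __name__ == "__main__":
    relayd = parse_relayd_conf(RELAYD_CONF)
    for label, httpd in (("before", HTTPD_BEFORE), ("after", HTTPD_AFTER)):
        problems = check_config(relayd, parse_httpd_listen(httpd), httpd_tables=("www",))
        print(f"{label}: {problems or 'OK'}")
```

Run it as-is to see the "before" fragment flagged twice (httpd on 443, nothing listening on 127.0.0.1 port 8080) and the "after" fragment pass; point the two parse functions at your real /etc/relayd.conf and /etc/httpd.conf to check a live setup. The parser deliberately ignores every directive it does not understand, so relayd -n and httpd -n remain the authority on syntax; this only catches the cross-file mismatches those tools cannot see.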
Troubleshooting
relayd fails to start
If relayd fails to start for whatever reason, troubleshoot it by running a config test:
# relayd -n
If it does not print "configuration OK", it will typically indicate which line(s) contain the error(s).
relayd doesn't show verbose information
According to man 5 relayd.conf, you can add the following clause towards the top of your /etc/relayd.conf:
log connection
Then reload/restart your relayd.
WARNING: This may produce verbose output that can dramatically increase the size of /var/log/daemon, especially on busy networks. To avoid this, have syslogd send all relayd messages to their own file. To do that, see here.
In addition to splitting relayd logs into their own file, you may wish to add an entry to /etc/newsyslog.conf to handle log rotation for relayd.
Common errors
Make sure httpd is not also listening on port 443
Make sure both www.ircnow.org and bnc.ircnow.org have real dns records
Make sure nsd is set up properly
Make sure znc is listening on port 1338
Make sure packet filter is turned on