thoughts/data/relayd-multidomain.md


2024-08-05 20:24:56 +02:00
While running relayd in front of a multi-domain instance
recently, I quickly ran into an issue with relayd routing.
relayd(8) is the relay daemon in OpenBSD.
I run two local services that I front with relayd:
* service A
* service B
These two I define in relayd.conf(5):

```
ext_addr="<SOME-IP>"
honk_port="31337"
inks_port="31338"
table <serviceA> { 127.0.0.1 }
table <serviceB> { 127.0.0.1 }
```
To make sure relayd logs sufficiently for traceability I apply the
following options:

```
log state changes
log connection
```
The next part of my relayd.conf is creating a configuration for
the relay service ("protocols are templates defining settings and rules for relays"):

```
http protocol https { }
```
For the service definition I make sure the relay passes the client's
remote address and its own local address on to the backend as headers:

```
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
```
A further important logging configuration comes next, and I make
sure my relay logs the Host, X-Forwarded-For, User-Agent and
Referer headers as well as the URL:

```
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
```
For performance [1]:

```
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
```
Next I disable the legacy TLS protocol versions (TLS 1.0 and 1.1) and leave only TLS 1.2 enabled:

```
tls no tlsv1.0
tls no tlsv1.1
tls tlsv1.2
```
Sadly tlsv1.3 is still in -current, so we will have to wait for
that.
I configure the certificates and keys as follows; each `tls keypair` name refers to
/etc/ssl/name.crt and /etc/ssl/private/name.key, and listing one per domain
lets relayd select the certificate by SNI:

```
tls ca cert "/etc/ssl/cert.pem"
tls keypair serviceA.domain
tls keypair serviceB.domain
```
Finally we use the tables defined initially to route traffic to
the right internal service:

```
match request header "Host" value "serviceA.domain" forward to <serviceA>
match request header "Host" value "serviceB.domain" forward to <serviceB>
```
And that is it for the service definition.
In addition we define the relay ("relays will forward traffic
between a client and a target server") as follows. The "protocol
https" line is the junction between the two parts of the config.

```
relay https_relay {
    listen on $ext_addr port https tls
    protocol https
    forward to <honk> port $honk_port check tcp
    forward to <inks> port $inks_port check tcp
}
```
The whole config:

```
ext_addr="159.100.245.242"
honk_port="31337"
inks_port="31338"
table <honk> { 127.0.0.1 }
table <inks> { 127.0.0.1 }
log state changes
log connection
http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log
    tcp { nodelay, socket buffer 65536, backlog 100 }
    tls no tlsv1.0
    tls no tlsv1.1
    tls tlsv1.2
    tls ca cert "/etc/ssl/cert.pem"
    tls keypair cybsec.network
    tls keypair inks.cybsec.network
    match request header "Host" value "cybsec.network" forward to <honk>
    match request header "Host" value "inks.cybsec.network" forward to <inks>
}
relay https_relay {
    listen on $ext_addr port https tls
    protocol https
    forward to <honk> port $honk_port check tcp
    forward to <inks> port $inks_port check tcp
}
```
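A multi-domain relay only routes correctly when every Host rule, table, relay forward and keypair line up, so here is an added consistency check (my own example, not part of the post or of relayd) that cross-references the config above and also flags legacy TLS versions left enabled; the config is embedded as constructed input.

```python
import re

# Constructed input: tables, protocol and relay taken from the post's full config.
RELAYD_CONF = """\
table <honk> { 127.0.0.1 }
table <inks> { 127.0.0.1 }
http protocol https {
    tls no tlsv1.0
    tls no tlsv1.1
    tls keypair cybsec.network
    tls keypair inks.cybsec.network
    match request header "Host" value "cybsec.network" forward to <honk>
    match request header "Host" value "inks.cybsec.network" forward to <inks>
}
relay https_relay {
    protocol https
    forward to <honk> port $honk_port check tcp
    forward to <inks> port $inks_port check tcp
}
"""
TABLE = re.compile(r'^\s*table\s+<(\w+)>')
KEYPAIR = re.compile(r'^\s*tls\s+keypair\s+(\S+)')
HOST_RULE = re.compile(r'^\s*match\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"\s+forward\s+to\s+<(\w+)>')
RELAY_FWD = re.compile(r'^\s*forward\s+to\s+<(\w+)>')  # only relay-block lines start this way
NO_TLS = re.compile(r'^\s*tls\s+no\s+(tlsv1\.[01])')

def check_config(conf):
    """Return the routing/TLS inconsistencies found; an empty list means consistent."""
    tables, keypairs, fwds, disabled, rules = set(), set(), set(), set(), []
    for line in conf.splitlines():
        for pat, store in ((TABLE, tables), (KEYPAIR, keypairs),
                           (RELAY_FWD, fwds), (NO_TLS, disabled)):
            m = pat.match(line)
            if m:
                store.add(m.group(1))
        m = HOST_RULE.match(line)
        if m:
            rules.append(m.groups())
    problems = []
    for host, table in rules:
        if host not in keypairs:  # no cert for this SNI name: clients get a name mismatch
            problems.append(f"{host}: no 'tls keypair {host}'")
        if table not in tables:
            problems.append(f"{host}: table <{table}> is not defined")
        if table not in fwds:  # protocol routes to a table the relay never forwards to
            problems.append(f"{host}: relay has no 'forward to <{table}>'")
    for ver in ("tlsv1.0", "tlsv1.1"):
        if ver not in disabled:
            problems.append(f"{ver} is still enabled")
    return problems
```

Run it against your own relayd.conf before `relayd -n` and a reload; an empty list means each domain has a certificate, a defined table and a relay forward behind it.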
[1] https://calomel.org/relayd.html