While running a relayd service for a multi-domain instance
recently I quickly came into an issue with relayd routing.

relayd(8) is the relay daemon in OpenBSD.

I run two local services that I front with relayd:

* service A
* service B

These two I define in relayd.conf(5):

    ext_addr="<SOME-IP>"
    honk_port="31337"
    inks_port="31338"
    table <serviceA> { 127.0.0.1 }
    table <serviceB> { 127.0.0.1 }

To make sure relayd logs sufficiently for traceability I apply the
following options:

    log state changes
	log connection

The next part of my relayd.conf is creating a configuration for
the relay service ("protocols are templates defining settings and rules for relays"):

    http protocol https { }

For the service definition I make sure to add the remote address
and local address:

      match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
      match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"

A further important logging configuration comes next, and I make
sure my relay logs the host, X-Forwarded-For, User-Agent, 
Referer and url:
    
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log

For performance [1]:

    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

Next I disable vulnerable ciphers:

    tls no tlsv1.0
    tls no tlsv1.1
    tls tlsv1.2

Sadly tlsv1.3 is still in -current, so we will have to wait for
that.

I configure keys like follows:

    tls ca cert "/etc/ssl/cert.pem"
    tls keypair serviceA.domain
    tls keypair serviceB.domain

Finally we use the tables defined initially to route traffic to
the right internal service:

    match request header "Host" value "serviceA.domain" forward to <serviceA>
    match request header "Host" value "serviceB.domain" forward to <serviceB>

And that is it for the service definition.

In addition we define the relay ("relays will forward traffic
between a client and a target server") like follows. The "protocol
https" is the junction between the two parts of the config.

    relay https_relay {
      listen on $ext_addr port https tls
      protocol https
      
      forward to <honk> port $honk_port check tcp
      forward to <inks> port $inks_port check tcp
    }

The whole config:

ext_addr="159.100.245.242"
honk_port="31337"
inks_port="31338"
table <honk> { 127.0.0.1 }
table <inks> { 127.0.0.1 }

log state changes
log connection

http protocol https {
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Connection" value "close"

  match header log "Host"
  match header log "X-Forwarded-For"
  match header log "User-Agent"
  match header log "Referer"
  match url log

  tcp { nodelay, socket buffer 65536, backlog 100 }

  tls no tlsv1.0
  tls no tlsv1.1
  tls tlsv1.2
  tls ca cert "/etc/ssl/cert.pem"
  
  tls keypair cybsec.network
  tls keypair inks.cybsec.network
  
  match request header "Host" value "cybsec.network" forward to <honk>
  match request header "Host" value "inks.cybsec.network" forward to <inks> 
}

relay https_relay {
  listen on $ext_addr port https tls
  protocol https

  forward to <honk> port $honk_port check tcp
  forward to <inks> port $inks_port check tcp
}


[1] https://calomel.org/relayd.html