I want to use relayd to forward requests based on domain to either box1 or box2 in my LAN. I tried using HAProxy in the past, but the configuration UI is confusing, so I was looking for alternatives and found relayd - and OPNsense has a plugin for it too, so I tried using it.
Alas, the UI this time is limiting, because I got relayd to work, but had to edit the /usr/local/etc/relayd.conf file by hand. How can I replicate the following config (that works and suits my use case perfectly) on the plugin's UI?
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
ext_addr = REDACTED
log state changes
log connection

# backend pools, one host each
table <apu2> { 192.168.1.96 }
table <syno> { 192.168.1.12 }

http protocol "www" {
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    tcp { nodelay, socket buffer 65536, backlog 100 }
    http websockets
    # route on the Host header; anything that matches neither domain is blocked
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    block
}

http protocol "wwwtls" {
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log
    match header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match header set "Keep-Alive" value "$TIMEOUT"
    http websockets
    tls keypair domain1
    tls keypair domain2
    tcp { nodelay, socket buffer 65536, backlog 100 }
    # this relay terminates TLS, so tell the backend the client's original scheme
    match request header set "X-Forwarded-Proto" value "https"
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    block
}

relay "www" {
    listen on $ext_addr port 80
    protocol "www"
    forward to <apu2> port 80 check tcp
    forward to <syno> port 180 check tcp
}

relay "wwwtls" {
    listen on $ext_addr port 443 tls
    protocol "wwwtls"
    forward to <syno> port 180 check tcp
    forward to <apu2> port 80 check tcp
}
I just realized that this config crashes after a while :-\ I think because too many connections stay open. I saw that you can add
match response header set "Connection" value "close"
but that kills WebSocket connections, so I tag those and then change the header value back. Final (for now :D) version:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
ext_addr = 0.0.0.0
log state changes
log connection

# backend pools, one host each
table <apu2> { 192.168.1.96 }
table <syno> { 192.168.1.12 }

http protocol "www" {
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    tcp { nodelay, socket buffer 65536, backlog 100 }
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    return error
    block
}

http protocol "wwwtls" {
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
    match url log
    match header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match header set "Keep-Alive" value "$TIMEOUT"
    http websockets
    # tag WebSocket handshakes so the Connection header override below can exempt them
    match request header "Connection" value "*Upgrade*" tag "ws"
    tls keypair domain1
    tls keypair domain2
    tcp { nodelay, socket buffer 65536, backlog 100 }
    # this relay terminates TLS, so tell the backend the client's original scheme
    match request header set "X-Forwarded-Proto" value "https"
    # close idle connections by default, but keep the upgrade semantics for tagged WebSocket responses
    match response header set "Connection" value "close"
    match response tagged "ws" header set "Connection" value "keep-alive, Upgrade"
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    return error
    block
}

relay "www" {
    listen on $ext_addr port 80
    protocol "www"
    forward to <apu2> port 80 check tcp
    forward to <syno> port 180 check tcp
}

relay "wwwtls" {
    listen on $ext_addr port 443 tls
    protocol "wwwtls"
    forward to <apu2> port 80 check tcp
    forward to <syno> port 180 check tcp
}
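Two things in these configs are easy to get wrong when you hand-edit relayd.conf and then try to replicate it in a UI: every table a protocol's `pass ... forward to <t>` rule selects must also be a `forward to <t>` target of the relay that uses that protocol, and a protocol that forces `Connection: close` on responses while `http websockets` is enabled needs the tagged override or the upgrade handshake breaks. The following is an added example, not code from the post or from the OPNsense relayd plugin: a small Python lint for the subset of the relayd.conf grammar used above. The embedded configs are constructed for the demo (a trimmed copy of the final config and a deliberately broken variant of it); the parser only understands `table`, `http protocol` and `relay` blocks of this shape.

```python
"""Consistency lint for a relayd.conf of the shape shown in the post.
Added example; understands only the subset of the grammar used there (assumption)."""
import re
from dataclasses import dataclass, field

FORWARD_RE = re.compile(r'forward to <(\w+)>')
BLOCK_RE = re.compile(r'^(http protocol|relay)\s+"([^"]+)"\s*\{$')
TABLE_RE = re.compile(r'^table <(\w+)>')
PROTO_REF_RE = re.compile(r'^protocol "([^"]+)"')
CLOSE_LINE = 'match response header set "Connection" value "close"'


@dataclass
class Block:
    kind: str                      # "http protocol" or "relay"
    name: str
    lines: list = field(default_factory=list)


def parse(conf: str):
    """Return (tables, protocols, relays); protocols/relays are name -> Block."""
    tables, blocks, current = set(), [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := TABLE_RE.match(line):
            tables.add(m.group(1))
        elif m := BLOCK_RE.match(line):
            current = Block(m.group(1), m.group(2))
            blocks.append(current)
        elif line == "}":
            current = None
        elif current is not None:
            current.lines.append(line)
    protos = {b.name: b for b in blocks if b.kind == "http protocol"}
    relays = {b.name: b for b in blocks if b.kind == "relay"}
    return tables, protos, relays


def lint(conf: str) -> list:
    """Return human-readable findings; an empty list means the checks passed."""
    tables, protos, relays = parse(conf)
    findings = []
    for relay in relays.values():
        relay_targets = {m.group(1) for l in relay.lines for m in FORWARD_RE.finditer(l)}
        for t in sorted(relay_targets - tables):
            findings.append(f'relay "{relay.name}" forwards to undefined table <{t}>')
        for pname in (m.group(1) for l in relay.lines if (m := PROTO_REF_RE.match(l))):
            proto = protos.get(pname)
            if proto is None:
                findings.append(f'relay "{relay.name}" uses undefined protocol "{pname}"')
                continue
            # tables chosen by the protocol's pass rules must be forwarded by the relay
            proto_targets = {m.group(1) for l in proto.lines if l.startswith("pass")
                             for m in FORWARD_RE.finditer(l)}
            for t in sorted(proto_targets - relay_targets):
                findings.append(f'protocol "{pname}" selects <{t}> but relay "{relay.name}" '
                                f'has no "forward to <{t}>"')
    for proto in protos.values():
        websockets = "http websockets" in proto.lines
        forces_close = CLOSE_LINE in proto.lines
        has_override = any(l.startswith("match response tagged") and '"Connection"' in l
                           for l in proto.lines)
        if websockets and forces_close and not has_override:
            findings.append(f'protocol "{proto.name}": "Connection: close" on responses breaks '
                            f'WebSocket upgrades; add a tagged override')
    return findings


# Constructed sample: trimmed copy of the final config from the post.
GOOD_CONF = '''
ext_addr = 0.0.0.0
table <apu2> { 192.168.1.96 }
table <syno> { 192.168.1.12 }
http protocol "www" {
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    block
}
http protocol "wwwtls" {
    http websockets
    match request header "Connection" value "*Upgrade*" tag "ws"
    tls keypair domain1
    match response header set "Connection" value "close"
    match response tagged "ws" header set "Connection" value "keep-alive, Upgrade"
    pass request quick header "Host" value "*.domain1" forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
    block
}
relay "www" {
    listen on $ext_addr port 80
    protocol "www"
    forward to <apu2> port 80 check tcp
    forward to <syno> port 180 check tcp
}
relay "wwwtls" {
    listen on $ext_addr port 443 tls
    protocol "wwwtls"
    forward to <apu2> port 80 check tcp
    forward to <syno> port 180 check tcp
}
'''

# Constructed broken variant: drop the WebSocket override and the <syno> target of relay "www".
BAD_CONF = GOOD_CONF.replace(
    '    match response tagged "ws" header set "Connection" value "keep-alive, Upgrade"\n', ''
).replace('    forward to <syno> port 180 check tcp\n', '', 1)

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(conf) or "clean")
```

Run it against a real file with `lint(open("/usr/local/etc/relayd.conf").read())`; the good config produces no findings, the broken one reports the missing `forward to <syno>` in relay "www" and the missing tagged override in protocol "wwwtls".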