Differences

openbsd:net:relayd [2019/12/09 11:38]
jrmu
openbsd:net:relayd [2020/08/12 00:49] (current)
jrmu
Line 1: Line 1:
-Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both git.ircnow.org and bnc3.ircnow.org need relayd to provide TLS acceleration,​ but run on separate ports (6698 and 8080).+Suppose you want to have relayd act as a reverse proxy for two different domains served on separate ports. In this case, suppose both www.ircnow.org and bnc.ircnow.org need relayd to provide TLS acceleration,​ but run on separate ports (1338 and 8080).
  
 +===== HOWTO =====
 +You need to edit ''/​etc/​relayd.conf''​ with the following contents. Alternatively,​ you can copy a sample config file from ''/​etc/​examples/​relayd.conf''​ and adjust it to your needs.
 <​code>​ <​code>​
 ext_addr="​192.168.1.1"​ ext_addr="​192.168.1.1"​
 webhost="​127.0.0.1"​ webhost="​127.0.0.1"​
  
-table <git> { $webhost } +table <www> { $webhost } 
-table <bnc3> { $webhost }+table <bnc> { $webhost }
 http protocol https { http protocol https {
         match request header append "​X-Forwarded-For"​ value "​$REMOTE_ADDR"​         match request header append "​X-Forwarded-For"​ value "​$REMOTE_ADDR"​
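Review bot: the `X-Forwarded-For` rule at the end of this hunk uses `append`, so a value the client already sent is kept and `$REMOTE_ADDR` is added after it; the backends behind `<www>` and `<bnc>` must trust only the last address in that header, or the rule should use `set` instead of `append` so the client-supplied value is replaced. The renamed tables and the intro's "1338 and 8080" now agree with the `forward to` lines further down, which fixes the 6698 vs 6669 mismatch the previous revision had; worth keeping those two places in sync.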
Line 18: Line 20:
 #       tls { no tlsv1.0, ciphers HIGH }  ​ #       tls { no tlsv1.0, ciphers HIGH }  ​
 #       tls no session tickets #       tls no session tickets
-        match request header "​Host"​ value "bnc3.ircnow.org"​ forward to <bnc3+        match request header "​Host"​ value "bnc.ircnow.org"​ forward to <bnc
-        match request header "​Host"​ value "git.ircnow.org"​ forward to <git>+        match request header "​Host"​ value "www.ircnow.org"​ forward to <www>
 } }
  
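Review bot: the two `tls` hardening lines in this hunk stay commented out in both revisions, so the `https` protocol runs with relayd's default TLS settings; if disabling TLSv1.0 and restricting ciphers is intended, uncomment them inside the `http protocol https` block and confirm with `relayd -n`. The `Host` match rules only cover the two configured names, so a request with any other Host header matches neither rule; consider adding a `block` rule for unexpected Host values so such requests are not forwarded to whichever backend relayd picks by default.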
Line 28: Line 30:
  
         # Forward to hosts in the table         # Forward to hosts in the table
-        forward to <bnc3> port 6669 mode loadbalance check icmp +        forward to <bnc> port 1338 mode loadbalance check icmp 
-        forward to <git> port 8080 mode loadbalance check icmp+        forward to <www> port 8080 mode loadbalance check icmp
 }                                    }                                   
 </​code>​ </​code>​
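Review bot: `check icmp` on both `forward to` lines only pings the table host, which is 127.0.0.1 here and always answers, so relayd keeps the backend marked up even when httpd on port 8080 or znc on port 1338 is down. `check tcp` tests the actual port, and `check http "/" code 200` would give a real health check for the `<www>` table.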
Line 36: Line 38:
  
 <​code>​ <​code>​
-# ln -s /etc/ssl/bnc3.ircnow.org.fullchain.pem /​etc/​ssl/​192.168.1.1:​443.crt +# ln -s /etc/ssl/example.com.fullchain.pem /​etc/​ssl/​192.168.1.1:​443.crt 
-# ln -s /​etc/​ssl/​private/​bnc3.ircnow.org.key /​etc/​ssl/​private/​192.168.1.1:​443.key+# ln -s /​etc/​ssl/​private/​example.com.key /​etc/​ssl/​private/​192.168.1.1:​443.key
 # rcctl enable relayd # rcctl enable relayd
 # rcctl start relayd # rcctl start relayd
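Review bot: the symlinks install one certificate and key for the whole `192.168.1.1:443` listener, but that listener serves both www.ircnow.org and bnc.ircnow.org, so the certificate (shown here as the `example.com` placeholder) must carry both names as Subject Alternative Names or clients connecting to the other name get a hostname mismatch. Since the symlinks point at files that get renewed, the page should also say to run `relayctl reload` after a renewal so relayd picks up the new certificate.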
Line 43: Line 45:
  
 **WARNING**:​ Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices! **WARNING**:​ Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for android and iOS devices!
 +
 +**WARNING**:​ Make sure that packet filter is enabled! relayd will not run if pf is disabled.
 +
 +If your httpd is listening on port 443 with TLS, adjust it to another port and without tls. In the prior example where ''<​www>''​ is to be redirected to port 8080, you should have it set to something like ''​listen on 192.168.1.1 port 8080''​ instead, in your ''/​etc/​httpd.conf''​. ​
 +
 +Make sure to also reload/​restart your httpd once you made adjustments. You can alternatively check to ensure your config file does not contain error prior to reloading/​restarting. To do that, you can do,
 +<​code>​
 +# httpd -nf /​etc/​httpd.conf
 +</​code>​
 +
 +===== Troubleshooting =====
 +
 +==== relayd fails to start ====
 +If for whatever reason you fail to start relayd, you can troubleshoot it via making it perform a config test:
 +<​code>​
 +# relayd -n
 +</​code>​
 +If it does not show ''​configuration OK'',​ it will typically indicate which line(s) containing error(s).
 +
 +==== relayd doesn'​t show verbose information ====
 +According to [[https://​man.openbsd.org/​relayd.conf.5|man 5 relayd.conf]],​ you can add in the following close towards the top of your ''/​etc/​relayd.conf'',​
 +<​code>​
 +log connection
 +</​code>​
 +Then reload/​restart your relayd. ​
 +
 +**WARNING**:​ This may produce a verbose output which can dramatically increase the size of your ''/​var/​log/​daemon'',​ especially on busy networks. To avoid this, simply have your ''​syslogd''​ send all relayd messages into its own file. To that, see [[http://​openbsd-archive.7691.n7.nabble.com/​relayd-log-file-td76656.html|here]].
 +
 +In addition to splitting relayd logs to its own file, you may wish to create a new entry in your ''/​etc/​newsyslog.conf''​ to handle log rotation for your relayd.
 +
 +==== common errors ====
 +
 +Make sure httpd is not also listening on port 443
 +Make sure both www.ircnow.org and bnc.ircnow.org have real dns records
 +Make sure nsd is set up properly
 +Make sure znc is listening on port 1338
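Review bot: the httpd example `listen on 192.168.1.1 port 8080` in this hunk does not match the relayd config above, where table `<www>` points at `$webhost`, which is 127.0.0.1; relayd would connect to 127.0.0.1:8080 and be refused. It should be `listen on 127.0.0.1 port 8080`, which also keeps the plaintext backend off the external address so it is reachable only through relayd. Two smaller points: "add in the following close" should read "clause", and the four "common errors" lines are bare text that DokuWiki renders as one paragraph, so each should be prefixed with `  * ` to make a list.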