IRCNow

Suppose you want relayd to act as a reverse proxy for two different domains whose backends are served on separate ports. In this example, both git.ircnow.org and bnc3.ircnow.org need relayd to provide TLS acceleration, but run on separate ports (6698 and 8080).

ext_addr="192.168.1.1"
webhost="127.0.0.1"

table <git> { $webhost }
table <bnc3> { $webhost }
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Various TCP options
        tcp { sack, backlog 128 }

#       tls { no tlsv1.0, ciphers HIGH }
#       tls no session tickets
        match request header "Host" value "bnc3.ircnow.org" forward to <bnc3>
        match request header "Host" value "git.ircnow.org" forward to <git>
}

relay wwwtls {
        # Run as an SSL/TLS accelerator
        listen on $ext_addr port 443 tls
        protocol https

        # Forward to hosts in the table
        forward to <bnc3> port 6669 mode loadbalance check icmp
        forward to <git> port 8080 mode loadbalance check icmp
}

You'll need corresponding TLS certs, linked under names that match the listen address and port, before enabling and starting relayd:

# ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/192.168.1.1:443.crt
# ln -s /etc/ssl/private/example.com.key /etc/ssl/private/192.168.1.1:443.key
# rcctl enable relayd
# rcctl start relayd
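
An added example, not part of the original page: a POSIX shell check that derives the certificate and key paths implied by each "listen on ... tls" line, and reports tables named in a Host match rule that the relay never forwards to. The sample configuration is constructed; wiki.example.org and <wiki> are hypothetical names included to show a failing case.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# expected_tls_files CONF: print the cert and key path for every TLS listener.
expected_tls_files() {
    awk '
    # Simple macros of the form name="value"
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
        split($0, kv, "="); gsub(/"/, "", kv[2]); macro[kv[1]] = kv[2]; next
    }
    # listen on ADDR port PORT tls
    $1 == "listen" && $2 == "on" && $4 == "port" && $6 == "tls" {
        addr = $3
        if (substr(addr, 1, 1) == "$") addr = macro[substr(addr, 2)]
        printf "/etc/ssl/%s:%s.crt\n", addr, $5
        printf "/etc/ssl/private/%s:%s.key\n", addr, $5
    }' "$1"
}

# unrouted_tables CONF: print tables used by a match rule in the protocol
# block that have no "forward to <table> port N" line in the relay.
unrouted_tables() {
    awk '
    $1 == "match" && /forward to </ { want[$NF] = 1 }
    $1 == "forward" && $2 == "to" && $4 == "port" { have[$3] = 1 }
    END { for (t in want) if (!(t in have)) print t }' "$1"
}

# Constructed sample: the page config plus one rule that the relay lacks.
sample_conf() {
    cat <<'EOF'
ext_addr="192.168.1.1"
http protocol https {
        match request header "Host" value "bnc3.ircnow.org" forward to <bnc3>
        match request header "Host" value "git.ircnow.org" forward to <git>
        match request header "Host" value "wiki.example.org" forward to <wiki>
}
relay wwwtls {
        listen on $ext_addr port 443 tls
        protocol https
        forward to <bnc3> port 6669 mode loadbalance check icmp
        forward to <git> port 8080 mode loadbalance check icmp
}
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
echo "files relayd will look for:"; expected_tls_files "$conf"
echo "matched but not forwarded by the relay:"; unrouted_tables "$conf"
rm -f "$conf"
```

Point the two functions at your real configuration file instead of the sample, then confirm each printed path exists before starting relayd.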

WARNING: Do not have httpd listen on port 443, or else the reverse proxy will fail to forward based on hostname for Android and iOS devices!