OpenBSD-4.6/usr.sbin/relayd/relayd.conf.5

.\"	$OpenBSD: relayd.conf.5,v 1.107 2009/06/02 20:22:30 jmc Exp $
.\"
.\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: June 2 2009 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
.Nm relayd.conf
.Nd relay daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the relay daemon,
.Xr relayd 8 .
.Sh SECTIONS
.Nm
is divided into six main sections:
.Bl -tag -width xxxx
.It Sy Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global settings for
.Xr relayd 8 .
Do note that the config file allows global settings to be added after
defining tables in the config file, but those tables will use the
built-in defaults instead of the global settings below them.
.It Sy Tables
Table definitions describe a list of hosts,
in a similar fashion to
.Xr pf 4
tables.
They are used for relay and redirection target selection with the
described options and health checking on the host they contain.
.It Sy Redirections
Redirections are translated to
.Xr pf 4
rdr rules for stateful forwarding to a target host from a
health-checked table on layer 3.
.It Sy Relays
Relays allow application layer load balancing, SSL acceleration, and
general purpose TCP proxying on layer 7.
.It Sy Protocols
Protocols are predefined protocol handlers and settings for relays.
.El
.Pp
Within the sections,
a host
.Ar address
can be specified by IPv4 address, IPv6 address, or DNS hostname.
A
.Ar port
can be specified by number or name.
The port name to number mappings are found in the file
.Pa /etc/services ;
see
.Xr services 5
for details.
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/relayd.conf.local"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, and may contain letters, digits,
and underscores.
Macro names may not be reserved words (for example,
.Ic table ,
.Ic relay ,
or
.Ic timeout ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
www1="10.0.0.1"
www2="10.0.0.2"
table \*(Ltwebhosts\*(Gt {
	$www1
	$www2
}
.Ed
.Sh GLOBAL CONFIGURATION
Here are the settings that can be set globally:
.Bl -tag -width Ds
.It Ic demote Ar group
Enable the global
.Xr carp 4
demotion option, resetting the carp demotion counter for the
specified interface group to zero on startup and to 128 on shutdown of
the daemon.
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Ic interval Ar number
Set the interval in seconds at which the hosts will be checked.
The default interval is 10 seconds.
.It Xo
.Ic log
.Pq Ic updates Ns \&| Ns Ic all
.Xc
Log state notifications after completed host checks.
Either only log the
.Ic updates
to new states or log
.Ic all
state notifications, even if the state didn't change.
The host state can be
.Ar up
(the health check completed successfully),
.Ar down
(the host is down or didn't match the check criteria),
or
.Ar unknown
(the host is disabled or has not been checked yet).
.It Ic prefork Ar number
When using relays, run the specified number of processes to handle
relayed connections.
This increases the performance and prevents delays when connecting
to a relay.
.Xr relayd 8
runs 5 relay processes by default and every process will handle
all configured relays.
.It Ic send trap
Send an SNMP trap when the state of a host changes.
.Xr relayd 8
will try to connect to
.Xr snmpd 8
and request it send a trap to the registered trap receivers;
see
.Xr snmpd.conf 5
for more information about the configuration.
.It Ic timeout Ar number
Set the global timeout in milliseconds for checks.
This can be overridden by the timeout value in the table definitions.
The default interval is 200 milliseconds and it must not exceed the
global interval.
Please note that the default value is optimized for checks within the
same collision domain \(en use a higher timeout, such as 1000 milliseconds,
for checks of hosts in other subnets.
If this option is to be set, it should be placed before overrides in tables.
.El
.Sh TABLES
Tables are used to group a set of hosts as the target for redirections
or relays; they will be mapped to a
.Xr pf 4
table for redirections.
Tables may be defined with the following attribute:
.Bl -tag -width disable
.It Ic disable
Start the table disabled \(en no hosts will be checked in this table.
The table can be later enabled through
.Xr relayctl 8 .
.Pp
.El
Each table must contain at least one host;
multiple hosts are separated by newline, comma, or whitespace.
Host entries may be defined with the following attributes:
.Bl -tag -width retry
.It Ic retry Ar number
The optional retry option adds a tolerance for failed host checks;
the check will be retried for
.Ar number
more times before setting the host state to down.
If this table is used by a relay, it will also specify the number of
retries for outgoing connection attempts.
.It Ic parent Ar number
The optional parent option inherits the state from a parent
host with the specified identifier.
The check will be skipped for this host and copied from the parent host.
This can be used to prevent multiple checks on hosts with multiple IP
addresses for the same service.
The host identifiers are sequentially assigned to the configured hosts
starting with 1; it can be shown with the
.Xr relayctl 8
.Ic show summary
commands.
.El
.Pp
For example:
.Bd -literal -offset indent
table \*(Ltservice\*(Gt { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
table \*(Ltfallback\*(Gt disable { 10.1.5.1 retry 2 }

redirect "www" {
	listen on www.example.com port 80
	forward to \*(Ltservice\*(Gt check http "/" code 200
	forward to \*(Ltfallback\*(Gt check http "/" code 200
}
.Ed
.Pp
Tables are used by
.Ic forward to
directives in redirections or relays with a set of general options,
health-checking rules, and timings;
see the
.Sx REDIRECTIONS
and
.Sx RELAYS
sections for more information about the forward context.
Table specific configuration directives are described below.
Multiple options can be appended to
.Ic forward to
directives, separated by whitespaces.
.Pp
The following options will configure the health-checking method for
the table, and is mandatory for redirections:
.Bl -tag -width Ds
.It Xo
.Ic check http Ar path
.Op Ic host Ar hostname
.Ic code Ar number
.Xc
For each host in the table, verify that retrieving the URL
.Ar path
gives the HTTP return code
.Ar number .
If
.Ar hostname
is specified, it is used as the
.Dq Host:
header to query a specific hostname at the target host.
To validate the HTTP return code, use this shell command:
.Bd -literal -offset indent
$ echo -n "HEAD <path> HTTP/1.0\er\en\er\en" | \e
	nc <host> <port> | head -n1
.Ed
.Pp
This prints the status header including the actual return code:
.Bd -literal -offset indent
HTTP/1.1 200 OK
.Ed
.It Xo
.Ic check https Ar path
.Op Ic host Ar hostname
.Ic code Ar number
.Xc
This has the same effect as above but wraps the HTTP request in SSL.
.It Xo
.Ic check http Ar path
.Op Ic host Ar hostname
.Ic digest Ar string
.Xc
For each host in the table, verify that retrieving the URL
.Ar path
produces non-binary content whose message digest matches the defined string.
The algorithm used is determined by the string length of the
.Ar digest
argument, either SHA1 (40 characters) or MD5 (32 characters).
If
.Ar hostname
is specified, it is used as the
.Dq Host:
header to query a specific hostname at the target host.
The digest does not take the HTTP headers into account.
Do not specify a binary object (such as a graphic) as the target of the
request, as
.Nm
expects the data returned to be a string.
To compute the digest, use this simple command:
.Bd -literal -offset indent
$ ftp -o - http://host[:port]/path | sha1
.Ed
.Pp
This gives a digest that can be used as-is in a digest statement:
.Bd -literal -offset indent
a9993e36476816aba3e25717850c26c9cd0d89d
.Ed
.It Xo
.Ic check https Ar path
.Op Ic host Ar hostname
.Ic digest Ar string
.Xc
This has the same effect as above but wraps the HTTP request in SSL.
.It Ic check icmp
Ping hosts in this table to determine whether they are up or not.
This method will automatically use ICMP or ICMPV6 depending on the
address family of each host.
.It Ic check script Ar path
Execute an external program to check the host state.
The program will be executed for each host by specifying the hostname
on the command line:
.Bd -literal -offset indent
/usr/local/bin/checkload.pl front-www1.private.example.com
.Ed
.Pp
.Xr relayd 8
expects a positive return value on success and zero on failure.
Note that the script will be executed with the privileges of the
.Qq _relayd
user and terminated after
.Ar timeout
milliseconds.
.It Xo
.Ic check send
.Ar data
.Ic expect
.Ar pattern
.Op Ic ssl
.Xc
For each host in the table, a TCP connection is established on the
port specified, then
.Ar data
is sent.
Incoming data is then read and is expected to match against
.Ar pattern
using shell globbing rules.
If
.Ar data
is an empty string or
.Ic nothing
then nothing is sent on the connection and data is immediately
read.
This can be useful with protocols that output a banner like
SMTP, NNTP, and FTP.
If the
.Ic ssl
keyword is present,
the transaction will occur in an SSL tunnel.
.It Ic check ssl
Perform a complete SSL handshake with each host to check their availability.
.It Ic check tcp
Use a simple TCP connect to check that hosts are up.
.El
.Pp
The following general table options are available:
.Bl -tag -width Ds
.It Ic demote Ar group
Enable the per-table
.Xr carp 4
demotion option.
This will increment the carp demotion counter for the
specified interface group if all hosts in the table are down.
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Ic interval Ar number
Override the global interval and specify one for this table.
It must be a multiple of the global interval.
.It Ic timeout Ar number
Set the timeout in milliseconds for each host that is checked using
TCP as the transport.
This will override the global timeout, which is 200 milliseconds by default.
.El
.Pp
The following options will set the scheduling algorithm to select a
host from the specified table:
.Bl -tag -width Ds
.It Ic mode hash
Balances the outgoing connections across the active hosts based on the
hashed name of the table.
Additional input can be fed into the hash by looking at HTTP
headers and GET variables; see the
.Sx PROTOCOLS
section below.
This mode is only supported by relays.
.It Ic mode loadbalance
Balances the outgoing connections across the active hosts based on the
hashed name of the table, the source and destination addresses,
and the corresponding ports.
This mode is only supported by relays.
.It Ic mode roundrobin
Distributes the outgoing connections using a round-robin scheduler
through all active hosts.
This is the default mode and will be used if no option has been specified.
This mode is supported by redirections and relays.
.El
.Sh REDIRECTIONS
Redirections represent a
.Xr pf 4
rdr rule.
They are used for stateful redirections to the hosts in the specified
tables.
.Xr pf 4
rewrites the target IP addresses and ports of the incoming
connections, operating on layer 3.
The configuration directives that are valid in the
.Ic redirect
context are described below:
.Bl -tag -width Ds
.It Ic disable
The redirection is initially disabled.
It can be later enabled through
.Xr relayctl 8 .
.It Xo
.Ic forward to
.Aq Ar table
.Op Ic port Ar number
.Ar options ...
.Xc
Specify the tables of target hosts to be used; see the
.Sx TABLES
section above for information about table options.
If the
.Ic port
option is not specified, the first port from the
.Ic listen on
directive will be used.
This directive can be specified twice \(en the second entry will be used
as the backup table if all hosts in the main table are down.
At least one entry for the main table is mandatory.
.It Xo
.Ic listen on Ar address
.Op ip-proto
.Ic port Ar port
.Op Ic interface Ar name
.Xc
Specify an
.Ar address
and a
.Ar port
to listen on.
.Xr pf 4
will redirect incoming connections for the specified target to the
hosts in the main or backup table.
The
.Ar port
argument can optionally specify a port range instead of a single port;
the format is
.Ar min-port : Ns Ar max-port .
The optional argument
.Ar ip-proto
can be used to specify an IP protocol like
.Ar tcp
or
.Ar udp ;
it defaults to
.Ar tcp .
The rdr rule can be optionally restricted to a given interface name.
.It Xo
.Ic route to
.Aq Ar table
.Op Ic port Ar number
.Ar options ...
.Xc
Like the
.Ic forward to
directive, but directly routes the packets to the target host without
modifying the target address.
This can be used for
.Dq direct server return
to force the target host to respond via a different gateway.
Note that hosts have to accept sessions for the same address as
the gateway, which is typically done by configuring a loopback
interface on the host with this address.
.It Ic session timeout Ar seconds
Specify the inactivity timeout in seconds for established redirections.
The default timeout is 600 seconds (10 minutes).
.It Ic sticky-address
This has the same effect as specifying sticky-address
for an rdr rule in
.Xr pf.conf 5 .
It will ensure that multiple connections from the same source are
mapped to the same redirection address.
.It Ic tag Ar name
Automatically tag packets passing through the
.Xr pf 4
rdr rule with the name supplied.
This allows simpler filter rules.
.El
.Sh RELAYS
Relays will forward traffic between a client and a target server.
In contrast to redirections and IP forwarding in the network stack, a
relay will accept incoming connections from remote clients as a
server, open an outgoing connection to a target host, and forward
any traffic between the target host and the remote client,
operating on layer 7.
A relay is also called an application layer gateway or layer 7 proxy.
.Pp
The main purpose of a relay is to provide advanced load balancing
functionality based on specified protocol characteristics, such as
HTTP headers, to provide SSL acceleration and to allow
basic handling of the underlying application protocol.
.Pp
The
.Ic relay
configuration directives are described below:
.Bl -tag -width Ds
.It Ic disable
Start the relay but immediately close any accepted connections.
.It Xo
.Op Ic transparent
.Ic forward
.Op Ic with ssl
.Ic to
.Ar address
.Op Ic port Ar port
.Ar options ...
.Xc
Specify the address and port of the target host to connect to.
If the
.Ic port
option is not specified, the port from the
.Ic listen on
directive will be used.
Use the
.Ic transparent
keyword to enable fully-transparent mode; the source address of the
client will be retained in this case.
.Pp
The
.Ic with ssl
directive enables client-side SSL mode to connect to the remote host.
Verification of server certificates can be enabled by setting the
.Ic ca file
option in the protocol section.
.Pp
The following options may be specified for forward directives:
.Pp
.Bl -tag -width Ds
.It Ic retry Ar number
The optional host
.Ic retry
option will be used as a tolerance for failed
host connections; the connection will be retried for
.Ar number
more times.
.It Ic inet
If the requested destination is an IPv6 address,
.Xr relayd 8
will forward the connection to an IPv4 address which is determined by
the last 4 octets of the original IPv6 destination.
For example, if the original IPv6 destination address is
2001:db8:7395:ffff::a01:101, the session is relayed to the IPv4
address 10.1.1.1 (a01:101).
.It Ic inet6 Ar address-prefix
If the requested destination is an IPv4 address,
.Xr relayd 8
will forward the connection to an IPv6 address which is determined by
setting the last 4 octets of the specified IPv6
.Ar address-prefix
to the 4 octets of the original IPv4 destination.
For example, if the original IPv4 destination address is 10.1.1.1 and
the specified address prefix is 2001:db8:7395:ffff::, the session is
relayed to the IPv6 address 2001:db8:7395:ffff::a01:101.
.El
.It Xo
.Ic forward to
.Aq Ar table
.Op Ic port Ar port
.Ar options ...
.Xc
Like the previous directive, but connect to a host from the specified
table; see the
.Sx TABLES
section above for information about table options.
.It Xo
.Ic forward to
.Ic nat lookup
.Ar options ...
.Xc
When redirecting connections with an
.Ar rdr
rule in
.Xr pf.conf 5
to a relay listening on localhost, this directive will
look up the real destination address of the intended target host,
allowing the relay to be run as a transparent proxy.
If an additional
.Ic forward to
directive to a specified address or table is present,
it will be used as a backup if the NAT lookup failed.
.It Xo
.Ic listen on Ar address
.Op Ic port Ar port
.Op Ic ssl
.Xc
Specify the address and port for the relay to listen on.
The relay will accept incoming connections to the specified address.
If the
.Ic port
option is not specified, the port from the
.Ic listen on
directive will be used.
.Pp
If the
.Ic ssl
keyword is present, the relay will accept connections using the
encrypted SSL protocol.
The relay will look up a private key in
.Pa /etc/ssl/private/address.key
and a public certificate in
.Pa /etc/ssl/address.crt ,
where
.Ar address
is the specified IP address of the relay to listen on.
See
.Xr ssl 8
for details about SSL server certificates.
.It Ic protocol Ar name
Use the specified protocol definition for the relay.
The generic TCP protocol options will be used by default;
see the
.Sx PROTOCOLS
section below.
.It Ic session timeout Ar seconds
Specify the inactivity timeout in seconds for accepted sessions.
The default timeout is 600 seconds (10 minutes).
.El
.Sh PROTOCOLS
Protocols are templates defining actions and settings for relays.
They allow setting generic TCP options, SSL settings, and actions
specific to the selected application layer protocol.
.Pp
The protocol directive is available for a number of different
application layer protocols.
There is no generic handler for UDP-based protocols because it is a
stateless datagram-based protocol which has to look into the
application layer protocol to find any possible state information.
.Bl -tag -width Ds
.It Ic dns protocol
(UDP)
Domain Name System (DNS) protocol.
The requested IDs in the DNS header will be used to match the state.
.Xr relayd 8
replaces these IDs with random values to compensate for
predictable values generated by some hosts.
.It Ic http protocol
Handle the Hypertext Transfer Protocol
(HTTP, or "HTTPS" if encapsulated in an SSL tunnel).
.It Xo
.Op Ic tcp
.Ic protocol
.Xc
Generic handler for TCP-based protocols.
This is the default.
.El
.Pp
The available configuration directives are described below:
.Bl -tag -width Ds
.It Xo
.Op Ar direction
.Op Ar type
.Ar action
.Op Ic marked Ar id
.Op Ic log
.Xc
Define an action for the selected entity.
The optional
.Ic log
keyword will log the entity name and the value and
the optional
.Ic marked
keyword requires that the session has been marked with a given
identifier in order to execute the action.
The actions are dependent on the underlying application
.Ic protocol .
.El
.Pp
.Bq Ar direction
may be one of:
.Bl -tag -width Ds
.It Ic request
Handle the data stream from the client to the relay, like HTTP
requests.
This is the default if the
.Ar direction
directive is omitted.
.It Ic response
Handle the data stream from the target host to the relay, like
HTTP server replies.
.El
.Pp
.Bq Ar type
may be one of:
.Bl -tag -width Ds
.It Ic cookie
Look up the entity as a value in the Cookie header when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request .
.It Ic header
Look up the entity in the application protocol headers, like HTTP
headers in
.Ic http
mode.
.It Ic path
Look up the entity as a value in the URL path when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request .
The
.Ar key
will match the path of the requested URL without the hostname
and query and the value will match the complete query,
for example:
.Bd -literal -offset indent
request path filter "/index.html"
request path filter "foo=bar*" from "/cgi-bin/t.cgi"
.Ed
.It Ic query
Look up the entity as a query variable in the URL when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request ,
for example:
.Bd -literal -offset indent
# Will match /cgi-bin/example.pl?foo=bar&ok=yes
request query expect "bar" from "foo"
.Ed
.It Ic url
Look up the entity as a URL suffix/prefix expression consisting of a
canonicalized hostname without port or suffix and a path name or
prefix when using the
.Ic http
protocol.
This type is only available with the direction
.Ic request ,
for example:
.Bd -literal -offset indent
request url filter "example.com/index.html"
request url filter "example.com/test.cgi?val=1"
.Ed
.Pp
.Xr relayd 8
will match the full URL and different possible suffix/prefix
combinations by stripping subdomains and path components (up to 5
levels), and the query string.
For example, the following
lookups will be done for
.Ar http://www.example.com:81/1/2/3/4/5.html?query=yes :
.Bd -literal -offset indent
www.example.com/1/2/3/4/5.html?query=yes
www.example.com/1/2/3/4/5.html
www.example.com/
www.example.com/1/
www.example.com/1/2/
www.example.com/1/2/3/
example.com/1/2/3/4/5.html?query=yes
example.com/1/2/3/4/5.html
example.com/
example.com/1/
example.com/1/2/
example.com/1/2/3/
.Ed
.El
.Pp
.Bq Ar action
may be one of:
.Bl -tag -width Ds
.It Ic append Ar value Ic to Ar key
Append the specified value to a protocol entity with the selected name.
When using the
.Ic http
protocol,
.Ic key
will indicate a specified HTTP header.
If
.Ar key
does not exist in the request, it will be created with the value
set to
.Ar value .
.Pp
The
.Ar value
string
may contain predefined macros that will be expanded at runtime:
.Pp
.Bl -tag -width $SERVER_ADDR -offset indent -compact
.It Ic $REMOTE_ADDR
The IP address of the connected client.
.It Ic $REMOTE_PORT
The TCP source port of the connected client.
.It Ic $SERVER_ADDR
The configured IP address of the relay.
.It Ic $SERVER_PORT
The configured TCP server port of the relay.
.It Ic $SERVER_NAME
The server software name of
.Xr relayd 8 .
.It Ic $TIMEOUT
The configured session timeout of the relay.
.El
.It Ic change Ar key Ic to Ar value
Like the
.Ic append
directive above, but change the contents of the specified entity.
If
.Ar key
does not exist in the request, it will be created with the value
set to
.Ar value .
.Pp
The
.Ar value
string
may contain predefined macros that will be expanded at runtime,
as detailed for the
.Ic append
directive above.
.It Ic expect Ar value Ic from Ar key
Expect an entity
.Ar key
and match against
.Ar value
using shell globbing rules.
If the entity is not present or the value doesn't match, the connection
will be dropped.
.It Xo
.Ic expect
.Op Ic digest
.Ar key
.Xc
Expect an entity
.Ar key
with any possible value.
This is the short form of
.Ic expect Ar * Ic from Ar key .
.Pp
If the
.Ic digest
keyword is specified,
compare the message digest of the entity against the defined string.
The algorithm used is determined by the string length of the
.Ar key
argument, either SHA1 (40 characters) or MD5 (32 characters).
To compute the digest, use this simple command:
.Bd -literal -offset indent
$ echo -n "example.com/path/?args" | sha1
.Ed
.It Ic expect file Ar path
Like the directive above, but load the non-digest keys from an
external file with the specified
.Ar path
containing one key per line.
Lines will be stripped at the first whitespace or newline character.
Any empty lines or lines beginning with a hash mark
.Pq Sq #
will be ignored.
.It Ic filter Ar value Ic from Ar key
Like the
.Ic expect Ar .. Ic from
directive above, but drop any connections with the specified entity
.Ar key
and a matching
.Ar value .
.It Xo
.Ic filter
.Op Ic digest
.Ar key
.Xc
Like the
.Ic expect
directive above, but drop any connections with the specified entity
.Ar key
and any possible value.
This is the short form of
.Ic filter Ar * Ic from Ar key .
.It Ic filter file Ar path
Like the directive above, but load the non-digest keys from
.Ar path .
See
.Ic expect file Ar path
for more information.
.It Ic hash Ar key
Feed the value of the selected entity into the load balancing hash to
select the target host.
See the
.Ic table
keyword in the
.Sx RELAYS
section above.
.It Ic log Ar key
Log the name and the value of the entity.
.It Ic log file Ar path
Like the directive above, but load the keys from
.Ar path .
See
.Ic expect file Ar path
for more information.
.It Xo
.Ic mark
.Op Ar value Ic from
.Ar key Ic with Ar id
.Xc
Mark the session with the specified identifier (a positive number
between 1 and 65535) if the specified condition matches.
Note that the
.Ic mark
action does not accept the
.Ic marked
option (see above).
.It Ic label Ar string
Add a label to subsequently added actions.
The label will be printed as part of the error message if the
.Ic return error
option is set and may contain HTML tags, for example:
.Bd -literal -offset indent
label "\*(Lta href='http://example.com/advisory.pl?id=7359'\*(Gt\e
	Advisory provided by example.com\*(Lt/a\*(Gt"
url filter digest 5c1e03f58f8ce0b457474ffb371fd1ef
url filter digest 80c1a7b8337462093ef8359c57b4d56a
no label
.Ed
.It Ic no label
Do not set a label for subsequently added actions; this is the default.
.It Ic remove Ar key
Remove the entity with the selected name.
.It Ic remove file Ar path
Like the directive above, but load the keys from
.Ar path .
See
.Ic expect file Ar path
for more information.
.It Ic return error Op Ar option
Return an error response to the client if an internal operation or the
forward connection to the client failed.
By default, the connection will be silently dropped.
The effect of this option depends on the protocol: HTTP will send an
error header and page to the client before closing the connection.
Additional valid options are:
.Bl -tag -width Ds
.It Ic style Ar string
Specify a Cascading Style Sheet (CSS) to be used for the returned
HTTP error pages, for example:
.Bd -literal -offset indent
body { background: #a00000; color: white; }
.Ed
.El
.It Ic ssl Ar option
Set the SSL options and session settings.
This is only used if SSL is enabled in the relay.
Valid options are:
.Bl -tag -width Ds
.It Ic ca file Ar path
This option enables CA verification in SSL client mode.
The daemon will load the CA (Certificate Authority) certificates from
the specified path to verify the server certificates.
.Ox
provides a default CA bundle in
.Pa /etc/ssl/cert.pem .
.It Ic ciphers Ar string
Set the string defining the SSL cipher suite.
If not specified, the default value
.Ar HIGH:!ADH
will be used (strong crypto cipher suites without anonymous DH).
See the
.Sx CIPHERS
section of
.Xr openssl 1
for information about SSL cipher suites and preference lists.
.It Ic session cache Ar value
Set the maximum size of the SSL session cache.
If the
.Ar value
is zero, the default size defined by the SSL library will be used.
A positive number will set the maximum size in bytes and the keyword
.Ic disable
will disable the SSL session cache.
.It Xo
.Op Ic no
.Ic sslv2
.Xc
Enable the SSLv2 protocol;
disabled by default.
.It Xo
.Op Ic no
.Ic sslv3
.Xc
Disable the SSLv3 protocol;
enabled by default.
.It Xo
.Op Ic no
.Ic tlsv1
.Xc
Disable the TLSv1/SSLv3.1 protocol;
enabled by default.
.El
.It Ic tcp Ar option
Enable or disable the specified TCP/IP options; see
.Xr tcp 4
and
.Xr ip 4
for more information about the options.
Valid options are:
.Bl -tag -width Ds
.It Ic backlog Ar number
Set the maximum length the queue of pending connections may grow to.
The backlog option is 10 by default and is limited by the
.Ic kern.somaxconn
.Xr sysctl 8
variable.
.It Ic ip minttl Ar number
This option for the underlying IP connection may be used to discard packets
with a TTL lower than the specified value.
This can be used to implement the
.Ar Generalized TTL Security Mechanism (GTSM)
according to RFC 3682.
.It Ic ip ttl
Change the default time-to-live value in the IP headers.
.It Xo
.Op Ic no
.Ic nodelay
.Xc
Enable the TCP NODELAY option for this connection.
This is recommended to avoid delays in the relayed data stream,
e.g. for SSH connections.
.It Xo
.Op Ic no
.Ic sack
.Xc
Use selective acknowledgements for this connection.
.It Ic socket buffer Ar number
Set the socket-level buffer size for input and output for this
connection.
This will affect the TCP window size.
.El
.El
.Sh FILES
.Bl -tag -width "/etc/ssl/private/address.keyXX" -compact
.It Pa /etc/relayd.conf
.Xr relayd 8
configuration file.
.Pp
.It Pa /etc/services
Service name database.
.Pp
.It Pa /etc/ssl/address.crt
.It Pa /etc/ssl/private/address.key
Location of the relay SSL server certificates, where
.Ar address
is the configured IP address of the relay.
.It Pa /etc/ssl/cert.pem
Default location of the CA bundle that can be used with
.Xr relayd 8 .
.El
.Sh EXAMPLES
This configuration file would create a redirection service
.Dq www
which load balances four hosts
and falls back to one host containing a
.Dq sorry page :
.Bd -literal -offset indent
www1=front-www1.private.example.com
www2=front-www2.private.example.com
www3=front-www3.private.example.com
www4=front-www4.private.example.com

interval 5

table \*(Ltphphosts\*(Gt { $www1, $www2, $www3, $www4 }
table \*(Ltsorryhost\*(Gt disable { sorryhost.private.example.com }

redirect "www" {
	listen on www.example.com port 8080 interface trunk0
	listen on www6.example.com port 80 interface trunk0

	tag REDIRECTED

	forward to \*(Ltphphosts\*(Gt port 8080 timeout 300 \e
		check http "/" digest "630aa3c2f..."
	forward to \*(Ltsorryhost\*(Gt port 8080 timeout 300 check icmp
}
.Ed
.Pp
It is possible to specify multiple listen directives with different IP
protocols in a single redirection configuration:
.Bd -literal -offset indent
redirect "dns" {
	listen on dns.example.com tcp port 53
	listen on dns.example.com udp port 53

	forward to \*(Ltdnshosts\*(Gt port 53 check tcp
}
.Ed
.Pp
The following configuration would add a relay to forward
secure HTTPS connections to a pool of HTTP webservers
using the
.Ic loadbalance
mode (SSL acceleration and layer 7 load balancing).
The HTTP protocol definition will add two HTTP headers containing
address information of the client and the server, set the
.Dq Keep-Alive
header value to the configured session timeout,
and include the
.Dq sessid
variable in the hash to calculate the target host:
.Bd -literal -offset indent
http protocol "http_ssl" {
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
	header change "Keep-Alive" to "$TIMEOUT"
	query hash "sessid"
	cookie hash "sessid"
	path filter "*command=*" from "/cgi-bin/index.cgi"

	ssl { sslv2, ciphers "MEDIUM:HIGH" }
}

relay "sslaccel" {
	listen on www.example.com port 443 ssl
	protocol "http_ssl"
	forward to \*(Ltphphosts\*(Gt port 8080 mode loadbalance check tcp
}
.Ed
.Pp
The second relay example will accept incoming connections to port
2222 and forward them to a remote SSH server.
The TCP
.Ic nodelay
option will allow a
.Dq smooth
SSH session without delays between keystrokes or displayed output on
the terminal:
.Bd -literal -offset indent
protocol "myssh" {
        tcp { nodelay, socket buffer 65536 }
}

relay "sshforward" {
        listen on www.example.com port 2222
	protocol "myssh"
	forward to shell.example.com port 22
}
.Ed
.Sh SEE ALSO
.Xr relayctl 8 ,
.Xr relayd 8 ,
.Xr snmpd 8 ,
.Xr ssl 8
.Sh HISTORY
The
.Nm
file format, formerly known as
.Ic hoststated.conf ,
first appeared in
.Ox 4.1 .
It was renamed to
.Nm
in
.Ox 4.3 .
.Sh AUTHORS
.An -nosplit
The
.Xr relayd 8
program was written by
.An Pierre-Yves Ritschard Aq pyr@openbsd.org
and
.An Reyk Floeter Aq reyk@openbsd.org .
.Sh CAVEATS
.Xr relayd 8
Verification of SSL server certificates is based on a static CA bundle
and
.Xr relayd 8
currently does not support CRLs (Certificate Revocation Lists).