relayd(8) relay: redirect based on URL paths

relayd(8) relay: redirect based on URL paths

Lyndon Nerenberg (VE6BBM/VE7TFX)
My relayd.conf fu is lame and needs help.  Given the following config:


---8<---8<---

interval 60
timeout 2000

table <webhosts> { w1.example.com w2.example.com w3.example.com }

http protocol https {

        tcp { nodelay, sack }
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
                value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

}

relay web {

        listen on 203.0.113.5 port 443 tls
        protocol https

        forward with tls to <webhosts> port https mode loadbalance \
                check https "/" code 200

}

---8<---8<---

I am trying to figure out how to intercept request paths beginning with "/xy/"
so that I can forward them to a different port in the same server pool.
I.e.:

  https://host.example.com/xy/mumblebarge -> https://<webhosts>:5555/xy/mumblebarge

  https://host.example.com/anything_else  -> https://<webhosts>/anything_else

It seems this should be possible, but I just can't get my head around
relayd.conf(5) :-(

--lyndon


Re: relayd(8) relay: redirect based on URL paths

trondd-2
On Wed, February 22, 2017 9:02 pm, Lyndon Nerenberg wrote:

> My relayd.conf fu is lame and needs help.  Given the following config:
>
>
> ---8<---8<---
>
> interval 60
> timeout 2000
>
> table <webhosts> { w1.example.com w2.example.com w3.example.com }
>
> http protocol https {
>
>         tcp { nodelay, sack }
>         match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>         match request header append "X-Forwarded-By" \
>                 value "$SERVER_ADDR:$SERVER_PORT"
>         match request header set "Connection" value "close"
>
> }
>
> relay web {
>
>         listen on 203.0.113.5 port 443 tls
>         protocol https
>
>         forward with tls to <webhosts> port https mode loadbalance \
>                 check https "/" code 200
>
> }
>
> ---8<---8<---
>
> I am trying to figure out how to intercept request paths beginning with
> "/xy/"
> so that I can forward them to a different port in the same server pool.
> I.e.:
>
>   https://host.example.com/xy/mumblebarge ->
> https://<webhosts>:5555/xy/mumblebarge
>
>   https://host.example.com/anything_else  ->
> https://<webhosts>/anything_else
>
> It seems this should be possible, but I just can't get my head around
> relayd.conf(5) :-(
>
> --lyndon
>

I have an example at work I can dig up tomorrow, but look at the Filter
Rules.  You need bits like: 'pass request path "/xy" forward to
<webhosts-xy>' and probably a catch all 'pass forward to <webhosts>' for
the rest of the traffic.

You need to specify the two forwards to the two tables in your relay
section.  You need two tables since each will go to a different port and
the forward to filter only knows about the table name.
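
The two-table approach described in this reply, applied to the original poster's configuration. This is an added example, not part of any post in the thread: the `<webhosts-xy>` table name and the `pass ... forward to` rules follow the reply, while the `"/xy/*"` glob, the `quick` keyword and the `check tcp` health check on port 5555 are assumptions.

```conf
# Added example (not from the thread): path-based forwarding to a second
# port on the same hosts. Host names and addresses are the poster's.

interval 60
timeout 2000

table <webhosts>    { w1.example.com w2.example.com w3.example.com }
# Same hosts listed again: the port is bound per table by the relay's
# "forward to" line, so a second port needs a second table.
table <webhosts-xy> { w1.example.com w2.example.com w3.example.com }

http protocol https {

        tcp { nodelay, sack }
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
                value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Catch-all for everything that is not under /xy/
        pass forward to <webhosts>
        # Paths beginning with /xy/ go to the second table; "quick"
        # (assumption) stops rule evaluation at this rule when it matches.
        pass request quick path "/xy/*" forward to <webhosts-xy>

}

relay web {

        listen on 203.0.113.5 port 443 tls
        protocol https

        # Each table named in a filter rule needs a forward line here
        forward with tls to <webhosts> port https mode loadbalance \
                check https "/" code 200
        # Health check on 5555 is an assumption; adjust to the service
        forward with tls to <webhosts-xy> port 5555 mode loadbalance \
                check tcp

}
```

The file can be syntax-checked without loading it with `relayd -n -f <file>`.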


Re: relayd(8) relay: redirect based on URL paths

Maxim Bourmistrov-5
In reply to this post by Lyndon Nerenberg (VE6BBM/VE7TFX)
table <webpool> { 192.168.10.31 }
table <rdrpool> { 192.168.10.78 }

http protocol somename {
        tcp { nodelay, sack, backlog 1024 }
        match header set "Proxy" value "filtered"
        match header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$REMOTE_ADDR:$SERVER_PORT"
        match header set "Keep-Alive" value "$TIMEOUT"
        match request header remove "Proxy"

        match request path "/hello*" forward to <rdrpool>
}

relay somerelay {
       listen on 1.2.3.4 port 80
       protocol somename
       forward to <webpool> port 80 mode roundrobin check http "/" code 200
       forward to <rdrpool> port 92 mode roundrobin check tcp
}


Something like this.

But there is a catch with PF in between.
Once a client hits http://whatever.org/hello, a PF state will be created, and
if it then tries to reach the normal http://whatever.org it WILL BE
redirected to the servers housing the /hello part.

One way to solve it is to lower tcp.established towards the internal machines.
In the example above, to <rdrpool>:

pass out on { $INT_IF } proto tcp from self to <rdrpool> port 92 keep state (tcp.established 10)

br
P.S.
In my env. I share a file with tables between pf and relayd, e.g. include
"/etc/pf/tables" in relayd.conf.


> On 23 Feb. 2017 at 03:02, Lyndon Nerenberg <[hidden email]> wrote:
>
> My relayd.conf fu is lame and needs help.  Given the following config:
>
>
> ---8<---8<---
>
> interval 60
> timeout 2000
>
> table <webhosts> { w1.example.com w2.example.com w3.example.com }
>
> http protocol https {
>
>        tcp { nodelay, sack }
>        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>        match request header append "X-Forwarded-By" \
>                value "$SERVER_ADDR:$SERVER_PORT"
>        match request header set "Connection" value "close"
>
> }
>
> relay web {
>
>        listen on 203.0.113.5 port 443 tls
>        protocol https
>
>        forward with tls to <webhosts> port https mode loadbalance \
>                check https "/" code 200
>
> }
>
> ---8<---8<---
>
> I am trying to figure out how to intercept request paths beginning with
> "/xy/"
> so that I can forward them to a different port in the same server pool.
> I.e.:
>
>  https://host.example.com/xy/mumblebarge ->
> https://<webhosts>:5555/xy/mumblebarge
>
>  https://host.example.com/anything_else  ->
> https://<webhosts>/anything_else
>
> It seems this should be possible, but I just can't get my head around
> relayd.conf(5) :-(
>
> --lyndon