Wednesday, 05 January 2011

Relaying or redirecting access to another IP/Port

I have a machine with two network cards: xl0 (192.168.168.168, with its alias 10.10.10.10) and xl1 (222.xx.xx.xx). They serve the internal and external connections, respectively, to a web server named test.fer.com. Every web access from the Internet comes in on xl1 and intranet access on xl0, and the real web server, which runs on another machine (10.10.10.11), serves every request.

For this configuration to work, something on this machine must be listening on the www port. I have used Apache with virtual hosts, and it works fine.

I will try another way, using relayd on OpenBSD 4.7.
relayd is a daemon to relay and dynamically redirect incoming connections to a target host. Its main purposes are to run as a load-balancer, application layer gateway, or transparent proxy.

The daemon is able to monitor groups of hosts for availability, which is determined by checking for a specific service common to a host group. When availability is confirmed, layer 3 and/or layer 7 forwarding services are set up by relayd.

Layer 3 redirection happens at the packet level; to configure it, relayd communicates with pf.
To allow relayd to properly set up pf rules, the following line is required in the filter section of pf.conf:

anchor "relayd/*"

Layer 7 relaying happens at the application level and is handled by relayd itself.
Various application level filtering and protocol-specific-balancing options are available for relays.

Here is an example relayd.conf, the relay daemon configuration file:
#
# Macros
relayd_lokal="10.10.10.10"
relayd_lokal_int="xl0"
relayd_ip="222.xx.xx.xx"
relayd_port="80"
relayd_int="xl1"
mywebserver="10.10.10.11"
serverku_port="80"

# Backend host group. relayd requires tables to be named in angle
# brackets; the name <webhosts> is assumed here and is referenced by
# the redirect below.
table <webhosts> { $mywebserver }

# Global Options
interval 10
timeout 1000
prefork 5

log updates

# Layer 3 redirect for the Internet side: relayd loads the rdr rule
# into the pf anchor "relayd/anchor_name", so pf.conf needs the
# anchor "relayd/*" line shown above.
redirect anchor_name {
	listen on $relayd_ip port $relayd_port interface $relayd_int
	# tag every packet that goes through the rdr rule with RELAYD
	tag RELAYD
	sticky-address
	forward to <webhosts> port $serverku_port mode roundrobin check tcp
}

# Layer 7 relay for the intranet side: relayd terminates the TCP
# connection itself and adds the client and relay addresses as headers.
http protocol "www_service" {
	tcp { nodelay, socket buffer 65536 }
	header append "$REMOTE_ADDR" to "X-Forwarded-For"
	header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
}

relay "www_forwarder" {
	listen on $relayd_lokal port $relayd_port
	protocol "www_service"
	forward to $mywebserver port $serverku_port
}


Remember to put a rule like this in pf.conf, after the anchor line. $ext_if and $mywebserver are pf.conf macros and must be defined there as well, since pf does not see the macros in relayd.conf. The rule matches on the backend address because the rdr rule in the relayd anchor has already rewritten the destination, and tagged RELAYD limits it to connections that went through that redirect:
pass in log on $ext_if inet proto tcp from any to $mywebserver port 80 flags S/SA synproxy state tagged RELAYD

Check both files before reloading them: relayd -n -f /etc/relayd.conf and pfctl -nf /etc/pf.conf only parse the configuration. Once relayd is running, relayctl show summary lists the redirect, the relay, and the result of the tcp check against each host in the table.
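The two access paths in the configuration above look different from the backend on 10.10.10.11. The internal relay terminates the connection and appends the client address it saw to X-Forwarded-For; the external redirect only rewrites the destination address, adds no header, and the backend's TCP peer is the Internet client itself. Because header append keeps whatever X-Forwarded-For the client already sent and adds the relay's value after it, a backend that reads the first entry can be fed a forged address. The Python below is an added example written for this page, not code from the post or from relayd; it assumes the backend sees relay connections arriving from 10.10.10.10 and uses constructed sample connections.

```python
"""Backend-side interpretation of the X-Forwarded-For header that the relayd
"www_service" protocol appends to.

relayd's `header append "$REMOTE_ADDR" to "X-Forwarded-For"` adds the address
the relay saw to the END of whatever the client already sent, so a client can
forge the leading entries but never the last one appended by a trusted relay.
The backend therefore walks the list right-to-left, skipping only hops it
knows to be its own relays. Connections that arrived through the layer 3
redirect carry no relay-added header at all: the TCP peer is the real client,
and any X-Forwarded-For it carries is client-supplied and must be ignored.
"""
import ipaddress

# Relay addresses whose appended X-Forwarded-For entries we trust. This is
# the internal relay listen address from relayd.conf. Assumption: the relay
# connects to 10.10.10.11 from its alias 10.10.10.10.
TRUSTED_RELAYS = frozenset({ipaddress.ip_address("10.10.10.10")})


def client_ip(peer, xff, trusted=TRUSTED_RELAYS):
    """Return the client address the backend should log or authorise.

    peer: the TCP peer address of the connection as the backend sees it.
    xff:  the X-Forwarded-For header value, or None if the header is absent.
    """
    hops = [h.strip() for h in xff.split(",")] if xff else []
    current = ipaddress.ip_address(peer)
    # Each trusted hop vouches only for the entry immediately to its left;
    # a peer that is not a trusted relay gets no say over the header at all.
    while current in trusted and hops:
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            # A trusted relay only ever appends a bare address, so a malformed
            # entry here means the chain is not what it claims to be.
            raise ValueError(
                f"relay {current} vouched for malformed entry {candidate!r}"
            ) from None
    return str(current)


# Constructed sample connections as the backend would see them.
SAMPLES = {
    # Intranet path: the client forged a leading entry, the relay appended
    # the address it actually saw.
    "intranet_forged": ("10.10.10.10", "203.0.113.7, 192.168.168.50"),
    # Intranet path, honest client.
    "intranet_plain": ("10.10.10.10", "192.168.168.50"),
    # Internet path via the layer 3 redirect: no relay in the HTTP path, so
    # the TCP peer is the client and the header is pure forgery.
    "internet_forged": ("198.51.100.23", "10.10.10.10, 192.168.168.1"),
    "internet_plain": ("198.51.100.23", None),
}


def resolve_samples():
    """Map each constructed sample to the client address the backend trusts."""
    return {name: client_ip(peer, xff) for name, (peer, xff) in SAMPLES.items()}


if __name__ == "__main__":
    for name, addr in resolve_samples().items():
        print(f"{name:16} -> {addr}")
```

The rule of thumb this implements is the usual one for proxy-added headers: trust X-Forwarded-For only as far back as the hops you operate, starting from the TCP peer, and never as far as the client-controlled front of the list.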
