Relayd

Page content

another component of OpenBSD is relayd. it’s an integrated Loadbalancer & Proxy Service, like F5, Nginx and Others. But just like other BSD Services, straight, simple and easy to use … wanna see … ?

Setup 4 VM’s, one Loadbalancer and 3 Webserver. The Webserver should server the same content, while the Loadbalancer checks if a Webserver is running and redirects traffic to the host or not.

the configuration on the loadbalancer is simple like that:

create relayd.conf

cat <<'EOF'> /etc/relayd.conf

#
# Loadbalancer IP (VIP)
#
ext_addr="192.168.109.10"

#
# Webserver IP (RIP)
#
web1="192.168.109.11"
web2="192.168.109.12"
web3="192.168.109.13"

#
# Global Options
#
interval 5
timeout 1000
prefork 5

#
# Each table will be mapped to a pf table.
#
table <webhosts> { $web1 $web2 $web3 }

#
# Relayd acts as L7 Proxy, terminates the Session from the Client and create a new Session to the Webserver
#
relay www {

	listen on $ext_addr port 80

	forward to <webhosts> check http "/" code 200
	#forward to <webhosts> mode hash check http "/" code 200
	#forward to <webhosts> mode loadbalance check http "/" code 200

}
EOF

chown root:wheel /etc/relayd.conf
chmod 700 /etc/relayd.conf

enable and start service

rcctl enable relayd
relayd -n && rcctl start relayd

update pf.conf

the PaketFilter also needs to know that a Relayd exists. Just add the following Line (Relayd …) and you’re done.

### DEFAULT SETTINGS ###

set block-policy drop
set limit states 500000
set state-defaults pflow
set skip on { lo0 enc0 }

# Normalize Traffic
match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)

# Block all
block log

# Relayd
anchor "relayd/*"

# Allow all In / Out
pass log quick

Basic Commands

root@puffy310 ~# relayctl show sum
Id  	Type    	Name                    	Avlblty	Status
1   	relay   	www                     	       	active
1   	table   	webhosts:80             	       	empty
1   	host    	192.168.110.11          	15.54% 	down
2   	host    	192.168.109.12          	16.06% 	down
3   	host    	192.168.110.13          	16.58% 	down

this is a basic example with a Webserver running on Port 80. You should enable HTTPS with Let’s encrypt, distribute the Certificate to the Webserver and adapt the Configuration for HTTPS.

sha256: 5976553d2f527ee8810851d220dceee5dd2cd30fd86ca54fe0541db0c2d6f236