I found a partial solution to my problem.
With the following configuration, the source client IP is correctly printed by a
php script (getip.php), but not in httpd logs.

Does anyone have an example with "transparent forward", please?

relayd.conf : 

        # Plain-HTTP protocol definition, used by relay "www" below.
        http protocol "http" {
                # Socket tuning for the client- and backend-side connections.
                tcp { nodelay, sack, socket buffer 65536, backlog 100 }
                # Shared header rewriting rules (X-Forwarded-For etc.) live in a separate file.
                include "/etc/relayd.proxy.conf"
                # Default action: relay every request that no rule blocks.
                pass
        }

        # TLS-terminating variant of the same protocol, used by relay "wwwtls" below.
        http protocol "https" {
                tcp { nodelay, sack, socket buffer 65536, backlog 100 }
                include "/etc/relayd.proxy.conf"
                # relayd chooses the cipher order and refuses TLS 1.0 from clients.
                # Nothing here says anything about TLS 1.1; whether it stays enabled
                # depends on the release default — TODO confirm.
                tls { \
                        cipher-server-preference,\
                        no tlsv1.0\
                }
                pass

        }
        # Receives the connections pf diverts to 127.0.0.1:8080 (see pf.conf) and
        # relays them to the address the client originally dialled, i.e. httpd's
        # port 80 listener. httpd therefore sees 127.0.0.1 as the peer.
        relay "www" {
                listen on 127.0.0.1 port 8080
                protocol "http"
                # "destination" is the original destination recorded by divert-to.
                forward to destination
        }

        # TLS counterpart: terminates the client's TLS on 8443 and re-encrypts
        # towards the original destination, httpd's port 443 listener. relayd
        # needs its own keypair for this listener; it is not shown here (see
        # relayd.conf(5) for where it is looked up).
        relay "wwwtls" {
                listen on 127.0.0.1 port 8443 tls
                protocol "https"
                forward with tls to destination
        }

/etc/relayd.proxy.conf: 

        # Shared proxy rules, included by both http protocol definitions in relayd.conf.
        # Send an HTTP error page to the client on proxy-side failures instead of
        # silently dropping the connection.
        return error
        # "set" replaces any header of the same name the client sent, so the backend
        # never sees a client-supplied X-Forwarded-For. Only this header should be
        # trusted by backends for the client address: Client-IP / X-Real-IP are
        # neither set nor removed here and so remain client-controlled.
        match header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match header set "Keep-Alive" value "$TIMEOUT"
        # NOTE(review): query hashing selects among table backends; with
        # "forward to destination" in relayd.conf it presumably has no effect.
        match query hash "sessid"

        # Strip the Proxy request header so it can never reach CGI/PHP as
        # HTTP_PROXY (the "httpoxy" class of issues).
        match request header remove "Proxy"
        # Applied to every response, so it overrides whatever Cache-Control a
        # script sends (getip.php asks for max-age=3600 and ends up with 21 days)
        # — TODO confirm this is intended for dynamic content.
        match response header set "Cache-Control" value "max-age=1814400"
        match response header set "X-Xss-Protection" value "1; mode=block"
        # "Frame-Options" is not a header browsers honour; the X-Frame-Options
        # line below is the one that takes effect.
        match response header set "Frame-Options" value "SAMEORIGIN"
        match response header set "X-Frame-Options" value "SAMEORIGIN"
        match response header set "X-Robots-Tag" value "index,nofollow"
        match response header set "X-Powered-By" value "Powered with 
electricity on OpenBSD"
        match response header set "X-Permitted-Cross-Domain-Policies" value 
"none"
        match response header set "X-Download-Options" value "noopen"
        match response header set "X-Content-Type-Options" value "nosniff"

~                                                                               
                                                                                
                                            
~                                                 
/etc/pf.conf: 

        ...
        # Inbound web traffic on the external interface is diverted to the relayd
        # listeners. divert-to keeps the original destination address, which is
        # what "forward to destination" in relayd.conf forwards to.
        pass in quick on $ext_if proto tcp to port www divert-to 127.0.0.1 port 
8080 flags S/SA modulate state
        pass in quick on $ext_if proto tcp to port https divert-to 127.0.0.1 
port 8443 flags S/SA modulate state

        # everything open outbound
        pass out on $ext_if proto { tcp udp icmp ipv6-icmp } all modulate state 



/etc/httpd.conf: 

        # httpd only ever sees connections from relayd on 127.0.0.1, which is why
        # its logs show the relay rather than the client. httpd.conf(5) offers
        # "log style forwarded", which logs the X-Forwarded-For header relayd sets
        # — TODO confirm it is available on this release.
        listen on * port 80
        listen on * tls port 443
        # "preload" only pays off once the domain is submitted to the browser
        # preload list; until then it is just an extra HSTS directive.
        hsts preload
        tls {
                        certificate 
"/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"
                        key         
"/etc/ssl/acme/private/yeuxdelibad.net-privkey.pem"
                        ticket lifetime default
        }
        ...

getip.php:

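        <?php
        // getip.php — print the address of the client reaching us through relayd.
        //
        // relayd's proxy rules overwrite X-Forwarded-For with the real peer address
        // on every request, so that header is the trusted one. Client-IP is never
        // set or stripped by relayd and is therefore client-controlled; the old
        // code consulted it first, which let any client choose what was printed.
        // It is deliberately not consulted any more.
        //
        // NOTE(review): relayd.proxy.conf also sets Cache-Control on every
        // response, so the max-age sent here is presumably replaced by the
        // relay's value before it reaches the client.
        header('Cache-Control: public, max-age=3600');

        /**
         * Pick the originating client address from a CGI-style server array.
         *
         * Only a syntactically valid IP address in X-Forwarded-For is accepted;
         * anything else, or no header at all, falls back to the TCP peer address.
         *
         * @param array $server normally $_SERVER
         * @return string the client address, or '' when REMOTE_ADDR is unset
         */
        function client_ip(array $server)
        {
                $forwarded = isset($server['HTTP_X_FORWARDED_FOR'])
                        ? trim($server['HTTP_X_FORWARDED_FOR']) : '';
                // Validate rather than echo blindly: a header is still text a
                // client could have supplied if the request bypassed the relay.
                if ($forwarded !== '' && filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
                        return $forwarded;
                }
                return isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        }

        // Output is either a validated address or the peer address, so nothing
        // client-controlled reaches the page unescaped.
        echo client_ip($_SERVER);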
