From 7c7cb59da804eca1f8c2549714a2a7ad7aa23d4d Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Wed, 9 Jul 2014 16:43:30 +0000
Subject: [PATCH] Update the default relayd.conf with the new filtering grammar.

OK benno@
---
 src/etc/relayd.conf | 34 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/src/etc/relayd.conf b/src/etc/relayd.conf
index cdcadd84..65db90dc 100644
--- a/src/etc/relayd.conf
+++ b/src/etc/relayd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
+# $OpenBSD: relayd.conf,v 1.15 2014/07/09 16:43:30 reyk Exp $
 #
 # Macros
 #
@@ -27,7 +27,7 @@ redirect www {
 listen on $ext_addr port http interface trunk0
 # tag every packet that goes thru the rdr rule with RELAYD
- tag RELAYD
+ pftag RELAYD
 forward to check http "/" code 200
 forward to check icmp
@@ -37,9 +37,10 @@ redirect www {
 # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
 #
 http protocol httpssl {
- header append "$REMOTE_ADDR" to "X-Forwarded-For"
- header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
- header change "Connection" to "close"
+ match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT"
+ match request header set "Connection" value "close"
 # Various TCP performance options
 tcp { nodelay, sack, socket buffer 65536, backlog 128 }
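Review bot: The `match request header append "X-Forwarded-For" value "$REMOTE_ADDR"` line keeps whatever X-Forwarded-For the client already sent, if `append` extends an existing header rather than replacing it, so a backend that reads the first entry of that header as the client address would see a client-supplied value instead of $REMOTE_ADDR. When this relay is the first hop clients reach, `match request header set "X-Forwarded-For" value "$REMOTE_ADDR"` (the same `set` form the hunk already uses for Connection) hands the backend a value it can trust; if an upstream proxy is expected in front of it, a comment to that effect would make the `append` deliberate. The httpssl protocol block continues past the end of the hunk. As rendered here the continuation line after `"X-Forwarded-By" \` carries no `+` marker, which is probably a rendering artifact but worth confirming against the stored patch.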
@@ -83,20 +84,23 @@ http protocol httpfilter {
 return error
 # Block disallowed sites
- label "URL filtered!"
- request url filter "www.example.com/"
+ match request label "URL filtered!"
+ block request quick url "www.example.com/" value "*"
 # Block disallowed browsers
- label "Please try a different Browser"
- header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"
+ match request label "Please try a different Browser"
+ block request quick header "User-Agent" \ value "Mozilla/4.0 (compatible; MSIE *"
 # Block some well-known Instant Messengers
- label "Instant messenger disallowed!"
- response header filter "application/x-msn-messenger" from "Content-Type"
- response header filter "app/x-hotbar-xip20" from "Content-Type"
- response header filter "application/x-icq" from "Content-Type"
- response header filter "AIM/HTTP" from "Content-Type"
- response header filter "application/x-comet-log" from "Content-Type"
+ match request label "Instant messenger disallowed!"
+ block response quick header "Content-Type" \ value "application/x-msn-messenger"
+ block response quick header "Content-Type" value "app/x-hotbar-xip20"
+ block response quick header "Content-Type" value "application/x-icq"
+ block response quick header "Content-Type" value "AIM/HTTP"
+ block response quick header "Content-Type" \ value "application/x-comet-log"
 }
 relay httpproxy {
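Review bot: The `match request label "Instant messenger disallowed!"` line sets its label on the request side while the five `block response quick header "Content-Type"` rules that follow act on the response side; unless a request-direction label is carried over to a response-direction block, those blocks would fire without the intended label, so this pairing should be confirmed (the old `label` plus `response header filter` form did not separate the two directions the same way). The Content-Type values are written without a trailing `*`, whereas the User-Agent rule uses one; if `value` is matched as a whole-string glob, a response carrying a Content-Type with trailing parameters (for example a charset) would not match, and `value "application/x-icq*"` would cover it, likewise for the other four. The httpfilter protocol block begins before this hunk, and the continuation lines after `\` appear here without a `+` marker, which looks like a rendering artifact rather than a defect in the patch.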