author | 2014-07-09 16:43:30 +0000 | |
---|---|---|
committer | 2014-07-09 16:43:30 +0000 | |
commit | e5af74f7afa8d1858c03a89e6b1b6c4917b0c088 (patch) | |
tree | de4f4e42ab2dd45fc2410ca0b274622e0430cd0b | |
parent | Replace the protocol directives for HTTP with a new generic filtering (diff) | |
Update the default relayd.conf with the new filtering grammar.
OK benno@
-rw-r--r-- | etc/relayd.conf | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/etc/relayd.conf b/etc/relayd.conf index cdcadd8474b..65db90dc4ff 100644 --- a/etc/relayd.conf +++ b/etc/relayd.conf @@ -1,4 +1,4 @@ -# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $ +# $OpenBSD: relayd.conf,v 1.15 2014/07/09 16:43:30 reyk Exp $ # # Macros # @@ -27,7 +27,7 @@ redirect www { listen on $ext_addr port http interface trunk0 # tag every packet that goes thru the rdr rule with RELAYD - tag RELAYD + pftag RELAYD forward to <webhosts> check http "/" code 200 forward to <fallback> check icmp @@ -37,9 +37,10 @@ redirect www { # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration # http protocol httpssl { - header append "$REMOTE_ADDR" to "X-Forwarded-For" - header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By" - header change "Connection" to "close" + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + match request header append "X-Forwarded-By" \ + value "$SERVER_ADDR:$SERVER_PORT" + match request header set "Connection" value "close" # Various TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } 
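Review bot: The `X-Forwarded-For` rule in `http protocol httpssl` uses `append`, so whatever the client already sent in that header stays in front of `$REMOTE_ADDR`, and the example gives no hint of that. Because this file is the template people copy, I would add a comment above the rule such as `# appended after any client-supplied value; backends should trust only the last entry`. Where relayd is the only proxy in front of the backends, the `set` action used for `Connection` two lines below may be the safer default for this header; that is worth confirming against the new grammar. The `httpssl` block continues past the end of this hunk.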
@@ -83,20 +84,23 @@ http protocol httpfilter { return error # Block disallowed sites - label "URL filtered!" - request url filter "www.example.com/" + match request label "URL filtered!" + block request quick url "www.example.com/" value "*" # Block disallowed browsers - label "Please try a <em>different Browser</em>" - header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent" + match request label "Please try a <em>different Browser</em>" + block request quick header "User-Agent" \ + value "Mozilla/4.0 (compatible; MSIE *" # Block some well-known Instant Messengers - label "Instant messenger disallowed!" - response header filter "application/x-msn-messenger" from "Content-Type" - response header filter "app/x-hotbar-xip20" from "Content-Type" - response header filter "application/x-icq" from "Content-Type" - response header filter "AIM/HTTP" from "Content-Type" - response header filter "application/x-comet-log" from "Content-Type" + match request label "Instant messenger disallowed!" + block response quick header "Content-Type" \ + value "application/x-msn-messenger" + block response quick header "Content-Type" value "app/x-hotbar-xip20" + block response quick header "Content-Type" value "application/x-icq" + block response quick header "Content-Type" value "AIM/HTTP" + block response quick header "Content-Type" \ + value "application/x-comet-log" } relay httpproxy { |
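Review bot: The last group attaches its label with `match request label "Instant messenger disallowed!"`, but every rule under it is `block response quick header "Content-Type"`; whether a label set in the request direction is still attached when a response rule fires cannot be seen from this diff. If it is not carried over, the error page for these blocks would lose its text, and `match response label "Instant messenger disallowed!"` would be the matching form. Separately, the `User-Agent` block keys on a header the client chooses, so a comment like `# User-Agent is client-supplied; this is a policy hint, not an access control` would keep readers from relying on it.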