Image by Harry Fabel from Pixabay

relayd — Secure Web Front End

  1. Performs connection termination, including TLS.
  2. Adds client connection details to the forwarded HTTP request headers (e.g. X-Forwarded-For), overwriting anything the client supplied.
  3. Performs basic HTTP filtering: an allow-list of request methods and Host names, a deny-list of path extensions, and a default deny for everything else.

relayd.conf

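# Public address relayd listens on and the internal backend it forwards to.
# 1.1.1.1 is only a placeholder -- replace it with the host's real external
# address.  (The original used typographic quotes; relayd.conf requires plain
# ASCII double quotes.)
ext_addr = "1.1.1.1"
web_srvr = "10.1.1.10"
# Log host/relay state changes and every relayed connection.
log state changes
log connection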
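# Filter for the plain-HTTP relay (port 80).  Typographic quotes replaced with
# ASCII quotes, one statement per line, tags quoted consistently.
http protocol httpFilter {
	# Left disabled: with "return error" relayd would answer blocked requests
	# with an error page instead of just dropping them.
	#return error
	# Upper bound on the request header size accepted from a client.
	http headerlen 4096

	# "set" overwrites any X-Forwarded-* header the client sent, so the backend
	# only ever sees the values relayd observed.  The backend must still trust
	# these headers only for requests that actually arrived via this relay.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-SPort" value "$REMOTE_PORT"
	match request header set "X-Forwarded-DPort" value "$SERVER_PORT"

	# Strip the backend's Server banner from every response.
	match response header remove "Server" value "*"

	# Request headers and URL recorded in the relay log.  X-Req-Status is not a
	# standard header -- presumably something the backend or app emits; verify.
	match header log "Host"
	match header log "X-Forwarded-For"
	match header log "User-Agent"
	match header log "X-Req-Status"
	match url log

	# Method allow-list.  Every request starts out tagged BAD_METHOD; only GET
	# and HEAD are retagged OK_METH, and anything still tagged BAD_METHOD is
	# blocked "quick" (evaluation stops at the first matching quick rule).
	# This makes the front end read-only: POST/PUT/OPTIONS etc. are rejected,
	# so forms or APIs behind it will not work through this relay.
	match request tag "BAD_METHOD"
	match request method GET tag "OK_METH"
	match request method HEAD tag "OK_METH"
	block request quick tagged "BAD_METHOD"

	# Host allow-list.  A request whose Host header matches one of the names is
	# retagged OK_REQ; a request still tagged OK_METH (unknown Host) is blocked,
	# with tag BAD_HH presumably left for the log.  NOTE(review): the value is
	# compared as a pattern against the whole header, so a Host carrying an
	# explicit port ("domain.com:80") or a different case may not match --
	# confirm the matching rules in relayd.conf(5) for the release in use.
	match request header "Host" value "domain.com" tag "OK_REQ"
	match request header "Host" value "www.domain.com" tag "OK_REQ"
	match request header "Host" value "another.domain.com" tag "OK_REQ"
	block request quick tagged "OK_METH" tag "BAD_HH"

	# Path deny-list by extension.  NOTE(review): this is a coarse filter only:
	# it does not catch case variants ("*.PHP") or an extension followed by
	# more path, so it must not replace hardening on the backend.  The "*.js"
	# rule also blocks every client-side script the site serves -- keep it
	# only for a site that ships no JavaScript.
	block request quick path "*.php" tag "NO_PHP"
	block request quick path "*.cgi" tag "NO_CGI"
	block request quick path "*.js" tag "NO_JS"
	block request quick path "*.asp" tag "NO_ASP"

	# Default deny: block everything, then pass only what reached this point
	# tagged OK_REQ (allowed method and known Host).  The final pass wins for
	# OK_REQ requests under relayd's last-match evaluation.
	block tag "BAD_REQ"
	pass request tagged "OK_REQ"
}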
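# Filter for the TLS relay (port 443).  Same request policy as httpFilter plus
# the TLS settings and an HSTS response header.  Typographic quotes replaced
# with ASCII quotes, one statement per line, tags quoted consistently.
http protocol httpsFilter {
	# Left disabled: with "return error" relayd would answer blocked requests
	# with an error page instead of just dropping them.
	#return error
	# Upper bound on the request header size accepted from a client.
	http headerlen 4096

	# Cipher allow-list.  Every suite here is forward-secret (ECDHE/DHE), but
	# the list still admits CBC suites with SHA-1 MACs (the "-SHA" entries)
	# and DHE suites whose strength depends on the DH parameters in use.  If
	# your clients allow it, trim this to the ECDHE AEAD (GCM) suites.
	tls ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
	# Ephemeral Diffie-Hellman for the DHE-* suites.  NOTE(review): the DH
	# keyword and its parameters have changed across relayd releases --
	# confirm this line against the relayd.conf(5) of the version in use.
	tls edh

	# "set" overwrites any X-Forwarded-* header the client sent, so the backend
	# only ever sees the values relayd observed.  The backend must still trust
	# these headers only for requests that actually arrived via this relay.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-SPort" value "$REMOTE_PORT"
	match request header set "X-Forwarded-DPort" value "$SERVER_PORT"

	# Strip the backend's Server banner from every response.
	match response header remove "Server" value "*"

	# Request headers and URL recorded in the relay log.  X-Req-Status is not a
	# standard header -- presumably something the backend or app emits; verify.
	match header log "Host"
	match header log "X-Forwarded-For"
	match header log "User-Agent"
	match header log "X-Req-Status"
	match url log

	# HSTS for two years, covering subdomains, with "preload".  Set only in
	# this TLS protocol, since browsers ignore HSTS received over plain HTTP.
	# Only keep "preload" if every subdomain is served over TLS and you intend
	# to submit the domain to the browser preload list -- it is hard to undo.
	match response header set "Strict-Transport-Security" value "max-age=63072000; includeSubdomains; preload"

	# Method allow-list.  Every request starts out tagged BAD_METHOD; only GET
	# and HEAD are retagged OK_METH, and anything still tagged BAD_METHOD is
	# blocked "quick" (evaluation stops at the first matching quick rule).
	# This makes the front end read-only: POST/PUT/OPTIONS etc. are rejected,
	# so forms or APIs behind it will not work through this relay.
	match request tag "BAD_METHOD"
	match request method GET tag "OK_METH"
	match request method HEAD tag "OK_METH"
	block request quick tagged "BAD_METHOD"

	# Host allow-list.  A request whose Host header matches one of the names is
	# retagged OK_REQ; a request still tagged OK_METH (unknown Host) is blocked,
	# with tag BAD_HH presumably left for the log.  NOTE(review): the value is
	# compared as a pattern against the whole header, so a Host carrying an
	# explicit port ("domain.com:443") or a different case may not match --
	# confirm the matching rules in relayd.conf(5) for the release in use.
	match request header "Host" value "domain.com" tag "OK_REQ"
	match request header "Host" value "www.domain.com" tag "OK_REQ"
	match request header "Host" value "another.domain.com" tag "OK_REQ"
	block request quick tagged "OK_METH" tag "BAD_HH"

	# Path deny-list by extension.  NOTE(review): this is a coarse filter only:
	# it does not catch case variants ("*.PHP") or an extension followed by
	# more path, so it must not replace hardening on the backend.  The "*.js"
	# rule also blocks every client-side script the site serves -- keep it
	# only for a site that ships no JavaScript.
	block request quick path "*.php" tag "NO_PHP"
	block request quick path "*.cgi" tag "NO_CGI"
	block request quick path "*.js" tag "NO_JS"
	block request quick path "*.asp" tag "NO_ASP"

	# Default deny: block everything, then pass only what reached this point
	# tagged OK_REQ (allowed method and known Host).  The final pass wins for
	# OK_REQ requests under relayd's last-match evaluation.
	block tag "BAD_REQ"
	pass request tagged "OK_REQ"
}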
# Plain-HTTP relay on the public address.  It serves the same backend as the
# TLS relay rather than redirecting clients to HTTPS, so the content is also
# reachable over plaintext -- reconsider if that is not intended.
relay www {
listen on $ext_addr port 80
protocol httpFilter
forward to $web_srvr port 80
}
# TLS relay: TLS is terminated here and the backend is reached over plain
# HTTP, so the network path to $web_srvr must be trusted.  No "tls keypair"
# is given, so relayd falls back to its default certificate and key location
# for this address and port -- see relayd.conf(5).
relay wwwssl {
listen on $ext_addr port 443 tls
protocol httpsFilter
forward to $web_srvr port 80
}

Explanation

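# Statement-by-statement walk-through of the configuration above (the
# surrounding protocol/relay braces are omitted here).  The three
# X-Forwarded-* lines had been run together on one line; they are now one
# statement per line, and tags are quoted consistently.
# Listen address (loopback in this example; the full listing above uses the
# public address) and the internal backend.
ext_addr = "127.0.0.1"
web_srvr = "10.1.1.10"
# Log host/relay state changes and every relayed connection.
log state changes
log connection
# Disabled: would answer blocked requests with an error page instead of
# dropping them.
#return error
# Upper bound on the request header size accepted from a client.
http headerlen 4096
# Forward-secret cipher allow-list; still includes CBC/SHA-1 ("-SHA") and
# DHE suites, which can be trimmed to the ECDHE GCM suites if clients allow.
tls ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
# Ephemeral Diffie-Hellman for the DHE suites -- confirm the keyword against
# the relayd.conf(5) of the release in use.
tls edh
# Overwrite (not append) the X-Forwarded-* headers with the values relayd
# observed, so a client cannot spoof them towards the backend.
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-SPort" value "$REMOTE_PORT"
match request header set "X-Forwarded-DPort" value "$SERVER_PORT"
# Strip the backend's Server banner from responses.
match response header remove "Server" value "*"
# Headers and URL to record in the relay log.
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match url log
# Method allow-list: tag everything BAD_METHOD, retag GET/HEAD as OK_METH,
# then block "quick" whatever is still BAD_METHOD.
match request tag "BAD_METHOD"
match request method GET tag "OK_METH"
match request method HEAD tag "OK_METH"
block request quick tagged "BAD_METHOD"
# Host allow-list: known names are retagged OK_REQ; a request still tagged
# OK_METH (unknown Host) is blocked, presumably leaving BAD_HH for the log.
match request header "Host" value "domain.com" tag "OK_REQ"
match request header "Host" value "www.domain.com" tag "OK_REQ"
match request header "Host" value "another.domain.com" tag "OK_REQ"
block request quick tagged "OK_METH" tag "BAD_HH"
# Coarse extension deny-list -- does not catch case variants or an extension
# followed by more path; keep the real hardening on the backend.
block request quick path "*.php" tag "NO_PHP"
block request quick path "*.asp" tag "NO_ASP"
# Default deny, then pass only requests that are still tagged OK_REQ.
block tag "BAD_REQ"
pass request tagged "OK_REQ"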

 by the author.
