
relayd — Secure Web Front End

Relayd is a free load balancer, application-layer gateway, transparent proxy, and SSL/TLS gateway. I would not place a web server directly on the internet without relayd in front of it. It may not have all the functionality of competing products (e.g. F5, nginx, HAProxy), but it strikes the right balance between features and simplicity.

The following relayd.conf is similar to the one I use; it achieves three goals:

  1. Performs connection termination, including TLS.
  2. Updates the HTTP request headers with client information (e.g. X-Forwarded-For).
  3. Performs basic HTTP security checks.

Tested on:

relayd.conf

As the title states, this is the relayd.conf. The next section will explain some of the configuration lines.

Explanation

The recommended way to deploy relayd is to have it listen on 127.0.0.1 and use a pf rule to redirect traffic arriving on the external interface to it, so relayd itself is never bound to a public address. The backend web server uses an RFC 1918 address and is reachable only from the relay.

This logs more information about each connection, which helps identify clients probing the TLS configuration (failed handshakes show up alongside normal connections).

Uncomment this during testing and relayd will return an when it blocks a request. Commented out, or not present, relayd will close the connection by sending a . Appropriate action for all those scanners sending garbage requests.

Lower the maximum HTTP header size; the default is quite generous, and legitimate requests for a simple site need far less.

A cipher list sufficient to achieve an A+ on the Qualys SSL Server Test.

Enable EDH-based cipher suites.

Add information to the request header regarding the original client request. This is important since connections are being terminated by relayd. By using , it ensures the client can't forge their own value for these headers.

Remove the response header.

Have relayd log additional request fields.

Here we first tag all requests. Since only and requests are allowed, requests using those methods will have their tag changed to . If the request retains , it wasn't using an approved method and will be immediately blocked.

Many scanners submit requests using the destination IP address as the Host header, and those requests should be blocked. An alternative is to redirect them to a landing page or the main company website; in this instance they are simply blocked. The following tags a request carrying an approved hostname with . If the tag does not change, the request is immediately blocked, since it still carries the earlier tag of . Retagging the block with shows where the request was blocked when parsing the logs.

The following are quick blocks for requests seeking pages that aren't hosted on this server. It uses and as examples; any request for a path with one of those file extensions is immediately blocked.

Default block of a request.

Allow requests tagged as .
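The pieces walked through above, assembled into one file. This is an added example written for this page, not the author's own relayd.conf (which is not reproduced here). The backend address 10.0.0.10, the hostname www.example.com, the keypair name, the tag names (unknown, method_ok, host_ok, bad_host) and the cipher list are assumptions; substitute your own.

```conf
# /etc/relayd.conf -- example configuration for this page (assumed values throughout)

# Backend web server on an RFC 1918 address, only reachable from the relay
table <web> { 10.0.0.10 }

# Log every connection, including ones that fail the TLS handshake
log connection

http protocol "https" {
	# Uncomment while testing: blocked requests then get an HTTP error page
	# instead of the connection simply being closed.
	#return error

	# The default header limit (8192 bytes) is generous; a simple site needs far less
	http { headerlen 4096 }

	# Modern cipher list plus EDH-based suites; the keypair name maps to
	# /etc/ssl/www.example.com.crt and /etc/ssl/private/www.example.com.key
	tls { no tlsv1.0, edh, ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" }
	tls keypair "www.example.com"

	# "set" overwrites any value the client sent, so these cannot be forged;
	# "append" would keep a client-supplied X-Forwarded-For in front of ours
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "X-Forwarded-Proto" value "https"

	# Do not advertise the backend's software
	match response header remove "Server"

	# Extra request fields in the log
	match request header log "User-Agent"
	match request header log "Referer"

	# Method check: every request starts as "unknown", only GET/HEAD are retagged
	match request tag "unknown"
	match request method GET tag "method_ok"
	match request method HEAD tag "method_ok"
	block request quick tagged "unknown"

	# Host check: scanners often send the IP address as the Host header;
	# a request that keeps "method_ok" never carried the approved name
	match request header "Host" value "www.example.com" tag "host_ok"
	block request quick tagged "method_ok" tag "bad_host"

	# Quick blocks for content that is not hosted here
	block request quick path "*.php"
	block request quick path "*.asp"

	# Default deny; the final pass only matches requests that survived every check
	block request
	pass request tagged "host_ok"
}

relay "https" {
	listen on 127.0.0.1 port 443 tls
	protocol "https"
	forward to <web> port 80 check http "/" code 200
}
```

Validate the file with `relayd -n -f /etc/relayd.conf` before `rcctl restart relayd`. Because the relay listens only on loopback, a companion pf.conf rule (also assumed for this example) redirects external traffic to it: `pass in on egress inet proto tcp to (egress) port 443 rdr-to 127.0.0.1`. Filter rules are evaluated first to last and the last matching block or pass rule decides, unless a rule is marked quick, which is why the default `block request` sits immediately before the closing `pass request tagged "host_ok"`.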
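To see how the tag chain above decides a request, here is a small model of relayd's rule evaluation written for this page (it is not relayd code): rules run first to last, the last matching block or pass rule wins, `quick` ends evaluation, and `tag` replaces the request's single tag as soon as the rule matches. The tag names, the approved hostname and the sample requests are constructed for the example.

```python
"""Model of relayd filter-rule evaluation applied to the tag chain described above.
Illustration only (not relayd source); tag names, hostname and sample requests are assumed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

ALLOWED_HOST = "www.example.com"   # assumed approved hostname


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    tag: Optional[str] = None      # relayd keeps a single tag per request


@dataclass
class Rule:
    action: str                    # "match", "block" or "pass"
    quick: bool = False            # stop evaluating after this rule matches
    method: Optional[str] = None   # exact HTTP method
    header: Optional[tuple] = None # (name, glob pattern for the value)
    path: Optional[str] = None     # glob pattern on the request path
    tagged: Optional[str] = None   # only match requests currently carrying this tag
    tag: Optional[str] = None      # tag assigned when the rule matches

    def matches(self, req: Request) -> bool:
        if self.method and req.method != self.method:
            return False
        if self.tagged and req.tag != self.tagged:
            return False
        if self.path and not fnmatchcase(req.path, self.path):
            return False
        if self.header:
            name, pattern = self.header
            value = next((v for k, v in req.headers.items() if k.lower() == name.lower()), None)
            # header names and values compared case-insensitively (assumption of this model)
            if value is None or not fnmatchcase(value.lower(), pattern.lower()):
                return False
        return True


# Same order as the rules walked through on this page
RULES = [
    Rule("match", tag="unknown"),                                 # tag everything first
    Rule("match", method="GET", tag="method_ok"),                 # approved methods are retagged
    Rule("match", method="HEAD", tag="method_ok"),
    Rule("block", quick=True, tagged="unknown"),                  # anything else: gone
    Rule("match", header=("Host", ALLOWED_HOST), tag="host_ok"),  # approved hostname
    Rule("block", quick=True, tagged="method_ok", tag="bad_host"),  # wrong Host, retag for the logs
    Rule("block", quick=True, path="*.php"),                      # content not hosted here
    Rule("block", quick=True, path="*.asp"),
    Rule("block"),                                                # default deny
    Rule("pass", tagged="host_ok"),                               # last match wins for good requests
]


def evaluate(req: Request, rules=RULES) -> Tuple[str, Optional[str]]:
    """Return (decision, final_tag) for one request.

    Rules are walked first to last; a matching block/pass rule becomes the current
    decision, a matching rule's tag replaces the request's tag immediately, and a
    quick rule ends the walk. If no block/pass rule matches the request is passed."""
    decision = "pass"
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.tag:
            req.tag = rule.tag
        if rule.action != "match":
            decision = rule.action
        if rule.quick:
            break
    return decision, req.tag


# Constructed sample traffic: one scanner probe of each kind plus two legitimate requests
SAMPLES = {
    "trace_probe": Request("TRACE", "/", {"Host": ALLOWED_HOST}),
    "ip_as_host": Request("GET", "/", {"Host": "203.0.113.10"}),
    "php_probe": Request("GET", "/wp-login.php", {"Host": ALLOWED_HOST}),
    "normal_get": Request("GET", "/index.html", {"Host": ALLOWED_HOST}),
    "normal_head": Request("HEAD", "/", {"Host": "WWW.Example.COM"}),
}


def run_samples() -> dict:
    """Evaluate every sample request and return {name: (decision, tag)}."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, tag) in run_samples().items():
        print(f"{name:12s} -> {decision:5s} (tag={tag})")
```

The retagging on the Host block is what makes the log useful: a request blocked as `bad_host` was a well-formed GET or HEAD that simply named the wrong host, while a request blocked as `unknown` never got past the method check.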