Page content

another component of OpenBSD is relayd. it’s an integrated Loadbalancer & Proxy Service, like F5, Nginx and Others. But just like other BSD Services, straight, simple and easy to use … wanna see … ?

Setup 4 VM’s, one Loadbalancer and 3 Webserver. The Webserver should server the same content, while the Loadbalancer checks if a Webserver is running and redirects traffic to the host or not.

the configuration on the loadbalancer is simple like that:

create relayd.conf

cat << 'EOF' > /etc/relayd.conf

# Loadbalancer IP (VIP)

# Webserver IP (RIP)

# Global Options
interval 5
timeout 1000
prefork 5

# Each table will be mapped to a pf table.
table <webhosts> { $web1 $web2 $web3 }

# Relayd acts as L7 Proxy, terminates the Session from the Client and create a new Session to the Webserver
relay www {

	listen on $ext_addr port 80

	forward to <webhosts> check http "/" code 200
	#forward to <webhosts> mode hash check http "/" code 200
	#forward to <webhosts> mode loadbalance check http "/" code 200


chown root:wheel /etc/relayd.conf
chmod 700 /etc/relayd.conf

enable and start service

rcctl enable relayd
relayd -n && rcctl start relayd

update pf.conf

the PaketFilter also needs to know that a Relayd exists. Just add the following Line (Relayd …) and you’re done.


set block-policy drop
set limit states 500000
set state-defaults pflow
set skip on { lo0 enc0 }

# Normalize Traffic
match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)

# Block all
block log

# Relayd
anchor "relayd/*"

# Allow all In / Out
pass log quick

Basic Commands

root@puffy310 ~# relayctl show sum
Id  	Type    	Name                    	Avlblty	Status
1   	relay   	www                     	       	active
1   	table   	webhosts:80             	       	empty
1   	host          	15.54% 	down
2   	host          	16.06% 	down
3   	host          	16.58% 	down

this is a basic example with a Webserver running on Port 80. You should enable HTTPS with Let’s encrypt, distribute the Certificate to the Webserver and adapt the Configuration for HTTPS.

Any Comments ?

sha256: 16a8f8292341ba6e914c89e175ffc47ee34fe1255c0f2c4e293eeeb32ce64648