
I am creating a website in an OpenBSD VM, and I plan to have different services on it that will be pointed to by their respective subdomains (irc.example.com -> example.com:6697, img.example.com -> example.com:80, etc).

I also plan on img.example.com hosting the images over HTTP for example.com/www.example.com, both of which are on port 80/443. Because vmm cannot do nested VMs, my initial plans of containing each subdomain in its own virtual environment and pointing to each with a relayd reverse proxy will not work. I was wondering how I could achieve this functionality without VMs.

Here is a diagram drawing out my intentions: [image: simple diagram of subdomains inside of example.com vm]

Paul

1 Answer

Without more information it seems the answer is just generally:

The Packet Filter (pf) is what you use to route the packets to each service and based on what you have posted so far, it appears you can use just pf and the web server (httpd), unless there is some other reason you feel you need a reverse proxy.

Simple pf.conf example:

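ext_if = "vio0"
ext_srvcs_in = "{ 70, 80, 443, 6697 }"
# Table filled by the overload option on the SSH rule below
table <bruteforce> persist
set skip on lo
# Drop sources that tripped the SSH limits; without this rule the table has no effect
block in quick from <bruteforce>
# Not mentioned in question, but assuming you want SSH with common adaptive config:
pass in quick on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
pass out quick on $ext_if
# Default deny; the last matching rule wins, so the pass below re-opens the service ports
block all
pass in on $ext_if proto {tcp, udp} to port $ext_srvcs_in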

When you configure your services, they should bind to the ports and pf will route to them. For multiple subdomains on httpd just use multiple server blocks as described in httpd.conf(5). For example:

types { include "/usr/share/misc/mime.types" }

server "example.com" {
        alias "www.example.com"
        listen on * port 80
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/example.com.fullchain.pem"
                key "/etc/ssl/private/example.com.key"
        }
        location "/.well-known/acme-challenge/*" {
                root "/htdocs/example.com"
                request strip 2
        }
        # root is resolved inside the httpd chroot (/var/www by default)
        root "/htdocs/example.com"
        directory index index.htm
}

server "img.example.com" {
        listen on * port 80
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/example.com.fullchain.pem"
                key "/etc/ssl/private/example.com.key"
        }

        location "/.well-known/acme-challenge/*" {
                root "/htdocs/img.example.com"
                request strip 2
        }
        # root is resolved inside the httpd chroot (/var/www by default)
        root "/htdocs/img.example.com"
        directory index index.htm
}
Paul
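A consistency check for the two files discussed above, as an added example that is not part of the original answer: it compares each httpd server block's listen ports with the ports the pf macro passes, and flags document roots that repeat the /var/www chroot prefix (httpd resolves root inside its chroot). The sample configs are constructed, with a deliberate 8443 listener and /var/www root on img.example.com; the function names and the regex parsing are assumptions that only cover this layout (server blocks closing with a `}` in column 0).

```python
import re

# Constructed sample input modelled on the pf.conf and httpd.conf in the answer.
PF_CONF = '''
ext_if = "vio0"
ext_srvcs_in = "{ 70, 80, 443, 6697 }"
block all
pass in on $ext_if proto {tcp, udp} to port $ext_srvcs_in
'''
HTTPD_CONF = '''
server "example.com" {
        listen on * port 80
        listen on * tls port 443
        root "/htdocs/example.com"
}
server "img.example.com" {
        listen on * port 80
        listen on * tls port 8443
        root "/var/www/htdocs/img.example.com"
}
'''

def pf_ports(conf, macro="ext_srvcs_in"):
    """Ports listed in a pf macro of the form  name = "{ 80, 443 }"."""
    m = re.search(rf'^{re.escape(macro)}\s*=\s*"\{{([^}}]*)\}}"', conf, re.M)
    return {int(p) for p in re.findall(r"\d+", m.group(1))} if m else set()

def httpd_servers(conf):
    """Map server name -> (listen ports, root paths) for each server block."""
    out = {}
    for name, body in re.findall(r'server\s+"([^"]+)"\s*\{(.*?)^\}', conf, re.S | re.M):
        ports = {int(p) for p in re.findall(r"listen on \S+ (?:tls )?port (\d+)", body)}
        roots = re.findall(r'^\s*root\s+"([^"]+)"', body, re.M)
        out[name] = (ports, roots)
    return out

def audit(pf_conf, httpd_conf, chroot="/var/www"):
    allowed, findings = pf_ports(pf_conf), []
    for name, (ports, roots) in httpd_servers(httpd_conf).items():
        for port in sorted(ports - allowed):
            findings.append(f"{name}: listens on {port}, not passed by pf")
        for root in roots:
            if root.startswith(chroot + "/"):
                findings.append(f"{name}: root {root} repeats chroot {chroot}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PF_CONF, HTTPD_CONF)) or "no findings")
```

On the host itself, `pfctl -nf /etc/pf.conf` and `httpd -n` parse each file without loading it, which catches syntax errors this cross-check does not look for.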