On Wed, Nov 05, 2025 at 12:32:52PM +0100, Christoph Liebender wrote:
> Hello misc@,
>
> I'm currently trying to migrate my nginx setup to relayd, though, I cannot
> get some things to work properly, and I wonder if that is due to me not
> understanding how to configure it correctly or due to relayd not supporting
> my use case.
>
> To be precise: I want to run multiple apps behind a reverse proxy. One of
> them is ntfy. With nginx, the config looks like this:
>
> map $http_upgrade $connection_upgrade {
>     default upgrade;
>     '' close;
> }
>
> location / {
>     proxy_pass http://127.0.0.1:8888;
>     proxy_http_version 1.1;
>
>     proxy_set_header Host $host;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_set_header Connection $connection_upgrade;
>
>     proxy_connect_timeout 3m;
>     proxy_send_timeout 3m;
>     proxy_read_timeout 3m;
>
>     client_max_body_size 0;
> }
>
> (This is equivalent to the example configuration in the ntfy docs [1])
>
> relayd takes care of Host, Upgrade and Connection with the http websockets
> option, and X-Forwarded-For is easily added as a header:
>
> table <ntfy> { 127.0.0.1 }
>
> http protocol revproxy {
>     tls keypair ...
>     tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>     http websockets
>     return error
>
>     match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
>
>     ...
>
>     pass request quick header "Host" value "ntfy.example" \
>         forward to <ntfy>
> }
>
> relay https {
>     listen on 0.0.0.0 port 443 tls
>     protocol revproxy
>     forward to <ntfy> port 8888
> }
>
> But how do I modify the proxy_{connect,send,read}_timeout variables?
> Following relayd.conf(5), I suppose the closest thing to be:
>
> relay https {
>     ...
>     session timeout 180
> }
>
> But what if I want to leave the session timeout untouched for other
> subdomains (applications) that I am proxying with the same protocol / relay?
>
> table <disco> { 127.0.0.1 }
>
> http protocol revproxy {
>     ...
>     pass request quick header "Host" value "disco.example" \
>         forward to <disco>
> }
>
> relay https {
>     listen on 0.0.0.0 port 443 tls
>     protocol revproxy
>     forward to <ntfy> port 8888 session timeout 180
>     forward to <disco> port 9999
> }
>
> Specifying session timeout per forward is unfortunately not an option.
>
> And finally, client_max_body_size? ntfy requires this: "Stream request body
> to backend" is the annotation in their docs.
>
> Talking about disco, a syncthing discovery server [2] is another item on my
> self-hosting bucket list - and I have even less of an idea on how to make
> that work:
>
> server {
>     ...
>
>     ssl_verify_client optional_no_ca;
>
>     location / {
>         proxy_pass http://127.0.0.1:9999;
>
>         proxy_http_version 1.1;
>         proxy_buffering off;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $http_connection;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Client-Port $remote_port;
>         proxy_set_header X-Forwarded-For \
>             $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto \
>             $http_x_forwarded_proto;
>         proxy_set_header X-SSL-Cert $ssl_client_cert;
>     }
> }
>
> That is, can relayd even do this client cert logic?
>
> Not to mention... do I really have to copy paste each relay block as soon as
> I want relayd to be listening on multiple addresses? In nginx, one can
> simply say
>
> listen 443 ssl;
> listen [::]:443 ssl;
>
> ... while the equivalent in relayd appears to be ...
>
> relay https4 {
>     listen on 0.0.0.0 port 443 tls
>     protocol revproxy
>     forward to <ntfy> port 8888
>     forward to <disco> port 9999
> }
>
> relay https6 {
>     listen on :: port 443 tls
>     protocol revproxy
>     forward to <ntfy> port 8888
>     forward to <disco> port 9999
> }
>
> ... this obviously does not scale at all.
>
> - Christoph
>
> [1] https://docs.ntfy.sh/config/#nginxapache2caddy
> [2] https://docs.syncthing.net/users/stdiscosrv.html#nginx

Don't use relayd as an HTTP proxy. It is simply too basic for modern HTTP
needs.
--
:wq Claudio