relayd: Layer 7 proxy: forward failed

relayd: Layer 7 proxy: forward failed

Leo Unglaub-2
Hi,
I am trying to use relayd as an outbound proxy. I am following the
manual page and also the book "Httpd and Relayd Mastery". I did this on
the latest release 6.4 and also on the latest snapshot to make sure this
was not already fixed somewhere. I am on amd64.

My relayd config looks like this:

> # cat /etc/relayd.conf
> relay "proxy" {
>         listen on 127.0.0.1 port 8080
>         forward to destination
> }
>
> relay "proxy2" {
>         listen on 192.168.0.19 port 9090
>         forward to destination
> }


I use this command to open up a connection from a different host in the
network:

> $ curl -i -x 192.168.0.19:9090 openbsd.org

I used the following command when I am on the same host:

> $ curl -i -x 127.0.0.1:8080 openbsd.org


I get the same error every time:

> # relayd -dvvvvf /etc/relayd.conf
> startup
> pfe: filter init done
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> parent_tls_ticket_rekey: rekeying tickets
> relay_privinit: adding relay proxy
> protocol -1: name default
>         flags: used, relay flags: divert
>         tls session tickets: disabled
>         type: tcp
> relay_privinit: adding relay proxy2
> protocol -1: name default
>         flags: used, relay flags: divert
>         tls session tickets: disabled
>         type: tcp
> init_tables: created 0 tables
> relay_launch: running relay proxy
> relay_launch: running relay proxy
> relay_launch: running relay proxy2
> relay_launch: running relay proxy
> relay_launch: running relay proxy2
> relay_launch: running relay proxy2
> relay_connect: session 1: forward failed: Operation not permitted
> relay_close: sessions inflight decremented, now 0


I used the following addition to the default pf.conf.
> pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port 8080



Is this a bug in my setup or a problem with relayd?

I also tried the entire config from the book "Httpd and Relayd Mastery"
and even when I type it down 1 by 1 I get the same error.

Thanks and greetings
Leo



Re: relayd: Layer 7 proxy: forward failed

trondd-2
On Thu, December 6, 2018 12:04 pm, Leo Unglaub wrote:

> Hi,
> I am trying to use relayd as an outbound proxy. I am following the
> manual page and also the book "Httpd and Relayd Mastery". I did this on
> the latest release 6.4 and also on the latest snapshot to make sure this
> was not already fixed somewhere. I am on amd64.
>
> My relayd config looks like this:
>
>> # cat /etc/relayd.conf
>> relay "proxy" {
>>         listen on 127.0.0.1 port 8080
>>         forward to destination
>> }
>>
>> relay "proxy2" {
>>         listen on 192.168.0.19 port 9090
>>         forward to destination
>> }
>
>
> I use this command to open up a connection from a different host in the
> network:
>
>> $ curl -i -x 192.168.0.19:9090 openbsd.org
>
> I used the following command when I am on the same host:
>
>> $ curl -i -x 127.0.0.1:8080 openbsd.org
>

I don't have the time to set this up to test, so just throwing ideas out.

Doesn't this set up a transparent relay?  Should you be configuring a
proxy with curl in this case?  Did you try it without?

>
> I get the same error every time:
>> # relayd -dvvvvf /etc/relayd.conf
>> startup
>> pfe: filter init done
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> parent_tls_ticket_rekey: rekeying tickets
>> relay_privinit: adding relay proxy
>> protocol -1: name default
>>         flags: used, relay flags: divert
>>         tls session tickets: disabled
>>         type: tcp
>> relay_privinit: adding relay proxy2
>> protocol -1: name default
>>         flags: used, relay flags: divert
>>         tls session tickets: disabled
>>         type: tcp
>> init_tables: created 0 tables
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy2
>> relay_connect: session 1: forward failed: Operation not permitted
>> relay_close: sessions inflight decremented, now 0
>
>
> I used the following addition to the default pf.conf.
>> pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port 8080
>

If you're connecting from inside the network, is 'in on egress' the
correct interface here?


>
>
> Is this a bug in my setup or a problem with relayd?
>
> I also tried the entire config from the book "Httpd and Relayd Mastery"
> and even when I type it down 1 by 1 I get the same error.
>
> Thanks and greetings
> Leo
>
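
The reply's question about transparent relaying versus `curl -x`, as an added illustration that is not part of either message and is not relayd code: on a connection made directly to a listener (no pf `divert-to`), `getsockname()` on the accepted socket returns the listener's own address, and the intended host appears only in the proxy-style request line, which a `type: tcp` relay does not parse. The function name, the ephemeral port and the sample request are constructed for this sketch.

```python
import socket

# Constructed sample: the request curl sends when given -x and an http:// URL.
PROXY_REQUEST = b"GET http://openbsd.org/ HTTP/1.1\r\nHost: openbsd.org\r\n\r\n"


def observe_direct_connection(listen_host="127.0.0.1"):
    """Accept one direct (non-diverted) connection and report what a relay
    could learn about the destination from the socket versus the payload."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((listen_host, 0))  # ephemeral port stands in for 8080/9090
    listener.listen(1)
    listen_addr = listener.getsockname()

    client = socket.create_connection(listen_addr)  # like curl -x host:port
    conn, _peer = listener.accept()
    client.sendall(PROXY_REQUEST)

    # The address the client dialled. pf.conf(5) documents that with divert-to
    # this is the original destination; on a direct connection it is simply
    # the listener itself.
    socket_destination = conn.getsockname()

    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    request_line = data.split(b"\r\n", 1)[0].decode("ascii")
    _method, target, _version = request_line.split(" ")

    for s in (conn, client, listener):
        s.close()
    return {
        "listen_address": listen_addr,
        "socket_destination": socket_destination,
        "points_at_itself": socket_destination == listen_addr,
        "request_target": target,
    }


if __name__ == "__main__":
    for key, value in observe_direct_connection().items():
        print(f"{key}: {value}")
```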