relayd relay stability

relayd relay stability

Keith-125
Hi,
Since upgrading one of our OpenBSD firewalls on Monday last
week we have been having serious stability issues with relayd as it's
been randomly exiting after only a few hours of being started. We were
in the same situation a few years ago when we did a previous upgrade of
OBSD and at that time I think we reverted some of the servers to a
previous build of OBSD. I think we also commented out some parts of our
relayd.conf file until things became stable and we left it like that
till we upgraded last week.

I've got a feeling that the crashes are related to the only "relay" that
we have called "http_forwarder" and to the protocol we've called "http"
where we add the X-Forwarded header.  Previous to the recent upgrade the
"match header append "X-Forwarded-For"..." line had been commented out
and I am assuming that that was the reason that it had been stable.

After the first or second crash last week I think we removed the "http"
protocol from our relayd.conf and that made things stable again but we
need to get the X-Forwarded-For header working so I re-enabled it again
today along with some minor other edits but relayd has died again...

After searching around I found this but am not sure if it's related to
our issue.... http://permalink.gmane.org/gmane.os.openbsd.misc/220963

If anyone can help it would be appreciated as I am unsure how or what to
do next.

Thanks,

Keith

I left relayd running in the foreground with verbose enabled and below
are the last few log lines.

relay http_forwarder, session 8734 (440 active), 0, XX.XX.XX.174 -> :0,
no method (406 Not Acceptable), POST
ca exiting, pid 26811
ca exiting, pid 17254
pfe exiting, pid 26999
ca exiting, pid 29382
ca exiting, pid 7976
ca exiting, pid 24659
hce exiting, pid 16102
relay exiting, pid 9783
relay exiting, pid 19514
relay exiting, pid 12042
relay exiting, pid 13716
parent terminating, pid 29733

Our relayd.conf file....

interval 60
timeout 8000
prefork 5
log updates

table <web_hosts>    { 192.168.XX.aa, 192.168.XX.bb }

http protocol "http" {
   match header append "X-Forwarded-For" value "$REMOTE_ADDR"
   return error
}

redirect "http_Main" {
   listen on 192.168.xx.2 port  80 interface vlanXX
   listen on 192.168.xx.3 port  80 interface vlanXX
   match pftag http_Main
   forward to <web_hosts>  port  82 check http "/" code 200
}

redirect "https_Main" {
   listen on 192.168.xx.2 port 443 interface vlanXX
   match pftag https_Main
   forward to <web_hosts>  port 443 check tcp
}

redirect "https_Other" {
   listen on 192.168.xx.3 port 443 interface vlanXX
   match pftag https_NN_Only
   forward to <web_hosts>  port 445 check tcp
}

relay "http_forwarder" {
   listen on 127.0.0.1 port 8080
   protocol "http"
   forward to <web_hosts> port 82 mode loadbalance check http "/" code 200
}

relay "SSL_Generic" {
   listen on 127.0.0.1 port 9441
   forward to <web_hosts> port  443 mode loadbalance check tcp
}

relay "SSL_Other" {
   listen on 127.0.0.1 port 9444
   forward to <web_hosts> port 445 mode loadbalance check tcp
}
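
A triage helper for the log tail quoted above, added here as an example and not part of the original post: it reports the last relay session line seen before each "parent terminating" shutdown, so repeated crashes can be compared by relay, source and error. The function name, the output field names and the assumption that each session line arrives unwrapped on one line are mine.

```shell
#!/bin/sh
# Constructed sample: the log tail from the post, with the session line
# re-joined onto a single line (the mail client had wrapped it).
sample_log() {
cat <<'EOF'
relay http_forwarder, session 8734 (440 active), 0, XX.XX.XX.174 -> :0, no method (406 Not Acceptable), POST
ca exiting, pid 26811
ca exiting, pid 17254
pfe exiting, pid 26999
ca exiting, pid 29382
ca exiting, pid 7976
ca exiting, pid 24659
hce exiting, pid 16102
relay exiting, pid 9783
relay exiting, pid 19514
relay exiting, pid 12042
relay exiting, pid 13716
parent terminating, pid 29733
EOF
}

# Reads relayd foreground output on stdin. For every "parent terminating"
# line, prints the last session line seen before it plus the number of
# child processes that logged "exiting" in between.
triage_relayd_exit() {
  awk -F', ' '
    $1 ~ /^relay / && $2 ~ /^session [0-9]+ \(/ {
      split($2, s, /[ (]+/)        # s[2] = session id, s[3] = active count
      split($4, a, " -> ")         # a[1] = source address
      last = sprintf("relay=%s session=%s active=%s src=%s reason=\"%s\"",
                     substr($1, 7), s[2], s[3], a[1], $5)
      kids = 0
      next
    }
    / exiting, pid [0-9]+$/ { kids++; next }
    /^parent terminating, pid [0-9]+$/ {
      printf "%s children_exited=%d\n", (last != "" ? last : "relay=unknown"), kids
      last = ""; kids = 0
    }
  '
}

sample_log | triage_relayd_exit
```
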


Re: relayd relay stability

Sebastian Benoit
Hi Keith,

Please update relayd to the version from current and see if this fixes your
problems. Quite a few bugs were fixed since the 5.7 release.

/Benno



Re: relayd relay stability

Keith-125
In reply to this post by Keith-125
Hi, I am having some trouble building relayd. I've got down to the "make"
part where it fails as you can see below. Do you know what I'm doing wrong?

I downloaded the src.tar.gz file....
tar xzf ../src.tar.gz

export CVSROOT=[hidden email]:/cvs
cvs up -AC
cvs server: Updating .
P agentx.c
P ca.c
P config.c
P control.c
P http.h
P parse.y
P pfe.c
P relay.c
P relay_http.c
P relayd.c
P relayd.conf.5
P relayd.h
P ssl.c
# make obj
/usr/src/usr.sbin/relayd/obj -> /usr/obj/usr.sbin/relayd
# make
make: don't know how to make /usr/lib/crt0.o (prerequisite of: relayd)
Stop in /usr/src/usr.sbin/relayd

Thanks
Keith.


On Tue, Jul 21, 2015 at 5:08 AM, Sebastian Benoit <[hidden email]>
wrote:

>
> Hi,
>
> here is how to update relayd to current:
>
> (your user account has to be in group wsrc)
>
> $ cd /usr
> $ cvs -qd [hidden email]:/cvs get -rOPENBSD_5_7 -P src
> $ cd src/usr.sbin/relayd
> $ cvs up -AC
> $ make obj
> $ make
> $ sudo cp /usr/sbin/relayd /usr/sbin/relayd.orig
> $ sudo make install
>
> Restart relayd and see if it's better.
>
> /Benno


Re: relayd relay stability

Stuart Henderson
On 2015-07-21, keith scott <[hidden email]> wrote:
> Hi, I am having some trouble building relayd. I've got down to the "make"
> part where it fails as you can see below. Do you know what I'm doing wrong?

I suspect you perhaps didn't install the comp57.tgz set; if that's likely,
you can add it to the running system if you like:

# cd /tmp
# ftp http://ftp.fr.openbsd.org/pub/OpenBSD/5.7/amd64/{SHA256.sig,comp57.tgz}
# signify -C -p /etc/signify/openbsd-57-base.pub -x SHA256.sig comp57.tgz &&
(cd /; tar xzpvf tmp/comp57.tgz)