This is most likely a result of increased sanity checks for headers
done last autumn.
Does anything show in debug logs? (relayd -dv)
On 2024/04/09 01:02, Ollie Strickland wrote:
> bugs@ - post upgrade to 7.5, I have lost websockets functionality via relayd
> for app Vaultwarden. Websockets is used in package - vaultwarden-1.30.5 - in
> an advanced feature that pushes data to client browsers and mobile apps in
> real time.
>
> Note - the application has basic functionality without websockets via polling
> of the server, so at a cursory glance the app appears to work fine. So, use
> step (6) to test websockets.
>
> Steps to reproduce:
> 1 - pkg_add vaultwarden-1.30.5
> 2 - rcctl enable vaultwarden && rcctl start vaultwarden
> 3 - configure relayd with below config
> 4 - point web browser to the host and register for a new vaultwarden user
> account
> 5 - open a second browser session incognito / private
> 6 - in the first browser, create a new secure note - when websockets is
> working the data should show up in near real time in the other browser
> 7 - watch WS activity in the dev console, and note that although the WS
> session is established successfully, no payload data is ever received from
> the server - this set of screenshots shows proper operation without relayd in
> the first screenshot, and then failure of WS with relayd in the second
> screenshot - https://imgur.com/a/msvyXbX
> 8 - note that if you turn relayd off and use pf to send inbound web traffic
> to Vaultwarden's Rocket server on port 8000, then websockets works
>
> Ollie Strickland
> -
>
> relayd.conf:
> -
> table { 127.0.0.1 }
>
> # protocol definition for vaultwarden with tls
> http protocol vaultwarden-https {
>
> # forward connections to vaultwarden rocket
> match request path "/*" forward to
>
> # add headers vaultwarden may need
> match request header append "Host" value "$HOST"
> match request header append "X-Real-IP" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> match request header append "CF-Connecting-IP" value "$REMOTE_ADDR"
>
> # various TCP options
> tcp { nodelay, sack, backlog 128 }
>
> # tls config
> tls keypair vault.example.com
> tls { no tlsv1.0, ciphers HIGH }
>
> # allow websockets
> http websockets
> }
>
> # relay definition for vaultwarden - forward inbound 443 tls on the egress interface to rocket on default port 8000
> relay vaultwarden-https-relay {
> listen on egress port 443 tls
> protocol vaultwarden-https
> forward to port 8000
> }
> -
>
> dmesg:
> -
> OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
>
> r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>