Hi All,

Since OpenBSD 6.2 (and I just confirmed this in the latest snapshot, GENERIC.MP#305, as well), relayd for some reason stops processing traffic and starts flooding the log file with the following message:
Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[52110]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[69641]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[22515]: rsae_send_imsg: poll timeout
[snip]
Dec 23 11:19:17 lb2 relayd[69641]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[52110]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[69641]: rsae_send_imsg: poll timeout
...etc...

Restarting the daemon "fixes" the problem. I am not sure how to troubleshoot this, but I am able to reproduce it consistently by pointing SSLLabs at relayd. It would be great to get some pointers.

Anonymised config below:

# relayd.conf
local_v4 = "xxx"
local_v6 = "xxx"
table <localhost> { 127.0.0.1 }

www1_addr_v4 = "xxx"
www1_addr_v6 = "xxx"
table <www1hosts> { xxx }

www3_addr_v4 = "xxx"
www3_addr_v6 = "xxx"
table <www3hosts> { xxx }

cust1_addr_v4 = "xxx"
cust1_addr_v6 = "xxx"
cust2_addr_v4 = "xxx"
cust3_addr_v4 = "xxx"
cust4_addr_v4 = "xxx"
table <cust_3hosts> { xxx }
table <cust_3hosts_fallback> { xxx }
table <cust4_hosts> { xxx }
cust5_addr_v4 = "xxx"
table <cust5_hosts> { xxx }

http protocol httpfilter_default {
	match request header remove "Proxy"
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match response header set "Server" value "Sever"
	match response header set "X-Powered-By" value "Power"
	tcp { no splice }
}

http protocol httpsfilter_default {
	match request header remove "Proxy"
	match request header set "X-ClientIP" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match response header set "Strict-Transport-Security" value "max-age=31536000"
	match response header set "Server" value "Sever"
	match response header set "X-Powered-By" value "Power"
	match request quick header "Host" value "images.webcam.nl" forward to <imageshosts>
	tcp { no splice }
	tls { no client-renegotiation }
}

http protocol httpfilter {
	match request header remove "Proxy"
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match response header set "Content-Security-Policy" value "default-src high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 'unsafe-inline'; img-src 'self'"
	match response header set "Server" value "Sever"
	match response header set "X-Powered-By" value "Power"
	match response header set "X-Frame-Options" value "SAMEORIGIN"
	match response header set "X-Xss-Protection" value "1; mode=block"
	match response header set "X-Content-Type-Options" value "nosniff"
	match request quick header "Host" value "*xxx*" forward to <www1hosts>
	match request quick header "Host" value "*xxx*" forward to <www1hosts>
	tcp { no splice }
}

http protocol httpsfilter {
	return error
	match request header remove "Proxy"
	match request header set "X-ClientIP" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match response header set "Strict-Transport-Security" value "max-age=31536000"
	match response header set "Content-Security-Policy" value "default-src high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 'unsafe-inline'; img-src 'self'"
	match response header set "Server" value "Sever"
	match response header set "X-Powered-By" value "Power"
	match response header set "X-Frame-Options" value "SAMEORIGIN"
	match response header set "X-Xss-Protection" value "1; mode=block"
	match response header set "X-Content-Type-Options" value "nosniff"
	tcp { no splice }
	tls { no client-renegotiation }
}

relay default {
	listen on $local_v4 port 80
	listen on $local_v6 port 80
	protocol httpfilter_default
	forward to <localhost> port 8080
}

relay default_redirect {
	listen on $cust2_addr_v4 port 80
	listen on $cust3_addr_v4 port 80
	listen on $cust4_addr_v4 port 80
	listen on $cust5_addr_v4 port 80
	listen on $cust1_addr_v4 port 80
	listen on $cust1_addr_v6 port 80
	protocol httpfilter_default
	forward to <localhost> port 8081
}

relay default_redirect_tls {
	listen on $cust4_addr_v4 port 443 tls
	protocol httpsfilter_default
	forward to <localhost> port 8081
}

relay www1 {
	listen on $www1_addr_v4 port 80
	listen on $www1_addr_v6 port 80
	protocol httpfilter
	forward to <localhost> port 8081
	forward to <www1hosts> port 80
}

relay www1_tls {
	listen on $www1_addr_v4 port 443 tls
	listen on $www1_addr_v6 port 443 tls
	protocol httpsfilter
	forward to <www1hosts> port 80 mode roundrobin check http "/" host www1 code 200
	#forward to <comic> port 80
}

relay www3 {
	listen on $www3_addr_v4 port 80
	listen on $www3_addr_v6 port 80
	forward to <www3hosts> port 80
}

relay www3_tls {
	listen on $www3_addr_v4 port 443 tls
	listen on $www3_addr_v6 port 443 tls
	forward with tls to <www3hosts> port 443
}

relay cust2_tls {
	listen on $cust2_addr_v4 port 443 tls
	protocol httpsfilter_default
	forward to <cust2_hosts> port 80 check http "/" host cust2 code 200
	forward to <cust2_hosts_fallback> port 80 check http "/" host cust2 code 200
	forward to <cust4_hosts> port 80
}

relay cust3_tls {
	listen on $cust3_addr_v4 port 443 tls
	protocol httpsfilter_default
	forward to <cust3_hosts> port 80 check http "/" host cust3 code 200
	forward to <cust3_hosts_fallback> port 80 check http "/" host cust3 code 200
}

relay cust5_tls {
	listen on $cust5_addr_v4 port 443 tls
	protocol httpsfilter_default
	forward to <cust5_hosts> port 80
}

Mischa