On Sat, Dec 23, 2017 at 11:40:57AM +0100, Mischa wrote:
> Hi All,
>
> Since OpenBSD 6.2, just confirmed this in the latest snapshot
> (GENERIC.MP#305) as well, for some reason relayd stops processing traffic and
> starts flooding the log file with the following message:
>
> Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[52110]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> [snip]
> Dec 23 11:19:17 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[52110]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> ...etc...
>
> Restarting the daemon "fixes" the problem.
> Not sure how to troubleshoot this but I am able to reproduce this
> consistently by pointing SSLLabs towards relayd.
> Would be great to get some pointers.
>

I have seen this as well on our production systems. This is a problem in
the privsep part of the TLS code. I could not do more testing yet but my
assumption is that a new option / feature is freaking this code out.

--
:wq Claudio

> Anonymised config below:
>
> # relayd.conf
> local_v4 = "xxx"
> local_v6 = "xxx"
> table <localhost> { 127.0.0.1 }
>
> www1_addr_v4 = "xxx"
> www1_addr_v6 = "xxx"
> table <www1hosts> { xxx }
>
> www3_addr_v4 = "xxx"
> www3_addr_v6 = "xxx"
> table <www3hosts> { xxx }
>
> cust1_addr_v4 = "xxx"
> cust1_addr_v6 = "xxx"
>
> cust2_addr_v4 = "xxx"
> cust3_addr_v4 = "xxx"
> cust4_addr_v4 = "xxx"
> table <cust_3hosts> { xxx }
> table <cust_3hosts_fallback> { xxx }
> table <cust4_hosts> { xxx }
>
> cust5_addr_v4 = "xxx"
> table <cust5_hosts> { xxx }
>
> http protocol httpfilter_default {
>     match request header remove "Proxy"
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>     match response header set "Server" value "Sever"
>     match response header set "X-Powered-By" value "Power"
>     tcp { no splice }
> }
>
> http protocol httpsfilter_default {
>     match request header remove "Proxy"
>     match request header set "X-ClientIP" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>     match response header set "Strict-Transport-Security" value "max-age=31536000"
>     match response header set "Server" value "Sever"
>     match response header set "X-Powered-By" value "Power"
>     match request quick header "Host" value "images.webcam.nl" forward to <imageshosts>
>     tcp { no splice }
>     tls { no client-renegotiation }
> }
>
> http protocol httpfilter {
>     match request header remove "Proxy"
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>     match response header set "Content-Security-Policy" value "default-src high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 'unsafe-inline'; img-src 'self'"
>     match response header set "Server" value "Sever"
>     match response header set "X-Powered-By" value "Power"
>     match response header set "X-Frame-Options" value "SAMEORIGIN"
>     match response header set "X-Xss-Protection" value "1; mode=block"
>     match response header set "X-Content-Type-Options" value "nosniff"
>     match request quick header "Host" value "*xxx*" forward to <www1hosts>
>     match request quick header "Host" value "*xxx*" forward to <www1hosts>
>     tcp { no splice }
> }
>
> http protocol httpsfilter {
>     return error
>     match request header remove "Proxy"
>     match request header set "X-ClientIP" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>     match response header set "Strict-Transport-Security" value "max-age=31536000"
>     match response header set "Content-Security-Policy" value "default-src high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 'unsafe-inline'; img-src 'self'"
>     match response header set "Server" value "Sever"
>     match response header set "X-Powered-By" value "Power"
>     match response header set "X-Frame-Options" value "SAMEORIGIN"
>     match response header set "X-Xss-Protection" value "1; mode=block"
>     match response header set "X-Content-Type-Options" value "nosniff"
>     tcp { no splice }
>     tls { no client-renegotiation }
> }
>
> relay default {
>     listen on $local_v4 port 80
>     listen on $local_v6 port 80
>     protocol httpfilter_default
>     forward to <localhost> port 8080
> }
>
> relay default_redirect {
>     listen on $cust2_addr_v4 port 80
>     listen on $cust3_addr_v4 port 80
>     listen on $cust4_addr_v4 port 80
>     listen on $cust5_addr_v4 port 80
>     listen on $cust1_addr_v4 port 80
>     listen on $cust1_addr_v6 port 80
>     protocol httpfilter_default
>     forward to <localhost> port 8081
> }
>
> relay default_redirect_tls {
>     listen on $cust4_addr_v4 port 443 tls
>     protocol httpsfilter_default
>     forward to <localhost> port 8081
> }
>
> relay www1 {
>     listen on $www1_addr_v4 port 80
>     listen on $www1_addr_v6 port 80
>     protocol httpfilter
>     forward to <localhost> port 8081
>     forward to <www1hosts> port 80
> }
>
> relay www1_tls {
>     listen on $www1_addr_v4 port 443 tls
>     listen on $www1_addr_v6 port 443 tls
>     protocol httpsfilter
>     forward to <www1hosts> port 80 mode roundrobin check http "/" host www1 code 200
>     #forward to <comic> port 80
> }
>
> relay www3 {
>     listen on $www3_addr_v4 port 80
>     listen on $www3_addr_v6 port 80
>     forward to <www3hosts> port 80
> }
>
> relay www3_tls {
>     listen on $www3_addr_v4 port 443 tls
>     listen on $www3_addr_v6 port 443 tls
>     forward with tls to <www3hosts> port 443
> }
>
> relay cust2_tls {
>     listen on $cust2_addr_v4 port 443 tls
>     protocol httpsfilter_default
>     forward to <cust2_hosts> port 80 check http "/" host cust2 code 200
>     forward to <cust2_hosts_fallback> port 80 check http "/" host cust2 code 200
>     forward to <cust4_hosts> port 80
> }
>
> relay cust3_tls {
>     listen on $cust3_addr_v4 port 443 tls
>     protocol httpsfilter_default
>     forward to <cust3_hosts> port 80 check http "/" host cust3 code 200
>     forward to <cust3_hosts_fallback> port 80 check http "/" host cust3 code 200
> }
>
> relay cust5_tls {
>     listen on $cust5_addr_v4 port 443 tls
>     protocol httpsfilter_default
>     forward to <cust5_hosts> port 80
> }
>
> Mischa
>
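A small log monitor for the storm Mischa describes, added here as an example and not part of this thread or of relayd itself: it parses syslog lines of the shape quoted above and reports relayd processes that emit more than a threshold of `rsae_send_imsg: poll timeout` messages inside a sliding time window, so an operator can alert on (or restart, which the report says clears the condition) a stuck daemon before the log partition fills. The sample lines, the threshold and the window are constructed for this example.

```python
import re
from collections import deque
from datetime import datetime

# Syslog line shape as quoted in the report:
#   Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) relayd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TIMEOUT_MSG = "rsae_send_imsg: poll timeout"

# Constructed sample: one unrelated line, then a burst from pid 22515 and
# single timeouts from the two other relay processes named in the report.
SAMPLE_LOG = """\
Dec 23 11:19:10 lb2 relayd[22515]: constructed unrelated message
Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[52110]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[69641]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:13 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:14 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:15 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:16 lb2 relayd[22515]: rsae_send_imsg: poll timeout
"""

def parse_line(line, year=2017):
    """Return (timestamp, pid, message) for a relayd syslog line, else None.
    Syslog omits the year, so the caller supplies it (assumed 2017 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["msg"]

def detect_flood(lines, threshold=3, window_seconds=10):
    """Return {pid: peak_count} for relayd processes whose poll-timeout
    messages exceed `threshold` within any `window_seconds` sliding window.
    Lines are assumed to arrive in syslog (chronological) order."""
    windows, peaks = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != TIMEOUT_MSG:
            continue
        ts, pid, _ = parsed
        q = windows.setdefault(pid, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop timeouts older than the window
        if len(q) > threshold:
            peaks[pid] = max(peaks.get(pid, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(detect_flood(SAMPLE_LOG.splitlines()))
```

On a live system the same function can be fed from `tail -f /var/log/daemon` and a non-empty result used to page an operator or to drive a controlled restart of relayd.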