On Sat, Dec 23, 2017 at 11:40:57AM +0100, Mischa wrote:
> Hi All,
>
> Since OpenBSD 6.2 (just confirmed in the latest snapshot, GENERIC.MP#305,
> as well), relayd at some point stops processing traffic and starts flooding
> the log file with the following message:
>
> Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[52110]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> Dec 23 11:19:12 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> [snip]
> Dec 23 11:19:17 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[22515]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[52110]: rsae_send_imsg: poll timeout
> Dec 23 11:19:18 lb2 relayd[69641]: rsae_send_imsg: poll timeout
> ...etc...
>
> Restarting the daemon "fixes" the problem.
> Not sure how to troubleshoot this, but I am able to reproduce it
> consistently by pointing SSLLabs towards relayd (note that the messages
> above come from three different relayd PIDs, i.e. every relay process is
> affected, not just one). Since anyone able to open TLS connections to the
> listener can presumably trigger this, it amounts to a remotely triggerable
> denial of service until it is fixed.
> Would be great to get some pointers.
>
I have seen this as well on our production systems. This is a problem in
the privsep part of the TLS code: judging by the function name, the relay
processes hand RSA private-key operations to a separate privileged process
over imsg, and it is that round trip which is timing out here. I could not
do more testing yet, but my assumption is that a new option / feature is
triggering a failure in that code path.
--
:wq Claudio
> Anonymised config below:
> # relayd.conf
> # NOTE(review): anonymised - "xxx" stands in for real addresses and hosts.
> # Tables referenced further down (<imageshosts>, <cust2_hosts>,
> # <cust2_hosts_fallback>, <cust3_hosts>, <cust3_hosts_fallback>) are not
> # defined here, while <cust_3hosts>/<cust_3hosts_fallback> are defined but
> # never used. Presumably renamed during anonymisation, since relayd would
> # otherwise reject the config for referencing an unknown table.
> local_v4 = "xxx"
> local_v6 = "xxx"
> # Loopback backend for the relays that forward to local ports 8080/8081.
> table <localhost> { 127.0.0.1 }
>
> www1_addr_v4 = "xxx"
> www1_addr_v6 = "xxx"
> table <www1hosts> { xxx }
>
> www3_addr_v4 = "xxx"
> www3_addr_v6 = "xxx"
> table <www3hosts> { xxx }
>
> cust1_addr_v4 = "xxx"
> cust1_addr_v6 = "xxx"
>
> cust2_addr_v4 = "xxx"
> cust3_addr_v4 = "xxx"
> cust4_addr_v4 = "xxx"
> table <cust_3hosts> { xxx }
> table <cust_3hosts_fallback> { xxx }
> table <cust4_hosts> { xxx }
>
> cust5_addr_v4 = "xxx"
> table <cust5_hosts> { xxx }
>
> # Plain-HTTP protocol used by the catch-all relays (default, default_redirect).
> http protocol httpfilter_default {
> # Strip any client-supplied "Proxy" header before it reaches a backend
> # (httpoxy: CGI-style backends would turn it into HTTP_PROXY).
> match request header remove "Proxy"
> # "append" keeps whatever X-Forwarded-For the client already sent, so a
> # backend must only trust the last (relayd-added) entry, never the first.
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> # (Statement wrapped by the mail client; one line in the real file.)
> match request header append "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
> # Mask the backend's Server/X-Powered-By. "Sever" reads like a typo for
> # "Server" unless it is a deliberate decoy - confirm.
> match response header set "Server" value "Sever"
> match response header set "X-Powered-By" value "Power"
> # Kernel socket splicing disabled; all traffic stays in userland. Reason not
> # stated here.
> tcp { no splice }
> }
> # TLS-side protocol for the catch-all/customer relays: same header filtering
> # as httpfilter_default plus HSTS and one Host-based forward override.
> http protocol httpsfilter_default {
> match request header remove "Proxy"
> # "set" overwrites any client-supplied value, so unlike the appended
> # X-Forwarded-For below, X-ClientIP is a trustworthy client address.
> match request header set "X-ClientIP" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
> # HSTS, one year; only meaningful on the TLS protocol since browsers ignore
> # the header over plain HTTP. No includeSubDomains / preload.
> match response header set "Strict-Transport-Security" value
> "max-age=31536000"
> match response header set "Server" value "Sever"
> match response header set "X-Powered-By" value "Power"
> # "quick" stops rule evaluation on the first match. <imageshosts> is not
> # defined in the tables above, and this hostname escaped the anonymisation.
> match request quick header "Host" value "images.webcam.nl" forward to
> <imageshosts>
> tcp { no splice }
> # Refuse client-initiated TLS renegotiation (renegotiation-driven CPU DoS).
> tls { no client-renegotiation }
> }
>
> # Plain-HTTP protocol for the www1 relay: header filtering as above plus a
> # set of hardening response headers and Host-based forwarding.
> http protocol httpfilter {
> match request header remove "Proxy"
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
> # CSP: script-src allows http://www.w3.org/, a plaintext origin (on the TLS
> # side that would be blocked as mixed content anyway). 'unsafe-inline' is
> # granted for styles only. default-src names high5.nl rather than 'self';
> # confirm that is intended.
> match response header set "Content-Security-Policy" value
> "default-src high5.nl; script-src https://high5.nl http://www.w3.org/;
> style-src 'self' 'unsafe-inline'; img-src 'self'"
> match response header set "Server" value "Sever"
> match response header set "X-Powered-By" value "Power"
> # Clickjacking, legacy XSS-filter and MIME-sniffing hardening headers.
> match response header set "X-Frame-Options" value "SAMEORIGIN"
> match response header set "X-Xss-Protection" value "1; mode=block"
> match response header set "X-Content-Type-Options" value "nosniff"
> # Two identical rules after anonymisation; with "quick" the second can never
> # be reached. Presumably two different host patterns in the real file.
> match request quick header "Host" value "*xxx*" forward to <www1hosts>
> match request quick header "Host" value "*xxx*" forward to <www1hosts>
> tcp { no splice }
> }
> # TLS-side counterpart of httpfilter, used by www1_tls: same filtering and
> # hardening headers plus HSTS, but no Host-based forward rules.
> http protocol httpsfilter {
> # Send an error page to the client when forwarding fails instead of just
> # closing the connection. Only this protocol sets it.
> return error
> match request header remove "Proxy"
> # Overwrites any client-supplied X-ClientIP; trustworthy, unlike the
> # appended X-Forwarded-For below.
> match request header set "X-ClientIP" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
> match response header set "Strict-Transport-Security" value
> "max-age=31536000"
> # Same CSP as httpfilter (including the plaintext http://www.w3.org/ source).
> match response header set "Content-Security-Policy" value
> "default-src high5.nl; script-src https://high5.nl http://www.w3.org/;
> style-src 'self' 'unsafe-inline'; img-src 'self'"
> match response header set "Server" value "Sever"
> match response header set "X-Powered-By" value "Power"
> match response header set "X-Frame-Options" value "SAMEORIGIN"
> match response header set "X-Xss-Protection" value "1; mode=block"
> match response header set "X-Content-Type-Options" value "nosniff"
> tcp { no splice }
> # Client-initiated renegotiation refused, as in httpsfilter_default.
> tls { no client-renegotiation }
> }
> # Catch-all plain HTTP on the load balancer's own addresses -> local service
> # on port 8080.
> relay default {
> listen on $local_v4 port 80
> listen on $local_v6 port 80
> protocol httpfilter_default
> forward to <localhost> port 8080
> }
> # Customer plain-HTTP listeners -> local service on port 8081 (the name
> # suggests an HTTP-to-HTTPS redirector; that service is not visible here).
> relay default_redirect {
> listen on $cust2_addr_v4 port 80
> listen on $cust3_addr_v4 port 80
> listen on $cust4_addr_v4 port 80
> listen on $cust5_addr_v4 port 80
> listen on $cust1_addr_v4 port 80
> listen on $cust1_addr_v6 port 80
> protocol httpfilter_default
> forward to <localhost> port 8081
> }
> # Same for cust4 over TLS: TLS is terminated here and the hop to port 8081
> # is plaintext (loopback only, so acceptable).
> relay default_redirect_tls {
> listen on $cust4_addr_v4 port 443 tls
> protocol httpsfilter_default
> forward to <localhost> port 8081
> }
> # www1 plain HTTP. Two forward statements: if I read relayd.conf(5) correctly
> # the second is the backup used only when the first table is down, so here
> # the local 8081 service is primary and the real backends are the fallback -
> # confirm that order is intended. httpfilter's "quick" Host rules forward to
> # <www1hosts> directly regardless.
> relay www1 {
> listen on $www1_addr_v4 port 80
> listen on $www1_addr_v6 port 80
> protocol httpfilter
> forward to <localhost> port 8081
> forward to <www1hosts> port 80
> }
> # www1 TLS. TLS is terminated here and the backends are reached over plain
> # HTTP, round-robin, with an active health check (GET / with Host: www1,
> # expect 200).
> relay www1_tls {
> listen on $www1_addr_v4 port 443 tls
> listen on $www1_addr_v6 port 443 tls
> protocol httpsfilter
> # (Statement wrapped by the mail client; one line in the real file.)
> forward to <www1hosts> port 80 mode roundrobin check http "/" host
> www1 code 200
> # Disabled backup target; <comic> is not defined above either.
> #forward to <comic> port 80
> }
> # www3 plain HTTP. No "protocol" line, so this is a plain TCP relay: none of
> # the header filtering above (Proxy removal, X-Forwarded-For, hardening
> # headers) applies to it.
> relay www3 {
> listen on $www3_addr_v4 port 80
> listen on $www3_addr_v6 port 80
> forward to <www3hosts> port 80
> }
> # www3 over TLS: terminated here and re-encrypted towards the backend on 443
> # ("forward with tls") - the only relay that does not send plaintext to its
> # backend. No protocol, so no tls options are set (client renegotiation stays
> # at the default) and no header filtering; whether the backend certificate is
> # verified depends on tls options not present here - confirm.
> relay www3_tls {
> listen on $www3_addr_v4 port 443 tls
> listen on $www3_addr_v6 port 443 tls
> forward with tls to <www3hosts> port 443
> }
> # cust2 TLS -> plaintext backends. Three forward statements; <cust2_hosts>
> # and <cust2_hosts_fallback> are not defined above (presumably an
> # anonymisation mismatch with <cust_3hosts>/<cust_3hosts_fallback>). The
> # third target is cust4's pool with no health check - confirm intended.
> relay cust2_tls {
> listen on $cust2_addr_v4 port 443 tls
> protocol httpsfilter_default
> forward to <cust2_hosts> port 80 check http "/" host cust2 code 200
> # (Statement wrapped by the mail client; one line in the real file.)
> forward to <cust2_hosts_fallback> port 80 check http "/" host cust2
> code 200
> forward to <cust4_hosts> port 80
> }
> # cust3 TLS -> plaintext backends with health-checked primary and fallback
> # pools. <cust3_hosts>/<cust3_hosts_fallback> are not defined above
> # (the tables defined are <cust_3hosts>/<cust_3hosts_fallback>).
> relay cust3_tls {
> listen on $cust3_addr_v4 port 443 tls
> protocol httpsfilter_default
> forward to <cust3_hosts> port 80 check http "/" host cust3 code 200
> # (Statement wrapped by the mail client; one line in the real file.)
> forward to <cust3_hosts_fallback> port 80 check http "/" host cust3
> code 200
> }
> # cust5 TLS -> plaintext backend, single pool, no health check.
> relay cust5_tls {
> listen on $cust5_addr_v4 port 443 tls
> protocol httpsfilter_default
> forward to <cust5_hosts> port 80
> }
>
> Mischa
>