relayd transparent proxy for a local daemon

2012-11-07 Thread Bogdan Andu
Hello,

I am trying to solve a problem and I am really out of ideas.

I want to use relayd to set up a transparent reverse proxy with SSL offloading for a
local daemon.

The data flow is the following:

Client --> $ext_if (relayd box) --> lo0 (local daemon)


Is it possible for the local daemon to see the original client IP, instead of 127.0.0.1?


The original client IP should arrive at the local daemon, because it is needed in
further operations. If it had been only for logging, that would have been a problem.

I am aware of the setup described here:
http://marc.info/?l=openbsd-misc&m=130479125318862&w=2

but I do not know how to obtain this behaviour with a locally bound daemon.

This local daemon is running under an unprivileged user.

I have the following setup:


in /etc/relayd.conf:

ext_addr="192.162.16.133"

protocol tcp_ssl_prot {
    # Various TCP performance options
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }

    ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH" }
    ssl session cache disable
}

relay tcp_ssl_inet4 {
    # Run as an SSL accelerator
    listen on $ext_addr port 1122 ssl

    protocol "tcp_ssl_prot"

    # Forward transparently to the local daemon listening on 127.0.0.1 via lo0
    transparent forward to 127.0.0.1 port 1133 interface lo0
}


pf is disabled (I really do not know what I should put in pf.conf)


Any idea very much appreciated.

Thank you very much,
Bogdan



munin-node not working from packages in 5.2

2012-11-07 Thread Bernd

Hi,

just updated a machine (fresh installation from scratch) to OpenBSD 5.2 
(amd64).


munin-node-1.4.7p0 added via pkg_add throws this error in its log:

2012/11/07-14:08:42 CONNECT TCP Peer: "[12.34.56.78]:20963" Local: "[12.34.56.100]:4949"
Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600.
Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600.


Is this a known issue?

Best,

Bernd



Is this CVS message important? Trying to update -stable sources.

2012-11-07 Thread John Long
Hello misc@

Trying to update -stable sources I got the following message:

root@host:/usr/src# cvs -q -d$CVSROOT up -Pd
cvs server: use `cvs add' to create an entry for gnu/usr.bin/gcc/INSTALL

Attempting to comply with cvs's wishes:

root@host:/usr/src# cvs add gnu/usr.bin/gcc/INSTALL
cvs [add aborted]: there is a version in gnu/usr.bin/gcc/INSTALL already

but:

root@host:/usr/src# cat gnu/usr.bin/gcc/INSTALL/CVS/Tag 
TOPENBSD_5_2

Does the cvs message saying to use cvs add mean anything to anybody? Does
this need to be fixed anywhere or can I just ignore it? Or did I miss
something on the cvs add that would have fixed this?

/jl

-- 
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary/ \http://www.mutt.org
 attachments /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04 



Re: hardware suggestion: off topic (probably)

2012-11-07 Thread Kirill Bychkov
On Tue, November 6, 2012 22:31, Jiri B wrote:
> On Tue, Nov 06, 2012 at 02:28:49PM -0200, Friedrich Locke wrote:
>> Dear list members,
>>
>> I have set up a web server in my working environment and I was asked to
>> install webalizer. Now my boss asked me to install a tool that "looks" at
>> webalizer stats files and suggests a hardware capacity for the workload
>> reported by webalizer.
>>
>> I don't know what to tell him. Why do you think he asked me that?
>
> If I understood correctly he wants a trend tool, it means to know when
> you should buy new disks/storage/whatever based on resources utilization
> projection trend...
>
> No idea which OSS app can do that.
>
> jirib
>
>

Some monitoring tools like munin, I think.



Benchmark for nginx + php + mysql

2012-11-07 Thread Raindy Long
Hi @misc,

Just created a webserver on openbsd5.2 with nginx+php+mysql; hardware is:
512M + 2.4G CPU + 40G disk.
And I did some benchmarks with the ab/webbench tools, opening 100 clients & 10
processes to do the test. The results are (nginx access log disabled in all tests):
(1) static html file: 498 requests/sec
(2) php file: 284 requests/sec, and five php-fpm processes use 100% cpu !! :(
I think the test result is so bad.

Next is my /etc/sysctl.conf content:
---
kern.maxvnodes=131072  
kern.maxproc=65536
kern.maxfiles=65536
kern.somaxconn=65536
kern.sominconn=256 
kern.maxclusters=32768
net.inet.tcp.recvspace=65536 
net.inet.tcp.sendspace=65536
net.inet.udp.recvspace=65536 
net.inet.udp.sendspace=65536
---

What can I do to improve the performance ?
Thanks a lot .



Raindy Long



Re: Benchmark for nginx + php + mysql

2012-11-07 Thread Rafal Bisingier
Hi,

On Wed, 07 nov 2012 at 23:43 CET
"Raindy Long"  wrote:

> Hi @misc,
> 
>   Just created a webserver on openbsd5.2 with nginx+php+mysql; hardware is:
> 512M + 2.4G CPU + 40G disk.
>   And I did some benchmarks with the ab/webbench tools, opening 100 clients & 10
> processes to do the test. The results are (nginx access log disabled in all tests):
> (1) static html file: 498 requests/sec
> (2) php file: 284 requests/sec, and five php-fpm processes use 100% cpu !!
> :(
> I think the test result is so bad.
> 
> next is my /etc/sysctl.conf context:
> ---
> kern.maxvnodes=131072  
> kern.maxproc=65536
> kern.maxfiles=65536
> kern.somaxconn=65536
> kern.sominconn=256 
> kern.maxclusters=32768
> net.inet.tcp.recvspace=65536 
> net.inet.tcp.sendspace=65536
> net.inet.udp.recvspace=65536 
> net.inet.udp.sendspace=65536
> ---
> 
> What can I do to improve the performance ?
> Thanks a lot .

Try this:
echo "" > test.php

PS. You didn't even show what you are testing (your configuration and
the php script code) and you want some improvement advice? You must be
kidding... ;-)


-- 
Greetings
Rafal Bisingier



Re: Benchmark for nginx + php + mysql

2012-11-07 Thread Raindy Long
Sorry, my php script is just like 
And, I think even the static html file test is unreasonable.

Thanks .

Raindy Long

From: Rafal Bisingier
Date: 2012-11-08 00:42
To: sopato
CC: misc
Subject: Re: Benchmark for nginx + php + mysql
Hi,

On Wed, 07 nov 2012 at 23:43 CET
"Raindy Long"  wrote:

> Hi @misc,
> 
>  Just created a webserver on openbsd5.2 with nginx+php+mysql; hardware is:
> 512M + 2.4G CPU + 40G disk.
>  And I did some benchmarks with the ab/webbench tools, opening 100 clients & 10
> processes to do the test. The results are (nginx access log disabled in all tests):
> (1) static html file: 498 requests/sec
> (2) php file: 284 requests/sec, and five php-fpm processes use 100% cpu !!
> :(
> I think the test result is so bad.
> 
> next is my /etc/sysctl.conf context:
> ---
> kern.maxvnodes=131072  
> kern.maxproc=65536
> kern.maxfiles=65536
> kern.somaxconn=65536
> kern.sominconn=256 
> kern.maxclusters=32768
> net.inet.tcp.recvspace=65536 
> net.inet.tcp.sendspace=65536
> net.inet.udp.recvspace=65536 
> net.inet.udp.sendspace=65536
> ---
> 
> What can I do to improve the performance ?
> Thanks a lot .

Try this:
echo "" > test.php

PS. You didn't even show what you are testing (your configuration and
the php script code) and you want some improvement advice? You must be
kidding... ;-)

-- 
Greetings
Rafal Bisingier



mountd needs to reboot to change mapall argument

2012-11-07 Thread TimH
On a 5.2 system we are using nfsd with the following in rc.conf.local:

portmap_flags=""
mountd_flags=""
nfsd_flags="-tun 4"

using exports file like the following...

/sharedstuff -alldirs -mapall=testuser1 -network=172.20.0 -mask=255.255.255.0


Everything will work as expected at boot time.  However if we change
the mapall user to something else (say, testuser2), and reload the
configuration, the permissions on created files act as if we have not
made any changes.

If we do "/etc/rc.d/mountd restart", mountd eventually stops running,
but no startup takes place.  If we verify it isn't running and then
"/etc/rc.d/mountd start" it will come back up, but it still does not
use the new -mapall setting.

We have to reboot the server for the new -mapall setting to be recognized.

We've tried various things to try to convince mountd to die and start
with the new config.  If I run mountd -d, it clearly reads the new
configuration, but it acts as if the changes had not taken place.

Simple changes seem to work.  If we scale back the exports file to
something like:

/shared1

And then change it to another directory, a reload command will be
enough to use the new setting.  So, somehow the user permission change
is what it won't take.  We tried with -maproot as well.  We also
tried various other -mapall syntax changes.

Please cc me in any replies, I am not currently on the list.

--TimH

Obligatory dmesg:

OpenBSD 5.2 (GENERIC.MP) #365: Tue Jul 24 09:39:12 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4292739072 (4093MB)
avail mem = 4156096512 (3963MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.51 @ 0xe7eea000 (33 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 08/27/2007
bios0: Supermicro PDSML
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP MCFG APIC BOOT SPCR SSDT
acpi0: wakeup devices DEV1(S5) EXP1(S5) EXP5(S5) EXP6(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5) USB1(S4) USB2(S4) USB3(S4) USB4(S4) EUSB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xf000, bus 0-14
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz, 1995.30 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF
cpu0: 1MB 64b/line 4-way L2 cache
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz, 1995.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF
cpu1: 1MB 64b/line 4-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (DEV1)
acpiprt2 at acpi0: bus 9 (EXP1)
acpiprt3 at acpi0: bus 13 (EXP5)
acpiprt4 at acpi0: bus 14 (EXP6)
acpiprt5 at acpi0: bus 15 (PCIB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0xc0
ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0xc0: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
pci2 at ppb1 bus 9
ppb2 at pci2 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
pci3 at ppb2 bus 10
arc0 at pci3 dev 14 function 0 "Areca ARC-1220" rev 0x00: apic 2 int 18
arc0: 8 ports, 256MB SDRAM, firmware V1.49 2010-12-02
scsibus0 at arc0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed eui.0004d927f800
sd0: 4768371MB, 512 bytes/sector, 9765624320 sectors
ppb3 at pci2 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
pci4 at ppb3 bus 11
ppb4 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: msi
pci5 at ppb4 bus 13
em0 at pci5 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: msi, address 00:30:48:9b:10:84
ppb5 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: msi
pci6 at ppb5 bus 14
em1 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: msi, address 00:30:48:9b:10:85
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci7 at ppb6 bus 15
vga1 at pci7 dev 0 function 0 "XGI Technology Volari Z7" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added 

crypto volume damaged after crash

2012-11-07 Thread Erling Westenvik
I'm running current on a ThinkPad T500 with a fully encrypted disk (sd0)
and using a usb keydisk (sd1) to assemble the crypto volume on sd2. Last
snapshot upgrade was around 11th of October.

Yesterday the machine suddenly stopped responding to keystrokes (even
though xscreensaver was running "fine"). Pinging it from one of my other
OpenBSD-machines worked, but when I tried to ssh into it, the connection
just timed out. Finally, when I tried to switch console by hitting
Ctrl-Alt-F2, it froze completely.

No big deal, I thought. It had crashed numerous times before from empty
battery. So I booted, plugged in the keydisk, but after entering the
usual location for boot and swap partitions:

root device (default sd0a): sd2a
swap device (default sd2b): sd0b

I got this: (I had to write this down by hand. FYI, in case of typos.)

---8<---
root on sd2a swap on sd0b dump on sd0b
Automatic boot in process: starting file system check.
/dev/sd2a (290d4f6dcbc2d7a7.a): file system is clean; not checking
softraid0: i/o error on block 257269168
CANNOT READ: BLK 183692704
/dev/sd2k (290d4f6dcbc2d7a7.k): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2d (290d4f6dcbc2d7a7.d): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2f (290d4f6dcbc2d7a7.f): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2g (290d4f6dcbc2d7a7.g): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2h (290d4f6dcbc2d7a7.h): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2j (290d4f6dcbc2d7a7.j): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2i (290d4f6dcbc2d7a7.i): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
CANNOT READ: BLK 128
/dev/sd2e (290d4f6dcbc2d7a7.e): UNEXPECTED INCONSISTENCY: RUN fsck_ffs MANUALLY.
THE FOLLOWING FILE SYSTEMS HAD AN UNEXPECTED INCONSISTENSY:
ffs: 290d4f6dcbc2d7a7.k (/home), ffs: 290d4f6dcbc2d7a7.d (/tmp), ffs: 29
0d4f6dcbc2d7a7.f (/usr), ffs: 290d4f6dcbc2d7a7.g (/usr/X11R6), ffs: 290d4f6dcbc2
d7a7.h (/usr/local), ffs: 290d4f6dcbc2d7a7.j (/usr/obj), ffs: 290d4f6dcbc2d7a7.i
 (/usr/src), ffs: 290d4f6dcbc2d7a7.e (/var)
Automatic file system check failed; help!
Nov  7 23:09:59 init: /etc/pwd.db: Input/output error
Enter pathname of shell or RETURN for sh:
# fsck_ffs 290d4f6dcbc2d7a7.k
** /dev/sd2k (290d4f6dcbc2d7a7.k )

CANNOT READ: BLK 128
CONTINUE? [Fyn?]

THE FOLLOWING DISK SECTORS COULD NOT BE READ: 128, 129, 130, 131, 132, 133, 134,
 135, 136, 137, 138, 139, 140, 141, 142, 143

LOOK FOR ALTERNATE SUPERBLOCKS? [Fyn?] _
--->8---

Pressing "y" just causes similar messages to pop up "ad infinitum".

Any clues? I got everything backed up but would like to understand what
is going on rather than just do a fresh install.

Erling



Re: spammers getting less stupid?

2012-11-07 Thread Joakim Aronius
(It seems like some of my mail do not go through to misc@, perhaps some of my 
ISPs outgoing mailservers are blacklisted..?)

* Peter N. M. Hansteen (pe...@bsdly.net) wrote:
> 
> http://undeadly.org/cgi?action=article&sid=20120604050025 and references
> therein show a 'works for me' example config (although the first ruleset
> block should really be discarded in favor of the second one, a true
> brainfart if there ever was one), with some further field notes to be
> found over at my blag.
> 

Interesting, will check that. I automated my trapping using greyscanner to 
automatically catch all mail servers sending to addresses with numbers in them. 
Then I don't need to update spamdb manually. Sometimes I see mailservers 
attempting delivery to both legit and non legit addresses in one connection and 
this will then catch that mailserver.

I.e. in greyscanner.conf (use with caution..):
@GOOD = (
    # valid local parts: letters, dots and plus signs only, at mydomain.com or
    # mydomain.se (the dot before the TLD is escaped so only a literal dot matches)
    qr'^[A-Za-z\.\+]+@mydomain\.(com|se)$'i,
);

$COMPREHENSIVE = 1; 

The main risk I see (as I am paranoid) is that a malicious person could use a 
bouncing mail to make my mailserver trap a legit mail server that I do not yet 
have as whitelisted.

BR
/Joakim
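As an added illustration of the trapping policy Joakim describes (the @GOOD
whitelist of valid address shapes, $COMPREHENSIVE treating every other recipient
as a trap hit, and the backscatter risk he mentions), here is a small Python model
of that decision. It is not greyscanner's code nor anything from the thread: the
Verdict type, classify_connection, the whitelist and null_sender inputs, and all
IP addresses and recipient lists are constructed for this example. The
null_sender branch is a hypothetical mitigation for the risk in the last
paragraph: a bounce (MAIL FROM:<>) aimed at a bogus local address stays
greylisted instead of trapping the legitimate MTA that sent it.

```python
import re
from dataclasses import dataclass, field

# Python equivalent of the post's @GOOD list (constructed here): only local parts
# made of letters, dots and plus signs at mydomain.com / mydomain.se are valid.
# The dot before the TLD is escaped so "mydomainXcom" is not accepted.
GOOD = [re.compile(r"^[A-Za-z.+]+@mydomain\.(com|se)$", re.IGNORECASE)]

# Mirrors $COMPREHENSIVE = 1: any recipient not matching GOOD counts as a trap
# hit, not only addresses with digits in them.
COMPREHENSIVE = True


@dataclass
class Verdict:
    trap: bool                      # True = the sending host would be trapped
    reason: str
    bad_rcpts: list = field(default_factory=list)


def is_good(rcpt: str) -> bool:
    """True if the recipient matches one of the GOOD patterns."""
    return any(p.match(rcpt) for p in GOOD)


def has_digit_local_part(rcpt: str) -> bool:
    """The post's original heuristic: a number in the local part of the address."""
    return re.search(r"\d", rcpt.split("@", 1)[0]) is not None


def classify_connection(sender_ip, rcpts, whitelist=frozenset(), null_sender=False):
    """Decide what to do with one SMTP connection, given every RCPT TO it issued.

    whitelist and null_sender are hypothetical inputs added for this example;
    they model the caveat in the post (a bounce to a bogus local address could
    trap a legitimate MTA that is not whitelisted yet).
    """
    bad = [r for r in rcpts if not is_good(r)]
    if not bad:
        return Verdict(False, "all recipients match GOOD")
    if sender_ip in whitelist:
        return Verdict(False, "host already whitelisted, left alone", bad)
    if null_sender:
        # Bounce (MAIL FROM:<>) to a bad address: keep it greylisted rather than
        # trapping, so a backscatter victim does not end up in the trap list.
        return Verdict(False, "bounce to bad recipient: greylist only", bad)
    if COMPREHENSIVE or any(has_digit_local_part(r) for r in bad):
        return Verdict(True, "bad recipient(s) seen in one connection", bad)
    return Verdict(False, "no trap rule matched", bad)


# Constructed sample connections, not real traffic.
SESSIONS = [
    {"ip": "203.0.113.10", "rcpts": ["alice@mydomain.com"], "null_sender": False},
    {"ip": "203.0.113.11", "rcpts": ["alice@mydomain.com", "bob1234@mydomain.com"],
     "null_sender": False},
    {"ip": "198.51.100.5", "rcpts": ["zz9@mydomain.se"], "null_sender": True},
    {"ip": "192.0.2.7", "rcpts": ["x7@mydomain.com"], "null_sender": False},
]
WHITELIST = frozenset({"192.0.2.7"})   # constructed: a host already whitelisted


def run(sessions=SESSIONS, whitelist=WHITELIST):
    """Classify every sample connection; returns {ip: Verdict}."""
    return {s["ip"]: classify_connection(s["ip"], s["rcpts"], whitelist,
                                         s["null_sender"])
            for s in sessions}


if __name__ == "__main__":
    for ip, v in run().items():
        action = "TRAP" if v.trap else "pass"
        print(f"{ip:15} {action:5} {v.reason} {v.bad_rcpts}")
```

The second session shows the case from the post: one connection delivering to
both a legitimate address and a bogus one, which is enough to trap the host.
The third and fourth show the two exemptions added here, which greyscanner
itself does not necessarily have.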