relayd - prefork option seems to be ignored
According to relayd.conf(5) the prefork option should spawn the defined number of processes to handle relayed connections - the default is 3. I've tried setting it to 5, 10, and 12 on OpenBSD 5.8 - but it seems like it is getting ignored, as ps(1) always shows me 3 relay processes, which is the default number: USER PIDCOMMAND root 17010 relayd: parent (relayd) _relayd 3243 relayd: pfe (relayd) _relayd 16594 relayd: hce (relayd) _relayd 4279 relayd: ca (relayd) _relayd 28332 relayd: ca (relayd) _relayd 4436 relayd: ca (relayd) _relayd 24605 relayd: relay (relayd) _relayd 19110 relayd: relay (relayd) _relayd 15295 relayd: relay (relayd) Am I missing something? ### # relayd.conf ip4_244 = "xx.xx.xx.244" ip4_245 = "xx.xx.xx.245" tracker5 = "10.5.3.34" tracker6 = "10.5.3.42" tracker7 = "10.5.3.50" table { $tracker5, $tracker6, $tracker7 } prefork 10 http protocol https { tcp { nodelay, sack, socket buffer 65536, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match header set "Keep-Alive" value "$TIMEOUT" pass tls { no tlsv1.0, ciphers "HIGH:!aNULL" } tls session cache disable } relay wwwssl { listen on $ip4_244 port 443 tls listen on $ip4_245 port 443 tls protocol "https" forward to port 8083 mode roundrobin check tcp session timeout 60 } relay www { listen on $ip4_244 port 80 listen on $ip4_245 port 80 forward to port 8083 mode roundrobin check tcp }
Re: relayd - prefork option seems to be ignored
Yes. Ordering is important *D'oh*: Putting prefork before the table definition fixed the issue. On Wed, Mar 16, 2016 at 2:02 PM, Tobias Feldhaus wrote: > According to relayd.conf(5) the prefork option should spawn the defined > number of processes to handle relayed connections - the default is 3. > > I've tried setting it to 5, 10, and 12 on OpenBSD 5.8 - but it seems > like it is getting ignored, as ps(1) always shows me 3 relay processes, > which is the default number: > > USER PIDCOMMAND > root 17010 relayd: parent (relayd) > _relayd 3243 relayd: pfe (relayd) > _relayd 16594 relayd: hce (relayd) > _relayd 4279 relayd: ca (relayd) > _relayd 28332 relayd: ca (relayd) > _relayd 4436 relayd: ca (relayd) > _relayd 24605 relayd: relay (relayd) > _relayd 19110 relayd: relay (relayd) > _relayd 15295 relayd: relay (relayd) > > Am I missing something? > > ### > # relayd.conf > > ip4_244 = "xx.xx.xx.244" > ip4_245 = "xx.xx.xx.245" > > tracker5 = "10.5.3.34" > tracker6 = "10.5.3.42" > tracker7 = "10.5.3.50" > table { $tracker5, $tracker6, $tracker7 } > > prefork 10 > > http protocol https { > tcp { nodelay, sack, socket buffer 65536, backlog 128 } > > match request header append "X-Forwarded-For" value "$REMOTE_ADDR" > match request header append "X-Forwarded-By" \ > value "$SERVER_ADDR:$SERVER_PORT" > match header set "Keep-Alive" value "$TIMEOUT" > > pass > tls { no tlsv1.0, ciphers "HIGH:!aNULL" } > tls session cache disable > } > > relay wwwssl { > listen on $ip4_244 port 443 tls > listen on $ip4_245 port 443 tls > protocol "https" > forward to port 8083 mode roundrobin check tcp > session timeout 60 > } > > relay www { > listen on $ip4_244 port 80 > listen on $ip4_245 port 80 > forward to port 8083 mode roundrobin check tcp > } > -- *Tobias Feldhaus | Data Engineer* Wooga GmbH | Saarbrücker Str. 38 | D-10405 Berlin Place of business: Berlin Registered at the local court Berlin-Charlottenburg, HRB 117846 B Managing Directors: Jens Begemann, Philipp Möser, Jan Miczaika
Re: openbsd.org, openssh.com server(s) down
Failing PSU AFAIK from IRC. > On 15 Mar 2016, at 19:56, Gene wrote: > >> On Tue, Mar 15, 2016 at 7:22 AM, Martin Schröder wrote: >> >> 2016-03-15 14:31 GMT+01:00 Rudolf Sykora : >>> is it only I who cannot connect to either >>> of openbsd.org and openssh.com, or >> >> Nope. >> http://www.downforeveryoneorjustme.com/openbsd.org >> >> Best >> Martin > > They're back up. > > Any info on what caused the outage? (Just curious) > > -Gene
Re: relayd - SSL acceleration / loadbalacing performance
With the following settings - e.g. by optimizing and simplifying pf.conf rules and relayd.conf we were able to push 24400 req/s through with HTTPS. :) Maybe this helps someone else. # ### # OpenBSD sysctl.conf net.inet.carp.preempt=1 kern.bufcachepercent=90 kern.maxfiles=20 kern.maxproc=5 kern.maxclusters=32768 net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 net.inet.ip.ifq.maxlen=8192 net.inet.ip.mtudisc=0 net.inet.tcp.rfc3390=1 net.inet.tcp.mssdflt=1440 # ### # OpenBSD relayd.conf ip4_244 = "xx.xx.xx.244" ip4_245 = "xx.xx.xx.245" tracker5 = "10.5.3.34" tracker6 = "10.5.3.42" tracker7 = "10.5.3.50" interval 10 table { $tracker5, $tracker6, $tracker7 } prefork 12 http protocol https { ### TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match header set "Keep-Alive" value "$TIMEOUT" pass tls { no tlsv1.0, ciphers "HIGH:!aNULL" } tls session cache disable } relay wwwssl { listen on $ip4_244 port 443 tls listen on $ip4_245 port 443 tls protocol "https" forward to port 8083 mode roundrobin check tcp session timeout 60 } relay www { listen on $ip4_244 port 80 listen on $ip4_245 port 80 forward to port 8083 mode roundrobin check tcp } # ### # OpenBSD: pf.conf tcp_services = "{ domain }" udp_services = "{ domain }" tcp_public_services = "{ www, https }" pfsync_int = trunk2 # Pfsync interface int_if = trunk1 # DMZ (internal) interface ext_if = trunk0 # External CARP interface # Increase limits set limit { states 25000, src-nodes 25000, table-entries 30 } # Aggressive settings set optimization aggressive set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5, tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200} # See pf.conf(5) and /etc/examples/pf.conf anchor "relayd/*" set block-policy drop set loginterface $ext_if set skip on lo set skip on $int_if set skip on $pfsync_int match in all scrub (no-df max-mss 1440) # Block everything by default block all # Allow main service of this host pass quick proto tcp to port $tcp_public_services keep state pass out quick proto tcp to port $tcp_services keep state pass proto udp to port $udp_services keep state # Pass CARP pass quick proto carp keep state (no-sync) # SSH backup channel from Wooga office pass in on trunk0 inet proto tcp from xx.xx.xx.xx/xx to any port 22 keep state (no-sync) # Allow pings for Pingdom status checks pass on trunk0 inet proto icmp keep state (no-sync) pass on trunk0 inet6 proto icmp6 keep state (no-sync) On Tue, Mar 15, 2016 at 11:49 AM, Tobias Feldhaus wrote: > We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB > ECC > memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit > Ethernet > onboard NICs connected towards a Virtual Chassis of a Juniper EX 4550 > Ethernet > Switch, running OpenBSD 5.8 with all (11) patches. > > We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP) > inbound, > 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync. > > LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via > CARP). We > use relayd for Loadbalancing the traffic towards 3 backend servers, all > they > currently do is serving a HTTP 200 OK response. > > When we load tested one LB's HTTP performance alone with wrk - we get > about 40k > req/s when testing with one machine in the same network as a client, and > more > than 100k req/s when testing with 3 client machines. Doing the test with > HTTPS > brings the performance down to 1400 req/s, and it does not matter if using > more > or less clients, the total number of req/s stays almost the same. > > The overall load of the systems is low (below 2-3), memory utilization is > low as well. > > As we don't have experience with OpenBSD and relayd we can only compare > these > numbers to FreeBSD and HAproxy, which we used in our previous setup. Our > configuration files are listed below - we would be happy about any comment > how > to improve the HTTPS performance. > > > # ### > # OpenBSD sysctl.conf > > net.inet.carp.preempt=1 > > ### Tried wi
relayd - SSL acceleration / loadbalacing performance
We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB ECC memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit Ethernet onboard NICs connected towards a Virtual Chassis of a Juniper EX 4550 Ethernet Switch, running OpenBSD 5.8 with all (11) patches. We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP) inbound, 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync. LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via CARP). We use relayd for Loadbalancing the traffic towards 3 backend servers, all they currently do is serving a HTTP 200 OK response. When we load tested one LB's HTTP performance alone with wrk - we get about 40k req/s when testing with one machine in the same network as a client, and more than 100k req/s when testing with 3 client machines. Doing the test with HTTPS brings the performance down to 1400 req/s, and it does not matter if using more or less clients, the total number of req/s stays almost the same. The overall load of the systems is low (below 2-3), memory utilization is low as well. As we don't have experience with OpenBSD and relayd we can only compare these numbers to FreeBSD and HAproxy, which we used in our previous setup. Our configuration files are listed below - we would be happy about any comment how to improve the HTTPS performance. # OpenBSD sysctl.conf net.inet.carp.preempt=1 ### Tried with and without the following settings - with some effect kern.bufcachepercent=90 kern.maxfiles=20 kern.maxproc=5 kern.maxclusters=32768 machdep.allowaperture=2 net.inet.ip.forwarding=1 net.inet.ip.ifq.maxlen=8192 net.inet.ip.mtudisc=0 net.inet.tcp.rfc3390=1 net.inet.tcp.mssdflt=1440 # OpenBSD relayd.conf ip4_244 = "xx.xx.xx.244" ip4_245 = "xx.xx.xx.245" tracker5 = "10.5.3.34" tracker6 = "10.5.3.42" tracker7 = "10.5.3.50" interval 10 table { $tracker5, $tracker6, $tracker7 } prefork 12 http protocol https { ### TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match request header set "Connection" value "close" tls { no tlsv1.0, ciphers HIGH } tls session cache disable # tried enabling/disabling -> no effect } relay wwwssl { listen on $ip4_244 port 443 tls listen on $ip4_245 port 443 tls protocol "https" forward to port 8083 mode loadbalance check tcp } relay www { listen on $ip4_244 port 80 listen on $ip4_245 port 80 forward to port 8083 mode loadbalance check tcp } # OpenBSD: pf.conf tcp_services = "{ domain, www, https }" udp_services = "{ domain }" tcp_public_services = "{ www, https }" icmp_types = "{ echorep, echoreq, unreach}" icmp6_types = "{ echorep, echoreq, unreach, timex, paramprob, routersol, routeradv, neighbrsol, neighbradv, redir }" pfsync_int = trunk2 # Pfsync interface int_if = trunk1 # DMZ (internal) interface ext_if = trunk0 # External CARP interface # Increase limits set limit { states 10, src-nodes 10, table-entries 200 } # Optimizations set optimization aggressive set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5, tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200} # tried with # and without - very small effect # See pf.conf(5) and /etc/examples/pf.conf anchor "relayd/*" set reassemble yes set block-policy drop set loginterface $ext_if set skip on lo set skip on $int_if set skip on $pfsync_int # Scrub incoming match in all scrub (no-df max-mss 1440) # Block everything by default block all # Activate spoofing protection block in quick from urpf-failed # Allow main service of this host pass out proto tcp to port $tcp_services keep state pass in proto tcp to port $tcp_public_services keep state pass proto udp to port $udp_services keep state # Pass CARP and pfsync pass proto carp keep state (no-sync) pass quick proto pfsync keep state (no-sync) # SSH backup channel from Wooga office pass in on trunk0 inet proto tcp from 185.74.12.0/22 to any port 22 keep state (no-sync) # Allow pings for Pingdom status checks pass on trunk0 inet proto icmp icmp-type $icmp_types keep state (no-sync) pass on trunk0 inet6 proto icmp6 icmp6-type $icmp6_types keep state (no-sync)