How do you like that for a descriptive subject line? Sorry, but I really don't know what is going wrong so I don't know how to write a better one.

I have an OpenBSD host running 4.4 stable. I have configured relayd to accept connections on port 443 and forward them on to one of two hosts using loadbalancing. I am able to connect to the OpenBSD host on port 443, but then nothing happens.
According to relayctl show sessions there is a connection being relayed:
# relayctl show sessions
session 0:1 134.29.3.217:50025 -> 134.29.52.142:443    RUNNING
   age 00:00:09, idle 00:00:09, relay 1

According to relayctl show hosts both of my destinations are up:
# relayctl show hosts
Id      Type        Name                        Avlblty    Status
1 table cas_server:443 active (2 hosts up)
1       host        134.29.52.141               100.00%    up
               total: 9/9 checks
2       host        134.29.52.142               100.00%    up
               total: 9/9 checks

My relayd.conf file is pretty simple since I'm just trying to work up a proof of concept right now:
# relayd.conf as posted: one TLS-terminating relay on bge0:443 that
# load-balances to two CAS back-ends on port 443 (OpenBSD 4.4 syntax).
table <cas_server> { 134.29.52.141, 134.29.52.142 }
cas_port="443"
bge0_ip="134.29.32.88"
relayd_port="443"

# Health-check interval, check timeout (relayd.conf(5) gives the unit; the
# stock example uses the same values) and five pre-forked relay processes.
interval 10
timeout 200
prefork 5
log updates

http protocol "httpfilter" {
  # TCP Performance options
  tcp { nodelay, sack, socket buffer 65536, backlog 100 }

  # Return HTTP/HTML error pages
  # NOTE(review): these are relayd's own error pages, so a probe can still
  # tell that a relayd sits in front even with the Server header rewritten below.
  return error

  # allow logging of remote client ips to internal web servers
  # NOTE(review): "append" keeps any X-Forwarded-For the client already sent
  # and adds $REMOTE_ADDR after it; back-ends must take the last value (or
  # only trust this header when the TCP peer is the relay), otherwise a
  # client can put an arbitrary address into the logs.
  header append "$REMOTE_ADDR" to "X-Forwarded-For"

  # Set keep alive timeout to global timeout
  header change "Keep-Alive" to "$TIMEOUT"

  # Close connection upon receipt
  # (with Connection: close forced, the Keep-Alive value above is moot;
  # both lines come from the stock example and are harmless here)
  header change "Connection" to "close"

  # Anonymize webservers name/type (response direction only)
  response header change "Server" to "DeezNuts"

  # SSL options
  # NOTE(review): SSLv2 is disabled (good) but SSLv3 is still enabled; it is
  # considered broken today (POODLE). Outside a proof of concept keep only
  # tlsv1 (plus whatever newer TLS versions the running release supports).
  ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay cas_proxy {
  # "ssl" on the listener means relayd terminates the client's TLS session itself.
  listen on $bge0_ip port $relayd_port ssl
  protocol "httpfilter"
  # NOTE(review): probable cause of the "connects but nothing happens" symptom.
  # The health check speaks https to the back-ends, but this forward line has
  # no SSL option, so the relayed connection to <cas_server>:443 presumably
  # leaves the relay as plaintext HTTP aimed at a TLS port and the back-end
  # drops it -- TODO confirm against relayd.conf(5) for this release. If so,
  # forward to a plain-HTTP port on the back-ends (or re-encrypt if the
  # release supports it). Also: a "relay" is proxied in userland, and pf
  # anchors are only populated by "redirect" services, so no rdr rules and
  # no /etc/relayd directory are expected for this configuration.
forward to <cas_server> port $cas_port mode loadbalance check https "/" code 200
}

And my pf.conf file is pretty much the stock example file, with my interface put in ext_if and uncommenting the lines needed for relayd:
#       $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# NOTE(review): as posted, "block in" (below) is still commented out, so this
# ruleset is default-allow: the explicit pass for port 443 restricts nothing,
# and traffic that matches no rule is passed without creating state. That
# also explains why pfctl -ss shows only the inbound :443 state and nothing
# toward the back-ends -- relayd's own outbound connections hit no stateful
# rule. Before this leaves proof-of-concept stage, uncomment "block in",
# "pass out", "scrub in" and the antispoof line, and add an explicit
# "pass out" rule to <cas_server> port 443 so the back-end hop is stateful
# and visible in the state table.

ext_if="bge0"
#int_if="int0"

#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# relayd loads rules into these anchors directly over pf ioctls (there are no
# files under /etc/relayd), and only for "redirect" services; a "relay" such
# as cas_proxy proxies in userland and leaves them empty. If they ever hold
# rules, pfctl -a "relayd/*" -sr and -sn should list them.
rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
anchor "relayd/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto icmp to ($ext_if)
#pass in on $ext_if proto tcp to ($ext_if) port ssh
# Stateful pass for the relay listener; this is the rule behind the
# FIN_WAIT_2 state seen in pfctl -ss.
pass in on $ext_if proto tcp to ($ext_if) port 443
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

When I try to connect to this machine, I see that a session is being set up, and pf also knows that something is going on:
# pfctl -ss
all tcp 134.29.32.88:443 <- 134.29.3.217:50090       FIN_WAIT_2:FIN_WAIT_2

What I don't see is any session going to the two servers that I am supposed to be load balancing for. Also, pf knows that it is supposed to be reading anchors for relayd, but those rules don't seem to be showing up anywhere.
# pfctl -sn
rdr-anchor "relayd/*" all
# pfctl -sr
anchor "relayd/*" all
pass in on bge0 proto tcp from any to (bge0) port = https flags S/SA keep state

Shouldn't there be a folder called /etc/relayd that would have some files in it? I don't have that. Does anyone have any thoughts on what I'm missing here?

Kevin Thompson
