Hi bert, the problem is that I want to use relayd. I know about stunnel and I have used it, but it is not as reliable and rock solid as relayd is.
I want relayd because it plays very nicely with pf and I have other services that are behind relayd. A single service setup/configuration is required to do all jobs.

Thanks for your response

________________________________
From: bert <bret.lamb...@gmail.com>
To: Bogdan Andu <bo...@yahoo.com>
Sent: Friday, November 9, 2012 12:29 PM
Subject: Re: relayd transparent proxy for a local daemon

stunnel. You're looking for stunnel.

On Fri, Nov 09, 2012 at 02:18:54AM -0800, Bogdan Andu wrote:
> Hello everybody,
>
> I return with the same question.
>
> I am sorry I am disturbing you with such questions, but I really do not know where to ask for advice, and this is the most appropriate place.
>
> The service I created is not http-like, so there are no headers where to insert the original IP.
>
> The reason I want this is that the daemon is written in Erlang and ssl processing consumes memory and processor. As one can imagine, all ssl processing is going on in the same Erlang virtual machine, and a low resource footprint is required; ssl increases the resource consumption due to the way the Erlang ssl library is built.
>
> If all ssl processing is moved outside the Erlang virtual machine, then resource consumption decreases dramatically, but I also need the original IP address to be seen by the daemon, not the address of the relayd host, 127.0.0.1.
>
> The problem with Erlang, despite its support for massive concurrency, is that all threads are running inside a single instance of an Erlang virtual machine, so care needs to be taken to ensure that there are no memory and processor hungry threads inside that machine instance, and ssl threads are such kind of threads.
>
> ssl offloading with relayd results in both speed processing and a low resource footprint of the daemon.
> relayd really outperforms Erlang at ssl processing.
> relayd is fast, stable, reliable and secure and I really want to take advantage of these.
>
> I really want to offload the ssl processing from that daemon, but I also want the original IP to be seen by my daemon.
>
> Please somebody give me advice on how this can become possible.
>
> At least somebody tell me if this is possible at all, and if yes how this can be achieved with relayd.
>
> With many thanks in advance,
> Bogdan
>
>
> ________________________________
> From: Bogdan Andu <bo...@yahoo.com>
> To: "m...@openbsd.org" <m...@openbsd.org>
> Sent: Wednesday, November 7, 2012 9:58 AM
> Subject: relayd transparent proxy for a local daemon
>
> Hello,
>
> I am trying to solve a problem and I am really out of ideas.
>
> I want to use relayd to set up a transparent reverse proxy with ssl offloading for a local daemon.
>
> The data flow is the following:
>
> Client ------>| $ext_if    relayd box    lo0 (local daemon) |
>
> Is it possible for the local daemon to see the original client IP, instead of 127.0.0.1?
>
> The original client IP should arrive at the local daemon, because it is needed in further operations. If it had been only logging, that would have been a problem.
>
> I am aware of the setup described here:
> http://marc.info/?l=openbsd-misc&m=130479125318862&w=2
>
> but I do not know how to obtain this behaviour with a locally bound daemon.
>
> This local daemon is running under an unprivileged user.
>
> I have the following setup:
>
> in /etc/relayd.conf:
>
> ext_addr="192.162.16.133"
>
> protocol tcp_ssl_prot {
>
>         # Various TCP performance options
>         tcp { nodelay, sack, socket buffer 65536, backlog 128 }
>
>         ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH" }
>         ssl session cache disable
> }
>
> relay tcp_ssl_inet4 {
>         # Run as a SSL accelerator
>         listen on $ext_addr port 1122 ssl
>
>         protocol "tcp_ssl_prot"
>
>         # Forward to hosts in the webhosts table using a src/dst hash
>         transparent forward to 127.0.0.1 port 1133 interface lo0
> }
>
> pf is disabled (in pf.conf I really do not know what I should put)
>
> Any idea very much appreciated.
>
> Thank you very much,
> Bogdan
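The pair of fragments below is an added example, not part of the thread and not Bogdan's or bert's own configuration. It restates the relay from the thread (same address, ports and protocol settings) next to the pf side that was left empty, as I read relayd.conf(5) and pf.conf(5): the `transparent` keyword makes relayd open the connection to the daemon from the client's own address, and relayd.conf(5) ties that to a pf `divert-reply` rule so that the daemon's replies, which are addressed to the client and not to relayd, are handed back to relayd's socket. Two points are assumptions to verify on the release in use rather than facts the thread establishes: that the `divert-reply` rule works unchanged on the loopback leg to a daemon bound on lo0, and that the interface name is em0. Also note that the stock pf.conf carries `set skip on lo`, which has to go for pf to see lo0 at all.

```conf
# /etc/relayd.conf -- added example; address, ports and protocol
# options are those posted in the thread.
ext_addr="192.162.16.133"

protocol tcp_ssl_prot {
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        # SSLv2 is refused; only the "HIGH" cipher group is offered
        ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH" }
        ssl session cache disable
}

relay tcp_ssl_inet4 {
        # terminate ssl here, on the external address
        listen on $ext_addr port 1122 ssl
        protocol "tcp_ssl_prot"
        # connect to the daemon from the client's source address, so the
        # daemon sees the real peer instead of 127.0.0.1
        transparent forward to 127.0.0.1 port 1133 interface lo0
}

# /etc/pf.conf -- added example; pf must be enabled for this to apply.
# ASSUMPTION: em0 is the external interface.
ext_if="em0"

# do NOT keep the default "set skip on lo": pf has to process lo0
# so that the divert-reply state below can exist.

# clients reach the ssl listener on the outside
pass in on $ext_if proto tcp to $ext_if port 1122

# relayd's spoofed-source connection to the local daemon; divert-reply
# returns the daemon's answers (addressed to the client) to relayd.
# ASSUMPTION: this is the rule relayd.conf(5) asks for, applied to lo0.
pass on lo0 proto tcp to 127.0.0.1 port 1133 divert-reply
```

Before loading either file, `relayd -n` checks the relay configuration for syntax errors and `pfctl -nf /etc/pf.conf` parses the ruleset without installing it; after `pfctl -e` and starting relayd, `pfctl -ss` should show a state on lo0 for port 1133 carrying the client's address rather than 127.0.0.1 while a test connection is open, which is the observable sign that the divert path is in effect.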