Hi All,

Since OpenBSD 6.2 (I have just confirmed this in the latest snapshot, 
GENERIC.MP#305, as well), relayd for some reason stops processing traffic and 
starts flooding the log file with the following message:

Dec 23 11:19:11 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[52110]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[69641]: rsae_send_imsg: poll timeout
Dec 23 11:19:12 lb2 relayd[22515]: rsae_send_imsg: poll timeout
[snip]
Dec 23 11:19:17 lb2 relayd[69641]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[22515]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[52110]: rsae_send_imsg: poll timeout
Dec 23 11:19:18 lb2 relayd[69641]: rsae_send_imsg: poll timeout
...etc...

Restarting the daemon "fixes" the problem.
I am not sure how to troubleshoot this, but I am able to reproduce it 
consistently by pointing SSLLabs at relayd.
It would be great to get some pointers.

Anonymised config below:
# relayd.conf
# Macros for the listen addresses and tables for the backend pools; every
# address was replaced with "xxx" before posting.
# NOTE(review): the protocols and relays further down reference <imageshosts>,
# <cust2_hosts>, <cust2_hosts_fallback>, <cust3_hosts> and
# <cust3_hosts_fallback>, none of which is defined in this section (it defines
# <cust_3hosts> and <cust_3hosts_fallback> instead) - probably anonymisation
# slips; confirm against the real file.
local_v4 = "xxx"
local_v6 = "xxx"
table <localhost> { 127.0.0.1 }

www1_addr_v4 = "xxx"
www1_addr_v6 = "xxx"
table <www1hosts> { xxx }

www3_addr_v4 = "xxx"
www3_addr_v6 = "xxx"
table <www3hosts> { xxx }

cust1_addr_v4 = "xxx"
cust1_addr_v6 = "xxx"

cust2_addr_v4 = "xxx"
cust3_addr_v4 = "xxx"
cust4_addr_v4 = "xxx"
table <cust_3hosts> { xxx }
table <cust_3hosts_fallback> { xxx }
table <cust4_hosts> { xxx }

cust5_addr_v4 = "xxx"
table <cust5_hosts> { xxx }

# HTTP filter used by the plain-HTTP relays "default" and "default_redirect".
http protocol httpfilter_default {
        # Strip any client-supplied Proxy request header before the request
        # reaches the backend (presumably the httpoxy mitigation).
        match request header remove "Proxy"
        # "append" keeps whatever X-Forwarded-For the client already sent and
        # adds the peer address after it, so a backend should trust only the
        # last entry, not the whole list.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        # (statement wrapped by the mail client; value continues on next line)
        match request header append "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT"
        # Replace the backend's Server / X-Powered-By banners with fixed
        # strings so the real software is not advertised.
        match response header set "Server" value "Sever"
        match response header set "X-Powered-By" value "Power"
        # Disable socket splicing for connections using this protocol.
        tcp { no splice }
}
# HTTP filter used by the TLS relays default_redirect_tls, cust2_tls,
# cust3_tls and cust5_tls.
http protocol httpsfilter_default {
        # Strip any client-supplied Proxy request header (presumably the
        # httpoxy mitigation).
        match request header remove "Proxy"
        # "set" replaces the header, so a client cannot pre-seed X-ClientIP;
        # this is the header a backend can rely on for the peer address.
        match request header set "X-ClientIP" value "$REMOTE_ADDR"
        # "append" preserves client-supplied X-Forwarded-For entries; only the
        # last entry is written by this relay.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT"
        # HSTS for one year (31536000 s); no includeSubDomains or preload
        # directive is sent.
        match response header set "Strict-Transport-Security" value 
"max-age=31536000"
        # Replace the backend's Server / X-Powered-By banners with fixed strings.
        match response header set "Server" value "Sever"
        match response header set "X-Powered-By" value "Power"
        # NOTE(review): a real hostname is left in this otherwise anonymised
        # config, and <imageshosts> is neither defined as a table nor used as a
        # forward target by any relay shown - confirm against the real file.
        match request quick header "Host" value "images.webcam.nl" forward to 
<imageshosts>
        # Disable socket splicing for connections using this protocol.
        tcp { no splice }
        # Refuse client-initiated TLS renegotiation.
        tls { no client-renegotiation }
}

# HTTP filter used by the plain-HTTP relay "www1": request header hygiene,
# browser security response headers and Host-based backend selection.
http protocol httpfilter {
        # Strip any client-supplied Proxy request header (presumably the
        # httpoxy mitigation).
        match request header remove "Proxy"
        # "append" preserves client-supplied X-Forwarded-For entries; only the
        # last entry is written by this relay.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT"
        # Content-Security-Policy: style-src permits 'unsafe-inline' and
        # script-src lists a plain-http:// origin, both of which weaken the
        # policy. NOTE(review): the real domain is left in this otherwise
        # anonymised config.
        match response header set "Content-Security-Policy" value "default-src 
high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 
'unsafe-inline'; img-src 'self'"
        # Replace the backend's Server / X-Powered-By banners with fixed strings.
        match response header set "Server" value "Sever"
        match response header set "X-Powered-By" value "Power"
        # Clickjacking and MIME-sniffing protections. X-Xss-Protection is a
        # legacy header that current browsers largely ignore; the CSP above is
        # the effective control.
        match response header set "X-Frame-Options" value "SAMEORIGIN"
        match response header set "X-Xss-Protection" value "1; mode=block"
        match response header set "X-Content-Type-Options" value "nosniff"
        # Host-based selection of <www1hosts>; the two patterns are identical
        # here only because both were anonymised to "*xxx*".
        match request quick header "Host" value "*xxx*" forward to <www1hosts>
        match request quick header "Host" value "*xxx*" forward to <www1hosts>
        # Disable socket splicing for connections using this protocol.
        tcp { no splice }
}
# HTTP filter used by the TLS relay "www1_tls": request header hygiene, HSTS
# and browser security response headers.
http protocol httpsfilter {
        # Send an HTTP error response to the client on failure instead of
        # silently dropping the connection.
        return error
        # Strip any client-supplied Proxy request header (presumably the
        # httpoxy mitigation).
        match request header remove "Proxy"
        # "set" replaces the header, so a client cannot pre-seed X-ClientIP.
        match request header set "X-ClientIP" value "$REMOTE_ADDR"
        # "append" preserves client-supplied X-Forwarded-For entries; only the
        # last entry is written by this relay.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value 
"$SERVER_ADDR:$SERVER_PORT"
        # HSTS for one year (31536000 s); no includeSubDomains or preload
        # directive is sent.
        match response header set "Strict-Transport-Security" value 
"max-age=31536000"
        # Content-Security-Policy: style-src permits 'unsafe-inline', and the
        # http://www.w3.org/ script source is a plain-HTTP origin that browsers
        # would treat as mixed content on a page served over TLS.
        # NOTE(review): the real domain is left in this otherwise anonymised
        # config.
        match response header set "Content-Security-Policy" value "default-src 
high5.nl; script-src https://high5.nl http://www.w3.org/; style-src 'self' 
'unsafe-inline'; img-src 'self'"
        # Replace the backend's Server / X-Powered-By banners with fixed strings.
        match response header set "Server" value "Sever"
        match response header set "X-Powered-By" value "Power"
        # Clickjacking and MIME-sniffing protections. X-Xss-Protection is a
        # legacy header that current browsers largely ignore.
        match response header set "X-Frame-Options" value "SAMEORIGIN"
        match response header set "X-Xss-Protection" value "1; mode=block"
        match response header set "X-Content-Type-Options" value "nosniff"
        # Disable socket splicing for connections using this protocol.
        tcp { no splice }
        # Refuse client-initiated TLS renegotiation.
        tls { no client-renegotiation }
}
# Plain-HTTP relay on the host's own addresses, filtered by
# httpfilter_default and handed to a local service on 127.0.0.1:8080.
relay default {
        listen on $local_v4 port 80
        listen on $local_v6 port 80
        protocol httpfilter_default
        forward to <localhost> port 8080
}
# Plain-HTTP listeners for the customer addresses; everything goes to a local
# service on 127.0.0.1:8081 (presumably the HTTP-to-HTTPS redirector, going
# by the relay name - confirm).
relay default_redirect {
        listen on $cust2_addr_v4 port 80
        listen on $cust3_addr_v4 port 80
        listen on $cust4_addr_v4 port 80
        listen on $cust5_addr_v4 port 80
        listen on $cust1_addr_v4 port 80
        listen on $cust1_addr_v6 port 80
        protocol httpfilter_default
        forward to <localhost> port 8081
}
# TLS is terminated here for the cust4 address; the decrypted request is
# passed to the local service on 127.0.0.1:8081 without TLS.
relay default_redirect_tls {
        listen on $cust4_addr_v4 port 443 tls
        protocol httpsfilter_default
        forward to <localhost> port 8081
}
# Plain-HTTP relay for www1 with two forward targets: the Host rules in
# httpfilter select <www1hosts>; presumably every other request goes to the
# local service on 127.0.0.1:8081 - confirm.
relay www1 {
        listen on $www1_addr_v4 port 80
        listen on $www1_addr_v6 port 80
        protocol httpfilter
        forward to <localhost> port 8081
        forward to <www1hosts> port 80
}
# TLS is terminated here for www1; traffic to the backends is plain HTTP on
# port 80, so the relay-to-backend network segment carries it unencrypted.
relay www1_tls {
        listen on $www1_addr_v4 port 443 tls
        listen on $www1_addr_v6 port 443 tls
        protocol httpsfilter
        # Round-robin across <www1hosts>; a host is used only while the HTTP
        # health check (GET "/", Host: www1) returns 200.
        forward to <www1hosts> port 80 mode roundrobin check http "/" host www1 
code 200
        #forward to <comic> port 80
}
# Plain relay for www3 on port 80. No "protocol" is attached, so none of the
# header rules defined in the http protocols above are applied here.
relay www3 {
        listen on $www3_addr_v4 port 80
        listen on $www3_addr_v6 port 80
        forward to <www3hosts> port 80
}
# TLS is terminated on the listeners and re-established to the backends
# ("forward with tls" to port 443). No "protocol" is attached, so no HSTS or
# other header rules from the http protocols above are applied here.
relay www3_tls {
        listen on $www3_addr_v4 port 443 tls
        listen on $www3_addr_v6 port 443 tls
        forward with tls to <www3hosts> port 443
}
# TLS is terminated here for cust2; backends are reached over plain HTTP on
# port 80.
# NOTE(review): <cust2_hosts> and <cust2_hosts_fallback> are not defined in
# the config as posted - confirm against the real file.
relay cust2_tls {
        listen on $cust2_addr_v4 port 443 tls
        protocol httpsfilter_default
        # Health-checked targets: GET "/" with Host: cust2 must return 200.
        forward to <cust2_hosts> port 80 check http "/" host cust2 code 200
        forward to <cust2_hosts_fallback> port 80 check http "/" host cust2 
code 200
        # Third target, without a health check.
        forward to <cust4_hosts> port 80
}
# TLS is terminated here for cust3; backends are reached over plain HTTP on
# port 80.
# NOTE(review): the tables defined in the config as posted are <cust_3hosts>
# and <cust_3hosts_fallback>, not the names used below - confirm against the
# real file.
relay cust3_tls {
        listen on $cust3_addr_v4 port 443 tls
        protocol httpsfilter_default
        # Health-checked targets: GET "/" with Host: cust3 must return 200.
        forward to <cust3_hosts> port 80 check http "/" host cust3 code 200
        forward to <cust3_hosts_fallback> port 80 check http "/" host cust3 
code 200
}
# TLS is terminated here for cust5; the backend is reached over plain HTTP on
# port 80 and no health check is configured.
relay cust5_tls {
        listen on $cust5_addr_v4 port 443 tls
        protocol httpsfilter_default
        forward to <cust5_hosts> port 80
}

Mischa
