Re: OpenBSD 6.0 - Silicom PE2G4SFPI35L Intel i340AM4 based

2017-03-10 Thread Uday MOORJANI
Stuart,

Thank you for your quick response. We are in need of a 4-Port
1000Base-LX capable network card, whether it's 10GbE or 1GbE it
doesn't matter. I took a look at the vendor, and I have to say it feels
awesome to learn something new every day. I did not know this vendor and
the mere fact that they openly support OpenBSD is reassuring. I'll
have my distributor take a look at it. Thanks a lot.

/Uday

On Fri, Mar 10, 2017 at 1:47 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-03-09, Uday MOORJANI <umoorjani.v...@gmail.com> wrote:
>> Dear Community,
>>
>> Hope all is well. I'm on my last stretch to put in production our
>> OpenBSD/OpenBGPd implementation. I have chosen a SuperMicro box as my
>> platform, some of our transit providers at the data center come in
>> through 1000-Base-LX fiber cross connects hence the search for an SFP
>> and LX capable network card.
>>
>> My question is, does the em driver work with Intel-based network cards
>> of other vendors such as the Silicom PE2G4SFPI35L or the PE2G4SFPI80L,
>> both respectively are based on Intel i340AM4 and 82580EB controllers.
>
> I haven't tried those Silicom cards but I have a couple of 6-port
> HotLava 1000base-T em(4) cards which are working nicely.
>
> I don't see I340AM4 on the list in the em(4) manual. I can't say whether
> this is just an omission from the manual, or whether it's unsupported.
> 82580EB is listed there.
>
>> Or is there another card with 4-Ports 1000-Base-LX capable hardware I
>> missed?
>>
>> Sincerely,
>>
>> Uday MOORJANI
>>
>> PS
>> Loving the OS.
>>
>>
>
> When I had a circuit delivered on single-mode fibre I couldn't find
> a suitable 1Gb SFP card for any sensible money so I used a 10Gb card
> instead (in my case some 82599-based Intel SFP+ which uses the ix(4)
> driver), which also work with 1Gb SFPs.
>
> $ ifconfig ix1 | grep -e ^ix -e media
> ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> media: Ethernet autoselect (1000baseLX full-duplex,rxpause,txpause)
>
> $ dmesg | grep ^ix1 | tail -1
> ix1 at pci1 dev 0 function 1 "Intel 82599" rev 0x01: msi, address 00:1b:21:c0:25:bd



OpenBSD 6.0 - Silicom PE2G4SFPI35L Intel i340AM4 based

2017-03-09 Thread Uday MOORJANI
Dear Community,

Hope all is well. I'm on my last stretch to put in production our
OpenBSD/OpenBGPd implementation. I have chosen a SuperMicro box as my
platform, some of our transit providers at the data center come in
through 1000-Base-LX fiber cross connects hence the search for an SFP
and LX capable network card.

My question is, does the em driver work with Intel-based network cards
of other vendors such as the Silicom PE2G4SFPI35L or the PE2G4SFPI80L,
both respectively are based on Intel i340AM4 and 82580EB controllers.
Or is there another card with 4-Ports 1000-Base-LX capable hardware I
missed?

Sincerely,

Uday MOORJANI

PS
Loving the OS.



Re: gKrypt GPU Accelerated Encryption for OpenBSD

2017-03-03 Thread Uday MOORJANI
PS. This seems to be a proprietary project; on the other hand, thoughts are
towards a new open source BSD-licensed integration of commodity GPUs into
native encryption in OpenBSD. If this has already been done, by all means
please advise as to where I can get more information.

On Fri, Mar 3, 2017 at 11:51 AM, Uday MOORJANI <umoorjani.v...@gmail.com>
wrote:

> Hi Guys,
>
> Do you think this would be a good project to port? I have a personal
> project based on OpenBSD (not limited to), it's a network function for the
> SDDC space; since scalability is CPU intensive I believe the ability to
> offload encryption hooks native to the OS used by services (VPN, SSL/TLS,
> SSL-VPN, SSL offloading etc.) in the SDDC could be a good addition to
> OpenBSD, a great niche as well. :)
>
> Glad to hear your thoughts.
>
> Sincerely,
>
> Uday M



gKrypt GPU Accelerated Encryption for OpenBSD

2017-03-03 Thread Uday MOORJANI
Hi Guys,

Do you think this would be a good project to port? I have a personal
project based on OpenBSD (not limited to), it's a network function for the
SDDC space; since scalability is CPU intensive I believe the ability to
offload encryption hooks native to the OS used by services (VPN, SSL/TLS,
SSL-VPN, SSL offloading etc.) in the SDDC could be a good addition to
OpenBSD, a great niche as well. :)

Glad to hear your thoughts.

Sincerely,

Uday M



OpenBSD BFD Implementation

2017-01-24 Thread Uday MOORJANI
Dear Misc

Hope all is fine. I'm trying to find an implementation of BFD for OpenBSD
and I read Peter's  that it was still under development. My questions are:

- Has anyone tried OpenBFDd on OpenBSD?
- Same question but with BIRD's implementation of BFD? I read on a forum that
BIRD on OpenBSD doesn't support BFD, but I'm having doubts as BIRD's website
says otherwise.

Thanks guys,

Uday



OpenBGPd - Multi-home ISP : DDoS Protection

2017-01-12 Thread Uday MOORJANI
Dear OpenBSD-Misc,

First of all, awesome work on the OpenBGPd and BFD code. I'm working on a
WAN setup for an enterprise and we are migrating from a static route WAN to a
full-fledged BGP transit in a multi-home environment for the specific
purpose of providing the best possible path/route to our service catalogue.
The service catalogue within the enterprise is orchestrated by a private
VMware cloud with added software defined networking (micro-segmentation)
capabilities within the private cloud via NSX.

My concern is about DDoS protection from the ingress traffic. In my logic
it makes no sense to contract a service such as Imperva or Cloudflare for
DDoS protection on the network level, as proper PF (firewall) rules in
place should protect us at line rate. My doubts are:

- Are the rules provided for anti-DDoS sufficient? Is there a good soul to
share some rulesets?
- Am I out of my mind for choosing OpenBGPd/OpenBSD for my transit WAN? I
love the fact that we're sandboxed and hyperthreaded and am particularly
content with the resolution of convergence time problems (
http://undeadly.org/cgi?action=article&sid=20151106171337&mode=expanded)
- Is there a way to contract support in case sh*t hits the fan with
OpenBGPd?
- What are the best tools to supervise and test-bed the performance of an
OpenBGPd instance? (most definitely the dumbest question)

Again, love the fact I can get some sleep with OpenBSD/OpenBGPd, please do
get back to me for commercial support to calm the nerves.

Sincerely,

Uday MOORJANI



Re: CARP problem : slave rioting

2009-06-26 Thread uday
Can you post configuration files for the carp interfaces ?

Nonviolence means avoiding not only external physical violence but
also internal violence of spirit. You not only refuse to shoot a man,
but you refuse to hate him. Rev. Martin Luther King Jr.



On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
 Hello,

 I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is made using
 CARP.
 Each has 4 NICs: 1 for the internet, 1 for pfsync, and the last two are used as a
 trunk, collecting all other VLANs.
 Master's advskew is 10, slave's is 50.
 All worked like a charm for nearly 2 years, but for 3 weeks I have had odd
 problems:
 * on the net interface, the backup becomes master, but the master remains
 master - nearly half of the packets are lost.
 I did a tcpdump on the slave's interface; carp packets from the master arrive.
 But it remains master!
 Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
 CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
 Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
 CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

 * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it
 is part of a trunk, physical connections are good: they work for all other
 VLANs. When I shut down the corresponding carp interface on the slave
 (ifconfig carp4 down), the master becomes master again.

 Could you give me any clue to keep my master in master state?

 Thank you

 --
 Regards,

 Pierre BARDOU
 CSIM - Bureau 012

 Midi Picardie Informatique Hospitalière
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1

 Tel: 05 67 31 90 84
 Fax: 05 34 61 51 00
 Mail: bardo...@mipih.fr



pf-relayd-carp - multiple carp aliases to be used in relayd

2009-06-26 Thread uday
Hi,

I've setup pf relayd and carp to work together as a load balancer. I
have one carp interface on the public internet on both servers :

inet 192.168.172.77 255.255.255.240 192.168.172.79 vhid 1 pass foo
inet alias 192.168.172.74 255.255.255.255

I wish to use IP aliases on the carp interface to send load balanced
traffic through relayd, traffic such as http/https. My goal here is
to be able to bind service ports to external IP aliases on the carp
interface and proxy the traffic to my internal network.

I have relayd configured to receive https traffic from the aliased IP of
the carp interface:

relay https-proxy {
listen on 192.168.172.74 port 443 ssl
protocol https
forward to webhosts port 80 mode loadbalance check http / code 200
}

Now this configuration works like a charm... but not for long. After a
while I get timed out to the server. I tried setting up a second carp
interface with a different vhid to be sure that there were no
conflicts. Even after that I get the same symptom. When I try to
tcpdump the incoming traffic I see nothing coming in. All of this
happens after a while, not right away; I have to do sh /etc/netstart on
both servers for it to go back to normal and then a while later it
starts to have the same reaction. Has anyone tried this sort of
configuration? If yes, do you have production examples or best
practices you can share?

Thank you very much for your kind support.




Re: CARP problem : slave rioting

2009-06-26 Thread uday
Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same
value. I would suggest you use a unique value for each group.

From the man page:
The Virtual Host ID. This is a unique number that is used to identify
the redundancy group to other nodes on the network. Acceptable values
are from 1 to 255.

I think this is the way to go but I'm not sure.

UM




On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
 Hello,

 CARP is configured using a script. Here it is (truncated version):

 ifconfig carp5 create
 ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN

 ifconfig carp2 create
 ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"

 ifconfig carp3 create
 ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"

 ifconfig carp12 create
 ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"


 ifconfig carp13 create
 ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"

 ifconfig carp4 create
 ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
 ifconfig carp4 alias 217.109.108.1/24

 ifconfig carp14 create
 ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet


 --
 Regards,
 Pierre BARDOU


 -Original message-
 From: uday [mailto:umoorjani@gmail.com]
 Sent: Friday, 26 June 2009 12:21
 To: BARDOU Pierre
 Cc: misc@openbsd.org
 Subject: Re: CARP problem : slave rioting

 Can you post configuration files for the carp interfaces ?




 On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
 Hello,

 I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is made using
 CARP.
 Each has 4 NICs: 1 for the internet, 1 for pfsync, and the last two are used as a
 trunk, collecting all other VLANs.
 Master's advskew is 10, slave's is 50.
 All worked like a charm for nearly 2 years, but for 3 weeks I have had odd
 problems:
 * on the net interface, the backup becomes master, but the master remains
 master - nearly half of the packets are lost.
 I did a tcpdump on the slave's interface; carp packets from the master arrive.
 But it remains master!
 Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
 CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
 Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
 CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

 * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it
 is part of a trunk, physical connections are good: they work for all other
 VLANs. When I shut down the corresponding carp interface on the slave
 (ifconfig carp4 down), the master becomes master again.

 Could you give me any clue to keep my master in master state?

 Thank you

 --
 Regards,

 Pierre BARDOU
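A small checker for the two things this thread turns on, added here as an example (it is not code from any of the posts): it scans an ifconfig-style carp setup script for a vhid reused by several interfaces, and reads tcpdump CARP advertisement lines to show which advbase/advskew pairs compete for each vhid, using CARP's advertisement interval of advbase + advskew/256 seconds (the lowest interval is preferred as master). Both inputs are constructed to mirror the script and tcpdump output quoted above; 192.0.2.254 stands in for the elided address.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the setup script posted in this thread:
# every carp interface is created with the same vhid.
SETUP_SCRIPT = """\
ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN
ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp14 create
ifconfig carp14 vhid 10 advskew $1 pass $PASS 192.0.2.254/28 description Internet
"""

# Constructed sample, modelled on the tcpdump lines seen on the backup node:
# two nodes advertise vhid 10 with different advskew values.
TCPDUMP_OUTPUT = """\
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
"""

VHID_LINE = re.compile(r"^\s*ifconfig\s+(carp\d+)\b.*?\bvhid\s+(\d+)", re.MULTILINE)
ADVERT = re.compile(r"vhid=(\d+) advbase=(\d+) advskew=(\d+) demote=(\d+)")


def vhid_per_interface(script):
    """Map each carp interface in an ifconfig script to the vhid it is given."""
    return {iface: int(vhid) for iface, vhid in VHID_LINE.findall(script)}


def shared_vhids(script):
    """Return {vhid: [interfaces]} for every vhid assigned to more than one
    carp interface; an empty dict means every redundancy group is unique."""
    groups = defaultdict(list)
    for iface, vhid in vhid_per_interface(script).items():
        groups[vhid].append(iface)
    return {vhid: ifaces for vhid, ifaces in groups.items() if len(ifaces) > 1}


def advert_interval(advbase, advskew):
    """Seconds between advertisements: advbase + advskew/256. The node with the
    lowest interval (advertising most often) is preferred as master of the vhid."""
    return advbase + advskew / 256.0


def contenders_per_vhid(tcpdump_output):
    """Group the (advbase, advskew) pairs advertised for each vhid, sorted so
    the pair that should win the election comes first."""
    seen = defaultdict(set)
    for vhid, base, skew, _demote in ADVERT.findall(tcpdump_output):
        seen[int(vhid)].add((int(base), int(skew)))
    return {vhid: sorted(pairs, key=lambda p: advert_interval(*p))
            for vhid, pairs in seen.items()}


def expected_master_skew(tcpdump_output, vhid):
    """advskew of the node that should hold vhid after a clean election, or None."""
    pairs = contenders_per_vhid(tcpdump_output).get(vhid)
    return pairs[0][1] if pairs else None


def report(script, tcpdump_output):
    """Human-readable summary of both checks."""
    lines = []
    for vhid, ifaces in shared_vhids(script).items():
        lines.append(f"vhid {vhid} is reused by {', '.join(ifaces)}; "
                     "give each redundancy group its own vhid (1-255)")
    for vhid, pairs in contenders_per_vhid(tcpdump_output).items():
        shown = ", ".join(f"advbase={b} advskew={s}" for b, s in pairs)
        lines.append(f"vhid {vhid}: advertisements seen with {shown}; "
                     f"advskew {pairs[0][1]} should be master")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SETUP_SCRIPT, TCPDUMP_OUTPUT))
```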



Re: binding services on carp

2009-05-28 Thread uday
I got it, for those who don't know, you have to bind to the carp
address but with a specific pf entry.

rdr on $ExtIf proto tcp from any to carp0 port ftp tag FTPROXY -> lo0 port 8021
pass in log on $ExtIf inet proto tcp from any to lo0 port 8021 flags S/SA keep state tagged FTPROXY

Works like a charm ! Gotta love OpenBSD !




On Wed, May 27, 2009 at 8:25 AM, Stephan A. Rickauer <stephan.ricka...@ini.phys.ethz.ch> wrote:
 On Tue, 2009-05-26 at 16:18 -0400, uday wrote:
 Hey guys,

 A quick question, is there a way to bind services to the carp
 interface ? You see I have an ftp-proxy running and I wanted to use
 carp since I'm already doing fail-over with PF.

 FTP client --> Redundant Firewall w/ftp-proxy --> Internal FTP-SERVER

 man ftp-proxy, see -a flag.



binding services on carp

2009-05-26 Thread uday
Hey guys,

A quick question, is there a way to bind services to the carp
interface ? You see I have an ftp-proxy running and I wanted to use
carp since I'm already doing fail-over with PF.

FTP client --> Redundant Firewall w/ftp-proxy --> Internal FTP-SERVER
HTTP Client --> Redundant Firewall w/ Relayd --> Internal Apache Servers

If carp is not suitable, does anyone have any experience implementing
something like this ?

Thanks for tips.

UM




relayd - trunked web pages

2009-05-18 Thread uday
Hi,

I'm experiencing something very peculiar with relayd. I have had relayd
in production for quite some time and I'm observing, over the long term, that
relayd starts to truncate http responses and I don't seem to know why.
When I restart relayd everything starts working again. Can anyone
point me in a direction where I can start looking to debug this
issue and eventually resolve it?

Here is my relayd.conf

relayd_addr=192.168.172.77
https_port=443
http_port=80
table web_hosts { 192.168.223.58  }

interval 10
timeout 1000
prefork 5
log all

http protocol httpssl {
ssl { sslv3, tlsv1, ciphers MEDIUM:!ADH, no sslv2 }
header append $REMOTE_ADDR to X-Forwarded-For
}

http protocol httpsimple {
header append $REMOTE_ADDR to X-Forwarded-For
}

relay https-proxy {
listen on $relayd_addr port $https_port ssl
protocol httpssl
forward to web_hosts port $http_port mode loadbalance check http / code 200
}

relay http-proxy {
listen on $relayd_addr port $http_port
protocol httpsimple
forward to web_hosts port $http_port mode loadbalance check http / code 200
}

Here is my pf.conf:

ext_if = vic0
int_if = vic1
ext_ip = 192.168.172.77
ftp_ip  = 192.168.223.58


nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)

rdr-anchor "relayd/*"
rdr-anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_ip port 21 user proxy flags S/SA keep state
pass in log (all, to pflog1) on $ext_if inet proto tcp to $ext_if port 21 keep state

anchor "relayd/*"
anchor "ftp-proxy/*"

UM



Thank you for Relayd

2009-01-26 Thread uday
I just wanted to thank the developers and contributors of Relayd. It's a
wonderful load balancer, very well written. GOOD JOB guys! FYI, you
saved us $75,000 in F5 equipment.

um



Re: Thank you for Relayd

2009-01-26 Thread uday
I'm negotiating a community contribution budget for all the open
source software we're using. It should be a good thing for the
community.

um.

On Mon, Jan 26, 2009 at 1:53 PM, Dag Richards <dagricha...@speakeasy.net> wrote:
 I assume that your company will send say 10% of that saved cash to the
 project now to ensure continued development and maintenance ?

 ;)


 On 1/26/09 9:32 AM, uday wrote:

 I just wanted to thank the developers and contributors of Relayd. It's a
 wonderful load balancer, very well written. GOOD JOB guys! FYI, you
 saved us $75,000 in F5 equipment.

 um



Re: Can't get relayd to work for DNS + problem with relayctl reload

2009-01-14 Thread uday
Pierre,

I'm seeing the same result with relayctl; I don't know where it's coming
from.

um

On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:

 Shame on me, it didn't work because I allowed connections to the real IPs
 (10.60.0.10x) and not to the relayd IP (10.31.33.254).

 Now it works, thanks for the help :)

 But I still have the issue I reported a few months ago: when I use a
 relay, relayctl reload fails saying command failed.
 The relayd logs say nothing. Will I be forced to pkill relayd and restart
 it each time?

 --
 Regards,
 Pierre BARDOU

 -Original message-
 From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
 Sent: Wednesday, 14 January 2009 02:22
 To: BARDOU Pierre
 Subject: Re: Can't get relayd to work for DNS

 I have this in my relayd.conf; it's just an extract. There is only a pass in
 in pf.conf. You use either relay or redirect, not both at once; redirect
 requires an anchor in pf.conf, relay doesn't.

 dns protocol dnsudp

 tcp protocol dnstcp

 relay relaydnsudp {
   protocol dnsudp
   listen on $dns_int port domain
   forward to DNSSERVERS \
   check script /usr/local/bin/dnscheck
 }

 relay relaydnstcp {
   protocol dnstcp
   listen on $dns_int port domain
   forward to DNSSERVERS \
   check script /usr/local/bin/dnscheck
 }


 dnscheck script does a dig to check dns is up

 #!/bin/ksh
 # relayd runs this as "dnscheck <host>"; with check script, a non-zero exit
 # status reports the host as up and zero reports it as down.
 dnsserver=$1
 if ping -n -c1 -w 1 "$dnsserver" >/dev/null 2>&1 && dig -x \
  "$dnsserver" @"$dnsserver" >/dev/null
 then
   exit 1
 fi
 exit 0


 Regards

 Nigel Taylor

 BARDOU Pierre wrote:
  Hello,

  I am trying to set up relayd for load balancing on my DNS servers.
  The problem is that relayd seems to handle only TCP connections; UDP isn't
  taken into account.
  I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4.

  I've tried the same setup with a relay, and still have the same problem.

  Where am I mistaken?

  # pfctl -a relayd/DNS -s nat
  rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin
 
  # cat /etc/relayd.conf
  node1=10.60.0.101
  node2=10.60.0.102
  node3=10.60.0.103
 
  squid_int=10.31.33.254
  dns_int=10.31.33.254
 
  # Global Options
  interval 5
  log updates
  prefork 10
  timeout 1500
 
  table squid { $node1 , $node3 }
  table DNS { $node1 , $node3 }
 
  redirect squid {
  listen on $squid_int port 3128
  forward to squid mode roundrobin check tcp
  }
 
  redirect DNS {
  listen on $dns_int port 53
  forward to DNS mode roundrobin check tcp
  }
 
  Relay config :
  dns protocol dnsfilter {
 ### TCP performance options
  tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
  }
 
  relay dns {
 ### listen and accept redirected connections from pf
  listen on $dns_int port 53
 
 ### apply web filters
  protocol dnsfilter
 
 ### forward to web server(s)
  forward to DNS mode roundrobin check tcp
  }
  --
  Regards,

  Pierre BARDOU



relayd - ssl offloading

2008-12-19 Thread uday
hi,

I'm trying to get relayd to work with ssl and I'm having quite a hard
time. I get the error message: SSL library error: httpproxy:
relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl
session id callback failed relay, which involves /dev/random
issues.

So to test if it was a general problem with /dev/random I installed
stunnel and forwarded all https packets from stunnel to the webhosts
in relayd, and it works, so I narrowed it down to relayd. I checked the
rights on /dev/random and I don't have any issues with it. Can someone
point me in the direction to resolving my problem please? Any idea on
how to solve this?

Here is the relayd log snippet :

startup
init_filter: filter init done
init_tables: created 0 tables
relay_privinit: adding relay httpproxy
protocol 0: name httpfilter
flags: 0x20004
type: tcp
request change Connection to close
request change Keep-Alive to $TIMEOUT
request append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
request append $REMOTE_ADDR to X-Forwarded-For
response change Server to Server1
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
hce_notify_done: 192.168.190.53 (recv_icmp: done)
host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
pfe_dispatch_imsg: state 1 for host 1 192.168.190.53
hce_notify_done: 192.168.190.53 (recv_icmp: done)


Here is my relayd.conf :

relayd_addr=192.168.172.77
relayd_port=8080
web_port=80
table web_hosts { 192.168.190.53  }
interval 10
timeout 200
prefork 5

http protocol httpfilter {
return error
header append $REMOTE_ADDR to X-Forwarded-For
header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
header change Keep-Alive to $TIMEOUT
header change Connection to close
response header change Server to Server1
ssl { sslv3, tlsv1, ciphers HIGH:!ADH, no sslv2 }
}

relay httpproxy {
listen on $relayd_addr port $relayd_port ssl
protocol httpfilter
forward to web_hosts port $web_port mode loadbalance check icmp
}

Here is my pf.conf

int_if=bce0
rdr-anchor "relayd/*"
rdr pass on $int_if proto tcp to port 443 -> 192.168.172.77 port 8080

--
uday



Re: relayd - ssl offloading

2008-12-19 Thread uday
Hi guys,

I tried generating random numbers with the _relayd user without a problem :

[_rel...@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
   2530374051  2874409472  1650458018  3736200264
   1776311775   448067355  3385764049   245858356
[_rel...@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
   3500873714  1514410290  1261638879  3441183390
   1244646393  1231567229  2455711758  3155117271
[_rel...@myserver /etc/ssl]$ od -X -A n /dev/random | head -2
 ec656a22865705affba217e99141ec7c
 24cab1151d520b9aba1e1c48a5016cbd
[_rel...@myserver /etc/ssl]$ od -X -A n /dev/random | head -2
 82028e10a31642abea289fa8986233be
 620b5ed369888e5b938c7cdf2e9f2794

Now I really don't know where to go. I tried out pound and it handled
ssl proxying like a pro. Am I missing something here? Am I even
debugging correctly? Thanks a lot for the help guys.

uday


On Fri, Dec 19, 2008 at 11:08 AM, uday <umoorjani@gmail.com> wrote:
 hi,

 I'm trying to get relayd to work with ssl and I'm having quite a hard
 time. I get the error message: SSL library error: httpproxy:
 relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl
 session id callback failed relay, which involves /dev/random
 issues.

 So to test if it was a general problem with /dev/random I installed
 stunnel and forwarded all https packets from stunnel to the webhosts
 in relayd, and it works, so I narrowed it down to relayd. I checked the
 rights on /dev/random and I don't have any issues with it. Can someone
 point me in the direction to resolving my problem please? Any idea on
 how to solve this?

 Here is the relayd log snippet :

 startup
 init_filter: filter init done
 init_tables: created 0 tables
 relay_privinit: adding relay httpproxy
 protocol 0: name httpfilter
flags: 0x20004
type: tcp
request change Connection to close
request change Keep-Alive to $TIMEOUT
request append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
request append $REMOTE_ADDR to X-Forwarded-For
response change Server to Server1
 relay_init: max open files 11095
 relay_init: max open files 11095
 relay_ssl_ctx_create: loading certificate
 relay_ssl_ctx_create: loading certificate
 relay_ssl_ctx_create: loading private key
 relay_ssl_ctx_create: loading private key
 adding 1 hosts from table web_hosts:80
 adding 1 hosts from table web_hosts:80
 relay_launch: running relay httpproxy
 relay_launch: running relay httpproxy
 relay_init: max open files 11095
 relay_init: max open files 11095
 relay_ssl_ctx_create: loading certificate
 relay_ssl_ctx_create: loading certificate
 relay_ssl_ctx_create: loading private key
 relay_ssl_ctx_create: loading private key
 adding 1 hosts from table web_hosts:80
 adding 1 hosts from table web_hosts:80
 relay_launch: running relay httpproxy
 relay_launch: running relay httpproxy
 relay_init: max open files 11095
 relay_ssl_ctx_create: loading certificate
 relay_ssl_ctx_create: loading private key
 adding 1 hosts from table web_hosts:80
 relay_launch: running relay httpproxy
 hce_notify_done: 192.168.190.53 (recv_icmp: done)
 host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
 pfe_dispatch_imsg: state 1 for host 1 192.168.190.53
 hce_notify_done: 192.168.190.53 (recv_icmp: done)


 Here is my relayd.conf :

 relayd_addr=192.168.172.77
 relayd_port=8080
 web_port=80
 table web_hosts { 192.168.190.53  }
 interval 10
 timeout 200
 prefork 5

 http protocol httpfilter {
return error
header append $REMOTE_ADDR to X-Forwarded-For
header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
header change Keep-Alive to $TIMEOUT
header change Connection to close
response header change Server to Server1
ssl { sslv3, tlsv1, ciphers HIGH:!ADH, no sslv2 }
 }

 relay httpproxy {
listen on $relayd_addr port $relayd_port ssl
protocol httpfilter
forward to web_hosts port $web_port mode loadbalance check icmp
 }

 Here is my pf.conf

 int_if=bce0
 rdr-anchor "relayd/*"
 rdr pass on $int_if proto tcp to port 443 -> 192.168.172.77 port 8080

 --
 uday



Re: relayd exits when disabling and enabling hosts

2008-11-14 Thread uday
I like relayd and am fully satisfied with it. Pyr and Reyk have done a
great job. It just needs a few more algorithms and other features, but
overall it does the job. I know I couldn't have done better :-)  Just
my 2 cts.



offloading layer 7 packet classification to hardware

2008-10-30 Thread uday
hi guys,

I just wanted to know if anyone has any experience with offloading PF
layer 7 packet classification to hardware accelerators such as
Sensory Networks' HyperScan?

http://sensorynetworks.com/Products/HyperScan

sincerely,

uday



commercial support - pf/relayd

2008-10-28 Thread uday
Hi,

Just wanted to know if there is any commercial support available for
pf/relayd in particular, or any other support contract that could
include these two components.

sincerely,

uday



Re: relayd - tcp_write: connect timed out

2008-10-27 Thread uday
 Ick: those are pre-HTTP-1.0 requests, as they lack a protocol and
 version identifier.  What relayd actually sends is a HEAD request with
 protocol HTTP/1.0.  You don't specify a hostname in your config, so it
 doesn't send a Host: header field.  Try those again using something
 like:
   printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 192.168.4.76 80

Did exactly what you said :

# printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 192.168.4.76 80
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 10:51:32 GMT
Server: Apache/2.2.8 (Ubuntu)
Last-Modified: Wed, 01 Oct 2008 20:01:13 GMT
ETag: "1bd35-34-458368fed1440"
Accept-Ranges: bytes
Content-Length: 52
Connection: close
Content-Type: text/html

uday
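To make the exchange in this thread concrete, here is an added example (not relayd's code and not from any post): it builds the HEAD / HTTP/1.0 probe the quoted reply describes, with a Host: header only when a hostname is given, classifies a reply the way a "check http / code 200" needs to, and wraps that in a socket probe that uses relayd.conf's millisecond timeout so a connect that never completes is reported as "connect timed out". The sample response is constructed from the Apache reply above; the address and port in the __main__ block are assumptions.

```python
import socket

# Constructed sample response, modelled on the Apache reply shown in this thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Oct 2008 10:51:32 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu)\r\n"
    "Content-Length: 52\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def build_check_request(path="/", host=None):
    """The probe for 'check http <path> code <n>': a HEAD request with protocol
    HTTP/1.0. A Host: header is only added when a hostname is configured for
    the check, so a name-based virtual host may answer with a different code."""
    lines = [f"HEAD {path} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status_code(raw):
    """Status code from the first line of an HTTP response, or None when the
    reply is not a proper 'HTTP/x.y <code> ...' status line (for example a
    server that just streams a body back to a pre-1.0 request)."""
    status_line = raw.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(raw, expected_code=200):
    """'up' when the status code matches the configured one, else 'down'."""
    return "up" if parse_status_code(raw) == expected_code else "down"


def check_host(addr, port, path="/", expected_code=200, timeout_ms=1000, host=None):
    """Connect with the millisecond timeout relayd.conf's 'timeout' expresses,
    send the probe and classify the answer. Returns (state, reason); a connect
    that does not complete in time is the 'connect timed out' case from this thread."""
    try:
        sock = socket.create_connection((addr, port), timeout=timeout_ms / 1000.0)
    except socket.timeout:
        return "down", "connect timed out"
    except OSError as exc:
        return "down", f"connect failed: {exc}"
    with sock:
        try:
            sock.sendall(build_check_request(path, host).encode("ascii"))
            chunks = []
            while True:  # HTTP/1.0 server closes after the response
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            return "down", "read timed out"
        except OSError as exc:
            return "down", f"probe failed: {exc}"
    raw = b"".join(chunks).decode("latin-1")
    code = parse_status_code(raw)
    reason = f"http code {code}" if code is not None else "no HTTP status line"
    return classify(raw, expected_code), reason


if __name__ == "__main__":
    # Assumed address and port; replace with a web server reachable from here.
    print(check_host("192.168.4.76", 80, timeout_ms=1000))
```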



Re: IBM x3350

2008-10-27 Thread uday
I don't know about that, but if it doesn't you can install obsd on
VMware ESXi and it will work like a charm :)

uday

On Mon, Oct 27, 2008 at 4:03 PM, Johan Borch [EMAIL PROTECTED] wrote:
 Hi,

 I know that there has been a lot of mails about the IBM x-series lately, but
 is it the same problem  with all of them (Adaptec raid)? I couldn't find
 anything about the x3350 on the lists, anyone knows if that one works with
 OpenBSD?

 Regards
 Johan



Re: relayd - tcp_write: connect timed out

2008-10-26 Thread uday
 For instance can you ensure that you can connect to the web server from
 the redirector(the machine running relayd) by using netcat?

 Run this on the web server.

 $ nc -l 1234

 and from the relayd machine try

 $ nc 192.168.4.78 1234

Well this worked out:

# nc 192.168.4.78 80
GET /
<html><body><h1>It works! web01 </h1></body></html>

# nc 192.168.4.76 80
GET /
<html><body><h1>It works! web02 </h1></body></html>


 For instance have you ensured that the web server and the clients are in
 separate networks connected/routed by the relayd machine?

My nodes have the relayd machine as default gateway. Is that sufficient ?

 There are certain unwritten ground rules to be followed for rdr to work.

 For instance if your reverse path does not match the forward path
 between the client and the server, then
 rdr will fail and the TCP handshake will not go through.

Okay, as a client we have a firewall that serves as the default
gateway for our laptops, which is 192.168.4.254. The relayd server has
that as its default gateway as well. But the nodes have the relayd
server as their default gateway, so the forward/return paths should be
identical in my configuration if I'm not mistaken.

 Basically rdr should get a chance to see the packets in both directions
 to function properly.

Thanks for your kind attention to my problem, I'm still confused
though, I'll go ahead and tcpdump this and see where it takes me. I
would appreciate greater understanding of this.

Sincerely,

Uday



Re: relayd - tcp_write: connect timed out

2008-10-26 Thread uday
I think I'm on to something here, when I change the check
instructions from 'http / get 200' to 'icmp' I get no errors and the
relaying works like a charm (you should've seen my face). The issue is
to get relayd to check http correctly. I'll continue this and post my
results for the others after me.

uday



relayd - tcp_write: connect timed out

2008-10-25 Thread uday
Hi Guys,

I'm trying out relayd here and first of all, felicitations to PYR and
the community for their work on this piece of software. This is my
first time installing it and while trying it out I came across an issue: I
keep on getting tcp_write: connect timed out when relayd checks the
hosts table. I searched the entire net for a solution and the only
solution I found is that a good timeout could solve the issue (rather
than a patch, which is said to be wrong by the man himself, PYR). I just ran
out of luck; I tried in every possible way to change the config and
it's just not working. On the webserver side I'm not even seeing an
attempt to connect, which is weird for me. I know I'm doing something
wrong here but I don't see it; I would greatly appreciate it if anyone who
encountered this problem could share a bit of info with me.

This is the message I'm getting when I try to connect to the
loadbalancer on port 80:

relay httpproxy, session 1 (1 active), 0, 192.168.4.22 -> :80, session failed

This is the full debug of relayd with -d -vv :
--
startup
relay_privinit: adding relay httpproxy
protocol 0: name httpfilter
flags: 0x20004
type: tcp
request change Keep-Alive to $TIMEOUT
request append $REMOTE_ADDR to X-Forwarded-For
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
init_filter: filter init done
init_tables: created 0 tables
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
tcp_write: connect timed out
hce_notify_done: 192.168.4.78 (tcp_write: connect failed)
host 192.168.4.78, check http code (18ms), state unknown -> down, availability 0.00%
tcp_write: connect timed out
hce_notify_done: 192.168.4.76 (tcp_write: connect failed)
host 192.168.4.76, check http code (19ms), state unknown -> down, availability 0.00%
pfe_dispatch_imsg: state -1 for host 3 192.168.4.78
pfe_dispatch_imsg: state -1 for host 2 192.168.4.76
tcp_write: connect timed out
relay httpproxy, session 1 (1 active), 0, 192.168.4.22 -> :80, session failed
hce_notify_done: 192.168.4.78 (tcp_write: connect failed)
tcp_write: connect timed out
hce_notify_done: 192.168.4.76 (tcp_write: connect failed)
--

Running OpenBSD 4.3

Here is my relayd.conf :
--
relayd_addr=127.0.0.1
relayd_port=8080

web_port=80
table web_hosts { 192.168.4.78, 192.168.4.76 }

interval 10
timeout 1000
prefork 5
log updates

http protocol httpfilter {
return error
header append $REMOTE_ADDR to X-Forwarded-For
header change Keep-Alive to $TIMEOUT
}

relay httpproxy {
listen on $relayd_addr port $relayd_port
protocol httpfilter
forward to web_hosts port $web_port mode loadbalance check http / code 200
}
--

Here is my pf.conf:
--
int_if=vic0
rdr-anchor "relayd/*"
rdr pass on $int_if proto tcp to port http -> 127.0.0.1 port 8080
--

Thanks for the help guys.

Sincerely,

Uday