Re: Issues with relayd

2018-04-07 Thread Matt Schwartz
Thanks for the reply, Claudio. Damnit Batman! I knew I forgot to give 
you some relevant data. Sorry 'bout that. Here is my relayd.conf file. 
It's nothing spectacular. Relayd is proxying my Ghost Blog.


http protocol https {
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
    match request header append "X-Forwarded-Proto" value "https"
    match request header set "Keep-Alive" value "$TIMEOUT"

    tcp { nodelay, sack, socket buffer 65536, backlog 128 }

    tls { no tlsv1.0, ciphers HIGH }
    tls no session tickets
}

relay ghost {
    listen on vio0 port 443 tls
    protocol https
    forward to 127.0.0.1 port 2368
}

On 4/7/2018 3:32 AM, Claudio Jeker wrote:
> On Fri, Apr 06, 2018 at 09:28:01AM -0400, Matt Schwartz wrote:
> > Hi misc@
> >
> > I am running relayd as a reverse TLS proxy on OpenBSD 6.3 release with the
> > GENERIC kernel. I have noticed two issues that happen: (1) netstat reports
> > that the Recv-q for the ip protocol steadily climbs and never goes back to 0
> > unless I restart relayd and (2) I am getting a lot of spurious TLS handshake
> > errors that I can't pin down. I am running relayd with relayd -vv logging.
> > Below is output from my relayd.log and dmesg.
>
> Not sure what the problem is with the IP Recv-q without looking at the
> config. For the TLS errors, relayd in 6.3 logs a bit more that's all.





Re: Issues with relayd

2018-04-07 Thread Claudio Jeker
On Fri, Apr 06, 2018 at 09:28:01AM -0400, Matt Schwartz wrote:
> Hi misc@
> 
> I am running relayd as a reverse TLS proxy on OpenBSD 6.3 release with the
> GENERIC kernel. I have noticed two issues that happen: (1) netstat reports
> that the Recv-q for the ip protocol steadily climbs and never goes back to 0
> unless I restart relayd and (2) I am getting a lot of spurious TLS handshake
> errors that I can't pin down. I am running relayd with relayd -vv logging.
> Below is output from my relayd.log and dmesg.
> 

Not sure what the problem is with the IP Recv-q without looking at the
config. For the TLS errors, relayd in 6.3 logs a bit more that's all.

-- 
:wq Claudio
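
Added example (not part of the thread and not relayd's own tooling): one way to see what the handshake-failure entries in a `relayd -vv` log consist of is to tally them by relay and reason. The sample entries are taken from the log quoted in this thread, joined to one entry per line; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: tally relayd "TLS handshake failed" log entries by reason.

# Sample input: entries from the log quoted in this thread, one per line.
sample_log() {
cat <<'EOF'
Apr  5 23:47:09 panther relayd[11143]: relay ghost, tls session 5 established (1 active)
Apr  5 23:48:23 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number
Apr  5 23:48:23 panther relayd[73657]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:23 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: unexpected EOF
Apr  5 23:48:25 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher
EOF
}

# handshake_failures (hypothetical helper name): reads relayd syslog lines on
# stdin and prints "count<TAB>relay<TAB>reason", most frequent first.
handshake_failures() {
    awk '
    /TLS handshake failed: / {
        rest = $0
        sub(/^.*TLS handshake failed: /, "", rest)  # "ghost: relay_tls_handshake: ..."
        relay = rest
        sub(/:.*$/, "", relay)                      # relay name before the first colon
        reason = rest
        sub(/^.*handshake failed: /, "", reason)    # text after the last "handshake failed: "
        # libssl errors read error:CODE:library:function:reason; keep the last field
        if (reason ~ /^error:/) { n = split(reason, f, ":"); reason = f[n] }
        count[relay "\t" reason]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf "\t")" -k1,1nr -k3,3
}

sample_log | handshake_failures
```

On a live system the same function can be fed the whole file, for example `handshake_failures < /var/log/relayd`.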



Issues with relayd

2018-04-06 Thread Matt Schwartz

Hi misc@

I am running relayd as a reverse TLS proxy on OpenBSD 6.3 release with 
the GENERIC kernel. I have noticed two issues that happen: (1) netstat 
reports that the Recv-q for the ip protocol steadily climbs and never 
goes back to 0 unless I restart relayd and (2) I am getting a lot of 
spurious TLS handshake errors that I can't pin down. I am running relayd 
with relayd -vv logging. Below is output from my relayd.log and dmesg.


Thanks,

Matt

/var/log/relayd:

Apr  5 23:45:43 panther relayd[94018]: startup
Apr  5 23:46:08 panther relayd[43579]: relay_tls_transaction: session 1: scheduling on EV_READ
Apr  5 23:46:08 panther relayd[43579]: relay ghost, tls session 1 established (1 active)
Apr  5 23:46:15 panther relayd[43579]: relay_tls_transaction: session 2: scheduling on EV_READ
Apr  5 23:46:15 panther relayd[43579]: relay ghost, tls session 2 established (1 active)
Apr  5 23:46:15 panther relayd[43579]: relay_tls_transaction: session 3: scheduling on EV_READ
Apr  5 23:46:15 panther relayd[43579]: relay ghost, tls session 3 established (1 active)
Apr  5 23:46:15 panther relayd[43579]: relay_tls_transaction: session 4: scheduling on EV_READ
Apr  5 23:46:15 panther relayd[11143]: relay_tls_transaction: session 1: scheduling on EV_READ
Apr  5 23:46:15 panther relayd[43579]: relay ghost, tls session 4 established (2 active)
Apr  5 23:46:15 panther relayd[11143]: relay ghost, tls session 1 established (1 active)
Apr  5 23:46:21 panther relayd[11143]: relay_tls_transaction: session 2: scheduling on EV_READ
Apr  5 23:46:22 panther relayd[11143]: relay ghost, tls session 2 established (1 active)
Apr  5 23:47:04 panther relayd[11143]: relay_tls_transaction: session 3: scheduling on EV_READ
Apr  5 23:47:04 panther relayd[11143]: relay ghost, tls session 3 established (1 active)
Apr  5 23:47:09 panther relayd[11143]: relay_tls_transaction: session 4: scheduling on EV_READ
Apr  5 23:47:09 panther relayd[11143]: relay ghost, tls session 4 established (2 active)
Apr  5 23:47:09 panther relayd[73657]: relay_tls_transaction: session 1: scheduling on EV_READ
Apr  5 23:47:09 panther relayd[11143]: relay_tls_transaction: session 5: scheduling on EV_READ
Apr  5 23:47:09 panther relayd[73657]: relay ghost, tls session 1 established (1 active)
Apr  5 23:47:09 panther relayd[11143]: relay ghost, tls session 5 established (1 active)
Apr  5 23:48:23 panther relayd[73657]: relay_tls_transaction: session 2: scheduling on EV_READ
Apr  5 23:48:23 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number
Apr  5 23:48:23 panther relayd[73657]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:23 panther relayd[73657]: relay_tls_transaction: session 3: scheduling on EV_READ
Apr  5 23:48:23 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:23 panther relayd[73657]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:24 panther relayd[73657]: relay_tls_transaction: session 4: scheduling on EV_READ
Apr  5 23:48:24 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[73657]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:24 panther relayd[43579]: relay_tls_transaction: session 5: scheduling on EV_READ
Apr  5 23:48:24 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[43579]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:24 panther relayd[73657]: relay_tls_transaction: session 5: scheduling on EV_READ
Apr  5 23:48:24 panther relayd[73657]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number
Apr  5 23:48:24 panther relayd[73657]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:24 panther relayd[43579]: relay_tls_transaction: session 6: scheduling on EV_READ
Apr  5 23:48:24 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: unexpected EOF
Apr  5 23:48:24 panther relayd[43579]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:25 panther relayd[43579]: relay_tls_transaction: session 7: scheduling on EV_READ
Apr  5 23:48:25 panther relayd[43579]: TLS handshake failed: ghost: relay_tls_handshake: handshake failed: error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher
Apr  5 23:48:25 panther relayd[43579]: relay_close: sessions inflight decremented, now 0
Apr  5 23:48:25 panther relayd[11143]: relay_tls_transaction: session 6: scheduling on EV_READ
Apr  5