Relayd: a load-balancer for OpenBSD

            Giovanni Bechis
        giovanni@openbsd.org




      University of Applied Sciences,
             Vienna, Austria
               May 5, 2012
what is relayd useful for ?




       Reverse proxy
       SSL/TLS accelerated reverse proxy
       Transparent proxy with filtering capabilities
       Application redirector
       Load balancer
       WAN link balancer
a short story




       First imported in OpenBSD 4.1
       Initially it was called hoststated(8)
       Renamed to relayd(8) in OpenBSD 4.3
       Written by pyr@ and reyk@
some relayd(8) features




      written with security in mind: privilege-separated processes that
      talk to each other over the imsg framework
      IPv4 and IPv6 capable
      carp(4) capable
      snmpd(8) integration
software anatomy




   Relayd is divided into a main process and three different engines,
   each running in its own process
       Parent process
       HCE: Host check engine
       PFE: pf engine
       Relay engine
the parent process



   The parent process is the only one that runs with elevated
   privileges; it runs as root to be able to handle:
       reading the configuration files
       setting up the listening sockets
       external script execution (privileges are dropped to the relayd
       user before the execlp(3) call, so the script itself never runs
       as root)
       carp(4) demotion requests
host check engine



   The Host Check Engine uses one of several methods to verify that the
   target host's service is working before traffic is routed to the host.
   It can use:
       ICMP
       TCP connect
       SSL/TLS handshake
       HTTP/HTTPS (status code or page digest)
       external scripts
pf engine




   The Packet Filter Engine integrates relayd with the OpenBSD
   Packet Filter.
       Creates and destroys pf rules, kept in relayd's own "relayd/*" anchor
       Updates pf tables based on HCE notifications, so hosts that fail
       their checks stop receiving traffic
relay engine




   This engine accepts client connections, applies the protocol filters
   and relays the data to the backends
       Creates listening sockets for services
       Filters protocols before relaying
reverse http proxy


   table <web_hosts> { 10.0.0.1 }

   interval 10      # seconds between host checks
   timeout 200      # check timeout, in milliseconds
   prefork 5        # number of relay processes to fork
   log updates      # log host state changes

   relay httpproxy {
      listen on 192.168.0.1 port 80

       forward to <web_hosts> port 80 check http "/" code 200
   }
reverse http proxy


   A script can be used instead of the built-in HTTP check to decide
   whether a web server is healthy


   table <web_hosts> { 10.0.0.1 }

   relay httpproxy {
      listen on 192.168.0.1 port 80

       forward to <web_hosts> port 80 \
          check script "/scripts/chkweb.pl"
   }
relayd(8) check scripts
   A script can be used to check the web server status ... or
   anything else. relayd runs the script with the host address as its
   only argument and reads the exit status: non-zero means the host is
   up, zero means it is down. relayd waits for the script, so keep it
   fast; a hung script delays the whole check cycle.

   #!/usr/bin/perl -w
   # Called by relayd as: /scripts/chkweb.pl <host>
   # Exit status: non-zero = host up, 0 = host down.
   use strict;
   use Socket;

   my $remote = $ARGV[0] or exit 0;      # no host given: report down
   my $proto  = getprotobyname('tcp');
   my $addr   = inet_aton($remote) or exit 0;

   # first check: the HTTP port must accept a connection
   socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto) or exit 0;
   my $hport = 80; # Http port
   my $sin = sockaddr_in($hport, $addr);
   if (connect(Socket_Handle, $sin)) {
    close(Socket_Handle);
    # second check: memcached on the same host must answer too
    socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto) or exit 0;
    my $mport = 11211; # Memcached port
    $sin = sockaddr_in($mport, $addr);
    if (connect(Socket_Handle, $sin)) {
     close(Socket_Handle);
     exit 1;    # both services answer: host is up
    } else {
     exit 0;    # memcached down: take the host out of rotation
    }
   } else {
    exit 0;     # web server unreachable: host is down
   }
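   The same two-service check written the way a practitioner would deploy it
   today, as an added example that is not from the slides or from the relayd
   project: it adds a per-port connection timeout so a filtered port cannot
   stall the checker, refuses to report "up" when it is misused, and keeps
   relayd's exit-status convention (non-zero means up, zero means down). The
   port list and the timeout value are assumptions for the example; the
   selftest() helper exists only so the logic can be exercised offline
   against a throwaway loopback listener.

```python
#!/usr/bin/env python3
"""relayd(8) check script: relayd runs it as `script <host>` and treats a
non-zero exit status as "host up" and zero as "host down"."""
import socket
import sys
from contextlib import closing

# Example assumptions: both services must answer before the host is
# considered usable; adjust the list to the real backend.
PORTS = (80, 11211)       # HTTP and memcached, as on the slide
CONNECT_TIMEOUT = 2.0     # seconds per port; a hung check must never stall relayd


def port_open(host, port, timeout=CONNECT_TIMEOUT):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:           # refused, unreachable, or timed out
        return False


def host_is_up(host, ports=PORTS, timeout=CONNECT_TIMEOUT):
    """Every listed port must answer; one closed port marks the host down.
    An empty port list is a configuration error, never a healthy host."""
    if not ports:
        return False
    return all(port_open(host, p, timeout) for p in ports)


def relayd_exit_code(up):
    """Map the verdict onto relayd's convention: 1 = up, 0 = down."""
    return 1 if up else 0


def selftest():
    """Exercise the checker offline against a throwaway loopback listener.
    Returns (result while listening, result after the listener is closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))      # the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = host_is_up("127.0.0.1", (port,), 1.0)
    after_close = host_is_up("127.0.0.1", (port,), 1.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s host\n" % sys.argv[0])
        sys.exit(0)               # a misused script must never report "up"
    sys.exit(relayd_exit_code(host_is_up(sys.argv[1])))
```

   Install it as /scripts/chkweb.py with execute permission for the relayd
   user and point "check script" at it; relayd supplies the host address
   from the table as argv[1].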
http filters




   Relayd in "reverse proxy" configuration can filter HTTP requests
       Change or append HTTP headers
       Filter HTTP requests by checking HTTP headers
       Filter HTTP requests by checking the URL
http filters

   http protocol "httpfilter" {

       # Return HTML error pages
       return error

       # allow logging of remote client ips to internal web servers
       header append "$REMOTE_ADDR" to "X-Forwarded-For"

       # URL filtering
       request path filter "articleid=*select*" \
          from "/module/article/article/article.asp"

       # close connections upon receipt
       header change "Connection" to "close"
   }

   "header append" adds the proxy's view of the client address to any
   X-Forwarded-For header the client already sent, so the backends must
   take the last entry and trust only this proxy; the earlier values are
   attacker-controlled. The path filter is a wildcard match on the request
   path: a stopgap for one known bad request pattern, not an injection
   defense.
ssl accelerated reverse http proxy

   table <web_hosts> { 10.0.0.1 }

   http protocol "httpfilter" {

       # close connections upon receipt
       header change "Connection" to "close"
       # SSL accelerator ciphers
       ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
   }

   relay httpproxy {
      listen on 192.168.0.1 port 443 ssl
      protocol "httpfilter"
      forward to <web_hosts> port 80 check http "/" code 200
   }

   The relay terminates SSL/TLS on port 443 and talks plain HTTP to the
   backends on port 80, so the hop from 192.168.0.1 to 10.0.0.1 has to be
   a trusted network. The protocol options above are those of relayd in
   2012; SSLv3 has since been retired, and current relayd uses the "tls"
   keyword and only negotiates TLS versions.
ssl accelerated reverse http proxy

   RSA certificate generation


   openssl genrsa -out /etc/ssl/private/192.168.0.1:443.key 1024
   openssl req -new -key /etc/ssl/private/192.168.0.1:443.key \
      -out /etc/ssl/private/192.168.0.1:443.csr

   openssl x509 -req -days 365 \
      -in /etc/ssl/private/192.168.0.1:443.csr \
      -signkey /etc/ssl/private/192.168.0.1:443.key \
      -out /etc/ssl/192.168.0.1:443.crt


   relayd looks up the key and the certificate by the relay's listen
   address and port: /etc/ssl/private/192.168.0.1:443.key and
   /etc/ssl/192.168.0.1:443.crt. With those two files in place relayd
   does its job. Two caveats for today: 1024-bit RSA keys are below the
   current minimum, so generate at least 2048 bits; and the last command
   produces a self-signed certificate, which browsers warn about, so for
   a public service have the CSR signed by a CA instead. Keep the .key
   file readable by root only.
transparent http proxy, relayd setup

   http protocol "httpfilter" {
      # Return HTML error pages
      return error

       header change "Connection" to "close"

       # Block requests to unwanted hosts
       request header filter "*youtube.com*" from "Host"
       request header filter "*facebook.com*" from "Host"
   }

   relay httpproxy {
      listen on 127.0.0.1 port 8080
      protocol "httpfilter"
      forward to destination
   }

   "forward to destination" keeps the client's original destination, so
   the relay only sees what pf(4) hands it: a pass rule with "divert-to
   127.0.0.1 port 8080" for the LAN's outgoing port 80 traffic is
   required. Only plain HTTP is inspected this way; HTTPS is not diverted
   here and its Host header is encrypted anyway.
application redirector, relayd setup




   table <srv> { 192.168.0.1, 192.168.0.2 }

   redirect mysql {
           listen on 192.168.3.1 port 3306
           tag RELAYD
           sticky-address
           forward to <srv> port 3306 mode roundrobin check tcp
   }

   A redirect is pure pf(4): relayd installs rdr-to rules in its own
   "relayd/*" anchor and only keeps the backend table in sync with the
   host checks, so pf.conf needs an anchor "relayd/*" line for the rules
   to take effect. "sticky-address" pins a client to the backend it was
   first sent to, and "tag RELAYD" lets later pf rules match the
   redirected packets.
load balancer


   dns protocol "dnsfilter" {
      tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
   }

   relay dnsproxy {
         listen on 127.0.0.1 port 8053

        protocol "dnsfilter"

        forward to <dns_servers> port 53 \
                  mode loadbalance check tcp
   }

   The <dns_servers> table is defined like <web_hosts> in the earlier
   examples. "mode loadbalance" picks the backend from a hash of the
   client's source address and the relay, so a client keeps hitting the
   same server for as long as that server passes its checks.
relayctl(8)




       relayctl is the tool used to control relayd
       It can change many settings at runtime (enable or disable hosts,
       tables and relays, reload the configuration)
       It can show a lot of information about the current relayd(8)
       setup
relayctl(8)
   Some info for our "relay" setup


   $ sudo relayctl show sessions
   session 0:1 192.168.107.205:44159 -> :80        RUNNING
           age 00:00:01, idle 00:00:01, relay 1, pid 5613
   $ sudo relayctl show hosts
   Id      Type     Name                   Avlblty Status
   1       table    web_hosts:80                   active (3 hosts)
   1       host     10.0.0.1                       100.00% up
                    total: 12/12 checks
   2       host     10.10.10.22                    100.00% up
                    total: 12/12 checks
   3       host     10.10.10.33                    100.00% up
                    total: 12/12 checks
relayctl(8)


   Some info for our "redirect" setup


   $ sudo relayctl show summary
   Id      Type            Name          Avlblty Status
   1       redirect        mysql                 active
   1       table           srv:3306              active (1 hosts)
   1       host            192.168.1.3           100.00% up
   2       host            192.168.1.4           0.00%   down
relayctl(8)


   pf interaction: the rules relayd installed in its own anchor


   $ sudo pfctl -a relayd/mysql -s rules
   pass in quick on rdomain 0 inet proto tcp from any 
      to 192.168.1.5 port = 3306 flags S/SA 
      keep state (tcp.established 600) 
      tag RELAYD rdr-to <mysql> port 3306 
      round-robin sticky-address
advanced monitoring
   Both Munin and Nagios have plugins that check relayd's health status
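   A minimal Nagios-style check built on the relayctl output shown on the
   previous slides, added here as an example; it is not one of the Munin or
   Nagios plugins the slide refers to. It parses "relayctl show summary",
   groups host lines under the table that precedes them, and turns the
   result into the usual plugin exit codes (0 OK, 1 WARNING for a degraded
   table, 2 CRITICAL when a table has no serving host left). The embedded
   sample is constructed from the slide, not captured from a live system;
   treating "disabled" hosts as intentionally pulled rather than as an
   outage is an assumption of the example.

```python
#!/usr/bin/env python3
"""Nagios-style check built on `relayctl show summary` output."""
import re
import subprocess
import sys

# Constructed sample, modelled on the summary shown on the slides
# (not captured from a live system).
SAMPLE_SUMMARY = """\
Id      Type            Name          Avlblty Status
1       redirect        mysql                 active
1       table           srv:3306              active (1 hosts)
1       host            192.168.1.3           100.00% up
2       host            192.168.1.4           0.00%   down
"""

TABLE_RE = re.compile(r"^\s*(\d+)\s+table\s+(\S+)")
HOST_RE = re.compile(r"^\s*(\d+)\s+host\s+(\S+)\s+([\d.]+)%\s+(\S+)")

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes


def parse_summary(text):
    """Return {table name: [host dicts]}; a host belongs to the table line
    that precedes it, which is how relayctl prints them."""
    tables, current = {}, None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            current = m.group(2)
            tables.setdefault(current, [])
            continue
        m = HOST_RE.match(line)
        if m and current is not None:
            tables[current].append({
                "id": int(m.group(1)),
                "name": m.group(2),
                "availability": float(m.group(3)),
                "status": m.group(4),
            })
    return tables


def evaluate(tables):
    """CRITICAL when a table has no serving host left, WARNING when it is
    degraded, OK otherwise. Hosts marked "disabled" are left out on purpose:
    an operator pulled them, so they are not an outage (assumption)."""
    code, problems = OK, []
    for name, hosts in tables.items():
        active = [h for h in hosts if h["status"] != "disabled"]
        down = [h["name"] for h in active if h["status"] != "up"]
        if active and len(down) == len(active):
            code = CRITICAL
            problems.append("%s: all %d hosts down" % (name, len(active)))
        elif down:
            code = max(code, WARNING)
            problems.append("%s: down %s" % (name, ",".join(down)))
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[code]
    return code, "RELAYD %s - %s" % (label, "; ".join(problems) or "all hosts up")


def live_summary():
    """Ask the running relayd; relayctl needs the control socket, so run this
    as root (or through sudo, as on the slides)."""
    return subprocess.run(["relayctl", "show", "summary"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_summary() if "--live" in sys.argv[1:] else SAMPLE_SUMMARY
    code, message = evaluate(parse_summary(text))
    print(message)
    sys.exit(code)
```

   Run without arguments it evaluates the embedded sample (one of two
   backends down, so WARNING); with --live it queries relayctl. The same
   parser works on "relayctl show hosts" output, since the per-host lines
   have the same layout and the "total: n/m checks" lines are ignored.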
questions ?
