SlideShare ist ein Scribd-Unternehmen logo

Relayd: a load balancer for OpenBSD

Giovanni Bechis
Giovanni Bechis

Relayd is a daemon to relay and dynamically redirect incoming connections to a target host. Its main purposes are to run as a load-balancer, application layer gateway, or transparent proxy.

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Relayd: a load-balancer for OpenBSD Giovanni Bechis giovanni@openbsd.org University of Applied Sciences, Vienna, Austria May 5, 2012
what is relayd useful for ? Reverse proxy Ssl accelerated reverse proxy Transparent proxy with filtering capabilities Application redirector Load balancer Wan link balancer
a short story First imported in OpenBSD 4.1 Initially it was called hoststated(8) Renamed to relayd(8) in OpenBSD 4.3 Written by pyr@ and reyk@
some relayd(8) features written with security in mind and based on imsg framework ipv4 and ipv6 capable carp(4) capable snmpd(8) integration
software anatomy Relayd is divided in a main process and 3 different engines Parent process HCE: Host check engine PFE: Pf engine Relay engine
the parent process The parent process is the only one that runs with elevated privileges, it runs as ’root’ to be able to handle: configuration files setup sockets external script execution (privileges will be dropped to relayd user before ”execlp” function call) carp demotion requests
host check engine The Host Check Engine uses some methods to verify that the target host service is functional, before routing traffic to the host. It can use: icmp tcp ssl http/https external scripts
pf engine The Packet Filter Engine allows integration with the OpenBSD Packet Filter. Creates and destroys PF rules Updates PF tables based on HCE notifications
relay engine This engine is responsible to filter and relay packets Creates listening sockets for services Filters protocols before relaying
reverse http proxy
reverse http proxy table <web_hosts> { 10.0.0.1 } interval 10 timeout 200 prefork 5 log updates relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check http "/" code 200 }
reverse http proxy A script can be used to check the web server status table <web_hosts> { 10.0.0.1 } relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check script "/scripts/chkweb.pl" }
relayd(8) check scripts A script can be used to check the web server status ... or everything else #!/usr/bin/perl -w use Socket; my $remote = $ARGV[0]; my $proto = getprotobyname(’tcp’); socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $hport = 80; # Http port my $sin = sockaddr_in($hport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $mport = 11211; # Memcached port $sin = sockaddr_in($mport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { exit 1; } else { exit 0; }
http filters Relayd in ”reverse proxy” configuration can filter http requests Change or append http headers Filter http requests by checking http headers Filter http requests by checking url
http filters http protocol "httpfilter" { # Return HTML error pages return error # allow logging of remote client ips to internal web servers header append "$REMOTE_ADDR" to "X-Forwarded-For" # URL filtering request path filter "articleid=*select*" from "/module/article/article/article.asp" # close connections upon receipt header change "Connection" to "close" }
http filters
ssl accelerated reverse http proxy
ssl accelerated reverse http proxy table <web_hosts> { 10.0.0.1 } http protocol "httpfilter" { # close connections upon receipt header change "Connection" to "close" # SSL accelerator ciphers ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 } } relay httpproxy { listen on 192.168.0.1 port 443 ssl protocol "httpfilter" forward to <web_hosts> port 80 check http "/" code 200 }
ssl accelerated reverse http proxy Rsa certificate generation openssl genrsa -out /etc/ssl/private/192.168.0.1:443.key 1024 openssl req -new -key /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/private/192.168.0.1:443.csr openssl x509 -req -days 365 -in /etc/ssl/private/192.168.0.1:443.csr -signkey /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/192.168.0.1:443.crt With the files 192.168.0.1:443.crt and 192.168.0.1:443.key in the right place relayd will do his job
transparent http proxy
transparent http proxy, relayd setup http protocol "httpfilter" { # Return HTML error pages return error header change "Connection" to "close" # Block requests to unwanted hosts request header filter "*youtube.com*" from "Host" request header filter "*facebook.com*" from "Host" } relay httpproxy { listen on 127.0.0.1 port 8080 protocol "httpfilter" forward to destination }
application redirector
application redirector, relayd setup table <srv> { 192.168.0.1, 192.168.0.2 } redirect mysql { listen on 192.168.3.1 port 3306 tag RELAYD sticky-address forward to <srv> port 3306 mode roundrobin check tcp }
load balancer
load balancer dns protocol "dnsfilter" { tcp { nodelay, sack, socket buffer 1024, backlog 1000 } } relay dnsproxy { listen on 127.0.0.1 port 8053 protocol "dnsfilter" forward to <dns_servers> port 53 mode loadbalance check tcp }
relayctl(8) relayctl is the software used to control relayd It can change many configurations at runtime It can be used to show many informations about our current relayd(8) setup
relayctl(8) Some info for our ”relay” setup $ sudo relayctl show sessions session 0:1 192.168.107.205:44159 -> :80 RUNNING age 00:00:01, idle 00:00:01, relay 1, pid 5613 $ sudo relayctl show hosts Id Type Name Avlblty Status 1 table web_hosts:80 active (3 hosts) 1 host 10.0.0.1 100.00% up total: 12/12 checks 2 host 10.10.10.22 100.00% up total: 12/12 checks 3 host 10.10.10.33 100.00% up total: 12/12 checks
relayctl(8) Some info for our ”redirect” setup $ sudo relayctl show summary Id Type Name Avlblty Status 1 redirect mysql active 1 table srv:3306 active (1 hosts) 1 host 192.168.1.3 100.00% up 2 host 192.168.1.4 0.00% down
relayctl(8) Pf interaction $ sudo pfctl -a relayd/mysql -s rules pass in quick on rdomain 0 inet proto tcp from any to 192.168.1.5 port = 3306 flags S/SA keep state (tcp.established 600) tag RELAYD rdr-to <mysql> port 3306 round-robin sticky-address
advanced monitoring Both Munin and Nagios have plugins to check relayd health status
questions ?

Empfohlen

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
FIDO Certification Update (Korean Language)
FIDO Certification Update (Korean Language)FIDO Certification Update (Korean Language)
FIDO Certification Update (Korean Language)FIDO Alliance
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX, Inc.
 
Alphorm.com Formation Nouveautés Windows Server 2016
Alphorm.com Formation Nouveautés Windows Server 2016Alphorm.com Formation Nouveautés Windows Server 2016
Alphorm.com Formation Nouveautés Windows Server 2016Alphorm
 
Création et application d'un script d'ouverture de session
Création et application d'un script d'ouverture de sessionCréation et application d'un script d'ouverture de session
Création et application d'un script d'ouverture de sessionMehdi HAMMADI
 
Ssl https
Ssl httpsSsl https
Ssl httpsAndrada Boldis
 
Active directory Intégration machine
Active directory Intégration machine Active directory Intégration machine
Active directory Intégration machine Yaya N'Tyeni Sanogo
 
OpenGurukul : Database : PostgreSQL
OpenGurukul : Database : PostgreSQLOpenGurukul : Database : PostgreSQL
OpenGurukul : Database : PostgreSQLOpen Gurukul
 

Empfohlen

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
FIDO Certification Update (Korean Language)
FIDO Certification Update (Korean Language)FIDO Certification Update (Korean Language)
FIDO Certification Update (Korean Language)FIDO Alliance
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX, Inc.
 
Alphorm.com Formation Nouveautés Windows Server 2016
Alphorm.com Formation Nouveautés Windows Server 2016Alphorm.com Formation Nouveautés Windows Server 2016
Alphorm.com Formation Nouveautés Windows Server 2016Alphorm
 
Création et application d'un script d'ouverture de session
Création et application d'un script d'ouverture de sessionCréation et application d'un script d'ouverture de session
Création et application d'un script d'ouverture de sessionMehdi HAMMADI
 
Ssl https
Ssl httpsSsl https
Ssl httpsAndrada Boldis
 
Active directory Intégration machine
Active directory Intégration machine Active directory Intégration machine
Active directory Intégration machine Yaya N'Tyeni Sanogo
 
OpenGurukul : Database : PostgreSQL
OpenGurukul : Database : PostgreSQLOpenGurukul : Database : PostgreSQL
OpenGurukul : Database : PostgreSQLOpen Gurukul
 
Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)ENSET, Université Hassan II Casablanca
 
Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02Mohamed Houssem
 
Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0Alphorm
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)Sakka Mustapha
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90minsLarry Cai
 
Vpn
VpnVpn
Vpnmalekoff
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAPJesse Pretorius
 
Solidity
SoliditySolidity
Soliditygavofyork
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
macvlan and ipvlan
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlanSuraj Deshmukh
 
HTTP/2 standard for video streaming
HTTP/2 standard for video streamingHTTP/2 standard for video streaming
HTTP/2 standard for video streamingHung Thai Le
 
Dfs
DfsDfs
DfsAichétou Djimé Gallédou
 
Mise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WANMise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WANGhassen Chaieb
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Bypass pfsense
Bypass pfsenseBypass pfsense
Bypass pfsenseSalmenHAJJI1
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSITorsten Lodderstedt
 
Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)Edouard DEBERDT
 
RADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptxRADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptxZokomElie
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionIan Barber
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulSean Chittenden
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02Mohamed Houssem
 
Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0Alphorm
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)Sakka Mustapha
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90minsLarry Cai
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAPJesse Pretorius
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
HTTP/2 standard for video streaming
HTTP/2 standard for video streamingHTTP/2 standard for video streaming
HTTP/2 standard for video streamingHung Thai Le
 
Mise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WANMise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WANGhassen Chaieb
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)Edouard DEBERDT
 
RADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptxRADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptxZokomElie
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
 

Was ist angesagt? (20)

Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)
 
Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02Pfsense 121202023417-phpapp02
Pfsense 121202023417-phpapp02
 
Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0Alphorm.com Support de la formation Vmware Esxi 6.0
Alphorm.com Support de la formation Vmware Esxi 6.0
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
 
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90mins
 
Vpn
VpnVpn
Vpn
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
 
Solidity
SoliditySolidity
Solidity
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
macvlan and ipvlan
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlan
 
HTTP/2 standard for video streaming
HTTP/2 standard for video streamingHTTP/2 standard for video streaming
HTTP/2 standard for video streaming
 
Dfs
DfsDfs
Dfs
 
Mise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WANMise en place de deux réseaux LAN interconnectés par un réseau WAN
Mise en place de deux réseaux LAN interconnectés par un réseau WAN
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linux
 
Bypass pfsense
Bypass pfsenseBypass pfsense
Bypass pfsense
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)Introduction au Software Defined Networking (SDN)
Introduction au Software Defined Networking (SDN)
 
RADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptxRADIUS ET TACACS+.pptx
RADIUS ET TACACS+.pptx
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng Hưng
 

Ähnlich wie Relayd: a load balancer for OpenBSD

Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionIan Barber
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulSean Chittenden
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & ToolsIan Barber
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backVladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backDefconRussia
 
Rpi python web
Rpi python webRpi python web
Rpi python websewoo lee
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangRusty Klophaus
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsMarcus Frödin
 
Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Данил Иванов
 
Bootstrapping multidc observability stack
Bootstrapping multidc observability stackBootstrapping multidc observability stack
Bootstrapping multidc observability stackBram Vogelaar
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesSreenivas Makam
 
Load Balancing with Apache
Load Balancing with ApacheLoad Balancing with Apache
Load Balancing with ApacheBradley Holt
 
Lua tech talk
Lua tech talkLua tech talk
Lua tech talkLocaweb
 
Tips
TipsTips
Tipsmclee
 
Come configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleCome configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleAntonio Musarra
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hostingwebhostingguy
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 

Ähnlich wie Relayd: a load balancer for OpenBSD (20)

Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backVladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
 
Rpi python web
Rpi python webRpi python web
Rpi python web
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with Erlang
 
tdc2012
tdc2012tdc2012
tdc2012
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.js
 
Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)
 
Bootstrapping multidc observability stack
Bootstrapping multidc observability stackBootstrapping multidc observability stack
Bootstrapping multidc observability stack
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Load Balancing with Apache
Load Balancing with ApacheLoad Balancing with Apache
Load Balancing with Apache
 
Lua tech talk
Lua tech talkLua tech talk
Lua tech talk
 
Haproxy - zastosowania
Haproxy - zastosowaniaHaproxy - zastosowania
Haproxy - zastosowania
 
Tips
TipsTips
Tips
 
Come configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleCome configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per Oracle
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hosting
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 

Mehr von Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 

Mehr von Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 

Kürzlich hochgeladen

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 

Kürzlich hochgeladen (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 

Relayd: a load balancer for OpenBSD

  • 1. Relayd: a load-balancer for OpenBSD Giovanni Bechis giovanni@openbsd.org University of Applied Sciences, Vienna, Austria May 5, 2012
  • 2. what is relayd useful for ? Reverse proxy Ssl accelerated reverse proxy Transparent proxy with filtering capabilities Application redirector Load balancer Wan link balancer
  • 3. a short story First imported in OpenBSD 4.1 Initially it was called hoststated(8) Renamed to relayd(8) in OpenBSD 4.3 Written by pyr@ and reyk@
  • 4. some relayd(8) features written with security in mind and based on imsg framework ipv4 and ipv6 capable carp(4) capable snmpd(8) integration
  • 5. software anatomy Relayd is divided in a main process and 3 different engines Parent process HCE: Host check engine PFE: Pf engine Relay engine
  • 6. the parent process The parent process is the only one that runs with elevated privileges, it runs as ’root’ to be able to handle: configuration files setup sockets external script execution (privileges will be dropped to relayd user before ”execlp” function call) carp demotion requests
  • 7. host check engine The Host Check Engine uses some methods to verify that the target host service is functional, before routing traffic to the host. It can use: icmp tcp ssl http/https external scripts
  • 8. pf engine The Packet Filter Engine allows integration with the OpenBSD Packet Filter. Creates and destroys PF rules Updates PF tables based on HCE notifications
  • 9. relay engine This engine is responsible to filter and relay packets Creates listening sockets for services Filters protocols before relaying
  • 11. reverse http proxy table <web_hosts> { 10.0.0.1 } interval 10 timeout 200 prefork 5 log updates relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check http "/" code 200 }
  • 12. reverse http proxy A script can be used to check the web server status table <web_hosts> { 10.0.0.1 } relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check script "/scripts/chkweb.pl" }
  • 13. relayd(8) check scripts A script can be used to check the web server status ... or everything else #!/usr/bin/perl -w use Socket; my $remote = $ARGV[0]; my $proto = getprotobyname(’tcp’); socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $hport = 80; # Http port my $sin = sockaddr_in($hport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $mport = 11211; # Memcached port $sin = sockaddr_in($mport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { exit 1; } else { exit 0; }
  • 14. http filters Relayd in ”reverse proxy” configuration can filter http requests Change or append http headers Filter http requests by checking http headers Filter http requests by checking url
  • 15. http filters http protocol "httpfilter" { # Return HTML error pages return error # allow logging of remote client ips to internal web servers header append "$REMOTE_ADDR" to "X-Forwarded-For" # URL filtering request path filter "articleid=*select*" from "/module/article/article/article.asp" # close connections upon receipt header change "Connection" to "close" }
  • 18. ssl accelerated reverse http proxy table <web_hosts> { 10.0.0.1 } http protocol "httpfilter" { # close connections upon receipt header change "Connection" to "close" # SSL accelerator ciphers ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 } } relay httpproxy { listen on 192.168.0.1 port 443 ssl protocol "httpfilter" forward to <web_hosts> port 80 check http "/" code 200 }
  • 19. ssl accelerated reverse http proxy Rsa certificate generation openssl genrsa -out /etc/ssl/private/192.168.0.1:443.key 1024 openssl req -new -key /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/private/192.168.0.1:443.csr openssl x509 -req -days 365 -in /etc/ssl/private/192.168.0.1:443.csr -signkey /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/192.168.0.1:443.crt With the files 192.168.0.1:443.crt and 192.168.0.1:443.key in the right place relayd will do his job
  • 21. transparent http proxy, relayd setup http protocol "httpfilter" { # Return HTML error pages return error header change "Connection" to "close" # Block requests to unwanted hosts request header filter "*youtube.com*" from "Host" request header filter "*facebook.com*" from "Host" } relay httpproxy { listen on 127.0.0.1 port 8080 protocol "httpfilter" forward to destination }
  • 23. application redirector, relayd setup table <srv> { 192.168.0.1, 192.168.0.2 } redirect mysql { listen on 192.168.3.1 port 3306 tag RELAYD sticky-address forward to <srv> port 3306 mode roundrobin check tcp }
  • 25. load balancer dns protocol "dnsfilter" { tcp { nodelay, sack, socket buffer 1024, backlog 1000 } } relay dnsproxy { listen on 127.0.0.1 port 8053 protocol "dnsfilter" forward to <dns_servers> port 53 mode loadbalance check tcp }
  • 26. relayctl(8) relayctl is the software used to control relayd It can change many configurations at runtime It can be used to show many informations about our current relayd(8) setup
  • 27. relayctl(8) Some info for our ”relay” setup $ sudo relayctl show sessions session 0:1 192.168.107.205:44159 -> :80 RUNNING age 00:00:01, idle 00:00:01, relay 1, pid 5613 $ sudo relayctl show hosts Id Type Name Avlblty Status 1 table web_hosts:80 active (3 hosts) 1 host 10.0.0.1 100.00% up total: 12/12 checks 2 host 10.10.10.22 100.00% up total: 12/12 checks 3 host 10.10.10.33 100.00% up total: 12/12 checks
  • 28. relayctl(8) Some info for our ”redirect” setup $ sudo relayctl show summary Id Type Name Avlblty Status 1 redirect mysql active 1 table srv:3306 active (1 hosts) 1 host 192.168.1.3 100.00% up 2 host 192.168.1.4 0.00% down
  • 29. relayctl(8) Pf interaction $ sudo pfctl -a relayd/mysql -s rules pass in quick on rdomain 0 inet proto tcp from any to 192.168.1.5 port = 3306 flags S/SA keep state (tcp.established 600) tag RELAYD rdr-to <mysql> port 3306 round-robin sticky-address
  • 30. advanced monitoring Both Munin and Nagios have plugins to check relayd health status