SlideShare uma empresa Scribd logo
1 de 31
Baixar para ler offline
Relayd: a load-balancer for OpenBSD

            Giovanni Bechis
        giovanni@openbsd.org




      University of Applied Sciences,
             Vienna, Austria
               May 5, 2012
what is relayd useful for ?




       Reverse proxy
       Ssl accelerated reverse proxy
       Transparent proxy with filtering capabilities
       Application redirector
       Load balancer
       Wan link balancer
a short story




       First imported in OpenBSD 4.1
       Initially it was called hoststated(8)
       Renamed to relayd(8) in OpenBSD 4.3
       Written by pyr@ and reyk@
some relayd(8) features




      written with security in mind and based on imsg framework
      ipv4 and ipv6 capable
      carp(4) capable
      snmpd(8) integration
software anatomy




   Relayd is divided in a main process and 3 different engines
       Parent process
       HCE: Host check engine
       PFE: Pf engine
       Relay engine
the parent process



   The parent process is the only one that runs with elevated
   privileges, it runs as ’root’ to be able to handle:
       configuration files
       setup sockets
       external script execution (privileges will be dropped to relayd
       user before ”execlp” function call)
       carp demotion requests
host check engine



   The Host Check Engine uses some methods to verify that the
   target host service is functional, before routing traffic to the host.
   It can use:
       icmp
       tcp
       ssl
       http/https
       external scripts
pf engine




   The Packet Filter Engine allows integration with the OpenBSD
   Packet Filter.
       Creates and destroys PF rules
       Updates PF tables based on HCE notifications
relay engine




   This engine is responsible to filter and relay packets
       Creates listening sockets for services
       Filters protocols before relaying
reverse http proxy
reverse http proxy


   table <web_hosts> { 10.0.0.1 }

   interval 10
   timeout 200
   prefork 5
   log updates

   relay httpproxy {
      listen on 192.168.0.1 port 80

       forward to <web_hosts> port 80 check http "/" code 200
   }
reverse http proxy


   A script can be used to check the web server status


   table <web_hosts> { 10.0.0.1 }

   relay httpproxy {
      listen on 192.168.0.1 port 80

       forward to <web_hosts> port 80 
          check script "/scripts/chkweb.pl"
   }
relayd(8) check scripts
   A script can be used to check the web server status ... or
   everything else
   #!/usr/bin/perl -w

   use Socket;

   my $remote = $ARGV[0];
   my $proto = getprotobyname(’tcp’);
   socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
   my $hport = 80; # Http port
   my $sin = sockaddr_in($hport,inet_aton("$remote"));
   if (connect(Socket_Handle,$sin)) {
    socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
    my $mport = 11211; # Memcached port
    $sin = sockaddr_in($mport,inet_aton("$remote"));
    if (connect(Socket_Handle,$sin)) {
     exit 1;
    } else {
     exit 0;
    }
http filters




   Relayd in ”reverse proxy” configuration can filter http requests
       Change or append http headers
       Filter http requests by checking http headers
       Filter http requests by checking url
http filters

   http protocol "httpfilter" {

       # Return HTML error pages
       return error

       # allow logging of remote client ips to internal web servers
       header append "$REMOTE_ADDR" to "X-Forwarded-For"

       # URL filtering
       request path filter "articleid=*select*" 
          from "/module/article/article/article.asp"

       # close connections upon receipt
       header change "Connection" to "close"
   }
http filters
ssl accelerated reverse http proxy
ssl accelerated reverse http proxy

   table <web_hosts> { 10.0.0.1 }

   http protocol "httpfilter" {

       # close connections upon receipt
       header change "Connection" to "close"
       # SSL accelerator ciphers
       ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
   }

   relay httpproxy {
      listen on 192.168.0.1 port 443 ssl
      protocol "httpfilter"
      forward to <web_hosts> port 80 check http "/" code 200
   }
ssl accelerated reverse http proxy

   Rsa certificate generation


   openssl genrsa -out /etc/ssl/private/192.168.0.1:443.key 1024
   openssl req -new -key /etc/ssl/private/192.168.0.1:443.key 
      -out /etc/ssl/private/192.168.0.1:443.csr

   openssl x509 -req -days 365 
      -in /etc/ssl/private/192.168.0.1:443.csr 
      -signkey /etc/ssl/private/192.168.0.1:443.key 
      -out /etc/ssl/192.168.0.1:443.crt


   With the files 192.168.0.1:443.crt and 192.168.0.1:443.key in the
   right place relayd will do his job
transparent http proxy
transparent http proxy, relayd setup

   http protocol "httpfilter" {
      # Return HTML error pages
      return error

       header change "Connection" to "close"

       # Block requests to unwanted hosts
       request header filter "*youtube.com*" from "Host"
       request header filter "*facebook.com*" from "Host"
   }

   relay httpproxy {
      listen on 127.0.0.1 port 8080
      protocol "httpfilter"
      forward to destination
   }
application redirector
application redirector, relayd setup




   table <srv> { 192.168.0.1, 192.168.0.2 }

   redirect mysql {
           listen on 192.168.3.1 port 3306
           tag RELAYD
           sticky-address
           forward to <srv> port 3306 mode roundrobin check tcp
   }
load balancer
load balancer


   dns protocol "dnsfilter" {
      tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
   }

   relay dnsproxy {
         listen on 127.0.0.1 port 8053

        protocol "dnsfilter"

        forward to <dns_servers> port 53 
                  mode loadbalance check tcp
   }
relayctl(8)




       relayctl is the software used to control relayd
       It can change many configurations at runtime
       It can be used to show many informations about our current
       relayd(8) setup
relayctl(8)
   Some info for our ”relay” setup


   $ sudo relayctl show sessions
   session 0:1 192.168.107.205:44159 -> :80        RUNNING
           age 00:00:01, idle 00:00:01, relay 1, pid 5613
   $ sudo relayctl show hosts
   Id      Type     Name                   Avlblty Status
   1       table    web_hosts:80                   active (3 hosts)
   1       host     10.0.0.1                       100.00% up
                    total: 12/12 checks
   2       host     10.10.10.22                    100.00% up
                    total: 12/12 checks
   3       host     10.10.10.33                    100.00% up
                    total: 12/12 checks
relayctl(8)


   Some info for our ”redirect” setup


   $ sudo relayctl show summary
   Id      Type            Name          Avlblty Status
   1       redirect        mysql                 active
   1       table           srv:3306              active (1 hosts)
   1       host            192.168.1.3           100.00% up
   2       host            192.168.1.4           0.00%   down
relayctl(8)


   Pf interaction


   $ sudo pfctl -a relayd/mysql -s rules
   pass in quick on rdomain 0 inet proto tcp from any 
      to 192.168.1.5 port = 3306 flags S/SA 
      keep state (tcp.established 600) 
      tag RELAYD rdr-to <mysql> port 3306 
      round-robin sticky-address
advanced monitoring
   Both Munin and Nagios have plugins to check relayd health status
questions ?

Mais conteúdo relacionado

Mais procurados

An Introduction to CMake
An Introduction to CMakeAn Introduction to CMake
An Introduction to CMakeICS
 
Introduce to Rust-A Powerful System Language
Introduce to Rust-A Powerful System LanguageIntroduce to Rust-A Powerful System Language
Introduce to Rust-A Powerful System Language安齊 劉
 
Chap 6 : classes et interfaces
Chap 6 : classes et interfacesChap 6 : classes et interfaces
Chap 6 : classes et interfacesAziz Darouichi
 
Hibernate
Hibernate Hibernate
Hibernate Sunil OS
 
CCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyCCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyVuz Dở Hơi
 
Développement d'applications pour la plateforme Java EE
Développement d'applications pour la plateforme Java EEDéveloppement d'applications pour la plateforme Java EE
Développement d'applications pour la plateforme Java EESabri Bouchlema
 
From framework coupled code to #microservices through #DDD /by @codelytv
From framework coupled code to #microservices through #DDD /by @codelytvFrom framework coupled code to #microservices through #DDD /by @codelytv
From framework coupled code to #microservices through #DDD /by @codelytvCodelyTV
 
Java Socket Programming
Java Socket ProgrammingJava Socket Programming
Java Socket ProgrammingVipin Yadav
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementLF Events
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring bootAntoine Rey
 
Bridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatBridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatNetProtocol Xpert
 
Programmation réseau en JAVA
Programmation réseau en JAVAProgrammation réseau en JAVA
Programmation réseau en JAVABachir Benyammi
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4Nil Menon
 
Algebre relationelle
Algebre relationelleAlgebre relationelle
Algebre relationellehnsfr
 

Mais procurados (20)

An Introduction to CMake
An Introduction to CMakeAn Introduction to CMake
An Introduction to CMake
 
Introduce to Rust-A Powerful System Language
Introduce to Rust-A Powerful System LanguageIntroduce to Rust-A Powerful System Language
Introduce to Rust-A Powerful System Language
 
Chap 6 : classes et interfaces
Chap 6 : classes et interfacesChap 6 : classes et interfaces
Chap 6 : classes et interfaces
 
Hibernate
Hibernate Hibernate
Hibernate
 
CCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyCCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan Redundancy
 
Développement d'applications pour la plateforme Java EE
Développement d'applications pour la plateforme Java EEDéveloppement d'applications pour la plateforme Java EE
Développement d'applications pour la plateforme Java EE
 
Clean architecture - PHP
Clean architecture - PHPClean architecture - PHP
Clean architecture - PHP
 
Sockets
SocketsSockets
Sockets
 
From framework coupled code to #microservices through #DDD /by @codelytv
From framework coupled code to #microservices through #DDD /by @codelytvFrom framework coupled code to #microservices through #DDD /by @codelytv
From framework coupled code to #microservices through #DDD /by @codelytv
 
Rapport Sockets en Java
Rapport Sockets en JavaRapport Sockets en Java
Rapport Sockets en Java
 
Java Socket Programming
Java Socket ProgrammingJava Socket Programming
Java Socket Programming
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring boot
 
Bridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatBridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame Format
 
Smart pointers
Smart pointersSmart pointers
Smart pointers
 
Programmation réseau en JAVA
Programmation réseau en JAVAProgrammation réseau en JAVA
Programmation réseau en JAVA
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4
 
Algebre relationelle
Algebre relationelleAlgebre relationelle
Algebre relationelle
 
Java servlets
Java servletsJava servlets
Java servlets
 
Spring JMS
Spring JMSSpring JMS
Spring JMS
 

Semelhante a Relayd: a load balancer for OpenBSD

Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionIan Barber
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulSean Chittenden
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & ToolsIan Barber
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backVladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backDefconRussia
 
Rpi python web
Rpi python webRpi python web
Rpi python websewoo lee
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangRusty Klophaus
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsMarcus Frödin
 
Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Данил Иванов
 
Bootstrapping multidc observability stack
Bootstrapping multidc observability stackBootstrapping multidc observability stack
Bootstrapping multidc observability stackBram Vogelaar
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesSreenivas Makam
 
Load Balancing with Apache
Load Balancing with ApacheLoad Balancing with Apache
Load Balancing with ApacheBradley Holt
 
Lua tech talk
Lua tech talkLua tech talk
Lua tech talkLocaweb
 
Tips
TipsTips
Tipsmclee
 
Come configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleCome configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleAntonio Musarra
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hostingwebhostingguy
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 

Semelhante a Relayd: a load balancer for OpenBSD (20)

Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backVladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
 
Rpi python web
Rpi python webRpi python web
Rpi python web
 
Everybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with ErlangEverybody Polyglot! - Cross-Language RPC with Erlang
Everybody Polyglot! - Cross-Language RPC with Erlang
 
tdc2012
tdc2012tdc2012
tdc2012
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.js
 
Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)Varnish Cache and Django (Falcon, Flask etc)
Varnish Cache and Django (Falcon, Flask etc)
 
Bootstrapping multidc observability stack
Bootstrapping multidc observability stackBootstrapping multidc observability stack
Bootstrapping multidc observability stack
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Load Balancing with Apache
Load Balancing with ApacheLoad Balancing with Apache
Load Balancing with Apache
 
Lua tech talk
Lua tech talkLua tech talk
Lua tech talk
 
Haproxy - zastosowania
Haproxy - zastosowaniaHaproxy - zastosowania
Haproxy - zastosowania
 
Tips
TipsTips
Tips
 
Come configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per OracleCome configurare Liferay 6.0 per Oracle
Come configurare Liferay 6.0 per Oracle
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hosting
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 

Mais de Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 

Mais de Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 

Último

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Último (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Relayd: a load balancer for OpenBSD

  • 1. Relayd: a load-balancer for OpenBSD Giovanni Bechis giovanni@openbsd.org University of Applied Sciences, Vienna, Austria May 5, 2012
  • 2. what is relayd useful for ? Reverse proxy Ssl accelerated reverse proxy Transparent proxy with filtering capabilities Application redirector Load balancer Wan link balancer
  • 3. a short story First imported in OpenBSD 4.1 Initially it was called hoststated(8) Renamed to relayd(8) in OpenBSD 4.3 Written by pyr@ and reyk@
  • 4. some relayd(8) features written with security in mind and based on imsg framework ipv4 and ipv6 capable carp(4) capable snmpd(8) integration
  • 5. software anatomy Relayd is divided in a main process and 3 different engines Parent process HCE: Host check engine PFE: Pf engine Relay engine
  • 6. the parent process The parent process is the only one that runs with elevated privileges, it runs as ’root’ to be able to handle: configuration files setup sockets external script execution (privileges will be dropped to relayd user before ”execlp” function call) carp demotion requests
  • 7. host check engine The Host Check Engine uses some methods to verify that the target host service is functional, before routing traffic to the host. It can use: icmp tcp ssl http/https external scripts
  • 8. pf engine The Packet Filter Engine allows integration with the OpenBSD Packet Filter. Creates and destroys PF rules Updates PF tables based on HCE notifications
  • 9. relay engine This engine is responsible to filter and relay packets Creates listening sockets for services Filters protocols before relaying
  • 11. reverse http proxy table <web_hosts> { 10.0.0.1 } interval 10 timeout 200 prefork 5 log updates relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check http "/" code 200 }
  • 12. reverse http proxy A script can be used to check the web server status table <web_hosts> { 10.0.0.1 } relay httpproxy { listen on 192.168.0.1 port 80 forward to <web_hosts> port 80 check script "/scripts/chkweb.pl" }
  • 13. relayd(8) check scripts A script can be used to check the web server status ... or everything else #!/usr/bin/perl -w use Socket; my $remote = $ARGV[0]; my $proto = getprotobyname(’tcp’); socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $hport = 80; # Http port my $sin = sockaddr_in($hport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto); my $mport = 11211; # Memcached port $sin = sockaddr_in($mport,inet_aton("$remote")); if (connect(Socket_Handle,$sin)) { exit 1; } else { exit 0; }
  • 14. http filters Relayd in ”reverse proxy” configuration can filter http requests Change or append http headers Filter http requests by checking http headers Filter http requests by checking url
  • 15. http filters http protocol "httpfilter" { # Return HTML error pages return error # allow logging of remote client ips to internal web servers header append "$REMOTE_ADDR" to "X-Forwarded-For" # URL filtering request path filter "articleid=*select*" from "/module/article/article/article.asp" # close connections upon receipt header change "Connection" to "close" }
  • 18. ssl accelerated reverse http proxy table <web_hosts> { 10.0.0.1 } http protocol "httpfilter" { # close connections upon receipt header change "Connection" to "close" # SSL accelerator ciphers ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 } } relay httpproxy { listen on 192.168.0.1 port 443 ssl protocol "httpfilter" forward to <web_hosts> port 80 check http "/" code 200 }
  • 19. ssl accelerated reverse http proxy Rsa certificate generation openssl genrsa -out /etc/ssl/private/192.168.0.1:443.key 1024 openssl req -new -key /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/private/192.168.0.1:443.csr openssl x509 -req -days 365 -in /etc/ssl/private/192.168.0.1:443.csr -signkey /etc/ssl/private/192.168.0.1:443.key -out /etc/ssl/192.168.0.1:443.crt With the files 192.168.0.1:443.crt and 192.168.0.1:443.key in the right place relayd will do his job
  • 21. transparent http proxy, relayd setup http protocol "httpfilter" { # Return HTML error pages return error header change "Connection" to "close" # Block requests to unwanted hosts request header filter "*youtube.com*" from "Host" request header filter "*facebook.com*" from "Host" } relay httpproxy { listen on 127.0.0.1 port 8080 protocol "httpfilter" forward to destination }
  • 23. application redirector, relayd setup table <srv> { 192.168.0.1, 192.168.0.2 } redirect mysql { listen on 192.168.3.1 port 3306 tag RELAYD sticky-address forward to <srv> port 3306 mode roundrobin check tcp }
  • 25. load balancer dns protocol "dnsfilter" { tcp { nodelay, sack, socket buffer 1024, backlog 1000 } } relay dnsproxy { listen on 127.0.0.1 port 8053 protocol "dnsfilter" forward to <dns_servers> port 53 mode loadbalance check tcp }
  • 26. relayctl(8) relayctl is the software used to control relayd It can change many configurations at runtime It can be used to show many informations about our current relayd(8) setup
  • 27. relayctl(8) Some info for our ”relay” setup $ sudo relayctl show sessions session 0:1 192.168.107.205:44159 -> :80 RUNNING age 00:00:01, idle 00:00:01, relay 1, pid 5613 $ sudo relayctl show hosts Id Type Name Avlblty Status 1 table web_hosts:80 active (3 hosts) 1 host 10.0.0.1 100.00% up total: 12/12 checks 2 host 10.10.10.22 100.00% up total: 12/12 checks 3 host 10.10.10.33 100.00% up total: 12/12 checks
  • 28. relayctl(8) Some info for our ”redirect” setup $ sudo relayctl show summary Id Type Name Avlblty Status 1 redirect mysql active 1 table srv:3306 active (1 hosts) 1 host 192.168.1.3 100.00% up 2 host 192.168.1.4 0.00% down
  • 29. relayctl(8) Pf interaction $ sudo pfctl -a relayd/mysql -s rules pass in quick on rdomain 0 inet proto tcp from any to 192.168.1.5 port = 3306 flags S/SA keep state (tcp.established 600) tag RELAYD rdr-to <mysql> port 3306 round-robin sticky-address
  • 30. advanced monitoring Both Munin and Nagios have plugins to check relayd health status