Hello everybody,
I return with the same question. I am sorry I am disturbing you with such questions, but I really do not know where to ask for advice, and this is the most appropriate place.

The service I created is not HTTP-like, so there are no headers in which to insert the original IP. The reason I want this is that the daemon is written in Erlang and ssl processing consumes memory and processor. As one can imagine, all ssl processing is going on in the same Erlang virtual machine, and a low resource footprint is required; ssl increases the resource consumption due to the way the Erlang ssl library is built. If all ssl processing is moved outside the Erlang virtual machine, then resource consumption decreases dramatically, but I also need the original IP address to be seen by the daemon, not the address of the relayd host, 127.0.0.1.

The problem with Erlang, despite its support for massive concurrency, is that all threads are running inside a single instance of an Erlang virtual machine, so care needs to be taken to ensure that there are no memory- and processor-hungry threads inside that machine instance, and ssl threads are such kind of threads. ssl offloading with relayd results in both fast processing and a low resource footprint for the daemon. relayd really outperforms Erlang at ssl processing. relayd is fast, stable, reliable and secure, and I really want to take advantage of these.

I really want to offload the ssl processing from that daemon, but I also want the original IP to be seen by my daemon. Please, somebody give me advice on how this can become possible. At least somebody tell me if this is possible at all, and if yes, how this can be achieved with relayd.

With many thanks in advance,
Bogdan

________________________________
From: Bogdan Andu <bo...@yahoo.com>
To: "misc@openbsd.org" <misc@openbsd.org>
Sent: Wednesday, November 7, 2012 9:58 AM
Subject: relayd transparent proxy for a local daemon

Hello,

I am trying to solve a problem and I am really out of ideas.

I want to use relayd to set up a transparent reverse proxy with ssl offloading for a local daemon. The data flow is the following:

Client ------>| $ext_if   relayd box   lo0 (local daemon) |

Is it possible for the local daemon to see the original client IP, instead of 127.0.0.1? The original client IP should arrive at the local daemon, because it is needed in further operations. If it had only been for logging, that would have been a problem.

I am aware of the setup described here: http://marc.info/?l=openbsd-misc&m=130479125318862&w=2 but I do not know how to obtain this behaviour with a locally bound daemon. This local daemon is running under an unprivileged user.

I have the following setup in /etc/relayd.conf:

ext_addr="192.162.16.133"

protocol tcp_ssl_prot {
        # Various TCP performance options
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH" }
        ssl session cache disable
}

relay tcp_ssl_inet4 {
        # Run as a SSL accelerator
        listen on $ext_addr port 1122 ssl
        protocol "tcp_ssl_prot"

        # Forward to hosts in the webhosts table using a src/dst hash
        transparent forward to 127.0.0.1 port 1133 interface lo0
}

pf is disabled (in pf.conf I really do not know what I should put).

Any idea very much appreciated.

Thank you very much,
Bogdan