Hello, I have the following setup on a single machine:
RELAYD[PUBLIC IP]:443 -> WEB_SERVER[127.0.0.1]:8080

pf is disabled for testing purposes. relayd is configured like this (snip):

/etc/relayd.conf:
###############################
table <webhosts> { 127.0.0.1 }

http protocol www_ssl_prot {
#       header append "$REMOTE_ADDR" to "X-Forwarded-For"
#       header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
#       header change "Keep-Alive" to "$TIMEOUT"

        # Various TCP performance options
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        ssl { sslv3, tlsv1, ciphers "HIGH" }
        ssl session cache disable
}

relay www_ssl {
        # Run as a SSL accelerator
        listen on $ext_addr port 443 ssl
        protocol www_ssl_prot

        # Forward to hosts in the webhosts table using a src/dst hash
        forward to <webhosts> port 8080
}
###############################

The problem is that when I want to append or modify a header, this results in the error below:

relay www_ssl, session 1 (1 active), 0, 10.10.11.66 -> 127.0.0.1:8080, invalid

A failed tcpdump session looks like this:

$ sudo tcpdump -A -i lo0 port 8080
tcpdump: listening on lo0, link-type LOOP
09:15:56.710348 localhost.24156 > localhost.8080: S 2366115149:2366115149(0) win 65535 <mss 33112,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 611410478 0> (DF)
M.........v.....X........... $qb.....
09:15:56.710356 localhost.8080 > localhost.24156: S 1050504178:1050504178(0) ack 2366115150 win 16384 <mss 33112,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 184181294 611410478> (DF)
N..@........X...........>.k... .b.$qb.
09:15:56.710362 localhost.24156 > localhost.8080: . ack 1 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
N>.k... ............^\.... $qb. .b.
tcpdump: WARNING: compensating for unaligned libpcap packets
09:15:56.711365 localhost.24156 > localhost.8080: F 1:1(0) ack 1 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
N>.k... ........^\.... $qb. .b.....
09:15:56.711373 localhost.8080 > localhost.24156: . ack 2 win 2048 <nop,nop,timestamp 184181294 611410478> (DF)
O.....................^\>.k...
.b.$qb.
09:15:56.711390 localhost.8080 > localhost.24156: F 1:1(0) ack 2 win 2048 <nop,nop,timestamp 184181294 611410478> (DF)
O.................^\>.k... .b.$qb.....
09:15:56.711398 localhost.24156 > localhost.8080: . ack 2 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
O>.k... ............^\.... $qb. .b.

It seems that after the connection is established, the client side of relayd, instead of pushing data and sending at least the HTTP header, sends the FIN flag, and the handshake of closing the connection with the local web server begins. If all header directives are commented out, then everything works fine.

A successful tcpdump session looks like this:

$ sudo tcpdump -A -i lo0 port 8080
tcpdump: listening on lo0, link-type LOOP
09:27:05.334568 localhost.14030 > localhost.8080: S 2866784757:2866784757(0) win 65535 <mss 33112,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2152179840 0> (DF)
E..@.2@.@...........6................[.....X........... .G......
09:27:05.334576 localhost.8080 > localhost.14030: S 3002945289:3002945289(0) ack 2866784758 win 16384 <mss 33112,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 669666639 2152179840> (DF)
E..@..@.@.{...........6...O ......@.1 .....X........... '.MO.G..
09:27:05.334582 localhost.14030 > localhost.8080: . ack 1 win 8192 <nop,nop,timestamp 2152179840 669666639> (DF)
E..4.n@.@.]S........6.........O }..... .G..'.MO
tcpdump: WARNING: compensating for unaligned libpcap packets
09:27:05.335528 localhost.14030 > localhost.8080: P 1:199(198) ack 1 win 8192 <nop,nop,timestamp 2152179840 669666639> (DF)
q]@.@...........6.........O .. ........ .G..'.MOPOST /cereri/noi/cgi-bin/query?lang=ro HTTP/1.1 User-Agent:....
09:27:05.335535 localhost.8080 > localhost.14030: . ack 199 win 2023 <nop,nop,timestamp 669666639 2152179840> (DF)
.C@.@..~..........6...O ........$......
'.MO.G..POST
09:27:05.671832 localhost.8080 > localhost.14030: P 1:11455(11454) ack 199 win 2048 <nop,nop,timestamp 669666639 2152179840> (DF)
E.,..9@.@.............6...O ........ e..... '.MO.G..HTTP/1.1 200 OK Date: Tue, 13 Nov 2012 07:27:05 GMT Server
09:27:05.671851 localhost.14030 > localhost.8080: . ack 11455 win 6760 <nop,nop,timestamp 2152179840 669666639> (DF)
E..4..@.@.93........6.........{....h....... .G..'.MO
09:27:05.673411 localhost.8080 > localhost.14030: P 11455:11460(5) ack 199 win 2048 <nop,nop,timestamp 669666640 2152179840> (DF)
..@.@.............6...{................ '.MP.G..0 /cer
09:27:05.673418 localhost.14030 > localhost.8080: . ack 11460 win 8191 <nop,nop,timestamp 2152179841 669666640> (DF)
E..4.K@.@.cv........6.........{............ .G..'.MP
09:27:05.675649 localhost.14030 > localhost.8080: F 199:199(0) ack 11460 win 8192 <nop,nop,timestamp 2152179841 669666640> (DF)
b.@.@...........6.........{... ........ .G..'.MP0
09:27:05.675658 localhost.8080 > localhost.14030: . ack 200 win 2048 <nop,nop,timestamp 669666640 2152179841> (DF)
E..4..@.@.w...........6...{................ '.MP.G..
09:27:05.675688 localhost.8080 > localhost.14030: F 11460:11460(0) ack 200 win 2048 <nop,nop,timestamp 669666640 2152179841> (DF)
..@.@.Q...........6...{................ '.MP.G..0
09:27:05.675697 localhost.14030 > localhost.8080: . ack 11461 win 8192 <nop,nop,timestamp 2152179841 669666640> (DF)
E..4x @.@...........6.........{... ........ .G..'.MP

Here the client side of relayd does not begin to close the connection, but actually pushes data to the local web server and the dialog carries on normally.

Please advise me what I should do. Where is the problem? The digital certificate is issued by GeoTrust, if this matters. Why does relaying the HTTP headers have this effect?

Thank you,
Bogdan

P.S. Sorry for this long post.
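The comparison Bogdan makes by eye above (did relayd's backend-facing socket push any request bytes before sending FIN?) can be automated over the `tcpdump` summary lines. The script below is an added example, not part of the post or of relayd; it parses the OpenBSD `tcpdump` summary format shown in the captures, follows each connection from its SYN, and reports connections whose initiator closed without sending a byte, which is the "invalid" symptom in the failed capture. The sample captures embedded in it are constructed from the summary lines of the two sessions in the post, with the TCP options shortened; the raw-payload and `tcpdump:` status lines that `-A` prints between summaries are deliberately left in to show that the parser skips them.

```python
import re
from collections import OrderedDict

# Summary-line format of OpenBSD tcpdump as printed in the post:
#   HH:MM:SS.usec src.port > dst.port: FLAGS [lo:hi(len)] [ack N] win W <opts> (DF)
# Raw-payload lines printed by `tcpdump -A` and "tcpdump: ..." status lines
# do not match this pattern and are skipped.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPRW.]+)\s+"
    r"(?:(?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?P<ack>ack\s+\d+)?"
)

def parse_summaries(text):
    """Return a list of (src, dst, flags, payload_len, is_ack) for each summary line."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        packets.append((m["src"], m["dst"], m["flags"], int(m["len"] or 0), m["ack"] is not None))
    return packets

def track_sessions(text):
    """Follow each TCP connection from its SYN and record, per side, the payload
    bytes it sent and how many it had sent at the moment it issued FIN.
    Key: (syn_initiator, responder); value: dict of counters."""
    sessions = OrderedDict()
    for src, dst, flags, plen, is_ack in parse_summaries(text):
        if "S" in flags and not is_ack:            # bare SYN: new connection from src
            sessions[(src, dst)] = {"client_bytes": 0, "server_bytes": 0,
                                    "client_fin_at": None, "server_fin_at": None}
            continue
        if (src, dst) in sessions:
            sess, side = sessions[(src, dst)], "client"
        elif (dst, src) in sessions:
            sess, side = sessions[(dst, src)], "server"
        else:
            continue                                # mid-stream packet of an unseen connection
        sess[side + "_bytes"] += plen
        if "F" in flags and sess[side + "_fin_at"] is None:
            sess[side + "_fin_at"] = sess[side + "_bytes"]
    return sessions

def empty_client_closes(text):
    """Return the (client, server) pairs whose connecting side sent FIN without
    ever sending payload: a relay that gave up before writing the request."""
    return [key for key, s in track_sessions(text).items() if s["client_fin_at"] == 0]

# Constructed samples condensed from the two captures in the post.
FAILED_CAPTURE = """\
09:15:56.710348 localhost.24156 > localhost.8080: S 2366115149:2366115149(0) win 65535 <mss 33112> (DF)
M.........v.....X........... $qb.....
09:15:56.710356 localhost.8080 > localhost.24156: S 1050504178:1050504178(0) ack 2366115150 win 16384 <mss 33112> (DF)
09:15:56.710362 localhost.24156 > localhost.8080: . ack 1 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
09:15:56.711365 localhost.24156 > localhost.8080: F 1:1(0) ack 1 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
09:15:56.711373 localhost.8080 > localhost.24156: . ack 2 win 2048 <nop,nop,timestamp 184181294 611410478> (DF)
09:15:56.711390 localhost.8080 > localhost.24156: F 1:1(0) ack 2 win 2048 <nop,nop,timestamp 184181294 611410478> (DF)
09:15:56.711398 localhost.24156 > localhost.8080: . ack 2 win 8192 <nop,nop,timestamp 611410478 184181294> (DF)
"""

GOOD_CAPTURE = """\
09:27:05.334568 localhost.14030 > localhost.8080: S 2866784757:2866784757(0) win 65535 <mss 33112> (DF)
09:27:05.334576 localhost.8080 > localhost.14030: S 3002945289:3002945289(0) ack 2866784758 win 16384 <mss 33112> (DF)
09:27:05.334582 localhost.14030 > localhost.8080: . ack 1 win 8192 <nop,nop,timestamp 2152179840 669666639> (DF)
09:27:05.335528 localhost.14030 > localhost.8080: P 1:199(198) ack 1 win 8192 <nop,nop,timestamp 2152179840 669666639> (DF)
09:27:05.335535 localhost.8080 > localhost.14030: . ack 199 win 2023 <nop,nop,timestamp 669666639 2152179840> (DF)
09:27:05.671832 localhost.8080 > localhost.14030: P 1:11455(11454) ack 199 win 2048 <nop,nop,timestamp 669666639 2152179840> (DF)
09:27:05.671851 localhost.14030 > localhost.8080: . ack 11455 win 6760 <nop,nop,timestamp 2152179840 669666639> (DF)
09:27:05.673411 localhost.8080 > localhost.14030: P 11455:11460(5) ack 199 win 2048 <nop,nop,timestamp 669666640 2152179840> (DF)
09:27:05.673418 localhost.14030 > localhost.8080: . ack 11460 win 8191 <nop,nop,timestamp 2152179841 669666640> (DF)
09:27:05.675649 localhost.14030 > localhost.8080: F 199:199(0) ack 11460 win 8192 <nop,nop,timestamp 2152179841 669666640> (DF)
09:27:05.675658 localhost.8080 > localhost.14030: . ack 200 win 2048 <nop,nop,timestamp 669666640 2152179841> (DF)
09:27:05.675688 localhost.8080 > localhost.14030: F 11460:11460(0) ack 200 win 2048 <nop,nop,timestamp 669666640 2152179841> (DF)
09:27:05.675697 localhost.14030 > localhost.8080: . ack 11461 win 8192 <nop,nop,timestamp 2152179841 669666640> (DF)
"""

if __name__ == "__main__":
    for name, cap in (("failed", FAILED_CAPTURE), ("good", GOOD_CAPTURE)):
        for (client, server), s in track_sessions(cap).items():
            print(f"{name}: {client} -> {server}: client sent {s['client_bytes']} B "
                  f"(FIN after {s['client_fin_at']} B), server sent {s['server_bytes']} B")
        print(f"{name}: closed without a request: {empty_client_closes(cap)}")
```

Run against a full `tcpdump -i lo0 port 8080` capture (without `-A` the output is just the summary lines), it lists every relay-to-backend connection that was torn down before a request was written, so the effect of toggling the `header` directives can be checked across many sessions instead of reading one trace by hand. The parser only understands the classic OpenBSD summary layout shown in the post; newer tcpdump builds print flags as `[S.]` and `Flags [P.]` and would need the regex adjusted.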