I am trying to use relayd to provide TLS acceleration for 20+ user services.
Here is my /etc/relayd.conf (with ip4 and ip6 redacted):
ip4="192.168.0.1"
ip6="2001:db8::"
table <username01> { 127.0.0.1 }
table <username02> { 127.0.0.1 }
table <username03> { 127.0.0.1 }
table <username04> { 127.0.0.1 }
table <username05> { 127.0.0.1 }
table <username06> { 127.0.0.1 }
table <username07> { 127.0.0.1 }
table <username08> { 127.0.0.1 }
table <username09> { 127.0.0.1 }
table <username10> { 127.0.0.1 }
table <username11> { 127.0.0.1 }
table <username12> { 127.0.0.1 }
table <username13> { 127.0.0.1 }
table <username14> { 127.0.0.1 }
table <username15> { 127.0.0.1 }
table <username16> { 127.0.0.1 }
table <username17> { 127.0.0.1 }
table <username18> { 127.0.0.1 }
log connection
http protocol https {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
tcp { sack, backlog 128 }
tls { keypair username01.example.ircnow.org
keypair username02.example.ircnow.org
keypair username03.example.ircnow.org
keypair username04.example.ircnow.org
keypair username05.example.ircnow.org
keypair username06.example.ircnow.org
keypair username07.example.ircnow.org
keypair username08.example.ircnow.org
keypair username09.example.ircnow.org
keypair username10.example.ircnow.org
keypair username11.example.ircnow.org
keypair username12.example.ircnow.org
keypair username13.example.ircnow.org
keypair username14.example.ircnow.org
keypair username15.example.ircnow.org
keypair username16.example.ircnow.org
keypair username17.example.ircnow.org
keypair username18.example.ircnow.org }
match request header "Host" value "username01.example.ircnow.org"
forward to <username01>
match request header "Host" value "username02.example.ircnow.org"
forward to <username02>
match request header "Host" value "username03.example.ircnow.org"
forward to <username03>
match request header "Host" value "username04.example.ircnow.org"
forward to <username04>
match request header "Host" value "username05.example.ircnow.org"
forward to <username05>
match request header "Host" value "username06.example.ircnow.org"
forward to <username06>
match request header "Host" value "username07.example.ircnow.org"
forward to <username07>
match request header "Host" value "username08.example.ircnow.org"
forward to <username08>
match request header "Host" value "username09.example.ircnow.org"
forward to <username09>
match request header "Host" value "username10.example.ircnow.org"
forward to <username10>
match request header "Host" value "username11.example.ircnow.org"
forward to <username11>
match request header "Host" value "username12.example.ircnow.org"
forward to <username12>
match request header "Host" value "username13.example.ircnow.org"
forward to <username13>
match request header "Host" value "username14.example.ircnow.org"
forward to <username14>
match request header "Host" value "username15.example.ircnow.org"
forward to <username15>
match request header "Host" value "username16.example.ircnow.org"
forward to <username16>
match request header "Host" value "username17.example.ircnow.org"
forward to <username17>
match request header "Host" value "username18.example.ircnow.org"
forward to <username18>
}
relay wwwtls {
listen on $ip4 port 443 tls
protocol https
forward to <username01> port 8001 check icmp
forward to <username02> port 8001 check icmp
forward to <username03> port 8001 check icmp
forward to <username04> port 8001 check icmp
forward to <username05> port 8001 check icmp
forward to <username06> port 8001 check icmp
forward to <username07> port 8001 check icmp
forward to <username08> port 8001 check icmp
forward to <username09> port 8001 check icmp
forward to <username10> port 8001 check icmp
forward to <username11> port 8001 check icmp
forward to <username12> port 8001 check icmp
forward to <username13> port 8001 check icmp
forward to <username14> port 8001 check icmp
forward to <username15> port 8001 check icmp
forward to <username16> port 8001 check icmp
forward to <username17> port 8001 check icmp
forward to <username18> port 8001 check icmp
}
relay www6tls {
listen on $ip6 port 443 tls
protocol https
forward to <username01> port 8001 check icmp
forward to <username02> port 8001 check icmp
forward to <username03> port 8001 check icmp
forward to <username04> port 8001 check icmp
forward to <username05> port 8001 check icmp
forward to <username06> port 8001 check icmp
forward to <username07> port 8001 check icmp
forward to <username08> port 8001 check icmp
forward to <username09> port 8001 check icmp
forward to <username10> port 8001 check icmp
forward to <username11> port 8001 check icmp
forward to <username12> port 8001 check icmp
forward to <username13> port 8001 check icmp
forward to <username14> port 8001 check icmp
forward to <username15> port 8001 check icmp
forward to <username16> port 8001 check icmp
forward to <username17> port 8001 check icmp
forward to <username18> port 8001 check icmp
}
I then run:
# relayd -dvvv
Then I request the web page https://username01.example.ircnow.org, and I see
this debug output from relayd:
startup
relay_load_certfiles: using certificate
/etc/ssl/username01.example.ircnow.org:443.crt
relay_load_certfiles: using private key
/etc/ssl/private/username01.example.ircnow.org:443.key
...
parent_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay wwwtls
protocol 1: name https
flags: used, relay flags: tls
tcp flags: sack
tls flags: tlsv1.2, tlsv1.3, cipher-server-preference
tls session tickets: disabled
type: http
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
match request header "Host" value "username01.example.ircnow.org" forward to <username01>
...
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
config_setrelay: fd passing failed for `wwwtls': Too many open files
relay_privinit: adding relay www6tls
protocol 1: name https
flags: used, relay flags: tls
tcp flags: sack
tls flags: tlsv1.2, tlsv1.3, cipher-server-preference
tls session tickets: disabled
type: http
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
...
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
hce_notify_done: 127.0.0.1 (icmp ok)
host 127.0.0.1, check icmp (4ms,icmp ok), state unknown -> up, availability 100.00%
pfe_dispatch_hce: state 1 for host 1 127.0.0.1
hce_notify_done: 127.0.0.1 (icmp ok)
host 127.0.0.1, check icmp (5ms,icmp ok), state unknown -> up, availability 100.00%
hce_notify_done: 127.0.0.1 (icmp ok)
pfe_dispatch_hce: state 1 for host 2 127.0.0.1
host 127.0.0.1, check icmp (6ms,icmp ok), state unknown -> up, availability 100.00%
hce_notify_done: 127.0.0.1 (icmp ok)
...
relay_tls_ctx_create: loading certificate
pfe_dispatch_hce: state 1 for host 7 127.0.0.1
pfe_dispatch_hce: state 1 for host 8 127.0.0.1
pfe_dispatch_hce: state 1 for host 9 127.0.0.1
pfe_dispatch_hce: state 1 for host 10 127.0.0.1
pfe_dispatch_hce: state 1 for host 11 127.0.0.1
pfe_dispatch_hce: state 1 for host 12 127.0.0.1
pfe_dispatch_hce: state 1 for host 13 127.0.0.1
pfe_dispatch_hce: state 1 for host 14 127.0.0.1
pfe_dispatch_hce: state 1 for host 15 127.0.0.1
...
relay_launch: running relay wwwtls
relay_launch: running relay wwwtls
relay_tls_transaction: session 1: scheduling on EV_READ
ca: ca_dispatch_relay: invalid relay hash 'SHA256:f11ab4ded2188f1eb2fb959078e32a44cc73464fe6d87c82da8d8b1b185d6d0f'
relay: pipe closed
hce exiting, pid 84447
pfe exiting, pid 60018
ca exiting, pid 67605
ca exiting, pid 33655
lost child: pid 15150 exited abnormally
lost child: pid 55246 exited abnormally
I thought perhaps it would help to increase the max number of open files in the
daemon login class in /etc/login.conf:
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc-cur=4096:\
:maxproc=infinity:\
:openfiles-max=4096:\
:openfiles=4096:\
:openfiles-cur=1024:\
:stacksize-cur=96M:\
:stacksize-max=96M:\
:tc=default:
I made sure to set _relayd to the daemon login class using vipw, then I ran
$ doas cap_mkdb /etc/login.conf
$ doas relayd -dvv
Still getting the same error.
Questions: 1) is there a more elegant relayd.conf, and 2) how can I get rid of
the "socket_rlimit: max open files 1024" error?
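A config of this shape (one table, one keypair and one Host rule per user, all hand-copied) is easy to get subtly wrong: a Host rule whose name has no keypair is served with relayd's default certificate, a keypair with no Host rule is loaded for nothing, and a forward to an undefined table is a routing hole. The following script is an added example, not part of the post and not relayd's own code; it is a hypothetical pre-flight check that reads the config text, pairs each `"Host"` match with the `forward to` that follows it, and reports those mismatches plus duplicate rules. The sample config is constructed, and the certificate and key paths it derives follow the `/etc/ssl/<name>:443.crt` and `/etc/ssl/private/<name>:443.key` naming that appears in the debug output above.

```python
"""Consistency check for a relayd.conf laid out like the one in the post.
Added example: it only parses the config text and reports mismatches; it
does not talk to relayd and does not replace `relayd -n -f <file>`."""
import re
from collections import Counter

# Constructed sample config. It deliberately contains a duplicated Host rule
# (alice), a keypair without a Host rule (carol) and a Host rule that forwards
# to an undefined table (dave) so that each check below fires exactly once.
SAMPLE_CONF = """\
ip4="192.0.2.1"
table <alice> { 127.0.0.1 }
table <bob> { 127.0.0.1 }
http protocol https {
    match request header set "Connection" value "close"
    tls { keypair alice.example.test
          keypair bob.example.test
          keypair carol.example.test }
    match request header "Host" value "alice.example.test"
    forward to <alice>
    match request header "Host" value "alice.example.test"
    forward to <alice>
    match request header "Host" value "bob.example.test"
    forward to <bob>
    match request header "Host" value "dave.example.test"
    forward to <dave>
}
relay wwwtls {
    listen on $ip4 port 443 tls
    protocol https
    forward to <alice> port 8001 check icmp
    forward to <bob> port 8001 check icmp
}
"""

TABLE_RE = re.compile(r'^table\s+<([^>]+)>')
KEYPAIR_RE = re.compile(r'\bkeypair\s+([^\s,}]+)')
HOST_RE = re.compile(r'match\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"')
FORWARD_RE = re.compile(r'\bforward\s+to\s+<([^>]+)>')


def parse_conf(text):
    """Collect tables, keypair names, (host, table) rules and all forwards."""
    tables, keypairs, rules, forwards = set(), [], [], []
    pending_host = None  # Host rule waiting for its "forward to" line
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            tables.add(m.group(1))
            continue
        keypairs.extend(KEYPAIR_RE.findall(line))
        m = HOST_RE.search(line)
        if m:
            pending_host = m.group(1)
        m = FORWARD_RE.search(line)
        if m:
            forwards.append(m.group(1))
            if pending_host is not None:  # same line or the line after
                rules.append((pending_host, m.group(1)))
                pending_host = None
    return {'tables': tables, 'keypairs': keypairs,
            'rules': rules, 'forwards': forwards}


def cert_files(keypairs, port=443):
    """Paths relayd reported loading in the post (assumed convention)."""
    paths = []
    for name in keypairs:
        paths.append(f'/etc/ssl/{name}:{port}.crt')
        paths.append(f'/etc/ssl/private/{name}:{port}.key')
    return paths


def audit(conf_text):
    """Return the findings a practitioner would want before starting relayd."""
    p = parse_conf(conf_text)
    host_counts = Counter(host for host, _ in p['rules'])
    hosts, kp = set(host_counts), set(p['keypairs'])
    return {
        'duplicate_rules': sorted(h for h, n in host_counts.items() if n > 1),
        'hosts_without_keypair': sorted(hosts - kp),   # default cert served
        'keypairs_without_host': sorted(kp - hosts),   # loaded, never selected
        'undefined_tables': sorted(set(p['forwards']) - p['tables']),
        'cert_files': cert_files(p['keypairs']),
    }


if __name__ == '__main__':
    for key, value in audit(SAMPLE_CONF).items():
        print(f'{key}: {value}')
```

To run it against a real file, replace `SAMPLE_CONF` with the contents of `/etc/relayd.conf`; the `cert_files` list is also a handy checklist for confirming that every keypair's certificate and key actually exist before relayd tries to open them.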