relayd: Layer 7 proxy: forward failed
Leo Unglaub
2018-12-06 17:04:11 UTC
Hi,
I am trying to use relayd as an outbound proxy. I am following the
manual page and also the book "Httpd and Relayd Mastery". I did this on
the latest release 6.4 and also on the latest snapshot to make sure this
was not already fixed somewhere. I am on amd64.

# cat /etc/relayd.conf
relay "proxy" {
    listen on 127.0.0.1 port 8080
    forward to destination
}
relay "proxy2" {
    listen on 192.168.0.19 port 9090
    forward to destination
}

I use this command to open up a connection from a different host in the
$ curl -i -x 192.168.0.19:9090 openbsd.org
$ curl -i -x 127.0.0.1:8080 openbsd.org

# relayd -dvvvvf /etc/relayd.conf
startup
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
parent_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay proxy
protocol -1: name default
flags: used, relay flags: divert
tls session tickets: disabled
type: tcp
relay_privinit: adding relay proxy2
protocol -1: name default
flags: used, relay flags: divert
tls session tickets: disabled
type: tcp
init_tables: created 0 tables
relay_launch: running relay proxy
relay_launch: running relay proxy
relay_launch: running relay proxy2
relay_launch: running relay proxy
relay_launch: running relay proxy2
relay_launch: running relay proxy2
relay_connect: session 1: forward failed: Operation not permitted
relay_close: sessions inflight decremented, now 0

I used the following addition to the default pf.conf.
pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port 8080

Is this a bug in my setup or a problem with relayd?

I also tried the entire config from the book "Httpd and Relayd Mastery"
and even when I type it down 1 by 1 I get the same error.

Thanks and greetings
Leo
trondd
2018-12-07 16:11:54 UTC
Post by Leo Unglaub
> Hi,
> I am trying to use relayd as an outbound proxy. I am following the
> manual page and also the book "Httpd and Relayd Mastery". I did this on
> the latest release 6.4 and also on the latest snapshot to make sure this
> was not already fixed somewhere. I am on amd64.
> # cat /etc/relayd.conf
> relay "proxy" {
>     listen on 127.0.0.1 port 8080
>     forward to destination
> }
> relay "proxy2" {
>     listen on 192.168.0.19 port 9090
>     forward to destination
> }
> I use this command to open up a connection from a different host in the
> $ curl -i -x 192.168.0.19:9090 openbsd.org
> $ curl -i -x 127.0.0.1:8080 openbsd.org

I don't have the time to set this up to test, so just throwing ideas out.

Doesn't this set up a transparent relay? Should you be configuring a
proxy with curl in this case? Did you try it without?

Post by Leo Unglaub
> # relayd -dvvvvf /etc/relayd.conf
> startup
> pfe: filter init done
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> parent_tls_ticket_rekey: rekeying tickets
> relay_privinit: adding relay proxy
> protocol -1: name default
> flags: used, relay flags: divert
> tls session tickets: disabled
> type: tcp
> relay_privinit: adding relay proxy2
> protocol -1: name default
> flags: used, relay flags: divert
> tls session tickets: disabled
> type: tcp
> init_tables: created 0 tables
> relay_launch: running relay proxy
> relay_launch: running relay proxy
> relay_launch: running relay proxy2
> relay_launch: running relay proxy
> relay_launch: running relay proxy2
> relay_launch: running relay proxy2
> relay_connect: session 1: forward failed: Operation not permitted
> relay_close: sessions inflight decremented, now 0
> I used the following addition to the default pf.conf.
> pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port 8080

If you're connecting from inside the network, is 'in on egress' the
correct interface here?

Post by Leo Unglaub
> Is this a bug in my setup or a problem with relayd?
> I also tried the entire config from the book "Httpd and Relayd Mastery"
> and even when I type it down 1 by 1 I get the same error.
> Thanks and greetings
> Leo