CVS revision log: src/usr.sbin/relayd (default branch: MAIN)

Revision 1.207, Sun Oct 29 11:27:11 2023 UTC, by kn
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.206: +6 -8 lines
Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno

Revision 1.206, Tue Jun 6 15:16:52 2023 UTC, by beck
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.205: +6 -14 lines
Make the tlsv1.0 and tlsv1.1 options in relayd do nothing
Also document that fact, and that the existing ssl3 option does nothing.
This changes relayd to no longer request tls1.0 or tls1.1 in preparation for the upcoming deprecation of these out of date protocols.
ok jsing@ bluhm@ tb@ claudio@ benno@

Revision 1.205, Thu Mar 31 17:27:31 2022 UTC, by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.204: +3 -3 lines
man pages: add missing commas between subordinate and main clauses
jmc@ dislikes a comma before "then" in a conditional, so leave those untouched.
ok jmc@

Revision 1.204, Sun Feb 6 00:29:03 2022 UTC, by jsg
Branch: MAIN
Changes since 1.203: +3 -3 lines
remove please from manual pages ok jmc@ sthen@ millert@

Revision 1.203, Sat Jan 9 08:53:58 2021 UTC, by denis
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.202: +11 -2 lines
Add 'strip' directive
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@

Revision 1.202, Fri Oct 30 09:47:35 2020 UTC, by martijn
Branch: MAIN
Changes since 1.201: +4 -2 lines
Use metrics instead of statistics. Also point people where in the tree they might be able to find said metrics. OK denis@ jmc@

Revision 1.201, Thu Oct 22 08:00:24 2020 UTC, by benno
Branch: MAIN
Changes since 1.200: +5 -5 lines
support for session resumption in TLS1.3 does not exist yet, as confirmed by tb@. While there, remove the "no" in front of the statement.
text from tb@

Revision 1.200, Thu Oct 22 07:48:50 2020 UTC, by benno
Branch: MAIN
Changes since 1.199: +3 -3 lines
session tickets are disabled by default, correct the manpage. ok claudio

Revision 1.199, Mon Sep 14 11:30:25 2020 UTC, by martijn
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.198: +15 -14 lines
Rewrite the agentx code of relayd.

This new framework should allow us to add new objects easier if so desired and should handle a lot more corner-cases.

This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.

This commit does remove traps, but it's large enough as is and I intend on adding it soon(tm).
It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future.

Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@

Revision 1.198, Wed Jul 1 06:47:18 2020 UTC, by martijn
Branch: MAIN
Changes since 1.197: +3 -8 lines
Remove references to snmpd(8) now that agentx support has been removed. Prodded by and OK jmc@

Revision 1.197, Thu May 14 17:27:39 2020 UTC, by pvk
Branch: MAIN
Changes since 1.196: +7 -3 lines
Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@

Revision 1.196, Sat May 2 19:02:57 2020 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.195: +15 -11 lines
Repair the description of "edh [params (none|auto|legacy)]" to configure EDH-based cipher suites with Perfect Forward Secrecy (PFS) for older clients that do not support ECDHE. Problem noticed and initial diff by Jesper Wallin, thanks! ok kn@

Revision 1.195, Thu Apr 23 21:28:10 2020 UTC, by jmc
Branch: MAIN
Changes since 1.194: +3 -3 lines
replace examples of "Ar arg Ar arg" with "Ar arg arg" and stop the spread;

Revision 1.194, Mon Feb 10 13:18:21 2020 UTC, by schwarze
Branch: MAIN
Changes since 1.193: +5 -2 lines
briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many

Revision 1.193, Sun Sep 15 19:23:29 2019 UTC, by rob
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.192: +29 -2 lines
Add support for binary protocol health checking. Feedback and guidance from benno@ and reky@. Man page tweaks from jmc@. ok benno@

Revision 1.192, Fri Jul 5 13:42:06 2019 UTC, by robert
Branch: MAIN
Changes since 1.191: +4 -2 lines
Add a new macro called $HOST that expands to the Host header's value or falls back to the same value as $SERVER_ADDR in case the Host header is not available. ok reyk@

Revision 1.191, Wed Jun 26 12:13:47 2019 UTC, by reyk
Branch: MAIN
Changes since 1.190: +12 -2 lines
Add support for OCSP stapling
Many thanks to Bruno Flueckiger who independently sent a very similar patch. He also tested the one I'm committing that it works as expected.
OK tb@

Revision 1.190, Fri May 31 15:25:57 2019 UTC, by reyk
Branch: MAIN
Changes since 1.189: +21 -19 lines
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!)
Feedback & OK rob@

Revision 1.189, Fri May 10 09:15:00 2019 UTC, by reyk
Branch: MAIN
Changes since 1.188: +9 -2 lines
Add support for from/to in relay filter rules. For example,
  pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@

Revision 1.188, Mon Mar 4 21:25:03 2019 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.187: +5 -1 lines
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@

Revision 1.187, Mon Aug 6 18:26:29 2018 UTC, by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.186: +3 -3 lines
space required between macro args and punctuation;

Revision 1.186, Mon Aug 6 17:31:31 2018 UTC, by benno
Branch: MAIN
Changes since 1.185: +15 -9 lines
replace the current log options
  log updates|all
with
  log state changes
  log host checks
  log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@

Revision 1.185, Mon Jun 18 06:04:25 2018 UTC, by jmc
Branch: MAIN
Changes since 1.184: +4 -4 lines
remove the SECTIONS header, since a one line DESCRIPTION is a bit silly; use a more general text for the sections, and avoid the catchup issue that was trying to document how many there were; ok benno rob

Revision 1.184, Fri Apr 20 16:21:32 2018 UTC, by jmc
Branch: MAIN
Changes since 1.183: +2 -3 lines
adjust the example to make it work; from matt schwartz ok claudio

Revision 1.183, Wed Apr 18 12:10:54 2018 UTC, by claudio
Branch: MAIN
Changes since 1.182: +2 -2 lines
Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@

Revision 1.182, Wed Nov 29 21:17:51 2017 UTC, by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.181: +3 -3 lines
fix double dot;

Revision 1.181, Wed Nov 29 15:24:50 2017 UTC, by benno
Branch: MAIN
Changes since 1.180: +8 -2 lines
add options to specify the control socket in relayd and relayctl. From Kapetanakis Giannis, thanks. ok claudio@

Revision 1.180, Mon Nov 27 23:21:16 2017 UTC, by claudio
Branch: MAIN
Changes since 1.179: +8 -13 lines
Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code now uses tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now.
If people specified curves in their config they need to adjust their config now.
OK beck@

Revision 1.179, Wed Nov 15 19:03:26 2017 UTC, by benno
Branch: MAIN
Changes since 1.178: +11 -2 lines
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@

Revision 1.178, Tue Jul 11 13:00:59 2017 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.177: +3 -3 lines
The config option is called "no splice", the parser rejects "nosplice".

Revision 1.177, Wed Apr 19 10:48:57 2017 UTC, by jmc
Branch: MAIN
Changes since 1.176: +4 -4 lines
better example; from hiltjo posthuma ok sthen

Revision 1.176, Sat Mar 25 23:14:04 2017 UTC, by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.175: +3 -3 lines
X-Forwarded-By should be the server $SERVER_ADDR instead of the client $REMOTE_ADDR. Noticed and diff provided by Hiltjo Posthuma (hiltjo at codemadness dot org)

Revision 1.175, Mon Feb 27 22:25:58 2017 UTC, by benno
Branch: MAIN
Changes since 1.174: +3 -3 lines
update an example in the relayd.conf manpage, that was not converted to the new syntax 2 years ago. Found by Michael W. Lucas, thanks! ok tb@

Revision 1.174, Thu Feb 2 08:24:16 2017 UTC, by reyk
Branch: MAIN
Changes since 1.173: +7 -6 lines
Disable client-initiated TLS renegotiation by default. It is rarely needed and imposes a light DoS risk. LibreSSL's libssl allows to turn it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION option instead of the complicated implementation that was used before. It now turns it off completely instead of allowing one initial client-initiated renegotiation. It can still be enabled with "tls client-renegotiation".
ok benno@ beck@ jsing@

Revision 1.173, Sat Sep 3 18:28:45 2016 UTC, by jmc
Branch: MAIN
Changes since 1.172: +78 -98 lines
partial rewrite of the tcp/tls option parts: the trouble was with options which accepted a "no" prefix, it was difficult to see what was enabled and what was disabled; ok reyk (claudio ok'd an earlier version of the diff too)

Revision 1.172, Thu Sep 1 10:49:48 2016 UTC, by claudio
Branch: MAIN
Changes since 1.171: +10 -10 lines
Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session ticket is supposed to be alive.
Input and OK benno@, reyk@

Revision 1.171, Thu Aug 18 14:12:51 2016 UTC, by jmc
Branch: MAIN
Changes since 1.170: +2 -2 lines
word fix, from remi locherer; ok reyk

Revision 1.170, Fri Jul 29 10:09:27 2016 UTC, by reyk
Branch: MAIN
Changes since 1.169: +3 -3 lines
Bump copyright in files that I touched last. (btw. hostated-hoststated-relayd's 10th birthday is on Dec 16.)

Revision 1.169, Fri Jul 29 10:00:12 2016 UTC, by reyk
Branch: MAIN
Changes since 1.168: +19 -3 lines
Add support for common WebDAV methods; from httpd.
Found and tested by Michael Lechtermann
OK benno@

Revision 1.168, Fri Nov 6 18:06:29 2015 UTC, by bentley
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.167: +49 -53 lines
relayd.conf(5) macro cleanup.
- use <> instead of \*(Lt and \*(Gt
- use <> instead of Aq (Aq is not the same as <> in a UTF-8 locale)
- replace Ar usage when appropriate
- mark up RTP_STATIC with Dv
with input from jmc@ schwarze@, ok schwarze@

Revision 1.167, Tue Oct 27 12:27:54 2015 UTC, by benno
Branch: MAIN
Changes since 1.166: +3 -3 lines
change cipher-server-preference to be on by default. It can be disabled with
  no cipher-server-preference
this makes more clients select ciphers with pfs.
requested and ok by reyk@

Revision 1.166, Sat Oct 24 11:37:17 2015 UTC, by benno
Branch: MAIN
Changes since 1.165: +8 -2 lines
clarify where "with tls" can be used. ok jmc@

Revision 1.165, Mon Aug 10 20:45:35 2015 UTC, by sthen
Branch: MAIN
Changes since 1.164: +3 -3 lines
typo, decl*e*ration; from Larry Hynes

Revision 1.164, Fri Jul 24 15:25:08 2015 UTC, by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.163: +7 -7 lines
an TLS -> a TLS; from thanos tsouanas

Revision 1.163, Fri May 15 20:40:26 2015 UTC, by reyk
Branch: MAIN
Changes since 1.162: +3 -9 lines
Fix kill'n'yank error: the port is mandatory in relay listen on statements.
Pointed out by Alex Greif
OK jmc@

Revision 1.162, Fri May 15 19:26:37 2015 UTC, by jmc
Branch: MAIN
Changes since 1.161: +4 -4 lines
client/server mox ip; from trondd

Revision 1.161, Mon Mar 9 17:20:38 2015 UTC, by reyk
Branch: MAIN
Changes since 1.160: +7 -8 lines
Make relayd TLSv1.2-only by default.
OK krw@ benno@
Based on revision 1.66 of usr.sbin/httpd/parse.y:
  Make httpd TLSv1.2-only by default. Some older browsers, like IE 10, will be incompatible with this change. We do this early in the release cycle, so there is a good chance to get more experience with the impact of it and the upcoming restricted cipher modes.
  OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@

Revision 1.160, Tue Jan 13 09:24:20 2015 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.159: +3 -3 lines
bump copyright year

Revision 1.159, Fri Jan 2 18:28:23 2015 UTC, by sobrado
Branch: MAIN
Changes since 1.158: +4 -4 lines
PFS stands for Perfect Forward Secrecy. ok reyk@

Revision 1.158, Sat Dec 27 16:09:51 2014 UTC, by jmc
Branch: MAIN
Changes since 1.157: +3 -3 lines
zap trailing whitespace;

Revision 1.157, Fri Dec 26 22:55:02 2014 UTC, by benno
Branch: MAIN
Changes since 1.156: +10 -2 lines
Document forward to in protocols.

Revision 1.156, Tue Dec 23 13:18:23 2014 UTC, by reyk
Branch: MAIN
Changes since 1.155: +3 -3 lines
pf now supports source-hash and random with tables so we can allow it in redirections. Thanks for help and input from jsg and yasuoka who reminded me to dig out and update these old diffs for pf and relayd. ok jsg@

Revision 1.155, Thu Dec 18 21:26:09 2014 UTC, by jmc
Branch: MAIN
Changes since 1.154: +3 -3 lines
an hex -> a hex;

Revision 1.154, Thu Dec 18 20:55:01 2014 UTC, by reyk
Branch: MAIN
Changes since 1.153: +24 -10 lines
Update relayd to use siphash instead of sys/hash. The source-hash, loadbalance and hash modes use a random key by default that can be forced to be a static key with a new configuration argument. With input from Max Fillinger. ok tedu@

Revision 1.153, Fri Dec 12 10:05:09 2014 UTC, by reyk
Branch: MAIN
Changes since 1.152: +125 -126 lines
Change the keyword "ssl" to "tls" to reflect reality since we effectively disabled support for the SSL protocols. SSL remains a common term describing SSL/TLS, there is some controversy about this change, and the name really doesn't matter, but I feel confident about it now.
(btw., sthen@ pointed out some historical context: http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@

Revision 1.152, Fri Nov 7 13:48:06 2014 UTC, by jsing
Branch: MAIN
Changes since 1.151: +2 -8 lines
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform with another SSL library). Also fix the SSLv3 handling so that 'no sslv3' actually works as intended. ok reyk@

Revision 1.151, Tue Oct 21 02:29:54 2014 UTC, by lteo
Branch: MAIN
Changes since 1.150: +3 -3 lines
Remove SSLv2 and SSLv3 references from the example relayd.conf and the relevant example snippet in the relayd.conf(5) man page. Change the default SSL protocols in the example file/man page to "no tlsv1.0" (suggested by sthen@), which will enable the TLSv1.1 and TLSv1.2 protocols only. feedback/ok jsing@ reyk@ sthen@

Revision 1.150, Wed Oct 15 11:06:16 2014 UTC, by reyk
Branch: MAIN
Changes since 1.149: +28 -5 lines
Disable SSLv3 by default. OK sthen@ jsing@

Revision 1.149, Fri Sep 5 10:19:26 2014 UTC, by blambert
Branch: MAIN
Changes since 1.148: +4 -16 lines
revert previous; was based on a work-in-progress, as well as being an incomplete and therefore incorrect adaptation.
apologies to anybody who got bitten by this mistake
ok reyk@

Revision 1.148, Fri Aug 29 09:03:36 2014 UTC, by blambert
Branch: MAIN
Changes since 1.147: +17 -5 lines
Implement consistent host hashing for relayd, based on work done by andre@
Re-add a randomized hash seed (which had apparently gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured to forward traffic to the same host, falling back to the random seed when not explicitly configured to do so.
ok reyk@

Revision 1.147, Fri Jul 11 16:59:38 2014 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.146: +37 -6 lines
Add support for EDH to provide perfect forward secrecy for older SSL clients. Additionally, add options for disallowing client-initiated renegotiations and to prefer the server's cipher list over the client's preferences. This work is based on a diff by Markus Gebert at hostpoint.ch, and was discussed with jsing@ resulting in a few different defaults. ok benno@

Revision 1.146, Wed Jul 9 19:17:08 2014 UTC, by jmc
Branch: MAIN
Changes since 1.145: +8 -8 lines
tweak previous;

Revision 1.145, Wed Jul 9 17:01:30 2014 UTC, by reyk
Branch: MAIN
Changes since 1.144: +4 -4 lines
The "tag" keyword in redirections has been renamed to "pftag".

Revision 1.144, Wed Jul 9 16:42:05 2014 UTC, by reyk
Branch: MAIN
Changes since 1.143: +343 -289 lines
Replace the protocol directives for HTTP with a new generic filtering language. The grammar is inspired by pf and allows to write versatile last-matching filter rules in protocol sections starting with the "pass", "block" or "match" keywords. This work was started almost two years ago and replaces large parts of relayd(8)'s HTTP and filtering code. The initial version reimplements and extends HTTP filtering, but will be improved to support generic TCP and other protocols later. With some testing, feedback, and help from benno@ and andre@. OK benno@

Revision 1.143, Wed Jun 25 11:05:15 2014 UTC, by reyk
Branch: MAIN
Changes since 1.142: +3 -3 lines
sync copyright to reality according to my last changes

Revision 1.142, Fri Apr 18 13:55:26 2014 UTC, by reyk
Branch: MAIN
Changes since 1.141: +2 -2 lines
Introduce privsep for private keys:
- Move RSA private keys to a new separate process instead of copying them to the relays. A custom RSA engine is used by the SSL/TLS code of the relay processes to send RSA private key encryption/decryption (also used for sign/verify) requests to the new "ca" processes instead of operating on the private key directly.
- Each relay process gets its own related ca process. Setting "prefork 5" in the config file will spawn 10 processes (5 relay, 5 ca). This diff also reduces the default number of relay processes from 5 to 3 which should be suitable in most installations without a very heavy load.
- Don't keep text versions of the keys in memory, parse them once and keep the binary representation. This might still be the case in OpenSSL's internals but will be fixed in the library.
This diff doesn't prevent something like "heartbleed" but adds an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS.
With feedback from many
ok benno@

Revision 1.141, Mon Apr 14 15:24:25 2014 UTC, by jmc
Branch: MAIN
Changes since 1.140: +3 -3 lines
macro fixes for previous;

Revision 1.140, Mon Apr 14 12:58:04 2014 UTC, by blambert
Branch: MAIN
Changes since 1.139: +13 -6 lines
Adapt relayd to use AgentX protocol to send traps ok reyk@ benno@

Revision 1.139, Mon Sep 9 17:57:44 2013 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.138: +10 -2 lines
Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable TLS/SSL Perfect Forward Secrecy (PFS). ok djm@

Revision 1.138, Sat Sep 7 11:33:29 2013 UTC, by reyk
Branch: MAIN
Changes since 1.137: +3 -3 lines
update man page with the new default HIGH:!aNULL

Revision 1.137, Tue Jul 16 11:13:34 2013 UTC, by schwarze
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.136: +4 -4 lines
use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@

Revision 1.136, Thu Jul 4 15:05:41 2013 UTC, by jmc
Branch: MAIN
Changes since 1.135: +4 -3 lines
have FILES format a bit better;

Revision 1.135, Sat Jun 29 09:08:41 2013 UTC, by jmc
Branch: MAIN
Changes since 1.134: +3 -5 lines
do not use Sx for sections outwith the page; man4 still to go...

Revision 1.134, Thu May 30 20:17:12 2013 UTC, by reyk
Branch: MAIN
Changes since 1.133: +159 -2 lines
Support SSL inspection, the ability to transparently filter in SSL/TLS connections (eg. HTTPS) by using a local CA that is accepted by the clients. See the "SSL RELAYS" and "EXAMPLES" sections in the relayd.conf(5) manpage for more details. ok benno@, manpage bits jmc@

Revision 1.133, Sat Apr 27 16:39:30 2013 UTC, by benno
Branch: MAIN
Changes since 1.132: +4 -2 lines
time_t 64bit fixes for relayd and relayctl:
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@

Revision 1.132, Thu Nov 29 01:01:53 2012 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.131: +4 -4 lines
Fix white spaces in relayd. No binary diff.

Revision 1.131, Fri Oct 19 16:49:50 2012 UTC, by reyk
Branch: MAIN
Changes since 1.130: +19 -5 lines
Support additional scheduling algorithms in the load balancer: least-states, random, source-hash. least-states is currently only supported for redirections and the other ones are currently only supported by relays. ok benno@

Revision 1.130, Wed Oct 3 08:33:31 2012 UTC, by reyk
Branch: MAIN
Changes since 1.129: +5 -4 lines
Support more than one relay backup table. Instead of duplicating the code for main and backup table all over the place, turn the relay tables into a list attached to the relay. This improves the code and allows some other tricks with multiple tables later.

Revision 1.129, Fri Aug 24 20:13:03 2012 UTC, by jmc
Branch: MAIN
Changes since 1.128: +4 -4 lines
- rfc 5082 replaces rfc 3682; ok claudio
- flesh out SEE ALSO in bgpd.8
- fix a formatting warning in relayd.conf.5

Revision 1.128, Sat May 5 17:24:41 2012 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.127: +9 -7 lines
better description of input to mode hash/loadbalance ok sthen@ jmc@

Revision 1.127, Tue Apr 24 14:56:09 2012 UTC, by jmc
Branch: MAIN
Changes since 1.126: +7 -4 lines
take a stab at documenting when arguments need quoted, and valid macro characters;
prompted by a diff from robert peichaer org
thanks gilles and henning for feedback
ok deraadt zinke
Revision 1.126 / (download) - annotate - [select for diffs], Sat Mar 24 14:48:18 2012 UTC (12 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.125: +18 -7 lines
Diff to previous 1.125 (colored)
Allow relayd to use a separate SSL certificate for each port (/etc/ssl/host:port.crt, /etc/ssl/private/host:port.key). ok benno@, todd@ likes it too, doc tweak suggested by jmc.
Revision 1.125 / (download) - annotate - [select for diffs], Fri Jan 20 12:16:41 2012 UTC (12 years, 4 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE,
OPENBSD_5_1
Changes since 1.124: +2 -13 lines
Diff to previous 1.124 (colored)
Remove global carp demote option. It is currently broken, but also flawed by design. ok henning pyr
Revision 1.124 / (download) - annotate - [select for diffs], Fri Jun 24 14:42:36 2011 UTC (12 years, 11 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE,
OPENBSD_5_0
Changes since 1.123: +3 -3 lines
Diff to previous 1.123 (colored)
seven main sections here, not six; from Nils Anspach in the long term, i guess we should avoid documenting the number of sections, since it's meaningless and is always in danger of going out of date...
Revision 1.123 / (download) - annotate - [select for diffs], Thu Jun 23 20:35:22 2011 UTC (12 years, 11 months ago) by sthen
Branch: MAIN
Changes since 1.122: +6 -2 lines
Diff to previous 1.122 (colored)
Use a common text explaining how the various configuration parsers using the standard OpenBSD-style parse.y handle continuing lines with backslashes, paying particular attention to how comments are handled (which can cause nasty side-effects if you're not expecting it). Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey, patrick keshishian and Florian Obser, ok jmc@.
Revision 1.122 / (download) - annotate - [select for diffs], Mon May 23 10:44:59 2011 UTC (13 years ago) by reyk
Branch: MAIN
Changes since 1.121: +5 -4 lines
Diff to previous 1.121 (colored)
Support interface groups in address specifications for tables or directives like "listen on egress". Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
Revision 1.121 / (download) - annotate - [select for diffs], Thu May 5 10:20:24 2011 UTC (13 years, 1 month ago) by phessler
Branch: MAIN
Changes since 1.120: +8 -2 lines
Diff to previous 1.120 (colored)
Allow a user to specify the route priority OK reyk@ claudio@ sthen@
Revision 1.120 / (download) - annotate - [select for diffs], Sat Apr 30 07:52:33 2011 UTC (13 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.119: +3 -3 lines
Diff to previous 1.119 (colored)
no need to escape |, pointed out by jmc@ "it's worth killing, if just to stop it being copied all over the place"
Revision 1.119 / (download) - annotate - [select for diffs], Tue Apr 12 12:37:22 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.118: +7 -1 lines
Diff to previous 1.118 (colored)
update flags and printing of flags in debug mode, handle splicing flag.
Revision 1.118 / (download) - annotate - [select for diffs], Thu Apr 7 14:57:45 2011 UTC (13 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.117: +3 -3 lines
Diff to previous 1.117 (colored)
tweak previous;
Revision 1.117 / (download) - annotate - [select for diffs], Thu Apr 7 13:22:29 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.116: +11 -4 lines
Diff to previous 1.116 (colored)
Add support for divert-to which provides some benefits over rdr-to. ok mikeb@
Revision 1.116 / (download) - annotate - [select for diffs], Tue Oct 26 15:26:58 2010 UTC (13 years, 7 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.115: +2 -3 lines
Diff to previous 1.115 (colored)
no need for .Pp before lists;
Revision 1.115 / (download) - annotate - [select for diffs], Tue Oct 26 15:04:37 2010 UTC (13 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.114: +15 -3 lines
Diff to previous 1.114 (colored)
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, e.g. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@
Revision 1.114 / (download) - annotate - [select for diffs], Sun Aug 1 22:18:35 2010 UTC (13 years, 10 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8
Changes since 1.113: +5 -2 lines
Diff to previous 1.113 (colored)
Allow fallback tables for relays, not just redirections. Seems reasonable to jsg, ok phessler, no response from reyk or pyr
Revision 1.113 / (download) - annotate - [select for diffs], Tue May 18 15:09:34 2010 UTC (14 years ago) by sobrado
Branch: MAIN
Changes since 1.112: +3 -3 lines
Diff to previous 1.112 (colored)
use the right capitalization for "HyperText Transfer Protocol (HTTP)" and "server". fixes for bgplg(8) and relayd.conf(5) suggested by jmc@, good catch! ok jmc@
Revision 1.112 / (download) - annotate - [select for diffs], Tue Sep 1 13:43:36 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE,
OPENBSD_4_7
Changes since 1.111: +10 -10 lines
Diff to previous 1.111 (colored)
sync with new pf ok henning@
Revision 1.111 / (download) - annotate - [select for diffs], Thu Aug 27 11:15:20 2009 UTC (14 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.110: +3 -3 lines
Diff to previous 1.110 (colored)
lookup(n.) -> look up(v.)
Revision 1.110 / (download) - annotate - [select for diffs], Thu Aug 27 09:26:53 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.109: +8 -3 lines
Diff to previous 1.109 (colored)
allow specifying interface names as addresses, for example "listen on em0". the implementation will look up the first IPv4 address of an interface before any other IPv4 and IPv6 addresses. ok gilles@ (i got inspired by smtpd)
Revision 1.109 / (download) - annotate - [select for diffs], Thu Aug 13 13:51:21 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.108: +75 -4 lines
Diff to previous 1.108 (colored)
add new 'router' functionality to dynamically add or remove routes based on health check results, using the existing table syntax. this allows maintaining multiple (uplink) gateways to implement link balancing or WAN link failover if no routing protocol or other keepalive method is available. works fine with or without net.inet.ip.multipath enabled. ok pyr@, jmc@ for manpages
Revision 1.108 / (download) - annotate - [select for diffs], Fri Aug 7 11:10:23 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.107: +11 -9 lines
Diff to previous 1.107 (colored)
allow modifying the IP TTL value for host checks. this can be used to check if the host is only n hops away and not re-routed over a longer path.
Revision 1.107 / (download) - annotate - [select for diffs], Tue Jun 2 20:22:30 2009 UTC (15 years ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE,
OPENBSD_4_6
Changes since 1.106: +6 -16 lines
Diff to previous 1.106 (colored)
- minor tweaks
- remove unnecessary -compact from a list
- remove unnecessary Xo/Xc before it gets copied all over the place
Revision 1.106 / (download) - annotate - [select for diffs], Tue Jun 2 17:10:22 2009 UTC (15 years ago) by pyr
Branch: MAIN
Changes since 1.105: +3 -2 lines
Diff to previous 1.105 (colored)
make it clear that setting the global timeout late will mess things up.
Revision 1.105 / (download) - annotate - [select for diffs], Tue Jun 2 17:05:57 2009 UTC (15 years ago) by jj
Branch: MAIN
Changes since 1.104: +5 -2 lines
Diff to previous 1.104 (colored)
note that order is important in the file regarding global options at this time. ok pyr@
Revision 1.104 / (download) - annotate - [select for diffs], Fri Apr 24 14:20:24 2009 UTC (15 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.103: +25 -4 lines
Diff to previous 1.103 (colored)
Allow UDP and/or TCP redirections instead of just TCP. Thanks to Marek Grzybowski for feedback and testing. ok jmc@ (manpage bits)
Revision 1.103 / (download) - annotate - [select for diffs], Thu Apr 16 20:13:13 2009 UTC (15 years, 1 month ago) by sobrado
Branch: MAIN
Changes since 1.102: +5 -5 lines
Diff to previous 1.102 (colored)
fix a few more typos found by spell(1); rectify a double "with" pointed out by jmc@ while looking at this diff. ok jmc@, reyk@ (for the hostapd part)
Revision 1.102 / (download) - annotate - [select for diffs], Thu Apr 2 14:30:51 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.101: +19 -7 lines
Diff to previous 1.101 (colored)
add support to specify a ca file (e.g. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
Revision 1.101 / (download) - annotate - [select for diffs], Wed Apr 1 14:56:38 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.100: +16 -3 lines
Diff to previous 1.100 (colored)
Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course. This was tested by some people a while ago.
Revision 1.100 / (download) - annotate - [select for diffs], Mon Feb 16 19:46:12 2009 UTC (15 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE,
OPENBSD_4_5
Changes since 1.99: +4 -4 lines
Diff to previous 1.99 (colored)
relayd complains about a table called "backup", so change it to fallback, as used in /etc/relayd.conf; from Patrik Lundin
Revision 1.99 / (download) - annotate - [select for diffs], Fri Dec 5 16:37:56 2008 UTC (15 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.98: +13 -4 lines
Diff to previous 1.98 (colored)
change the way relayd reports check results: instead of logging an arbitrary string in debugging mode, it will store an error code (HCE_*) for each host. the error code can be translated to a string (in log.c) for debugging but it will also be passed to relayctl via the control socket. from a user point of view, this will print a human-readable error message in the "relayctl show hosts" output if a host is down because the check failed. the relayctl(8) manpage includes detailed explanations of the error messages including mitigations for the most common problems. ok jmc@ (manpages) ok phessler@
Revision 1.98 / (download) - annotate - [select for diffs], Sun Nov 9 12:34:47 2008 UTC (15 years, 6 months ago) by tobias
Branch: MAIN
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored)
typo fixed (overriden -> overridden) ok espie, jmc
Revision 1.97 / (download) - annotate - [select for diffs], Sun Oct 5 20:37:52 2008 UTC (15 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.96: +3 -3 lines
Diff to previous 1.96 (colored)
tweak previous;
Revision 1.96 / (download) - annotate - [select for diffs], Mon Sep 29 15:06:52 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.95: +4 -4 lines
Diff to previous 1.95 (colored)
Change parsing of comments in external rule files. The hash mark may appear in URLs (e.g. /index.html#anchor), so only allow full-line comments indicated by a hash mark # at the beginning of a line.
Revision 1.95 / (download) - annotate - [select for diffs], Mon Sep 29 14:53:35 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.94: +29 -2 lines
Diff to previous 1.94 (colored)
allow loading expect, filter, log, and remove keys from external files just containing one key per line. this allows easier use of URL white/blacklists from external sources.
Revision 1.94 / (download) - annotate - [select for diffs], Mon Sep 29 09:58:51 2008 UTC (15 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.93: +8 -3 lines
Diff to previous 1.93 (colored)
allow listening on a port range for redirections. this fixes stickiness with web applications that cannot do the clustering on their own and require stickiness with HTTP to HTTPS migration. this is required in many cases; it is a true fact that we cannot always fix the backend application in the real world. Tested and requested by many
Revision 1.93 / (download) - annotate - [select for diffs], Fri Aug 8 22:49:33 2008 UTC (15 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.92: +5 -2 lines
Diff to previous 1.92 (colored)
add a variable $SERVER_NAME which is "OpenBSD relayd" by default.
Revision 1.92 / (download) - annotate - [select for diffs], Fri Jul 25 12:29:33 2008 UTC (15 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE,
OPENBSD_4_4
Changes since 1.91: +3 -3 lines
Diff to previous 1.91 (colored)
doc fix; from David Higgs
Revision 1.91 / (download) - annotate - [select for diffs], Tue Jul 22 23:17:37 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.90: +29 -5 lines
Diff to previous 1.90 (colored)
Add dynamic IPv6-to-IPv4 and IPv4-to-IPv6 translation inspired by faithd(8) by doing a similar mapping of IPv4/6 addresses with relayd(8) and pf(4) redirections without the need of the faith(4) interface. The trick works in both directions, it can accept IPv6 connections and relay them to IPv4 hosts by extracting the last 4 octets from the IPv6 destination (like faithd(8)), and it can accept IPv4 connections and relay them to IPv6 hosts by prepending the 4 octets of the original IPv4 destination to a configured IPv6 prefix. An access list is not needed because the classification is done in pf.conf(5). It helps to get more faith in relayd. manpage bits ok jmc@ yes, sounds good todd@
Revision 1.90 / (download) - annotate - [select for diffs], Sat Jul 19 16:35:50 2008 UTC (15 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.89: +4 -4 lines
Diff to previous 1.89 (colored)
minor wording tweaks;
Revision 1.89 / (download) - annotate - [select for diffs], Sat Jul 19 10:52:32 2008 UTC (15 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.88: +13 -2 lines
Diff to previous 1.88 (colored)
If the new 'parent' keyword is specified for a host in a table, inherit the state from another host with the specified Id; no additional check will be done for the inheriting host. This helps in scenarios with lots of IP aliases that all point to the same service on the same host (like web hosting with many SSL domains). discussed with pyr, tested in different setups
Revision 1.88 / (download) - annotate - [select for diffs], Wed Jun 11 18:21:20 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.87: +8 -2 lines
Diff to previous 1.87 (colored)
add support for "transparent" forwarding in relays: normally the l7 relay will connect to the target host with its own ip address, but this mode will let it use the address of the client that is connecting from the other side. for example, there is no need to add the X-Forwarded-For HTTP headers for internal webservers in this mode anymore since they magically see the remote client ip address in the connection. it also allows building fully-transparent ssl encapsulation for tcp sessions and many other things... based on an initial idea from dlg@ and pascoe@ (dlg's talk at opencon) using the new BINDANY and divert-reply interfaces from markus@ (since n2k8) ok markus@ pyr@
Revision 1.87 / (download) - annotate - [select for diffs], Wed Jun 11 07:28:02 2008 UTC (15 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.86: +4 -4 lines
Diff to previous 1.86 (colored)
tweak the "route to" text;
Revision 1.86 / (download) - annotate - [select for diffs], Tue Jun 10 23:12:36 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.85: +4 -5 lines
Diff to previous 1.85 (colored)
set the inactivity timeout of redirections to a shorter timeout of 600 seconds by default (pf's default is 86400s), they can be cranked with the "session timeout" directive and it is consistent with relay session timeouts. also remove the hack to modify the closing timeout because pf's sloppy state handling is taking care of half connection closing now.
Revision 1.85 / (download) - annotate - [select for diffs], Tue Jun 10 22:02:28 2008 UTC (15 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.84: +22 -5 lines
Diff to previous 1.84 (colored)
use sloppy pf state keeping for routed sessions (direct server return) where we only see the client side of the TCP session; this removes the timeout limitations that we had before. document "route to" in the manpage since it is fully working now.
Revision 1.84 / (download) - annotate - [select for diffs], Wed May 7 01:49:29 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.83: +4 -1 lines
Diff to previous 1.83 (colored)
add an alternative "route to" mode to relayd redirections which maps to pf route-to instead of the default rdr. it is a first step towards support for "direct server return" (dsr), an asynchronous mode where the load balanced servers send the replies to a different gateway like a l3 switch/router to handle higher amounts of return traffic. because the state handling in pf isn't optimal for this case yet, it just sees half of the TCP connection, the sessions are forced to time out after a fixed number of seconds. discussed with many, thought about in the onsen
Revision 1.83 / (download) - annotate - [select for diffs], Tue May 6 16:23:52 2008 UTC (16 years ago) by jmc
Branch: MAIN
Changes since 1.82: +4 -2 lines
Diff to previous 1.82 (colored)
tweak previous;
Revision 1.82 / (download) - annotate - [select for diffs], Tue May 6 12:58:00 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.81: +3 -3 lines
Diff to previous 1.81 (colored)
the manpage mentioned "timeout" in relay sections, while the grammar expected the keywords "forward timeout". rename it to "session timeout" and sync the documentation with reality.
Revision 1.81 / (download) - annotate - [select for diffs], Tue May 6 12:24:12 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.80: +4 -2 lines
Diff to previous 1.80 (colored)
the message digest http check does not work on binary content, add manpage clarification. From bsd at openbsd dot rutgers dot edu, closes pr5801 ok pyr@
Revision 1.80 / (download) - annotate - [select for diffs], Mon Mar 3 23:15:55 2008 UTC (16 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE,
OPENBSD_4_3
Changes since 1.79: +4 -4 lines
Diff to previous 1.79 (colored)
tweak previous;
Revision 1.79 / (download) - annotate - [select for diffs], Mon Mar 3 16:58:41 2008 UTC (16 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.78: +5 -2 lines
Diff to previous 1.78 (colored)
log a different notification message when the tcp check times out. also adjust the documentation a little bit to decrease confusion about the check timeout. From pyr@ ok deraadt@
Revision 1.78 / (download) - annotate - [select for diffs], Mon Feb 11 13:59:57 2008 UTC (16 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.77: +4 -4 lines
Diff to previous 1.77 (colored)
tweak previous;
Revision 1.77 / (download) - annotate - [select for diffs], Mon Feb 11 10:42:50 2008 UTC (16 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.76: +13 -2 lines
Diff to previous 1.76 (colored)
Marry relayd with snmpd using new "send trap" option: Request to send an SNMP trap when the state of a host changes. relayd(8) will try to (re-)connect to snmpd(8) and request it to send a trap to the registered trap receivers, see snmpd.conf(5) for more information about the configuration. ok pyr@ thib@
Revision 1.76 / (download) - annotate - [select for diffs], Wed Dec 12 14:55:12 2007 UTC (16 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.75: +190 -186 lines
Diff to previous 1.75 (colored)
various improvements for the relay pages; ok reyk
Revision 1.75 / (download) - annotate - [select for diffs], Sun Dec 9 09:52:12 2007 UTC (16 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.74: +4 -5 lines
Diff to previous 1.74 (colored)
- kill trailing whitespace
- kill useless .Pp
Revision 1.74 / (download) - annotate - [select for diffs], Sat Dec 8 18:00:13 2007 UTC (16 years, 5 months ago) by pyr
Branch: MAIN
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)
forgotten service -> redirection ok reyk@
Revision 1.73 / (download) - annotate - [select for diffs], Sat Dec 8 17:14:26 2007 UTC (16 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.72: +8 -4 lines
Diff to previous 1.72 (colored)
make the generic handler for TCP-based protocols the default (allows using "protocol foo" without defining a type).
Revision 1.72 / (download) - annotate - [select for diffs], Sat Dec 8 17:07:09 2007 UTC (16 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.71: +212 -173 lines
Diff to previous 1.71 (colored)
some changes to the relayd.conf configuration language and grammar. the tables will look more like pf tables, it is easier to re-use tables with different options, "services" will become "redirections" (they refer to rdr pf rules), sync configuration directives of redirect (l3, ex-service) relay (l7) sections (for example "virtual host" will become "listen on"), all target definitions will start with "forward to", etc. pp. (see relay.conf(5) and etc/relayd.conf) discussed with pyr and deraadt ok pyr@
Revision 1.71 / (download) - annotate - [select for diffs], Fri Dec 7 17:28:05 2007 UTC (16 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.70: +3 -3 lines
Diff to previous 1.70 (colored)
adjust the manpages to use "Relay daemon"
Revision 1.70 / (download) - annotate - [select for diffs], Fri Dec 7 17:19:42 2007 UTC (16 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.69: +23 -23 lines
Diff to previous 1.69 (colored)
partial update of the man pages to new relayd name
Revision 1.69 / (download) - annotate - [select for diffs], Mon Nov 26 09:38:25 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.68: +16 -2 lines
Diff to previous 1.68 (colored)
allow adding labels to protocol actions, they will be printed in http error pages and can be used to refer to additional information. ok pyr@
Revision 1.68 / (download) - annotate - [select for diffs], Sun Nov 25 20:02:02 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.67: +3 -2 lines
Diff to previous 1.67 (colored)
"canonicalized hostname" instead of just "hostname" for the url action
Revision 1.67 / (download) - annotate - [select for diffs], Sat Nov 24 19:00:44 2007 UTC (16 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.66: +4 -3 lines
Diff to previous 1.66 (colored)
new sentence, new line;
Revision 1.66 / (download) - annotate - [select for diffs], Sat Nov 24 16:13:50 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.65: +23 -2 lines
Diff to previous 1.65 (colored)
extend the url lookup algorithm to match the full URL and different possible suffix/prefix combinations by stripping subdomains, path components, and the query args. ok and tested by gilles@
Revision 1.65 / (download) - annotate - [select for diffs], Fri Nov 23 09:45:33 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.64: +6 -6 lines
Diff to previous 1.64 (colored)
- use either "host name" or "hostname", i decided to use "hostname" everywhere
- a URL instead of an URL (a "you-are-el") suggested by jmc@
Revision 1.64 / (download) - annotate - [select for diffs], Fri Nov 23 09:39:42 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.63: +20 -3 lines
Diff to previous 1.63 (colored)
re-implement the "mark" action and document it in the manpage: it is possible to attach a mark to a session based on matching an entity (header, url, cookie, ...) and add conditional action for this mark. it works a bit like the tag/tagged keywords in pf, but i decided to pick a different name to avoid confusion. ok pyr@ gilles@
Revision 1.63 / (download) - annotate - [select for diffs], Thu Nov 22 10:09:53 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.62: +28 -2 lines
Diff to previous 1.62 (colored)
add (new) "url" protocol action, this can be used to match/filter URL suffix/prefix expressions like "example.com/index.html?args". a digest mode allows to match against anonymized SHA1/MD5 digests of suffix/prefix expressions.
Revision 1.62 / (download) - annotate - [select for diffs], Wed Nov 21 20:24:28 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.61: +30 -4 lines
Diff to previous 1.61 (colored)
extend action grammar with "filter value" and "expect value" as a short form for "filter * from value" or "expect * from value".
Revision 1.61 / (download) - annotate - [select for diffs], Wed Nov 21 14:25:44 2007 UTC (16 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.60: +4 -4 lines
Diff to previous 1.60 (colored)
tweak previous;
Revision 1.60 / (download) - annotate - [select for diffs], Wed Nov 21 14:12:04 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.59: +18 -4 lines
Diff to previous 1.59 (colored)
rename the "url" filter action to "query" to use the correct term. please update your hoststated.conf configurations. also add more examples to the manpage. alright pyr@
Revision 1.59 / (download) - annotate - [select for diffs], Wed Nov 21 13:04:42 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.58: +6 -4 lines
Diff to previous 1.58 (colored)
allow the http digest type to be either SHA1 or MD5 determined by the digest string length; it is compatible with any existing SHA1-only configurations. ok pyr@ gilles@
Revision 1.58 / (download) - annotate - [select for diffs], Wed Nov 21 10:19:34 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.57: +6 -2 lines
Diff to previous 1.57 (colored)
document the fact that port can be specified in table statements inside service sections. ok reyk@
Revision 1.57 / (download) - annotate - [select for diffs], Tue Nov 20 18:24:32 2007 UTC (16 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)
tweak previous;
Revision 1.56 / (download) - annotate - [select for diffs], Tue Nov 20 15:54:55 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.55: +17 -2 lines
Diff to previous 1.55 (colored)
it may be desirable to send an HTTP error page with error code and a meaningful message if an HTTP/HTTPS relay closes the connection for some reason. for example, a "403 Forbidden" if the request was rejected by a filter. this will be enabled with the "return error" option and is disabled by default, the standard behaviour is to silently drop the connection; the browser may display an empty page in this case. the look+feel of the HTTP error page can be customized with a CSS style sheet, but we do not intend to allow customization of the error page contents (hoststated is not a webserver!). ok pyr@
Revision 1.55 / (download) - annotate - [select for diffs], Tue Nov 20 15:44:21 2007 UTC (16 years, 6 months ago) by pyr
Branch: MAIN
Changes since 1.54: +4 -1 lines
Diff to previous 1.54 (colored)
Allow overriding the global interval in a table. Table specific intervals must be multiples of the global interval. help and ok reyk@
Revision 1.54 / (download) - annotate - [select for diffs], Mon Oct 22 15:45:40 2007 UTC (16 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.53: +3 -2 lines
Diff to previous 1.53 (colored)
add missing .Ed;
Revision 1.53 / (download) - annotate - [select for diffs], Mon Oct 22 12:18:15 2007 UTC (16 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.52: +11 -1 lines
Diff to previous 1.52 (colored)
add support for the include directive to the configuration file parser, based on the existing hostapd/pfctl code. ok pyr@
Revision 1.52 / (download) - annotate - [select for diffs], Fri Sep 28 13:29:56 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.51: +3 -3 lines
Diff to previous 1.51 (colored)
Correct my mail address.
Revision 1.51 / (download) - annotate - [select for diffs], Fri Sep 28 07:20:46 2007 UTC (16 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.50: +2 -2 lines
Diff to previous 1.50 (colored)
"require to +inf." is not a good verb pattern, so reword;
Revision 1.50 / (download) - annotate - [select for diffs], Fri Sep 28 01:11:58 2007 UTC (16 years, 8 months ago) by pascoe
Branch: MAIN
Changes since 1.49: +1 -1 lines
Diff to previous 1.49 (colored)
Add missing "s" to https check description. ok pyr@
Revision 1.49 / (download) - annotate - [select for diffs], Mon Sep 10 11:59:22 2007 UTC (16 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.48: +19 -3 lines
Diff to previous 1.48 (colored)
add support for relaying DNS traffic (with a little bit of packet header randomization). this adds an infrastructure to support UDP-based protocols. ok gilles@, tested by some
Revision 1.48 / (download) - annotate - [select for diffs], Wed Sep 5 09:15:10 2007 UTC (16 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.47: +4 -3 lines
Diff to previous 1.47 (colored)
add my copyright because i added a lot. ok pyr@ (who is the first copyright holder)
Revision 1.47 / (download) - annotate - [select for diffs], Tue Sep 4 14:15:05 2007 UTC (16 years, 9 months ago) by pyr
Branch: MAIN
Changes since 1.46: +31 -5 lines
Diff to previous 1.46 (colored)
Add the ability to specify a host header when using http(s) check methods. Prodded by me, done by Gilles Chehade <veins@evilkittens.org> ok reyk, jmc for the manpage bits.
Revision 1.46 / (download) - annotate - [select for diffs], Tue Jul 24 17:51:33 2007 UTC (16 years, 10 months ago) by pyr
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)
Quote digest otherwise it won't be parsed as a string.
Revision 1.45 / (download) - annotate - [select for diffs], Thu May 31 19:20:24 2007 UTC (17 years ago) by jmc
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)
convert to new .Dd format;
Revision 1.44 / (download) - annotate - [select for diffs], Tue May 29 17:12:04 2007 UTC (17 years ago) by reyk
Branch: MAIN
Changes since 1.43: +16 -1 lines
Diff to previous 1.43 (colored)
add a new check method which allows running external scripts/programs for custom evaluations. pyr agrees to put it in now but to do some improvements of the timeout handling later.
Revision 1.43 / (download) - annotate - [select for diffs], Sun May 27 19:21:15 2007 UTC (17 years ago) by reyk
Branch: MAIN
Changes since 1.42: +5 -2 lines
Diff to previous 1.42 (colored)
allow specifying table templates in the configuration file and inheriting them from multiple services or relays. this is useful if you want to use a table with the same list of hosts but different ports as specified in the relay or service section. this makes mcbride more happy ok pyr@
Revision 1.42 / (download) - annotate - [select for diffs], Thu Apr 12 14:45:45 2007 UTC (17 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.41: +8 -1 lines
Diff to previous 1.41 (colored)
add a new relay 'path' action to filter the URL path and arguments. ok pyr@
Revision 1.41 / (download) - annotate - [select for diffs], Tue Apr 10 21:45:11 2007 UTC (17 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.40: +7 -7 lines
Diff to previous 1.40 (colored)
sort entity types
Revision 1.40 / (download) - annotate - [select for diffs], Wed Mar 21 00:08:08 2007 UTC (17 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.39: +13 -4 lines
Diff to previous 1.39 (colored)
in addition to the host retry option in tables, add support for the optional connection "retry" to the forward to, service, and nat lookup options. for example, "nat lookup retry 3" is useful when running hoststated as a transparent proxy when connecting to unreliable frontend/backend servers. ok pyr@
Revision 1.39, Tue Mar 13 12:04:52 2007 UTC by reyk
Branch: MAIN
Changes since 1.38: +13 -3 lines
allow specifying the IP_TTL and IP_MINTTL options for the relays to support the Generalized TTL Security Mechanism (GTSM) according to RFC 3682. this is especially useful with inbound connections and a fixed distance to the backend servers. ok pyr@
Revision 1.38, Mon Mar 12 12:21:09 2007 UTC by reyk
Branch: MAIN
Changes since 1.37: +3 -3 lines
hoststated.conf is not a program. thanks to Sebastian Reitenbach, closes pr 5409
Revision 1.37, Tue Mar 6 19:26:46 2007 UTC by reyk
Branch: MAIN
Changes since 1.36: +8 -1 lines
add support for handling simple HTTP cookies (no per-path/domain cookies yet), for example: cookie hash "JSESSIONID" tested by some people ok pyr@
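The cookie-hash scheduling this commit introduces, as an added Python example (not hoststated/relayd code): the JSESSIONID value is taken from the Cookie header, hashed with a per-process key, and mapped onto the backends that are currently up, so every request carrying the same session cookie lands on the same host. The keyed SHA-256 hash, the backend table, the per-path/domain handling (none, as in the commit) and the behaviour when the cookie is missing are assumptions of this example, not the daemon's implementation.

```python
"""Cookie-hash backend selection, in the spirit of: cookie hash "JSESSIONID".

Added example, not code from hoststated/relayd. Hash function, key handling
and the backend table below are assumptions of the example.
"""
import hashlib
import hmac
import os
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Sequence

# Constructed backend table; "up" mirrors the state a health check would set.
BACKENDS = [
    {"name": "web1", "addr": "10.0.0.11", "up": True},
    {"name": "web2", "addr": "10.0.0.12", "up": True},
    {"name": "web3", "addr": "10.0.0.13", "up": True},
]

# Per-process secret (assumption): a keyed hash stops a client from choosing a
# cookie value that deliberately targets one backend.
HASH_KEY = os.urandom(16)


def cookie_value(cookie_header: Optional[str], name: str) -> Optional[str]:
    """Extract one simple cookie from a raw Cookie: header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None  # malformed header: treat as "no cookie"
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def pick_backend(cookie_header: Optional[str], cookie_name: str,
                 backends: Sequence[dict] = BACKENDS,
                 key: bytes = HASH_KEY) -> Optional[dict]:
    """Choose the backend for a request, or None.

    None means "no decision": either every host is down, or the request has
    no session cookie yet and the caller should fall back to its default
    scheduler (for instance round robin) and let the application set one.
    """
    live = [b for b in backends if b["up"]]
    if not live:
        return None
    value = cookie_value(cookie_header, cookie_name)
    if value is None:
        return None
    digest = hmac.new(key, value.encode("utf-8", "surrogateescape"),
                      hashlib.sha256).digest()
    # Caveat: indexing modulo the number of live hosts means a host changing
    # state re-maps existing sessions; stickiness holds only while the set of
    # up hosts is stable.
    return live[int.from_bytes(digest[:8], "big") % len(live)]


if __name__ == "__main__":
    for hdr in ("JSESSIONID=abc123", "theme=dark; JSESSIONID=abc123", "theme=dark"):
        choice = pick_backend(hdr, "JSESSIONID")
        print(hdr, "->", choice["name"] if choice else "no cookie, use default scheduler")
```

The same cookie value always selects the same entry of the live list for a given key, which is the whole point of the scheme; the test below checks that property and that a host marked down is never chosen.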
Revision 1.36, Tue Feb 27 18:04:51 2007 UTC by jmc
Branch: MAIN
Changes since 1.35: +2 -2 lines
replys -> replies;
Revision 1.35, Tue Feb 27 13:38:58 2007 UTC by reyk
Branch: MAIN
Changes since 1.34: +15 -1 lines
in addition to actions on request headers, allow defining relay actions on response headers (the reply sent by backend HTTP servers). the default and slightly faster relay streaming mode will be used if no actions are defined. for example: response change "Server" to "OpenBSD-hoststated/4.1" ok pyr@
Revision 1.34, Tue Feb 27 08:39:00 2007 UTC by reyk
Branch: MAIN
Changes since 1.33: +11 -1 lines
manpage clarification for the "change" and "append" relay actions. from Tamas TEVESZ
Revision 1.33, Tue Feb 27 08:02:33 2007 UTC by jmc
Branch: MAIN
Changes since 1.32: +5 -4 lines
tweaks;
Revision 1.32, Mon Feb 26 20:48:48 2007 UTC by pyr
Branch: MAIN
Changes since 1.31: +14 -23 lines
kill the ``use ssl'' directive for consistency across parser directives. another heads up for testers: you need to change configuration files. ok reyk@
Revision 1.31, Mon Feb 26 19:25:25 2007 UTC by reyk
Branch: MAIN
Changes since 1.30: +26 -32 lines
sync the documentation with the latest change to require a 'header' keyword for default relay actions. ok pyr@
Revision 1.30, Mon Feb 26 13:41:52 2007 UTC by jmc
Branch: MAIN
Changes since 1.29: +4 -4 lines
grammar;
Revision 1.29, Mon Feb 26 13:03:30 2007 UTC by pyr
Branch: MAIN
Changes since 1.28: +4 -4 lines
Change the ``virtual ip'' directive to ``virtual host''. You will need to update your configuration files accordingly. "just do it", reyk@
Revision 1.28, Mon Feb 26 11:59:48 2007 UTC by reyk
Branch: MAIN
Changes since 1.27: +9 -1 lines
re-use the retry value from table host entries for inbound relay connections. the relay will retry connecting to the hosts for the specified number of times. this sounds bad, but is a useful "workaround" for unreliable backend servers...
Revision 1.27, Sun Feb 25 09:04:59 2007 UTC by jmc
Branch: MAIN
Changes since 1.26: +5 -6 lines
tweaks;
Revision 1.26, Sat Feb 24 16:14:02 2007 UTC by reyk
Branch: MAIN
Changes since 1.25: +3 -3 lines
disable anonymous DH by default (cipher suite HIGH:!ADH instead of HIGH).
Revision 1.25, Sat Feb 24 15:48:54 2007 UTC by reyk
Branch: MAIN
Changes since 1.24: +11 -7 lines
disable SSLv2 and use "HIGH" crypto cipher suites by default. suggested by dlg@
Revision 1.24, Sat Feb 24 00:22:32 2007 UTC by reyk
Branch: MAIN
Changes since 1.23: +64 -9 lines
- allow specifying the SSL cipher suite and the SSL protocols (as required by the PCI DSS)
- increase the default listen backlog to 10, allow modifying the backlog as a per-protocol tcp option to improve the performance on busy systems (to get fewer connection failures on heavy load)
- close the connection if SSL_accept returned an error
- instead of logging _new_ relay sessions to syslog, log the sessions in relay_close() after they have been _finished_. this will allow to collect some additional information
- add a new log keyword to log specified header/url entities (useful to track "bad guys" using many session ids or multiple user agents)
- some minor fixes, manpage bits, and bump the copyright (for some reason, i didn't realize that we already have 2007...).
Revision 1.23, Fri Feb 23 14:54:44 2007 UTC by jmc
Branch: MAIN
Changes since 1.22: +2 -2 lines
i.e. -> e.g.; ok reyk
Revision 1.22, Thu Feb 22 09:34:06 2007 UTC by jmc
Branch: MAIN
Changes since 1.21: +6 -4 lines
put `check ssl' in the right place;
Revision 1.21, Thu Feb 22 09:20:01 2007 UTC by jmc
Branch: MAIN
Changes since 1.20: +46 -45 lines
various language/macro fixes;
Revision 1.20, Thu Feb 22 04:13:06 2007 UTC by reyk
Branch: MAIN
Changes since 1.19: +9 -2 lines
document the retry option before setting the state to down for hosts in tables.
Revision 1.19, Thu Feb 22 04:06:18 2007 UTC by reyk
Branch: MAIN
Changes since 1.18: +23 -1 lines
document the new options to manipulate carp demotion counters.
Revision 1.18, Thu Feb 22 03:32:39 2007 UTC by reyk
Branch: MAIN
Changes since 1.17: +306 -4 lines
Add layer 7 functionality to hoststated used for layer 7 load balancing, SSL acceleration, general-purpose TCP relaying, and transparent proxying. see hoststated.conf(5) and my upcoming article on undeadly.org for details. ok to commit deraadt@ pyr@
Revision 1.17, Wed Feb 7 15:17:46 2007 UTC by reyk
Branch: MAIN
Changes since 1.16: +20 -1 lines
add new "log (updates|all)" configuration option to log state notifications after completed host checks. either only log the "updates" to new states or log "all" state notifications, even if the state didn't change. the log messages will be reported to syslog or to stderr if the daemon is running in foreground mode. ok claudio@ pyr@
Revision 1.16, Mon Jan 29 18:38:15 2007 UTC by pyr
Branch: MAIN
Changes since 1.15: +6 -6 lines
manpage tweaks. advised by and ok jmc@
Revision 1.15, Mon Jan 29 14:23:31 2007 UTC by pyr
Branch: MAIN
Changes since 1.14: +24 -1 lines
Add SSL support to hoststated. with help and OK reyk@ with help and advice by claudio@ and Srebrenko Sehic
Revision 1.14, Wed Jan 10 13:42:19 2007 UTC by jmc
Branch: MAIN
Changes since 1.13: +4 -4 lines
tweaks;
Revision 1.13, Tue Jan 9 13:50:11 2007 UTC by pyr
Branch: MAIN
Changes since 1.12: +13 -13 lines
Finish renaming hostated to hoststated. Note to testers: the user the daemon changes its id to is now _hoststated, don't forget to update master.passwd. ok reyk@
Revision 1.12, Mon Jan 8 20:46:18 2007 UTC by reyk
Branch: MAIN
Changes since 1.11: +4 -5 lines
do NOT use the regexp interface. it is way too complicated, error-prone and we don't know about all the possible security problems. change the check send/expect code to use the fnmatch(3) interface using shell globbing rules instead. this allows simple patterns like "220 * ESMTP*" or "SSH-[12].??-*". suggested by deraadt@ and otto@ ok Pierre-Yves Ritschard (pyr at spootnik dot org)
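The send/expect check with glob patterns that this commit and the earlier timeout commit describe, as an added Python example (not hoststated/relayd code): a probe string is optionally sent, one reply is read with a per-check timeout, and the reply is matched with fnmatch-style globbing (only `*`, `?` and `[...]`), which cannot blow up the way an attacker-influenced regular expression can. The case-sensitive match, the 1024-byte read, the in-process fake server and the sample banners are assumptions of this example; whether the daemon passed any fnmatch(3) flags is not stated on this page.

```python
"""Send/expect service check with shell-glob patterns instead of regex.

Added example, not code from hoststated/relayd. Timeout handling, read size,
the case-sensitive match and the fake server are assumptions of the example.
"""
import fnmatch
import socket
import threading
import time


def banner_matches(banner: str, pattern: str) -> bool:
    """Glob-match a received line: * ? [..] only, no regular expressions."""
    # Trailing CR/LF is not something an operator types into the pattern.
    return fnmatch.fnmatchcase(banner.rstrip("\r\n"), pattern)


def send_expect(sock: socket.socket, send: str, expect: str,
                timeout_ms: int, max_bytes: int = 1024) -> bool:
    """One check: optionally send a probe, read one reply, glob-match it.

    A timeout, a socket error or an empty reply all count as a failed check.
    The caller must keep timeout_ms below its global check interval so that
    checks never overlap (the constraint the timeout commit enforces).
    """
    sock.settimeout(timeout_ms / 1000.0)
    try:
        if send:
            sock.sendall(send.encode("ascii"))
        data = sock.recv(max_bytes)
    except OSError:  # includes socket.timeout
        return False
    if not data:
        return False  # peer closed without sending a banner
    return banner_matches(data.decode("ascii", "replace"), expect)


def check_fake_server(banner: bytes, send: str, expect: str, timeout_ms: int,
                      delay_s: float = 0.0) -> bool:
    """Run send_expect against an in-process fake server (constructed input)."""
    client, server = socket.socketpair()

    def serve() -> None:
        try:
            if send:
                server.recv(1024)  # consume the probe before answering
            if delay_s:
                time.sleep(delay_s)  # simulates a slow or hung service
            server.sendall(banner)
        except OSError:
            pass  # the checker already gave up and closed its end
        finally:
            server.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        return send_expect(client, send, expect, timeout_ms)
    finally:
        client.close()
        worker.join(timeout=delay_s + 1.0)


if __name__ == "__main__":
    # Constructed banners: a healthy SMTP server, an HTTP HEAD probe, and a
    # server that answers only after the check timeout has expired.
    print(check_fake_server(b"220 mx.example.org ESMTP Postfix\r\n", "",
                            "220 * ESMTP*", 500))
    print(check_fake_server(b"HTTP/1.1 200 OK\r\n", "HEAD / HTTP/1.0\r\n\r\n",
                            "HTTP/1.? 200*", 500))
    print(check_fake_server(b"220 mx ESMTP\r\n", "", "220 * ESMTP*", 200,
                            delay_s=1.0))
```

One caveat worth knowing when writing patterns: `?` matches exactly one character, so the commit's "SSH-[12].??-*" matches a banner such as SSH-1.99-... but not SSH-2.0-..., whose minor version is a single digit; the test below checks both.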
Revision 1.11, Mon Jan 8 17:52:27 2007 UTC by reyk
Branch: MAIN
Changes since 1.10: +26 -6 lines
ports can be specified by number or by name
Revision 1.10, Mon Jan 8 17:05:48 2007 UTC by reyk
Branch: MAIN
Changes since 1.9: +9 -8 lines
timeouts must not exceed the global interval
Revision 1.9, Mon Jan 8 13:37:26 2007 UTC by reyk
Branch: MAIN
Changes since 1.8: +16 -1 lines
add a generic send/expect check using regular expression (see regex(3)). this allows defining additional checks for other TCP protocols. From Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.8, Wed Jan 3 09:42:30 2007 UTC by reyk
Branch: MAIN
Changes since 1.7: +7 -1 lines
allow the sticky-address option for round-robin pools. From Pierre-Yves Ritschard (pyr at spootnik dot org)
Revision 1.7, Mon Dec 25 19:07:34 2006 UTC by reyk
Branch: MAIN
Changes since 1.6: +2 -2 lines
the global timeout for checks is specified in milliseconds
Revision 1.6, Mon Dec 25 18:12:14 2006 UTC by reyk
Branch: MAIN
Changes since 1.5: +12 -4 lines
partial rewrite of the check_* routines to use libevent everywhere instead of nested select() calls and to handle the non-blocking sockets properly. From Pierre-Yves Ritschard (pyr at spootnik dot org) (with a little help by me)
Revision 1.5, Tue Dec 19 14:39:30 2006 UTC by jmc
Branch: MAIN
Changes since 1.4: +30 -30 lines
sort the various commands; discussed w/ pyr
Revision 1.4, Mon Dec 18 19:48:04 2006 UTC by jmc
Branch: MAIN
Changes since 1.3: +30 -33 lines
some initial improvements for the hostated pages;
Revision 1.3, Sat Dec 16 12:42:14 2006 UTC by reyk
Branch: MAIN
Changes since 1.2: +5 -5 lines
knf, spacing. please note that some editors will replace tabs with multiple spaces if you cut & paste code from other sections. please try to keep the tabs ;).
Revision 1.2, Sat Dec 16 11:52:51 2006 UTC by reyk
Branch: MAIN
Changes since 1.1: +20 -16 lines
new sentence, new line
Revision 1.1, Sat Dec 16 11:45:07 2006 UTC by reyk
Branch: MAIN
Import hostated, the host status daemon. This daemon will monitor remote hosts and dynamically alter pf(4) tables and redirection rules for active server load balancing. The daemon has been written by Pierre-Yves Ritschard (pyr at spootnik.org) and was formerly known as "slbd". The daemon is fully functional but it still needs some work and cleanup so we don't link it to the build yet. Some TODOs are a partial rewrite of the check_* routines (use libevent whenever we can), improvement of the manpages, and general knf and cleanup. ok deraadt@ claudio@