Description
OpenBSD ships the relay server relayd in the base system by default since 5.7.
- Website: https://bsd.plumbing/
- OpenBSD: 6.6, 6.7
The purpose of this article is to show how to set up logging of the HTTP(S) traffic that passes through relayd.
It is very simple!
Configuration
- The configuration file is:
/etc/relayd.conf
Global Configuration
First, we need to declare the global parameter log in the configuration file.
relayd.conf(5)#log
Explanations
The log declarations have the following meanings:
- log state changes and log host checks are useful to follow the state of the hosts or of the checks. Those states can be:
  - up: the state is positive
  - down: the host is down, or the checks are failing
  - unknown: the host is disabled or has not yet been checked
- log connection: logs all TCP traffic, only if relayd acts as a relay. [1]
Note: the option errors is useful when we want to log only the TCP connections that produce errors.
[1] In fact, relayd can also be configured as a router or a redirection server.
Filter rules
Relays are able to filter the connections by adding specific filter parameters.
We will use the action match, on which we apply the logging option log.
relayd.conf(5)#match
This action can be applied on:
- cookie: an action on a cookie. [2] relayd.conf(5)#cookie
- header: to target an HTTP header. relayd.conf(5)#header
- path: to scan the requested URL path. [2] relayd.conf(5)#path
- query: to analyse the URL query. [2] relayd.conf(5)#query
- url: to get the complete URL. [2] relayd.conf(5)#url
[2] Only available on HTTP requests.
Configuration: example
The following example shows five filter rules:
- the first four match on headers
- the last logs the complete URL
### external auth IPs
ip4 = "addresse-ipv4-public"
### manage logs
log state changes
log connection
#log connection errors
http protocol "hw" {
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
block
(…)
}
relay "www" {
listen on $ip4 port 80
protocol hw
forward to 127.0.0.1 port 80
}
Logs
All logs are visible in:
/var/log/daemon, /var/log/messages.
daemon log: example
$ grep relayd /var/log/daemon
May 17 16:37:21 sh1 relayd[25237]: relay www, session 13 (2 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:21 sh1 relayd[45869]: relay www, session 7 (2 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:21 sh1 relayd[45869]: relay www, session 8 (1 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:22 sh1 relayd[25237]: relay www, session 14 (1 active), 0, 192.168.1.1 -> :80, done
May 17 17:01:19 sh1 relayd[45869]: relay www, session 9 (1 active), 0, 207.180.140.98 -> :80, Forbidden (403 Forbidden), [Stop scanning for PHP: none!, User-Agent: polaris] GET: Invalid argument
May 17 17:01:19 sh1 relayd[45869]: relay www, session 10 (1 active), 0, 207.180.140.98 -> :80, done
May 17 17:02:43 sh1 relayd[7531]: relay www, session 13 (1 active), 0, 84.161.80.36 -> :80, Forbidden (403 Forbidden), [Stop scanning for an admin interface: none!, Host: 88.136.16.221] [Stop scanning for an admin interface: none!, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36] [Stop scanning for an admin interface: none!, 88.136.16.221/phpmyadmin/] GET: Invalid argument
In this example, we have:
- completed connections (done)
- failed connections, error 403, blocked by the filter rule block
messages log: example
$ grep relayd /var/log/messages
May 17 16:22:23 sh1 relayd[7531]: relay www, session 11 (1 active), 0, 37.49.230.25 -> :80, Forbidden (403 Forbidden), [Stop scanning for PHP: none!, User-Agent: Uirusu/2.0] GET: Invalid argument
May 17 17:01:19 sh1 relayd[45869]: relay www, session 9 (1 active), 0, 207.180.140.98 -> :80, Forbidden (403 Forbidden), [Stop scanning for PHP: none!, User-Agent: polaris] GET: Invalid argument
May 17 17:02:43 sh1 relayd[7531]: relay www, session 13 (1 active), 0, 84.161.80.36 -> :80, Forbidden (403 Forbidden), [Stop scanning for an admin interface: none!, Host: 88.136.16.221] [Stop scanning for an admin interface: none!, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36] [Stop scanning for an admin interface: none!, 88.136.16.221/phpmyadmin/] GET: Invalid argument
In this other example, we see 3 entries about blocked requests, with error 403.
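As an added example (not part of the original article, and not relayd's own code), here is a small Python parser for the relay log lines shown in both excerpts above: it splits each line into its fields, extracts the [label, Header: value] groups written by the match ... log rules, and counts completed sessions versus those blocked with a 403. The sample lines are constructed in the same format with documentation-range addresses, and the field names (ts, relay, session, tag, src, ...) are my own labels for the positions in the line.

```python
import re
from collections import Counter

# Constructed sample in the format relayd writes to /var/log/daemon (not a real capture;
# documentation-range addresses, shortened User-Agent). Field names are my own labels.
SAMPLE_LOG = """\
May 17 16:37:21 sh1 relayd[25237]: relay www, session 13 (2 active), 0, 192.168.1.1 -> :80, done
May 17 17:01:19 sh1 relayd[45869]: relay www, session 9 (1 active), 0, 203.0.113.7 -> :80, Forbidden (403 Forbidden), [Stop scanning for PHP: none!, User-Agent: polaris] GET: Invalid argument
May 17 17:02:43 sh1 relayd[7531]: relay www, session 13 (1 active), 0, 198.51.100.9 -> :80, Forbidden (403 Forbidden), [Stop scanning for an admin interface: none!, Host: 192.0.2.10] [Stop scanning for an admin interface: none!, User-Agent: Mozilla/5.0 (KHTML, like Gecko)] [Stop scanning for an admin interface: none!, 192.0.2.10/phpmyadmin/] GET: Invalid argument
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) relayd\[(?P<pid>\d+)\]: "
    r"relay (?P<relay>[^,]+), session (?P<session>\d+) \((?P<active>\d+) active\), "
    r"(?P<tag>\d+), (?P<src>\S+) -> (?P<dst>[^,]*), (?P<result>.*)$")
BRACKET_RE = re.compile(r"\[([^\]]*)\]")     # one [...] group per "match ... log" hit
STATUS_RE = re.compile(r"\((\d{3}) [^)]*\)")   # e.g. "(403 Forbidden)"

def parse_line(line):
    """Parse one relayd relay log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["session"], rec["active"] = int(rec["session"]), int(rec["active"])
    rec["done"] = rec["result"] == "done"
    status = STATUS_RE.search(rec["result"])
    rec["status"] = int(status.group(1)) if status else None
    rec["logged"] = []  # (rule label, key, value) per "[label, Key: value]" group
    for group in BRACKET_RE.findall(rec["result"]):
        label, _, kv = group.partition(", ")  # label = text before the first ", "
        key, sep, value = kv.partition(": ")
        if not sep:                           # "match url log" writes the bare URL, no key
            key, value = "url", kv
        rec["logged"].append((label, key, value))
    return rec

def summarize(text):
    """Count completed vs. 403-blocked sessions, plus blocked sources and their User-Agents."""
    out = {"done": 0, "blocked": 0, "by_source": Counter(), "user_agents": Counter()}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["done"]:
            out["done"] += 1
        elif rec["status"] == 403:
            out["blocked"] += 1
            out["by_source"][rec["src"]] += 1
            out["user_agents"].update(v for _, k, v in rec["logged"] if k == "User-Agent")
    return out
```

Run it against a real file with summarize(open("/var/log/daemon").read()) to get the count of blocked sessions per source address and the User-Agents that hit the block rules.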