Relayd: Log

Article published the17 May 2020 ; modified the9 June 2021
4 minutes to read

This article has 696 words.
RAW source of the article:
Commit version: e21600e

Description

OpenBSD has, by default, in basesystem, since 5.7, the relay server named relayd.

Website: https://bsd.plumbing/
OpenBSD: 6.6, 6.7

The purpose of this article is to learn how to set up a logging of the HTTP(S) stream that passes through relayd.

So very simple!

Configuration

File configuration is: /etc/relayd.conf

Global Configuration

In first, we need to declare the global parameter log into the file config. relayd.conf(5)#log

Explainations

The following log declarations are those signification:

log state changes and log host checks are useful to follow the state of the host or the checks. Those states can be of type:
- up: if state is positive
- down: if the host is down, or the checks are not good.
- unknown: if the host is disable or not yet controled.
log connection: to log all the traffic TCP, only if relayd act as relay. 1 . Note: the option errors is useful when we will log only if TCP connections send errors.

1 In fact, relayd can be configured too as a router, or redirection server.

Filters rules

Relays are able to filter the connections by adding specific filters parameters.

We will use the action match on which we apply the logging option log. relayd.conf(5)#match This corresponding action will apply on:

cookie: an action on a cookie. 2 relayd.conf(5)#cookie
header: to target an HTTP header. relayd.conf(5)#header
path: to scan the asked URL. 2 relayd.conf(5)#path
query: to analyse the URL queries. 2 relayd.conf(5)#query
url: to get complete URL. 2 relayd.conf(5)#url

2 only available on HTTP request.

Configuration: example

The follow exampe show us five filters rules:

the first four on the matching header
the last log the complete URL

File: /etc/relayd.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


### ips externe auth
ip4 = "addresse-ipv4-public"

### manage logs
log state changes
log connection
#log connection errors

http protocol "hw" {
	match header log "Host"
	match header log "X-Forwarded-For"
	match header log "User-Agent"
	match header log "Referer"
	match url log

	block
	
	(…)
}

relay "www" {
	listen on $ip4 port 80
    protocol hw
    forward to 127.0.0.1 port 80
}

Logs

All logs are visibles into:

/var/log/daemon,
/var/log/message.

log daemon: example

Code: sh

$ grep relayd /var/log/daemon
May 17 16:37:21 sh1 relayd[25237]: relay www, session 13 (2 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:21 sh1 relayd[45869]: relay www, session 7 (2 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:21 sh1 relayd[45869]: relay www, session 8 (1 active), 0, 192.168.1.1 -> :80, done
May 17 16:37:22 sh1 relayd[25237]: relay www, session 14 (1 active), 0, 192.168.1.1 -> :80, done
May 17 17:01:19 sh1 relayd[45869]: relay www, session 9 (1 active), 0, 207.180.140.98 -> :80, Forbidden (403 Forbidden), [<em>Stop scanning for PHP: none</em>!, User-Agent: polaris] GET: Invalid argument
May 17 17:01:19 sh1 relayd[45869]: relay www, session 10 (1 active), 0, 207.180.140.98 -> :80, done
May 17 17:02:43 sh1 relayd[7531]: relay www, session 13 (1 active), 0, 84.161.80.36 -> :80, Forbidden (403 Forbidden), [<em>Stop scanning for an admin interface: none</em>!, Host: 88.136.16.221] [<em>Stop scanning for an admin interface: none</em>!, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36] [<em>Stop scanning for an admin interface: none</em>!, 88.136.16.221/phpmyadmin/] GET: Invalid argument

Into this example, we have:

done connections
failed connections, error 403, bloqued by filters rule block

log message: example

Code: sh

$ grep relayd /var/log/messages
May 17 16:22:23 sh1 relayd[7531]: relay www, session 11 (1 active), 0, 37.49.230.25 -> :80, Forbidden (403 Forbidden), [<em>Stop scanning for PHP: none</em>!, User-Agent: Uirusu/2.0] GET: Invalid argument
May 17 17:01:19 sh1 relayd[45869]: relay www, session 9 (1 active), 0, 207.180.140.98 -> :80, Forbidden (403 Forbidden), [<em>Stop scanning for PHP: none</em>!, User-Agent: polaris] GET: Invalid argument
May 17 17:02:43 sh1 relayd[7531]: relay www, session 13 (1 active), 0, 84.161.80.36 -> :80, Forbidden (403 Forbidden), [<em>Stop scanning for an admin interface: none</em>!, Host: 88.136.16.221] [<em>Stop scanning for an admin interface: none</em>!, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36] [<em>Stop scanning for an admin interface: none</em>!, 88.136.16.221/phpmyadmin/] GET: Invalid argument

In this other example, we see 3 writing about bloqued rules, with error 403.

Documentations

Manpages

relayd.conf(5)