Re: nginx optimizing

2024-06-15 Thread Dan
As httpd is the default webserver of OpenBSD, I think you're out of luck.

But you can start from here:
https://blog.nginx.org/blog/performance-tuning-tips-tricks

remembering that you should test settings one by one, as some
of them, e.g. "aio", are not compatible with OpenBSD.


Jun 15, 2024 13:52:50 Corey Hickman :

> Hello
> 
> Is there any doc for optimizing nginx on openbsd server? for example, to get 
> better performance (QPS, throughput etc).



nginx optimizing

2024-06-15 Thread Corey Hickman
Hello

Is there any doc for optimizing nginx on openbsd server? for example, to get 
better performance (QPS, throughput etc).

Thanks.



Re: nginx + php = system() not working?

2024-05-25 Thread Noth

On 25/05/2024 17:51, F Bax wrote:
> I tried a few things with nginx not in chroot; but got permission 
> errors. The message provided no clue as to which file/directory might 
> be causing it; so eventually I gave up.
> After some brainstorming; we decided to run inside chroot; use php 
> functions other than system() and use a cron job to do the work that 
> is outside chroot.
> Now a new issue; nginx does not start during boot; yet does start 
> manually - why? The following commands were issued immediately after boot.
> 
> # cat /etc/rc.conf.local
> nginx_flags=""
> pkg_scripts=php83_fpm
> # /etc/rc.d/nginx start


You forgot to run rcctl enable nginx so that nginx is added to the 
pkg_scripts= line. Only system daemons can be enabled by adding them as 
$daemon_flags= in /etc/rc.conf.local . Package daemons must be 
explicitly added to pkg_scripts= .


Cheers,

Noth




Re: nginx + php = system() not working?

2024-05-25 Thread F Bax
I tried a few things with nginx not in chroot; but got permission errors.
The message provided no clue as to which file/directory might be causing
it; so eventually I gave up.
After some brainstorming; we decided to run inside chroot; use php
functions other than system() and use a cron job to do the work that is
outside chroot.
Now a new issue; nginx does not start during boot; yet does start
manually - why? The following commands were issued immediately after boot.
# cat /etc/rc.conf.local
nginx_flags=""
pkg_scripts=php83_fpm
# /etc/rc.d/nginx start


nginx(ok)

On Fri, May 17, 2024 at 10:19 AM Souji Thenria 
wrote:

> On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> > In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> > (home directory of a real user).
> > reboot system and now browser is refused connection
> > This site can’t be reached 192.168.1.131 refused to connect.
> > Neither /var/www/logs/{access|error}.log is changed.
> > What else needs to change?
>
> Can you verify that nginx is running?
> You may have an error in your configuration. You can check the nginx
> configuration using nginx -t.
>
> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.
>
> Regards,
> Souji
>


Re: nginx + php = system() not working?

2024-05-18 Thread Stuart Henderson
On 2024-05-17, Martijn van Duren  wrote:
> On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
>> I think I missed something simple? I installed 7.5 release in a VM. I then 
>> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
>> # rcctl enable php83_fpm
>> # rcctl start php83_fpm
>> I found an issue with php system() function; so created this simple script 
>> which produces "HiThere"; why is the date not presented?
>> 
>> >   echo 'Hi';
>>   system( 'date' );
>>   echo 'There';
>> ?>
>
> All the advice I've seen is horrible. chroot isn't enabled by default
> without a reason (php and security have a history).
> My first question would be why you need system() in the first place.
> If you need the date/time, just use
> https://www.php.net/manual/en/class.datetime.php. If it's just a proof
> of concept be more precise in what you want to achieve and see if
> there's a PHP library equivalent. If there's no reasonable way to
> achieve it (which I highly doubt) I advise to copy the required binary
> (and dependencies) into the chroot and make a memo to keep them up to
> date.

There's some information about this in PHP's pkg-readme file.

-- 
Please keep replies on the mailing list.



Re: nginx + php = system() not working?

2024-05-17 Thread Dan


"Souji Thenria"  wrote:

> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.

As per the above suggestion, double check that the user you run
nginx as (usually www) has access, at least through its group, to
the prefix directory declared by the -p flag and to its subfolders
(and clearly you can't manage to do that on a user home dir..).

Then you should double check your phpfpm user and group by the
php-fpm.conf in the following declarations:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www


-dan



Re: nginx + php = system() not working?

2024-05-17 Thread Souji Thenria

On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:

> In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> (home directory of a real user).
> reboot system and now browser is refused connection
> This site can’t be reached 192.168.1.131 refused to connect.
> Neither /var/www/logs/{access|error}.log is changed.
> What else needs to change?


Can you verify that nginx is running?
You may have an error in your configuration. You can check the nginx
configuration using nginx -t.

Another issue might be that nginx is still running as www and doesn't
have access to /home/Testing.

Regards,
Souji



Re: nginx + php = system() not working?

2024-05-17 Thread Martijn van Duren
On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
> I think I missed something simple? I installed 7.5 release in a VM. I then 
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script 
> which produces "HiThere"; why is the date not presented?
> 
> <?php
>   echo 'Hi';
>   system( 'date' );
>   echo 'There';
> ?>

All the advice I've seen is horrible. chroot isn't enabled by default
without a reason (php and security have a history).
My first question would be why you need system() in the first place.
If you need the date/time, just use
https://www.php.net/manual/en/class.datetime.php. If it's just a proof
of concept be more precise in what you want to achieve and see if
there's a PHP library equivalent. If there's no reasonable way to
achieve it (which I highly doubt) I advise to copy the required binary
(and dependencies) into the chroot and make a memo to keep them up to
date.

martijn@



Re: nginx + php = system() not working?

2024-05-17 Thread F Bax
Thanks for the tips and security warnings Mike, Souji and Dan,
In php-fpm.conf - I changed "; chroot = /var/www" to comment.
In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
(home directory of a real user).
reboot system and now browser is refused connection
This site can’t be reached 192.168.1.131 refused to connect.
Neither /var/www/logs/{access|error}.log is changed.
/var/log/php-fpm.log shows normal startup; then nothing in any /var/log/
files.
[17-May-2024 09:41:59] NOTICE: fpm is running, pid 8072
[17-May-2024 09:41:59] NOTICE: ready to handle connections
What else needs to change?


Re: nginx + php = system() not working?

2024-05-17 Thread Dan



It can even help to run nginx in "unsecure mode" if you want to stay
not chrooted:

nginx_flags="-u -p /home/mytests"

man nginx

; while php-fpm.conf should remain with the default values 
; in this case..


-dan


Mike Fischer  wrote:

> 
> > Am 17.05.2024 um 03:58 schrieb F Bax :
> > 
> > I think I missed something simple? I installed 7.5 release in a VM.
> > I then installed nginx and PHP 8.3.3; with pkg_add. I then ran
> > these two commands: # rcctl enable php83_fpm # rcctl start php83_fpm
> > I found an issue with php system() function; so created this simple
> > script which produces "HiThere"; why is the date not presented?
> > <?php
> >   echo 'Hi';
> >   system( 'date' );
> >   echo 'There';
> > ?>
> 
> You are probably running the php83_fpm process accessed from nginx in
> the default chroot(2) environment? 



Re: nginx + php = system() not working?

2024-05-17 Thread Dan
May 17, 2024 11:30:25 Souji Thenria :

> -u   By default nginx will chroot(2) to the home
>  directory of the user running the daemon, typically
>  "www", or to the home directory of user in
>  nginx.conf.  The -u option disables this behaviour,
>      and returns nginx to the original "unsecure"
>  behaviour.
>
> But it doesn't do it on other systems; I cross-checked with nginx
> installed on a FreeBSD, where this option doesn't exist.


Indeed take care about this option as I use it every day in my dev 
environment.. ;-)



Re: nginx + php = system() not working?

2024-05-17 Thread Souji Thenria

On Fri May 17, 2024 at 4:38 AM BST, Mike Fischer wrote:

> OpenBSD httpd would be a different situation because it runs in a
> chroot(2) environment by default. You can’t call on a PHP-FPM process
> that is not also running in the chroot(2) environment. The
> communication between httpd(8) and PHP-FPM fails due to differing
> opinions about the root of the filesystem when applied to the paths
> passed from httpd to PHP-FPM. At least I have not managed to get this
> to work.
> 
> But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does
> not need to either.


On OpenBSD, nginx chroots its process by default. Here is a snippet from
the man page nginx(8).

-u   By default nginx will chroot(2) to the home
directory of the user running the daemon, typically
"www", or to the home directory of user in
nginx.conf.  The -u option disables this behaviour,
and returns nginx to the original "unsecure"
behaviour.

But it doesn't do it on other systems; I cross-checked with nginx
installed on a FreeBSD, where this option doesn't exist.

Since nginx and php_fpm chroot their processes to the same directory (if
not changed), nginx should be able to write to the php_fpm socket.



Re: nginx + php = system() not working?

2024-05-16 Thread Mike Fischer


> Am 17.05.2024 um 03:58 schrieb F Bax :
> 
> I think I missed something simple? I installed 7.5 release in a VM. I then 
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script 
> which produces "HiThere"; why is the date not presented?
> <?php
>   echo 'Hi';
>   system( 'date' );
>   echo 'There';
> ?>

You are probably running the php83_fpm process accessed from nginx in the 
default chroot(2) environment? If so you need to reconfigure your 
/etc/php-fpm.conf to not use chroot(2) — comment the line »chroot = /var/www« — 
or install /bin/date and a /bin/sh into /var/www. (Note that PHP needs a shell 
to execute shell commands and the date command is not present in the chroot(2) 
environment by default either.)

Your test script works for me in Apache httpd and a php-fpm.conf without 
chroot(2) (in a non-public setting).

So I don’t think this is related to nginx specifically. Could happen with 
OpenBSD httpd and PHP-FPM as well. Basically in any situation where PHP-FPM is 
running chroot(2)ed.

OpenBSD httpd would be a different situation because it runs in a chroot(2) 
environment by default. You can’t call on a PHP-FPM process that is not also 
running in the chroot(2) environment. The communication between httpd(8) and 
PHP-FPM fails due to differing opinions about the root of the filesystem when 
applied to the paths passed from httpd to PHP-FPM. At least I have not managed 
to get this to work.

But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does not need 
to either.

Note: If you need both you can configure your /etc/php-fpm.conf to spawn both 
chroot(2)ed and non-chroot(2)ed workers with differing sockets. I’m doing this 
on a machine running both OpenBSD httpd and Apache httpd with PHP based web 
pages.


HTH
Mike

PS. Hopefully you are aware that running shell commands from a publicly 
accessible web server can lead to serious security issues? Be very careful when 
configuring access restrictions to the affected URLs and when constructing the 
UNIX commands you plan to execute.



nginx + php = system() not working?

2024-05-16 Thread F Bax
I think I missed something simple? I installed 7.5 release in a VM. I then
installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
# rcctl enable php83_fpm
# rcctl start php83_fpm
I found an issue with php system() function; so created this simple script
which produces "HiThere"; why is the date not presented?

<?php
  echo 'Hi';
  system( 'date' );
  echo 'There';
?>


Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-26 Thread Stuart Henderson
On 2023-09-25, Tobias Fiebig  wrote:
> On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
>> Either this, or the TLS 1.3 code was always buggy, but now
>> it was actually used per default.
> Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also
> on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on
> earlier versions.
>
> Still, the earlier versions i had been running seemed to support
> tlsv1.3, at least according to s_client. But the use as default might
> change things.

The www/nginx port has had working TLS 1.3 since 2020, I've been using
it pretty much since that happened.

It will be difficult to get reports from others about this on 7.3
because nginx was not updated to 1.24.0 in ports until after 7.3.

FWIW I'm using 1.24.0 on -current from Jul 31st with no issues.

I would try updating the problematic system to new -current (7.4-beta)
with snapshot packages rather than self-built nginx. If that fixes it
anyway then good. If not then we have a data point more likely to be
reproducible by others, and maybe a chance of fixing before 7.4 is
totally locked down.

> pdns itself is not leaking, the memory is hogged by mariadb. But (given
> everything runs via unix sockets) i am not using TLS in that stack at
> all. This is what initially nudged me a bit towards other functions that
> might be used from libressl (sha* or something used in auth maybe?).

My reasonably busy traccar/mariadb 7.3 box has stable memory use from
mariadb (sitting around 13G, with innodb_buffer_pool_size=12G).

...

"memory leak" doesn't give much of an idea of what's going on, some data
would be good. KB, MB, GB? per minute? hour? if you fire a bunch of requests
at it, does that increase the rate or does it not matter?

>> > > But yes, getting a specific commit there will be helpful.
>> > Sadly it turns out that it is the commit i feared it would be:
>> > 
>> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
>> > > Author: Maxim Dounin 
>> > > Date:   Fri Mar 24 02:57:43 2023 +0300
>> > > 
>> > >     SSL: enabled TLSv1.3 by default.
>> > 
>> > Feared, because it basically puts me back to start w.r.t. what the
>> > root
>> > cause might be; Could be anything that happened to TLSv1.3 code in
>> > either LibreSSL or Nginx.


-- 
Please keep replies on the mailing list.
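
Added example, not code from the thread: Stuart asks for numbers (KB or MB, per minute or per hour), and the discussion then turns on whether the TLSv1.3 default changed anything. The POSIX sh below collects the resident set size of the nginx processes with OpenBSD's ps(1) (-axo rss,command is assumed) and fits a least-squares growth rate to the samples, so the same measurement can be repeated on a host with TLSv1.3 turned off. The SAMPLE data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn "memory leak" into a rate.
#   sample_rss PATTERN  - resident set size in KB, summed over all processes
#                         whose command line matches PATTERN
#                         (assumes OpenBSD ps(1): ps -axo rss,command)
#   rss_slope           - least-squares growth rate in KB per minute, from
#                         "<seconds> <rss_kb>" lines read on stdin
# SAMPLE below is constructed data, not a measurement.

sample_rss() {
    ps -axo rss,command | awk -v pat="$1" '
        # skip the header row and the awk process running this very filter
        NR > 1 && $0 ~ pat && $2 !~ /awk$/ { total += $1 }
        END { print total + 0 }'
}

rss_slope() {
    awk '
        { n++; sx += $1; sy += $2; sxx += $1 * $1; sxy += $1 * $2 }
        END {
            d = n * sxx - sx * sx
            if (n < 2 || d == 0) { print "n/a"; exit 1 }
            slope = (n * sxy - sx * sy) / d      # KB per second
            printf "%.1f\n", slope * 60          # KB per minute
        }'
}

# On the host under suspicion, take one sample per minute for a few hours
# (stop with ^C), then fit the line:
#   while :; do printf '%s %s\n' "$(date +%s)" "$(sample_rss nginx)"; sleep 60; done >> nginx.rss
#   rss_slope < nginx.rss
# Repeat on a host whose nginx has "ssl_protocols TLSv1.2;" set, and
# compare the two rates; a steady positive slope under load is a leak,
# a step that flattens out is just the allocator warming up.

SAMPLE='0 51200
60 51840
120 52500
180 53110
240 53760'
printf 'constructed sample: %s KB/min\n' "$(printf '%s\n' "$SAMPLE" | rss_slope)"
```

Fire a known number of requests (or none) during each run: if the slope scales with request rate, the leak is per connection, which is what one would expect from a TLS handshake path; if it does not, the requests are not the trigger.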



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-25 Thread Tobias Fiebig
On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
> Either this, or the TLS 1.3 code was always buggy, but now
> it was actually used per default.
Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also
on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on
earlier versions.

Still, the earlier versions i had been running seemed to support
tlsv1.3, at least according to s_client. But the use as default might
change things.


> Question: is there a similar
> commit in your DNS server? Do you use this DNS server with 
> anything like TLS?
pdns itself is not leaking, the memory is hogged by mariadb. But (given
everything runs via unix sockets) i am not using TLS in that stack at
all. This is what initially nudged me a bit towards other functions that
might be used from libressl (sha* or something used in auth maybe?).
But this will need some more test-setups to run for some time; I will
be able to setup automation for that in the coming weeks.

With best regards,
Tobias

> On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> > 
> > > But yes, getting a specific commit there will be helpful.
> > Sadly it turns out that it is the commit i feared it would be:
> > 
> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> > > Author: Maxim Dounin 
> > > Date:   Fri Mar 24 02:57:43 2023 +0300
> > > 
> > >     SSL: enabled TLSv1.3 by default.
> > 
> > Feared, because it basically puts me back to start w.r.t. what the
> > root
> > cause might be; Could be anything that happened to TLSv1.3 code in
> > either LibreSSL or Nginx.
> 

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-25 Thread Rudolf Leitgeb
Either this, or the TLS 1.3 code was always buggy, but now
it was actually used per default. Question: is there a similar
commit in your DNS server? Do you use this DNS server with 
anything like TLS?

On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> 
> > But yes, getting a specific commit there will be helpful.
> Sadly it turns out that it is the commit i feared it would be:
> 
> > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> > Author: Maxim Dounin 
> > Date:   Fri Mar 24 02:57:43 2023 +0300
> > 
> >     SSL: enabled TLSv1.3 by default.
> 
> Feared, because it basically puts me back to start w.r.t. what the
> root
> cause might be; Could be anything that happened to TLSv1.3 code in
> either LibreSSL or Nginx.



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Tobias Fiebig


> But yes, getting a specific commit there will be helpful.
Sadly it turns out that it is the commit i feared it would be:

> commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> Author: Maxim Dounin 
> Date:   Fri Mar 24 02:57:43 2023 +0300
> 
> SSL: enabled TLSv1.3 by default.

Feared, because it basically puts me back to start w.r.t. what the root
cause might be; Could be anything that happened to TLSv1.3 code in
either LibreSSL or Nginx.

I guess the next step is going through all commits of libressl between
what is in 7.2 and 7.3.

With best regards,
Tobias



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Daniele B.


My dev environment on 7.3 is completely different but a little more standard.
I share about my nginx:

wiz$ pkg_info nginx

Information for inst:nginx-1.22.0p0

Comment:
robust and small HTTP server and mail proxy server

Description:
This is the stable branch of nginx, as distributed by nginx.org.

nginx provides FastCGI and reverse HTTP proxying, with or without caching,
including simple load balancing and fault tolerance.

It has a modular architecture.  Filters include gzipping, byte ranges,
chunked responses, and SSI.  Multiple SSI inclusions within a single page
can be processed in parallel if they are handled by FastCGI or proxied
servers.  SSL and TLS SNI are supported.

Maintainer: Robert Nagy 

WWW: https://nginx.org/

wiz$ ldd /usr/local/sbin/nginx
/usr/local/sbin/nginx:
        Start        End          Type  Open Ref GrpRef Name
        0f5043481000 0f50435b4000 exe   1    0   0      /usr/local/sbin/nginx
        0f52fcc29000 0f52fcc6f000 rlib  0    1   0      /usr/local/lib/libpcre.so.3.0
        0f52dabca000 0f52dac3a000 rlib  0    1   0      /usr/lib/libssl.so.53.2
        0f52b0c0e000 0f52b0e69000 rlib  0    2   0      /usr/lib/libcrypto.so.50.2
        0f52e1cf9000 0f52e1d17000 rlib  0    1   0      /usr/lib/libz.so.7.0
        0f531de9f000 0f531df95000 rlib  0    1   0      /usr/lib/libc.so.97.0
        0f53165dc000 0f53165dc000 ld.so 0    1   0      /usr/libexec/ld.so

I also own MariaDB, 10.9.4.

I underline that on my system "pkg_info mysql" or "pkg_info mariadb" return 
blank and back to cursor.


-- Daniele Bonini


Tobias Fiebig  wrote:

> Moin,
> 
> I have been dealing with memory-leaks on a host running an nginx
> reverse proxy for some time. The host had been running 7.2 with nginx
> 1.23.1 (self compiled as i need some features not in the package)
> until May, which was fine.
> 
> After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> leakage over time. I initially attributed this to nginx, and solved
> the issue by ignoring it/throwing a bit more memory at the box for
> some time. However, I started debugging it now and could trace it to
> some commit between nginx 1.23.3 and 1.23.4; Currently, I am going
> through all commits to see with which version it first appears.
> 
> However, clicking around this morning, i noticed that my primary NS
> shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> mysql backend, both from packages) since the upgrade to 7.3 in May as
> well. One further host seems to show a significantly higher use of
> inactive memory since 7.3. I found one more host with mariadb that now
> shows a higher utilization of inactive memory (gitea+maria); However,
> other maria+X instances on 7.3 run fine.
> 
> On the PowerDNS+Mysql host I also see gradually increasing CPU load
> along with the memory leakage.
> 
> Restarting mysql and/or nginx resolves the issue for some time. I also
> saw the issue on a host running maria+nextcloud, where i fixed it by
> switching to postgres. Maria is still running there, but not receiving
> any requests, and the memory leak is gone.
> 
> Images:
> 
> https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-cpu-year.png
> https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-memory-year.png
> 
> https://rincewind.home.aperture-labs.org/~tfiebig/nginx-rev-proxy-memory-year.png
> 
> https://rincewind.home.aperture-labs.org/~tfiebig/gitea-maria-memory-year.png
> 
> https://rincewind.home.aperture-labs.org/~tfiebig/nextcloud-maria-switched-to-postgres-memory-year.png
> 
> All hosts are VMs on Linux/KVM hosts (proxmox), with a generic
> qemu-kvm processor as CPU type, running 7.3. 
> 
> Hence, I am no longer 100% convinced that this is an nginx problem. To
> help circling this in a bit closer (and maybe get it reproducible in a
> first step): 
> 
> Did anyone else experience memory leakage on openbsd with mariadb or a
> self-built >=nginx-1.23.4 (or other applications) since the upgrade to
> 7.3?
> 
> With best regards,
> Tobias
> 



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Tobias Fiebig
On Sun, 2023-09-24 at 13:07 +0200, Rudolf Leitgeb wrote:
> This libpcre2 library seems to be the only one, which is not
> used all over the place. The library itself may not even be buggy, it
> may just return something, which the new versions of the caller can't
> handle, or it may be unhappy with something the new callers send.
> 
> Still: if you can tie this memory/cpu leak to the interaction between
> application and that library, it should be much easier to identify
> the offending commit in nginx and all the other affected programs.
Yes, _if_ it is that library. I would not fully set my sights on that
yet. Nginx has the benefit of having a cut somewhere that triggers
this; Hopefully the tests are done soon (i went for brute force instead
of binary search; takes four days but requires no interaction).

But yes, getting a specific commit there will be helpful.

> I just saw, that the version 8 of libpcre2 seems to be quite a bit
> behind the current version: 
> https://github.com/PCRE2Project/pcre2/releases
> 
> Is this intentional?
I am using what comes from the packages/ports. So the intentions on
that are with the maintainers there.

With best regards,
Tobias



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Rudolf Leitgeb
This libpcre2 library seems to be the only one, which is not
used all over the place. The library itself may not even be buggy, it
may just return something, which the new versions of the caller can't 
handle, or it may be unhappy with something the new callers send.

Still: if you can tie this memory/cpu leak to the interaction between
application and that library, it should be much easier to identify
the offending commit in nginx and all the other affected programs.

I just saw, that the version 8 of libpcre2 seems to be quite a bit
behind the current version: 
https://github.com/PCRE2Project/pcre2/releases


Is this intentional?


On Sun, 2023-09-24 at 12:59 +0200, Tobias Fiebig wrote:
> They do, but nothing special. The common set between nginx and mysqld
> is:
> 
> /usr/local/lib/libpcre2-8.so.0.6
> /usr/lib/libssl.so.53.2
> /usr/lib/libcrypto.so.50.2
> /usr/lib/libz.so.7.0
> /usr/lib/libc.so.97.0
> /usr/libexec/ld.so
> 
> However, an affected nginx (1.24.0) does not differ from an unaffected
> nginx (1.23.1). 
> 
> I somewhat hope that my testing through nginx commits will yield what
> calls are actually involved, and may allow me to see whether mysql is
> pushed into similar codepaths on affected systems (and not on
> unaffected ones), likely giving a better hint as to where the issue
> is.
> 
> With best regards,
> Tobias
> 
> On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote:
> > Do the affected programs use the same libraries?
> > 
> > On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> > > After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> > > leakage over time. I initially attributed this to nginx, and solved the
> > > issue by ignoring it/throwing a bit more memory at the box for some
> > > time. However, I started debugging it now and could trace it to some
> > > commit between nginx 1.23.3 and 1.23.4; Currently, I am going through
> > > all commits to see with which version it first appears.
> > > 
> > > However, clicking around this morning, i noticed that my primary NS
> > > shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> > > mysql backend, both from packages) since the upgrade to 7.3 in May as
> > > well. One further host seems to show a significantly higher use of
> > > inactive memory since 7.3. I found one more host with mariadb that now
> > > shows a higher utilization of inactive memory (gitea+maria); However,
> > > other maria+X instances on 7.3 run fine.
> > 
> 



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Tobias Fiebig
They do, but nothing special. The common set between nginx and mysqld
is:

/usr/local/lib/libpcre2-8.so.0.6
/usr/lib/libssl.so.53.2
/usr/lib/libcrypto.so.50.2
/usr/lib/libz.so.7.0
/usr/lib/libc.so.97.0
/usr/libexec/ld.so

However, an affected nginx (1.24.0) does not differ from an unaffected
nginx (1.23.1). 

I somewhat hope that my testing through nginx commits will yield what
calls are actually involved, and may allow me to see whether mysql is
pushed into similar codepaths on affected systems (and not on
unaffected ones), likely giving a better hint as to where the issue is.

With best regards,
Tobias

On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote:
> Do the affected programs use the same libraries?
> 
> On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> > After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> > leakage over time. I initially attributed this to nginx, and solved the
> > issue by ignoring it/throwing a bit more memory at the box for some
> > time. However, I started debugging it now and could trace it to some
> > commit between nginx 1.23.3 and 1.23.4; Currently, I am going through
> > all commits to see with which version it first appears.
> > 
> > However, clicking around this morning, i noticed that my primary NS
> > shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> > mysql backend, both from packages) since the upgrade to 7.3 in May as
> > well. One further host seems to show a significantly higher use of
> > inactive memory since 7.3. I found one more host with mariadb that now
> > shows a higher utilization of inactive memory (gitea+maria); However,
> > other maria+X instances on 7.3 run fine.
> 
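
Added example, not code from the thread: the library comparison Tobias did by hand above, and the advice earlier on this page (Martijn, Mike) to copy a binary together with its dependencies into the /var/www chroot, both come down to reading ldd(1) output. The POSIX sh below does that mechanically from OpenBSD's ldd table: ldd_deps pulls the shared-object list out of it, chroot_missing reports which of those are absent under a chroot, and common_deps intersects two lists. The SAMPLE_* strings are constructed: the nginx one follows the ldd table Daniele quoted, the mysqld one (its path included) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around OpenBSD ldd(1) output.
#   ldd_deps       - list the shared objects a dynamically linked binary loads
#   chroot_missing - report which of them are absent under a chroot (/var/www)
#   common_deps    - intersect the dependency lists of two binaries
# SAMPLE_* are constructed: the nginx table mirrors the one quoted in the
# thread (addresses made up), the mysqld one is invented, path assumed.

SAMPLE_NGINX='/usr/local/sbin/nginx:
    Start            End              Type  Open Ref GrpRef Name
    00000f5043481000 00000f50435b4000 exe   1    0   0      /usr/local/sbin/nginx
    00000f52fcc29000 00000f52fcc6f000 rlib  0    1   0      /usr/local/lib/libpcre.so.3.0
    00000f52dabca000 00000f52dac3a000 rlib  0    1   0      /usr/lib/libssl.so.53.2
    00000f52b0c0e000 00000f52b0e69000 rlib  0    2   0      /usr/lib/libcrypto.so.50.2
    00000f52e1cf9000 00000f52e1d17000 rlib  0    1   0      /usr/lib/libz.so.7.0
    00000f531de9f000 00000f531df95000 rlib  0    1   0      /usr/lib/libc.so.97.0
    00000f53165dc000 00000f53165dc000 ld.so 0    1   0      /usr/libexec/ld.so'

SAMPLE_MYSQLD='/usr/local/libexec/mysqld:
    Start            End              Type  Open Ref GrpRef Name
    0000000000000000 0000000000000000 exe   1    0   0      /usr/local/libexec/mysqld
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/local/lib/libpcre2-8.so.0.6
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libssl.so.53.2
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libcrypto.so.50.2
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libz.so.7.0
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libc.so.97.0
    0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so'

# ldd_deps: read ldd output on stdin and print the Name column of every row
# that is not the executable itself (rlib, dlib, ld.so). The "binary:" line
# has a single field and the header's Name column is not a path, so neither
# is printed. ldd runs the loader, so the list already includes indirect
# dependencies.
ldd_deps() {
    awk 'NF == 7 && $3 != "exe" && $7 ~ /^\// { print $7 }'
}

# chroot_missing CHROOT: read paths on stdin, print those absent under CHROOT.
chroot_missing() {
    root=${1%/}
    while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# common_deps FILE_A FILE_B: paths present in both files, in FILE_B order,
# each printed once. FILE_A must not be empty.
common_deps() {
    awk 'NR == FNR { seen[$0] = 1; next } ($0 in seen) && !dup[$0]++' "$1" "$2"
}

# Demonstration on the constructed samples. On a real host the printf
# pipelines become "ldd /usr/local/sbin/nginx | ldd_deps" and so on.
tmp=$(mktemp -d) || exit 1
printf '%s\n' "$SAMPLE_NGINX"  | ldd_deps > "$tmp/nginx.deps"
printf '%s\n' "$SAMPLE_MYSQLD" | ldd_deps > "$tmp/mysqld.deps"

echo "== objects nginx loads that are not present under /var/www =="
chroot_missing /var/www < "$tmp/nginx.deps"

echo "== objects shared by nginx and mysqld =="
common_deps "$tmp/nginx.deps" "$tmp/mysqld.deps"
rm -rf "$tmp"
```

On OpenBSD the programs in /bin and /sbin (date, sh) are statically linked, so ldd reports no shared objects for them and a copy into the chroot is self-contained; the dependency check matters for dynamically linked programs from /usr/bin or from packages. Re-run it after every syspatch or pkg_add -u: the copies inside the chroot are not updated with the originals, which is the "memo to keep them up to date" Martijn mentions.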



Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Rudolf Leitgeb
Do the affected programs use the same libraries?

On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> leakage over time. I initially attributed this to nginx, and solved the
> issue by ignoring it/throwing a bit more memory at the box for some
> time. However, I started debugging it now and could trace it to some
> commit between nginx 1.23.3 and 1.23.4; Currently, I am going through
> all commits to see with which version it first appears.
> 
> However, clicking around this morning, i noticed that my primary NS
> shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> mysql backend, both from packages) since the upgrade to 7.3 in May as
> well. One further host seems to show a significantly higher use of
> inactive memory since 7.3. I found one more host with mariadb that now
> shows a higher utilization of inactive memory (gitea+maria); However,
> other maria+X instances on 7.3 run fine.



Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)

2023-09-24 Thread Tobias Fiebig
Moin,

I have been dealing with memory-leaks on a host running an nginx
reverse proxy for some time. The host had been running 7.2 with nginx
1.23.1 (self compiled as i need some features not in the package) until
May, which was fine.

After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
leakage over time. I initially attributed this to nginx, and solved the
issue by ignoring it/throwing a bit more memory at the box for some
time. However, I started debugging it now and could trace it to some
commit between nginx 1.23.3 and 1.23.4; Currently, I am going through
all commits to see with which version it first appears.

However, clicking around this morning, i noticed that my primary NS
shows a similar memory leakage for mysql/mariadb (runs powerdns with a
mysql backend, both from packages) since the upgrade to 7.3 in May as
well. One further host seems to show a significantly higher use of
inactive memory since 7.3. I found one more host with mariadb that now
shows a higher utilization of inactive memory (gitea+maria); However,
other maria+X instances on 7.3 run fine.

On the PowerDNS+Mysql host I also see gradually increasing CPU load
along with the memory leakage.

Restarting mysql and/or nginx resolves the issue for some time. I also
saw the issue on a host running maria+nextcloud, where i fixed it by
switching to postgres. Maria is still running there, but not receiving
any requests, and the memory leak is gone.

Images:

https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-cpu-year.png
https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-memory-year.png

https://rincewind.home.aperture-labs.org/~tfiebig/nginx-rev-proxy-memory-year.png

https://rincewind.home.aperture-labs.org/~tfiebig/gitea-maria-memory-year.png

https://rincewind.home.aperture-labs.org/~tfiebig/nextcloud-maria-switched-to-postgres-memory-year.png

All hosts are VMs on Linux/KVM hosts (proxmox), with a generic qemu-kvm
processor as CPU type, running 7.3. 

Hence, I am no longer 100% convinced that this is an nginx problem. To
help circle this in a bit closer (and maybe get it reproducible in a
first step):

Did anyone else experience memory leakage on openbsd with mariadb or a
self-built >=nginx-1.23.4 (or other applications) since the upgrade to
7.3?

With best regards,
Tobias



Re: Nginx + Syslog Question

2022-04-17 Thread David Anthony

Thank you Stuart - this worked wonderfully!

(I did have to mkdir /var/www/dev)

Respectfully,
David Anthony

On 4/17/22 05:54, Stuart Henderson wrote:

rcctl set syslogd flags -a /var/www/dev/log


Re: Nginx + Syslog Question

2022-04-17 Thread Stuart Henderson
On 2022-04-17, David Anthony  wrote:
> I'm trying to send Nginx access logs to syslog. I've tried examples in 
> the default nginx configuration file and man page to no avail. Can 
> anyone help identify why I'm not seeing access logs?

It runs in the /var/www chroot, and uses its own code to write to the
/dev/log unix socket (rather than using the OS syslog functions,
which don't require the socket as there is a different interface
with the kernel).

So you need to set syslogd to create a socket in the chroot:

rcctl set syslogd flags -a /var/www/dev/log


-- 
Please keep replies on the mailing list.



Nginx + Syslog Question

2022-04-16 Thread David Anthony

Hello List,

I'm trying to send Nginx access logs to syslog. I've tried examples in 
the default nginx configuration file and man page to no avail. Can 
anyone help identify why I'm not seeing access logs?


Respectfully,

David Anthony

- - -

*syslog.conf*

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog

*nginx.conf*

error_log syslog:server=unix:/dev/log,severity=notice;
worker_processes 1;
worker_rlimit_nofile 1024;
user www;

events {
    worker_connections 800;
}

http {
    include mime.types;
    default_type application/octet-stream;
    keepalive_timeout 65;
    server_tokens off;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  syslog:server=unix:/dev/log,severity=debug main;

    server {
        listen 80 default_server;
        server_name _;
        location / {
            # REMOVED
        }
    }
}



Re: Best way to increase openfiles-max and -cur for NGINX/PHP?

2021-01-16 Thread Unicorn
Todd C. Miller wrote:
> Error 24 is EMFILE, too many open files for the process (not the
> system).
> [...]
> That would only work if you were getting error 23, ENFILE which is
> the system limit.

Thank you for pointing that out! So it was the login.conf after all.

> The recommended way to increase a limit is to add a new login class
> with the same name as the daemon.  For example:
> 
> nginx:\
> :openfiles=4096:\
> :tc=daemon:
> 
> This will be used automatically by the rc.d startup script.  See
> the rc.d man page for more details.

Wow, I would not have thought to look at the bottom of the rc.d man
page, thank you so much for mentioning that! I did what you suggested
for php73_fpm in my case and it works like a charm, no more errors.
Thank you!


Marc Peters wrote:
> If you really ran into problems with nginx and php_fpm while running
> nextcloud, you could either do this or change the user the service 
> use and assign this user the daemon class or some special class.
> I am running a similar setup with the default configuration and no
> issues (since a week i use php-7.4, but had 7.3 before)

This occurred when scrolling top to bottom in a folder of 200+ images,
perhaps you don't usually have that kind of use? Either way I managed
to reproduce the errors by repeating this procedure, so I am pretty
sure it was the cause. Cranking up the openfiles limit for php73_fpm
did end up making the errors disappear.


Maurice McCarthy wrote:
> Have a look at man ksh - the section on the command "ulimit".

I was actually looking for a ulimit manpage but was unsuccessful -
thanks for pointing out it is part of ksh(1)!




Best way to increase openfiles-max and -cur for NGINX/PHP?

2021-01-16 Thread Unicorn
Hello,

I am getting a bunch of error messages of this kind in my NGINX error
log:

2021/01/16 13:40:45 [alert] 68769#0: *1 socket() failed (24: Too many
open files) while connecting to upstream, client: 123.45.67.89,
server: cloud.mydomainhere.tld, request: "GET /core/preview?blah=1
HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host:
"cloud.mydomainhere.tld"

I am running a Nextcloud server with NGINX and PHP 7.3. Since OpenBSD
is quite conservative with open file limits by default, I assume that
NGINX/PHP is running into this limit.

I have already significantly increased 'kern.maxfiles' in sysctl.conf,
but the problem persists after a reboot, leading me to believe that it
is a login.conf limit that I am running into.

Both PHP and NGINX are running as user 'www', which does not have a
login class. Since I have not been in this situation before and
struggled to find a pointer online, I'd be thankful if you could tell
me the "recommended" or "best practice" way of doing this. 

- Should I simply assign a login class to user 'www' and then change
my limits through that class?
- Should I run the processes as a different user & login class?
- Is there perhaps some other way to set limits just for specific
processes?

Thanks in advance for any pointers!



Re: Best way to increase openfiles-max and -cur for NGINX/PHP?

2021-01-16 Thread Todd C . Miller
On Sat, 16 Jan 2021 18:05:57 +0100, Unicorn wrote:

> 2021/01/16 13:40:45 [alert] 68769#0: *1 socket() failed (24: Too many
> open files) while connecting to upstream, client: 123.45.67.89,
> server: cloud.mydomainhere.tld, request: "GET /core/preview?blah=1
> HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host:
> "cloud.mydomainhere.tld"

Error 24 is EMFILE, too many open files for the process (not the system).

> I am running a Nextcloud server with NGINX and PHP 7.3. Since OpenBSD
> Is quite conservative with open file limits by default, I assume that
> NGINX/PHP is running into this limit.
>
> I have already significantly increased 'kern.maxfiles' in sysctl.conf,
> but the problem persists after a reboot, leading me to believe that it
> is a login.conf limit that I am running into.

That would only work if you were getting error 23, ENFILE which is
the system limit.

> Both PHP and NGINX are running as user 'www', which does not have a
> login class. Since I have not been in this situation before and
> struggled to find a pointer online, I'd be thankful if you could tell
> me the "recommended" or "best practice" way of doing this. 

The recommended way to increase a limit is to add a new login class
with the same name as the daemon.  For example:

nginx:\
:openfiles=4096:\
:tc=daemon:

This will be used automatically by the rc.d startup script.  See
the rc.d man page for more details.

 - todd
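The login-class lookup Todd describes, as an added example that is not code from this thread: a sh/awk helper that resolves a capability for a class the way getcap(3) does, following tc= inheritance, and picks the class rc.d(8) would start a daemon under. It assumes login.conf text on stdin with no escaped colons in values; the function names and the login.conf fragment in the comments are mine, not the system file.

```sh
#!/bin/sh
# Added example, not code from the thread: resolve login.conf capabilities
# the way getcap(3) does, so you can see which class actually supplies a
# daemon's openfiles limits. A record is scanned left to right; a tc=other
# entry splices the other record in at that point, so the first match wins
# and a value inherited through tc= can shadow the one you expected.
# Assumptions: login.conf text arrives on stdin; no escaped colons in values.

# login_class_caps CLASS CAP... < login.conf
# Prints "cap=value (from class)" or "cap unset" per CAP; exits 1 if CLASS
# does not exist. Boolean capabilities (e.g. ignoretime) print "true".
login_class_caps() {
    class=$1; shift
    awk -v target="$class" -v want="$*" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # First match for cap in cls, following tc= in place; "" if none.
    # depth stops a tc= loop (a:tc=b, b:tc=a) from recursing forever.
    function lookup(cls, cap, depth,    n, c, i, v) {
        if (!(cls in rec) || depth > 16) return ""
        n = split(rec[cls], c, ":")
        for (i = 1; i <= n; i++) {
            if (c[i] == cap) return "true\t" cls
            if (index(c[i], cap "=") == 1)
                return substr(c[i], length(cap) + 2) "\t" cls
            if (index(c[i], "tc=") == 1) {
                v = lookup(substr(c[i], 4), cap, depth + 1)
                if (v != "") return v
            }
        }
        return ""
    }
    # A trailing backslash continues the record on the next line.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
    {
        line = buf $0; buf = ""
        if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) next
        n = split(line, f, ":")
        body = ""
        for (i = 2; i <= n; i++) {
            f[i] = trim(f[i])
            if (f[i] != "") body = body (body == "" ? "" : ":") f[i]
        }
        # Field 1 names the class, with | separating aliases.
        m = split(f[1], names, "|")
        for (j = 1; j <= m; j++) rec[trim(names[j])] = body
    }
    END {
        if (!(target in rec)) { printf "class %s not found\n", target; exit 1 }
        nw = split(want, caps, " ")
        for (k = 1; k <= nw; k++) {
            v = lookup(target, caps[k], 0)
            if (v == "") { printf "%s unset\n", caps[k]; continue }
            split(v, p, "\t")
            printf "%s=%s (from %s)\n", caps[k], p[1], p[2]
        }
    }'
}

# rc.d(8) runs a daemon under a login class named after it when one exists
# and under "daemon" otherwise; this mirrors that choice.
# rc_daemon_class NAME < login.conf
rc_daemon_class() {
    if login_class_caps "$1" >/dev/null; then echo "$1"; else echo daemon; fi
}

# audit_daemon_limits NAME... < login.conf
# For each daemon, print the class it will get and where its open-file
# limits come from (login.conf is read once from stdin).
audit_daemon_limits() {
    lc_text=$(cat)
    for d in "$@"; do
        cls=$(printf '%s\n' "$lc_text" | rc_daemon_class "$d")
        printf '%s -> class %s\n' "$d" "$cls"
        printf '%s\n' "$lc_text" |
            login_class_caps "$cls" openfiles openfiles-cur openfiles-max |
            sed 's/^/    /'
    done
}

# Usage on a live system: audit_daemon_limits nginx php73_fpm < /etc/login.conf
```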



Re: Best way to increase openfiles-max and -cur for NGINX/PHP?

2021-01-16 Thread Maurice McCarthy
Please forgive an ignoramus butting in with a suggestion.

Have a look at man ksh - the section on the command "ulimit".

Best



Re: From nginx to openbsd httpd

2020-01-16 Thread Edgar Pettijohn


On Jan 16, 2020 9:27 AM, Michael Hekeler  wrote:
>
> > 
> > Hello,
> > 
> > I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web
> > status interface.
> > 
> > I'm looking for a less complex httpd server and obhttpd seems to be right
> > choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/>
> > port
> > 
> > nginx httpd.conf is:
> > 

> > server {
> >   listen 80 default;
> >   server_name server_domain_or_IP;
> >   root /usr/local/share/poudriere/html;
> > 
> >   location /data {
> >   alias /usr/local/poudriere/data/logs/bulk;
> >   autoindex on;
> >   }
> > 
> >   location /packages {
> >   root /usr/local/poudriere/data;
> >   autoindex on;
> >   }
> >   }
> > }
> > 
> > obhttpd uses chroot, so I will have to point it to /usr/local/poudriere.
> > 
> > Any hints on getting this on openbsd httpd conf file?
> > 
> > Thanks,
> > 
> > Nuno
>
> Teach poudriere to store logs to /var/www/usr/local/poudriere/data/logs/bulk
>

Or the less safe easier way...

chroot "/"



Re: From nginx to openbsd httpd

2020-01-16 Thread Michael Hekeler
> 
> Hello,
> 
> I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web
> status interface.
> 
> I'm looking for a less complex httpd server and obhttpd seems to be right
> choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/>
> port
> 
> nginx httpd.conf is:
> 
> server {
>   listen 80 default;
>   server_name server_domain_or_IP;
>   root /usr/local/share/poudriere/html;
> 
>   location /data {
>   alias /usr/local/poudriere/data/logs/bulk;
>   autoindex on;
>   }
> 
>   location /packages {
>   root /usr/local/poudriere/data;
>   autoindex on;
>   }
>   }
> }
> 
> obhttpd uses chroot, so I will have to point it to /usr/local/poudriere.
> 
> Any hints on getting this on openbsd httpd conf file?
> 
> Thanks,
> 
> Nuno

Teach poudriere to store logs to /var/www/usr/local/poudriere/data/logs/bulk



From nginx to openbsd httpd

2020-01-15 Thread Nuno Teixeira
Hello,

I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web
status interface.

I'm looking for a less complex httpd server and obhttpd seems to be right
choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/>
port

nginx httpd.conf is:

server {
  listen 80 default;
  server_name server_domain_or_IP;
  root /usr/local/share/poudriere/html;

  location /data {
    alias /usr/local/poudriere/data/logs/bulk;
    autoindex on;
  }

  location /packages {
    root /usr/local/poudriere/data;
    autoindex on;
  }
}

obhttpd uses chroot, so I will have to point it to /usr/local/poudriere.

Any hints on getting this on openbsd httpd conf file?

Thanks,

Nuno


Nginx error EMERG

2019-10-26 Thread PengouinBSD
Hi

I've this problem with Nginx (v.1.14.2) on OpenBSD 6.5:

# nginx -t
nginx: [emerg] BIO_new_file("/etc/nginx/$file_fullchain") failed (SSL:
error:02FFF002:system library:func(4095):No such file or
directory:fopen('/etc/nginx/$file_fullchain', 'r') error:20FFF080:BIO
routines:CRYPTO_internal:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

How did I do that?
I just wanted to test TLS v1.3.
but I didn't pay attention to the fact that LibreSSL didn't support it.
(if I have understood correctly)

The Nginx server can't restart, and the web service is down…
Even by restoring my older functional configuration with only TLS
v1.2, it failed!



My functional TLS v1.2 config:

ssl_buffer_size 4k; # 16k, for throughput, video applications

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1h;

ssl_certificate /etc/ssl/acme/stephane-huc.net.fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/stephane-huc.net.privkey.pem;
ssl_dhparam /etc/nginx/cfg/stephane-huc.net/dhp_4096.pem;

ssl_ecdh_curve X25519:P-521:P-384;

# Mozilla Modern Config
ssl_protocols TLSv1.2;
ssl_ciphers
'EECDH+CHACHA20:EECDH+AESGCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/acme/stephane-huc.net.chain.pem;

resolver 80.67.169.12 80.67.169.40 [2001:910:800::12] [2001:910:800::40]
valid=300s;



For TLS v1.3, I had just modified the lines, as:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers
'TLS13+AESGCM+AES128:EECDH+CHACHA20:EECDH+AESGCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net



Problem installing port ruby24-passenger / nginx

2018-11-04 Thread Mik J
Hello,

For a few releases now I have noticed that I can't install nginx from the ports.
The problem is not nginx itself but the package ruby24-passenger-5.1.11p0

When I run make install in the nginx port directory, I get the crash messages below.
mv: 
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/*:
 No such file or directory

I install ruby24-passenger-5.1.11p0 with pkg_add and then restart the install in 
the nginx port directory. That's my workaround.

The problem is present from at least 6.2

checking for alloca.h... no
checking for ruby/version.h... yes
checking for ruby/io.h... yes
checking for ruby/thread.h... yes
checking for ruby_version... no
checking for rb_thread_io_blocking_region() in ruby/io.h... yes
checking for rb_thread_call_without_gvl() in ruby/thread.h... yes
creating Makefile
cd 'buildout/ruby/ruby-2.4.4-x86_64-openbsd6.4/' && make
compiling 
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/ruby_native_extension/passenger_native_support.c
linking shared-object passenger_native_support.so
rm -r 
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/nginx-1.12.1
  
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/bin/passenger-install-*-module
  
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/bin/passenger-install-*-module*
mv 
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/*
  
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/buildout/support-binaries/
mv: 
/usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/*:
 No such file or directory
*** Error 1 in /usr/ports/www/ruby-passenger (Makefile:69 'post-build')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2761 
'/usr/ports/pobj/passenger-5.1.11-ruby24/.build_done')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2003 
'/usr/ports/packages/amd64/all/ruby24-passenger-5.1.11p2.tgz')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2465 '_internal-package')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2444 'package')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2021 
'/var/db/pkg/ruby24-passenger-5.1.11p2/+CONTENTS')
*** Error 1 in /usr/ports/www/ruby-passenger 
(/usr/ports/infrastructure/mk/bsd.port.mk:2444 'install')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2132 
'/usr/ports/pobj/nginx-1.14.0/.dep-ruby24-passenger-ANY-www-ruby-passenger')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2523 
'/usr/ports/pobj/nginx-1.14.0/.extract_done')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2003 
'/usr/ports/packages/amd64/all/nginx-1.14.0p1.tgz')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2465 
'_internal-package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2444 'package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2021 
'/var/db/pkg/nginx-1.14.0p1/+CONTENTS')
*** Error 1 in /usr/ports/www/nginx 
(/usr/ports/infrastructure/mk/bsd.port.mk:2444 'install')

Regards


Re: Migrating nginx config to OpenBSD's httpd

2018-04-16 Thread Henrik Friedrichsen
Thanks again.

This worked in case anyone is looking for it:

http protocol "monit" {
match request forward to 
match request header "Host" value "status.affekt.org" forward to 
}

The order is important, if put in reversed the "status.affekt.org"
forward will be overwritten.

Now all I need to investigate is why HTTP responses are erroneous,
though you might be right that it could be a Monit problem.



Re: Migrating nginx config to OpenBSD's httpd

2018-04-16 Thread Pavel Korovin
On 04/16, Henrik Friedrichsen wrote:
> - Is there a way to match all hosts that are not "status.affekt.org"?
>   That way I don't have to write a filter rule for every subdomain

Didn't test, just the idea:

1. You put your default host (i.e. one that will respond to all http
requests which do not fall into specific configurations) first in
httpd.conf.

2. In relayd configure http protocol like this:
http protocol "monit" {
 match request header "Host" value "status.affekt.org" forward to 
 forward to  port 80
}

So the requests that match Host header will go to monit, all other
requests will go to httpd, where default site will respond.

> - Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
>   closed and most of the HTTP response headers are missing (status code,
>   content-length, etc.)
> 
> Any idea what I'm doing wrong?
 
I guess something is wrong on the monit side. I set up relayd with various stuff
in the backend, but haven't seen anything like this.
 
-- 
With best regards,
Pavel Korovin



Re: Migrating nginx config to OpenBSD's httpd

2018-04-16 Thread Henrik Friedrichsen
Hey Pavel,

thanks for your response. I have adapted my configuration and came up
with this:


ext4="51.15.10.194"
ext6="2001:bc8:2d08::1"

table  { "127.0.0.1" }
table  { "127.0.0.1" }

http protocol "monit" {
match request header "Host" value "status.affekt.org" forward to 
match request header "Host" value "affekt.org" forward to 
}

relay "proxy" {
listen on $ext4 port 80
protocol "monit"
forward to  port 2812
forward to  port 80
}


I have a local monit instance listening on 127.0.0.1:2812

This configuration works, sort of:
- Is there a way to match all hosts that are not "status.affekt.org"?
  That way I don't have to write a filter rule for every subdomain
- Relayed HTTP output is cut off. As you can see below the HTTP DOM is not
  closed and most of the HTTP response headers are missing (status code,
  content-length, etc.)

Any idea what I'm doing wrong?

Thanks!

hera ~ % curl -v "http://status.affekt.org/"
*   Trying 51.15.10.194...
* TCP_NODELAY set
* Connected to status.affekt.org (51.15.10.194) port 80 (#0)
> GET / HTTP/1.1
> Host: status.affekt.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="monit"

* Connection #0 to host status.affekt.org left intact
401 UnauthorizedUnauthorizedYou are not authorized to access
monit. Either you supplied the wrong credentials (e.g. bad password), or
your browser doesn't understand how to supply the credentials required




Re: Migrating nginx config to OpenBSD's httpd

2018-04-16 Thread Pavel Korovin
Henrik,

Regarding cut off responses, I didn't have such problems, maybe it was fixed
since 2016.

Regarding multi-site setup, I have something like this:

--- httpd.conf ---
### default site behind relayd
server "waste.tristero.se" {
alias "tristero.se"
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/waste.tristero.se"
}

server "openbsd.tristero.se" {
listen on 127.0.0.1 port 80
listen on ::1 port 80
root "/htdocs/openbsd.tristero.se"
}

### this one is not behind relayd, used for http to https redirection
server "waste.tristero.se" {
alias "openbsd.tristero.se"
alias "tristero.se"
listen on 188.244.46.111 port 80
listen on 2001:470:1f15:1492::2 port 80
root "/htdocs/waste.tristero.se"
block return 301 "https://$HTTP_HOST/$DOCUMENT_URI"
}

--- relayd.conf ---

ext4="188.244.46.111"
ext6="2001:470:1f15:1492::2"
localhost4="127.0.0.1"
localhost6="::1"

table  { $localhost4 }
table  { $localhost6 }
table  { $localhost4 }
table  { $localhost6 }

http protocol "https4" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value 
"[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to 
match request header "Host" value "waste.tristero.se" forward to 
match request header "Host" value "openbsd.tristero.se" forward to 

tls { no tlsv1.0, ciphers 
EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

http protocol "https6" {
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value 
"[$SERVER_ADDR]:$SERVER_PORT"
match request header "Host" value "tristero.se" forward to 
match request header "Host" value "waste.tristero.se" forward to 
match request header "Host" value "openbsd.tristero.se" forward to 

tls { no tlsv1.0, ciphers 
EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 }
}

relay "https4" {
listen on $ext4 port 443 tls
protocol "https4"
forward to  port 80
forward to  port 80
}

relay "https6" {
listen on $ext6 port 443 tls
protocol "https6"
forward to  port 80
forward to  port 80
}

--- end cut ---

The only problem I have was configuring specific security headers for
specific hosts, i.e. I cannot have specific http protocol sections with
different responses for specific hosts, like:

http protocol "https4-flex" {
match request header "Host" value "not-secure.domain" forward to 

match response header set "Content-Security-Policy" value 
""
}
http protocol "https4-strict" {
match request header "Host" value "secure.domain" forward to 
match response header set "Content-Security-Policy" value 
""
}

-- 
With best regards,
Pavel Korovin

On 04/16, Henrik Friedrichsen wrote:
> 
> So far I have not been able to emulate proxy_pass with relayd.
> 
> I came across two issues:
> - relayed HTTP requests resulted in cut off responses, similar to this
>   issue: https://github.com/reyk/relayd/issues/12
> - I have not been able to come up with a configuration/filter setting
>   that will only match for a specific subdomain and will pass the
>   non-matching requests to the regular httpd listening on port 80
> 
> Did anyone have success in setting this up?



Re: Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread Bogdan Kulbida
Hi Carlos,

The HAproxy project exists and serves much better as a load balancer and reverse
proxy server. It is more efficient than engine X. Any concerns using it?

- Bogdan

On Fri, Apr 13, 2018 at 04:47 Pavel Korovin <p...@tristero.se> wrote:

> Hi Carlos,
>
> There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
>
> On 04/13, C. L. Martinez wrote:
> >  I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> > working ok, except for some proxy reverse config that I use with nginx's
> > config, like for example:
> >
> > server {
> > listen 80;
> > server_name internal.w01.domain.org;
> >
> > location / {
> > proxy_pass http://192.168.30.4;
> > }
> > }
> >
> >  I don't see what is the option to use with httpd.conf or is it best
> > option to use relayd.conf for this type of configs?
>
> --
> With best regards,
> Pavel Korovin
>
> --

---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread Pavel Korovin
Hi Carlos,

There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.

On 04/13, C. L. Martinez wrote:
>  I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> working ok, except for some proxy reverse config that I use with nginx's
> config, like for example:
> 
> server {
> listen 80;
> server_name internal.w01.domain.org;
> 
> location / {
> proxy_pass http://192.168.30.4;
> }
> }
> 
>  I don't see what is the option to use with httpd.conf or is it best
> option to use relayd.conf for this type of configs?

-- 
With best regards,
Pavel Korovin



Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread C. L. Martinez
Hi all,

 I am trying to migrate my nginx configuration to OpenBSD's httpd. All of it is
working ok, except for some reverse proxy config that I use with nginx,
like for example:

server {
    listen 80;
    server_name internal.w01.domain.org;

    location / {
        proxy_pass http://192.168.30.4;
    }
}

 I don't see which option to use in httpd.conf, or is it better to use
relayd.conf for this type of config?

Thanks.


Re: nginx chroot with a proxy_pass unix socket

2017-08-10 Thread Maurizio De Magnis
Hi Stuart,

> On 9 Aug 2017, at 14:08, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2017-08-09, Maurizio De Magnis <r...@olisti.co> wrote:
>>server {
>>  server_name myapp.com;
>>  access_log /var/www/apps/my_app/logs/access.log;
>>  error_log /var/www/apps/my_app/logs/error.log;
>>  root /var/www/apps/my_app/current;
>>  location / {
>>proxy_pass http://unix:/var/www/apps/my_app/application.socket;
> 
> That seems wrong, why would you have http://unix:/…?

That’s per the documentation of proxy_pass:

https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass

I get a syntax error from `doas nginx -t` when I use `proxy_pass unix:/mypath`.
I need to either set the "http://" or "https://" prefix.

>> Do you have any suggestions on how to implement a unix socket connection 
>> with NGINX chroot enabled?
> 
> You may need to use the path inside the chroot (/apps/... rather than
> /var/www/apps/…),

And that nails it in the head! :-)
The path is actually related to the inner chroot environment (`/var/www` in my 
case). #duh
I reset the flags, updated the socket path and now it works.

Thanks a lot <3

> especially if you reload rather than restart nginx to reconfigure.

I don’t understand this piece, could you expand it a bit further?

> But it might be simpler to just add symlinks so that
> the path /var/www/whatever works whether you're inside or outside the
> chroot:
> 
> cd /var/www
> mkdir var
> ln -s .. var/www 

Thanks for this advice as well but I think I’ll opt for the simpler chroot-only 
use case :-)


Re: nginx chroot with a proxy_pass unix socket

2017-08-09 Thread Stuart Henderson
On 2017-08-09, Maurizio De Magnis <r...@olisti.co> wrote:
> server {
>   server_name myapp.com;
>   access_log /var/www/apps/my_app/logs/access.log;
>   error_log /var/www/apps/my_app/logs/error.log;
>   root /var/www/apps/my_app/current;
>   location / {
> proxy_pass http://unix:/var/www/apps/my_app/application.socket;

That seems wrong, why would you have http://unix:/...?

> Do you have any suggestions on how to implement a unix socket connection with 
> NGINX chroot enabled?

You may need to use the path inside the chroot (/apps/... rather than
/var/www/apps/...), especially if you reload rather than restart nginx
to reconfigure. But it might be simpler to just add symlinks so that
the path /var/www/whatever works whether you're inside or outside the
chroot:

cd /var/www
mkdir var
ln -s .. var/www 
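The syslog thread further up and this unix-socket thread are the same bookkeeping problem: a path nginx opens at run time is looked up inside the /var/www chroot, while the daemon that creates the socket uses the host path. The sh helper below is an added example, not Stuart's or the list's code: it maps between the two views and audits an nginx.conf fragment and a syslogd flag string for the mistakes from both threads. Function names and the explicit chroot-root argument are mine; /var/www is the OpenBSD package default, and the config and flag strings used in testing are constructed.

```sh
#!/bin/sh
# Added example, not code from the list: path bookkeeping for a chrooted nginx.
# Paths nginx opens at run time (a proxy_pass unix: socket, the syslog socket
# behind syslog:server=unix:/dev/log) are resolved inside the chroot, while
# the daemon that creates the socket (puma, syslogd -a) uses the host path.
# Assumption: the chroot root is passed explicitly; /var/www is the OpenBSD
# package default. All function names here are mine.

# chroot_inner_path ROOT HOST_PATH
# Prints the path nginx must use inside the chroot; returns 1 when the host
# path is not under ROOT at all (nothing inside the chroot can reach it).
chroot_inner_path() {
    root=${1%/}
    case $2 in
        "$root"/*) printf '%s\n' "${2#"$root"}" ;;
        *)         return 1 ;;
    esac
}

# chroot_host_path ROOT INNER_PATH
# Prints the host path behind a path written in nginx.conf.
chroot_host_path() {
    printf '%s\n' "${1%/}$2"
}

# proxy_pass_sockets CONF_TEXT
# Prints the socket path of every "proxy_pass http://unix:/path[:/uri];"
# line in an nginx.conf fragment; TCP upstreams are ignored.
proxy_pass_sockets() {
    printf '%s\n' "$1" |
        sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*https\{0,1\}://unix:\([^;:]*\).*|\1|p'
}

# syslogd_has_chroot_socket ROOT FLAGS
# True when the syslogd flag string carries "-a ROOT/dev/log", the extra
# socket a chrooted nginx needs (rcctl set syslogd flags -a /var/www/dev/log).
syslogd_has_chroot_socket() {
    root=${1%/}
    set -- $2
    while [ $# -gt 0 ]; do
        case $1 in
            -a)  if [ "${2:-}" = "$root/dev/log" ]; then return 0; fi ;;
            -a*) if [ "${1#-a}" = "$root/dev/log" ]; then return 0; fi ;;
        esac
        shift
    done
    return 1
}

# check_chroot_upstreams ROOT CONF_TEXT
# One line per unix: upstream; returns 1 if any cannot work. A socket path
# that already starts with ROOT is the mistake from the thread: inside the
# chroot nginx would open ROOT/ROOT/... and get "No such file or directory".
check_chroot_upstreams() {
    root=${1%/}; rc=0
    for sock in $(proxy_pass_sockets "$2"); do
        host=$(chroot_host_path "$root" "$sock")
        if [ "${sock#"$root"/}" != "$sock" ]; then
            printf 'BAD     %s: host path in nginx.conf; nginx would open %s\n' "$sock" "$host"
            rc=1
        elif [ -S "$host" ]; then
            printf 'OK      %s -> %s\n' "$sock" "$host"
        else
            printf 'MISSING %s: no socket at %s (is the app server bound there?)\n' "$sock" "$host"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live system: check_chroot_upstreams /var/www "$(cat /etc/nginx/nginx.conf)"
```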




nginx chroot with a proxy_pass unix socket

2017-08-09 Thread Maurizio De Magnis
Hello everybody, I’m on 6.1 and trying to configure NGINX.
I’m posting this issue here because it may be peculiar to OpenBSD but I know it 
could be more appropriate to post it on an NGINX specific mailing list.
Please let me know if I'm on topic.

I successfully installed NGINX (`$ doas pkg_add nginx`) and managed to set up a 
pure static vhost:


/etc/nginx/nginx.conf:
```
# ...
server {
  listen 80;
  server_name myapp.com;
  access_log /var/www/apps/my_app/logs/access.log;
  error_log /var/www/apps/my_app/logs/error.log;
  root /var/www/apps/my_app/current;
}
# ...
```

And it works just fine.

Then I tried to implement a reverse proxy with the `proxy_pass` directive 
toward a local Ruby-based application server (Puma, booting a Ruby app).

If I define a proxy_pass toward a TCP port then the requests correctly reach 
the application server but when I try to migrate the setup into a unix socket 
binding, then I get an error due to NGINX being chrooted.


/etc/nginx/nginx.conf:
```
# ...
server {
  server_name myapp.com;
  access_log /var/www/apps/my_app/logs/access.log;
  error_log /var/www/apps/my_app/logs/error.log;
  root /var/www/apps/my_app/current;
  location / {
proxy_pass http://unix:/var/www/apps/my_app/application.socket;
  }
}
# ...
```

/var/log/nginx/error.log:
```
2017/08/05 23:17:34 [crit] 58554#0: *5 connect() to 
unix:/var/www/apps/my_app/application.socket failed (2: No such file or 
directory) while connecting to upstream, client: 192.168.1.3, server: 
myapp.com, request: "GET / HTTP/1.1", upstream: 
"http://unix:/var/www/apps/my_app/application.socket:/", host: "myapp.com"
```

```
$ ls -al /var/www
drwxr-xr-x  4 olistik  olistik  512 Aug  3 18:17 apps
drwxr-xr-x  3 www  www  512 Jul 16 22:48 htdocs
drwxr-xr-x  2 root daemon   512 Apr  1 21:38 run
drwx------  2 www  www  512 Jul 15 20:51 tmp
```

This is how I start the application server:

```
$ bundle exec puma --debug -v -e production -b 
unix:///var/www/apps/my_app/application.socket -v
Puma starting in single mode...
* Version 3.9.1 (ruby 2.4.1-p111), codename: Private Caller
* Min threads: 0, max threads: 16
* Environment: production
* Listening on unix:///var/www/apps/my_app/application.socket
Use Ctrl-C to stop
```

The only way I found to work around this issue is to disable NGINX chroot:

```
$ doas rcctl enable nginx
$ doas rcctl set nginx flags -u
$ doas rcctl restart nginx
```

But it’s not ideal to lose the isolation chroot gives.

Do you have any suggestions on how to implement a unix socket connection with 
NGINX chroot enabled?

Thanks in advance,
olistik


Re: [OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stephane HUC "PengouinBSD"


Le 07/06/17 à 12:03, Stuart Henderson a écrit :
(...)
> 
> /usr/local/www seems unlikely on OpenBSD.
> 
> I just have
> 
> location /.well-known/acme-challenge { root /var/www/letsencrypt/; }
> 
> and
> 
> challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
>  
> but there are several ways you can configure this. (e.g. you might want
> to use a different directory layout if you have anything else that uses
> the RFC5785 .well-known URIs). It doesn't matter what you use as long as
> letsencrypt can fetch the file that acme-client wrote.
> 
> 

OK, it runs correctly as you wrote.

I changed nginx:

location ^~ /.well-known/acme-challenge {
allow all;
#default_type "text/plain";
root /var/www/acme/test.obsd4a.net/;
}

I changed acme-client.conf:

challengedir "/var/www/acme/test.obsd4a.net/.well-known/acme-challenge"

And, the result is:

$ doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain
key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 184.87.72.109
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: test.obsd4a.net
acme-client:
/var/www/acme/test.obsd4a.net/.well-known/acme-challenge/cugIljWXyalHSHnsOa51W4BoBEW5n0_JctHP8Y59l8U:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140:
status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 88.221.234.34
acme-client: /etc/ssl/acme//test.obsd4a.net-chain.pem: created
acme-client: /etc/ssl/acme/test.obsd4a.net-cert.pem: created
acme-client: /etc/ssl/acme//test.obsd4a.net-fullchain.pem: created

Thank you! :D


-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net





Re: [OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stuart Henderson
On 2017-07-06, Stephane HUC "PengouinBSD" <b...@stephane-huc.net> wrote:
> Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.
>
> But it fails with a bad response.

...

> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
> \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
> Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody

...

LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename)
but gets 404 Not Found.

> I try with this nginx config:
>
> location ^~ /.well-known/acme-challenge {
> #alias /var/www/acme;
> #try_files $uri =404;
> allow all;
> default_type "text/plain";
> proxy_redirect off;
> root /var/www/acme;
> }

With "root" it will look in /var/www/acme/.well-known/acme-challenge.
Either adjust acme-client config to place the files there, or adjust nginx
config to serve files from the actual location.

Test by writing a file to the directory acme-client uses and make sure you
can fetch it yourself. Only reattempt acme-client when this works, they have a
rate-limit for bad auths and will blacklist you for a while if you exceed it.

> or this:
>
> location ^~ /.well-known/acme-challenge {
>alias /usr/local/www/acme;
>   try_files $uri =404;
> }

/usr/local/www seems unlikely on OpenBSD.

I just have

location /.well-known/acme-challenge { root /var/www/letsencrypt/; }

and

challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
 
but there are several ways you can configure this. (e.g. you might want
to use a different directory layout if you have anything else that uses
the RFC5785 .well-known URIs). It doesn't matter what you use as long as
letsencrypt can fetch the file that acme-client wrote.
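
To make the root/alias difference concrete, here is an added example of my own (not acme-client's or nginx's code). It derives the file nginx will open for a challenge URI under `root` versus `alias`, following nginx's documented semantics for the two directives, and compares it with the file acme-client writes, which the logs in this thread show is `challengedir` plus `/` plus the token. The directory names in `demo()` are constructed; nothing is fetched over HTTP.

```python
"""Added example, not code from the thread: derive the file nginx will open
for an http-01 challenge URI under 'root' versus 'alias', and compare it with
the file acme-client writes (challengedir + "/" + token, as the logs in this
thread show).  Paths are constructed for the demo; nothing is fetched over
HTTP."""
import os
import secrets
import tempfile

LOCATION = "/.well-known/acme-challenge"


def nginx_file_path(uri, directive, directory):
    """Filesystem path nginx maps a URI inside LOCATION to.

    root:  directory + full URI
    alias: directory + the part of the URI after the location prefix
    """
    if not uri.startswith(LOCATION + "/"):
        raise ValueError("uri is outside the acme-challenge location")
    directory = directory.rstrip("/")
    if directive == "root":
        return directory + uri
    if directive == "alias":
        return directory + uri[len(LOCATION):]
    raise ValueError("directive must be 'root' or 'alias'")


def challenge_paths_agree(directive, directory, challengedir, token="TOKEN"):
    """True when the path acme-client writes is the path nginx serves."""
    written = os.path.join(challengedir.rstrip("/"), token)
    served = nginx_file_path(LOCATION + "/" + token, directive, directory)
    return os.path.normpath(written) == os.path.normpath(served)


def local_fetch_test(directive, directory, challengedir):
    """The 'write a file and fetch it yourself' check, done against the
    filesystem: drop a random token into challengedir and see whether the
    path nginx would derive for its URI exists."""
    token = secrets.token_urlsafe(32)
    os.makedirs(challengedir, exist_ok=True)
    with open(os.path.join(challengedir, token), "w") as fh:
        fh.write(token)
    return os.path.isfile(nginx_file_path(LOCATION + "/" + token,
                                          directive, directory))


def demo():
    """Replay the thread's configurations in a scratch directory."""
    base = tempfile.mkdtemp()
    acme = os.path.join(base, "acme")
    return {
        # first attempt: nginx root under acme/, acme-client writing elsewhere
        "first_attempt": local_fetch_test(
            "root", acme, os.path.join(base, "htdocs", "www")),
        # working config: challengedir sits under root at the URI path
        "root_fixed": local_fetch_test(
            "root", acme, os.path.join(acme, ".well-known", "acme-challenge")),
        # alias variant: the location prefix is stripped, so challengedir
        # must be the alias directory itself
        "alias": local_fetch_test("alias", acme, acme),
    }


if __name__ == "__main__":
    print(demo())
```

On a live host the same check is an HTTP fetch of the written file from outside (with curl or ftp(1)) before acme-client is run again, for the rate-limit reason Stuart gives.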




[OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stephane HUC "PengouinBSD"
Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.

But it fails with a bad response.


doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain
key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.206.21.80
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: test.obsd4a.net
acme-client:
/var/www/htdocs/test.obsd4a.net/www/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
\"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody
bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not
Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367;,
"token": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU",
"keyAuthorization":
"L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU.btIkQ8owertOE1LvXr1mezl9i5h6KptZrzIehfgwdcg",
"validationRecord": [ { "url":
"http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU;,
"hostname": "test.obsd4a.net", "port": "80", "addressesResolved": [
"213.246.39.160" ], "addressUsed": "213.246.39.160", "addressesTried":
[] } ] }] (1149 bytes)
acme-client: bad exit: netproc(32816): 1


I try with this nginx config:

location ^~ /.well-known/acme-challenge {
#alias /var/www/acme;
#try_files $uri =404;
allow all;
default_type "text/plain";
proxy_redirect off;
root /var/www/acme;
}

or this:

location ^~ /.well-known/acme-challenge {
   alias /usr/local/www/acme;
  try_files $uri =404;
}

But, same result, bad status.



FYI, I can obtain certs - in test mode - with certbot ;)
(and the first location setting).


-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net





Re: reverse proxy with relayd(8) (but not nginx)

2017-06-29 Thread Alistair Meney
There's many example configs online, one example like yours is at

https://www.reddit.com/r/openbsd/comments/3qb2c4/some_observations_about_relayd/



On Thu, Jun 29, 2017 at 4:40 PM, Manuel Giraud  wrote:
> Hi,
>
> I'd like to setup a http reverse proxy where http://foo.org/someapp is
> forwarded to 127.0.0.1:8081 and http://foo.org/* is forwarded to
> somewhere else.
>
> AFAIU, it is not possible with httpd(8) so I'm trying to do this with
> relayd(8). There is an example in httpfilter protocol in
> /etc/examples/relayd.conf that does this to block an url:
>
> # Block disallowed sites
> match request label "URL filtered!"
> block request quick url "www.example.com/" value "*"
>
> But, I can't make it to forward to a server and port. Does anyone have
> such a config?
> --
> Manuel Giraud
>



reverse proxy with relayd(8) (but not nginx)

2017-06-29 Thread Manuel Giraud
Hi,

I'd like to setup a http reverse proxy where http://foo.org/someapp is
forwarded to 127.0.0.1:8081 and http://foo.org/* is forwarded to
somewhere else.

AFAIU, it is not possible with httpd(8) so I'm trying to do this with
relayd(8). There is an example in httpfilter protocol in
/etc/examples/relayd.conf that does this to block an url:

# Block disallowed sites
match request label "URL filtered!"
block request quick url "www.example.com/" value "*"

But, I can't make it to forward to a server and port. Does anyone have
such a config?
-- 
Manuel Giraud



Re: permisson of .htpasswd of 5.9's nginx

2016-04-30 Thread ludovic coues
2016-04-30 4:37 GMT+02:00 Nick Holland <n...@holland-consulting.net>:
> On 04/29/16 21:27, Tuyosi Takesima wrote:
>> thanks for ludovic
>>
>> # ls -l /var/www/1/
>> total 16
>> -rw-r-----  1 www   www 65 Apr 29 11:19 .htpasswd
>>
>> # chmod 640 /var/www/1/.htpasswd
>>
>> this goes well.
>
> *sigh*
>
> Do you really want your /security/ file writable by the very user that
> should trust the least?  Might as well be 666 for what you are doing to
> your system's "security".
>
> Please stay off the 'net until you understand this stuff.  It's not just
> YOUR feet you are shooting at.
>
> Nick.
>

A bit of my message might have been unclear. The file should be owned
by user root and group www.
As Nick has written, if the user and group owning a file are the same,
there is no point in having different permissions. Also, you don't want
nginx having the ability to alter the file, in case it gets
compromised.

-- 

Regards, Coues Ludovic
+336 148 743 42



Re: permisson of .htpasswd of 5.9's nginx

2016-04-29 Thread Nick Holland
On 04/29/16 21:27, Tuyosi Takesima wrote:
> thanks for ludovic
> 
> # ls -l /var/www/1/
> total 16
> -rw-r-----  1 www   www 65 Apr 29 11:19 .htpasswd
> 
> # chmod 640 /var/www/1/.htpasswd
> 
> this goes well.

*sigh*

Do you really want your /security/ file writable by the very user that
should trust the least?  Might as well be 666 for what you are doing to
your system's "security".

Please stay off the 'net until you understand this stuff.  It's not just
YOUR feet you are shooting at.

Nick.



Re: permisson of .htpasswd of 5.9's nginx

2016-04-29 Thread Tuyosi Takesima
thanks for ludovic

# ls -l /var/www/1/
total 16
-rw-r-----  1 www   www 65 Apr 29 11:19 .htpasswd

# chmod 640 /var/www/1/.htpasswd

this goes well.

tuyosi



Re: permisson of .htpasswd of 5.9's nginx

2016-04-29 Thread ludovic coues
2016-04-29 5:48 GMT+02:00 Tuyosi Takesima <nakajin.fu...@gmail.com>:
> Hi all.
>
> I do
> chmod 777  /var/www/1/.htpasswd
>
> and so
> nginx works with basic authentication.
>
> but this setting is too open.
> are there any ideas?
>

First check the file is owned by the group nginx is running as, probably www.
I assume nginx doesn't execute .htpasswd file, so you can drop the execute bit.
Only root needs to alter the file, so drop the write bit for group and other.
The data are sensitive, so remove read bit for other.
chmod 640 /var/www/1/.htpasswd

You can read details on what the number means in the chmod manual.

-- 

Regards, Coues Ludovic
+336 148 743 42



permisson of .htpasswd of 5.9's nginx

2016-04-28 Thread Tuyosi Takesima
Hi all.

I do
chmod 777  /var/www/1/.htpasswd

and so
nginx works with basic authentication.

but this setting is too open.
are there any ideas?

#
/etc/nginx/nginx.conf

events {
worker_connections  800;
   }
http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;
server {
listen   80;
server_name  localhost;#<-for test
root /var/www/d1;
  }
server {
listen   80;
server_name  abcxyz.jp;
root /var/www/d1;
auth_basic   "closed site";
auth_basic_user_file /var/www/1/.htpasswd;
  }
}
---
regards



nginx & Perl on 5.6

2015-09-29 Thread L. V. Lammert
What is the prefered configuration for using Perl & Nginx? php is fairly
straightforward, .. but can't find anything for perl except some Linux
notes to recompile.

Thanks!

Lee



nginx doesn't run (5.7 pkg_add)

2015-05-11 Thread joe king
hi all.
I've been using nginx well until now.
but pkg_add nginx (5.7) and lynx localhost, then the response is
 'HTTP request sent; waiting for response.'

when I make from source, lynx localhost goes well.
(http://wiki.nginx.org/OnOpenBSD)

has something changed?


1) /etc/nginx/nginx.conf  
worker_processes  1;
events {
worker_connections  1024;
}
http {
include   mime.types;
default_type  application/octet-stream;
sendfile on;
keepalive_timeout  65;
server {
listen   80;
server_name  localhost;
location / {
root   /var/www;
index  index.html index.htm;
}
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root   /var/www;
}
}
}


2) cat  /var/www/index.html 

test

---
joe



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread Jiri B
On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote:
> hi all.
> I install 5.7 using intranet (internet is unnecessary)
> I spent some time.
> for convenience I report it.

No need for such report, man 8 pxeboot is sufficient.

j.



report:intranet PXE network install (by nginx...)

2015-05-07 Thread Tuyosi Takesima
hi all.
I install 5.7 using intranet (internet is unnecessary)
I spent some time.
for convenience I report it.

sis0
openbsd PXE server
ne3 :192.168.11.1
|
PC ( openbsd will be installed)

1) dhcpd
# cat /etc/hostname.ne3
inet 192.168.11.1 255.255.255.0

# cat /etc/dhcpd.interfaces
ne3

# cat /etc/dhcpd.conf
option  domain-name example.com;
option  domain-name-servers 8.8.8.8;
subnet 192.168.11.0 netmask 255.255.255.0 {
option routers 192.168.11.1;
filename pxeboot;
range 192.168.11.30 192.168.11.31;
default-lease-time 86400;
max-lease-time 9;
}

2)tftpb
# ls -l /tftpboot/
total 13860
-rw-r--r--  1 root  wheel  6987854 Apr 30 01:21 bsd.rd
drwxr-xr-x  2 root  wheel  512 Apr 30 09:04 etc
-rw-r--r--  1 root  wheel    81108 Apr 30 01:04 pxeboot

# cat /tftpboot/etc/boot.conf
boot tftp:/bsd.rd

AND
tftpd  /tftpboot


3)nginx --
cat /etc/nginx/nginx.conf
worker_processes  1;
worker_rlimit_nofile 1024;
events {
worker_connections  800;
}
http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;
server {
listen   80;
listen   [::]:80;
server_name  192.168.11.1;
root /var/www/htdocs;
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root  /var/www/htdocs;
}
}
}


ls /var/www/htdocs/pub/5.7
INSTALL.i386 base57.tgz   bsd.rd
index.txt   --- important, i think.
xbase57.tgz  xshare57.tgz
SHA256   bsd  comp57.tgz   man57.tgzxfont57.tgz
SHA256.sig   bsd.mp   game57.tgz   pxeboot  xserv57.tgz

that is all.
I tried automatic install, but how to make partitions is hard to
control.
and this method is adopted in case of upgrade.
_
regards
 in case of
/etc/httpd.conf
ext_addr=192.168.11.1
server www.intranet.com {
listen on $ext_addr port 80
root /htdocs/5.7
}



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread Paolo Aglialoro
If it's correct and not against man pages it can be helpful for beginners
to have a ready recipe, just like FAQs.
On 07/May/2015 10:43, Jiri B ji...@devio.us wrote:

> On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote:
>> hi all.
>> I install 5.7 using intranet (internet is unnecessary)
>> I spent some time.
>> for convenience I report it.
>
> No need for such report, man 8 pxeboot is sufficient.
>
> j.



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread Tuyosi Takesima
security is most important for an airplane.
my writing is imperfect, so it may be dangerous.

by the way I have little experience of domain name servers.
so, I have three questions.

in dnsmasq
1) does /etc/hosts allow aliases?

2) is /etc/resolv.conf important?

3) soft link perhaps fails
   example
   cd /var/www/htdocs/pub/OpenBSD/5.7/
   ln -s /home/Auser/i386 i386
   what should I do?


I use dnsmasq in the PXE server, because it is simple.
(/etc/rc.d/dhcpd stop, don't run tftpd)

network is next.

sis0
openbsd PXE server=dnsmasq
ne3 :192.168.11.1
|
PC ( openbsd will be installed)


A) /etc/dnsmasq.conf
listen-address=127.0.0.1
listen-address=192.168.11.1
interface=fxp0
dhcp-range=192.168.11.10,192.168.11.12,12
dhcp-boot=pxeboot
enable-tftp
tftp-root=/tftpboot

B) /etc/hosts
127.0.0.1   localhost
::1 localhost
192.168.11.1   01.net
192.168.11.1   02.net  ---alias OK?

C)/etc/nginx/nginx.conf

worker_processes  1;
worker_rlimit_nofile 1024;
events {
worker_connections  800;
}

http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;

server {
listen   80;
listen   [::]:80;
server_name  01.net;
root /var/www/htdocs;
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root  /var/www/htdocs;
 }
   }

server {
listen   80;
listen   [::]:80;
server_name  02.net;
root /var/www/htdocs/pub/OpenBSD/5.7/i386;
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root /var/www/htdocs/pub/OpenBSD/5.7/i386;
 }
   }


shell script
-
ifconfig fxp0 192.168.11.1/24
/etc/rc.d/dnsmasq  restart
/etc/rc.d/nginx restart


to upgrade
-
use 01.net - /pub/OpenBSD/5.7/i386
use 02.net - /

this plane flies, but it may drop.
-
regards



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread dan mclaughlin
On Thu, 07 May 2015 08:13:55 -0400 Nick Holland n...@holland-consulting.net
wrote:
> On 05/07/15 07:51, Paolo Aglialoro wrote:
>> If it's correct and not against man pages it can be helpful for beginners
>> to have a ready recipe, just like FAQs.
>
> IF it is correct, maybe.  But OpenBSD's philosophy has never been more
> places of docs is better!.  We really want one authoritative source.
>
> Unfortunately, he's been posting a lot of his experiences which
> involve reinventing wheels with some really oddly shapes and making some
> simple things complicated.  That's not helpful.
>
> Nick.
>

given how often a certain site has given people bad information, and it
doesn't get corrected until people ask questions here, it's at least
slightly better. at least here you are aware of it and have a chance to
respond and correct it, for posterity, while that certain site is still
out there causing trouble.



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread Nick Holland
On 05/07/15 07:51, Paolo Aglialoro wrote:
> If it's correct and not against man pages it can be helpful for beginners
> to have a ready recipe, just like FAQs.

IF it is correct, maybe.  But OpenBSD's philosophy has never been more
places of docs is better!.  We really want one authoritative source.

Unfortunately, he's been posting a lot of his experiences which
involve reinventing wheels with some really oddly shapes and making some
simple things complicated.  That's not helpful.

Nick.


> On 07/May/2015 10:43, Jiri B ji...@devio.us wrote:
>
>> On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote:
>>> hi all.
>>> I install 5.7 using intranet (internet is unnecessary)
>>> I spent some time.
>>> for convenience I report it.
>>
>> No need for such report, man 8 pxeboot is sufficient.
>>
>> j.



Re: SSL working with nginx, not with httpd. Any ideas?

2015-03-14 Thread Ezequiel Garzon
Hi, Hugo!

> Are you sure that's right? I don't see the ssl keyword anywhere in the
> docs

I see what you're saying... I'm using 5.6-release, which is really not 
recommended for httpd as it's moving quite fast. I wonder if that would 
fix it.

> You also seem to be missing TLS certificate/key if you're going to use
> TLS.

I'm using the default files, /etc/ssl/private/server.key and 
/etc/ssl/server.crt. I failed to mention that under (Ubuntu) Chrome I get 
a green lock. By now I'm pretty sure I'm missing the intermediate 
certificate.

Thanks for looking into it!

Best,

Ezequiel



SSL working with nginx, not with httpd. Any ideas?

2015-03-14 Thread Ezequiel Garzon
Greetings! For some reason I'm able to set up SSL support for my domain 
using nginx, but not httpd. I have combined my certificates like this:

# cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/ssl/server.crt

However, if I stop nginx and start httpd I get:

$ curl -I https://ezequiel-garzon.net 
curl: (60) SSL certificate problem: unable to get local issuer 
certificate

I have attempted to write a minimal config file at /etc/httpd.config:

server defaults {listen on egress ssl port 443}

Any ideas on what I'm doing wrong? Thanks for your help!

Cheers,

Ezequiel



Re: SSL working with nginx, not with httpd. Any ideas?

2015-03-14 Thread Hugo Osvaldo Barrera
On 2015-03-14 18:41, Ezequiel Garzon wrote:
> Greetings! For some reason I'm able to set up SSL support for my domain
> using nginx, but not httpd. I have combined my certificates like this:
>
> # cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/ssl/server.crt
>
> However, if I stop nginx and start httpd I get:
>
> $ curl -I https://ezequiel-garzon.net
> curl: (60) SSL certificate problem: unable to get local issuer
> certificate
>
> I have attempted to write a minimal config file at /etc/httpd.config:
>
> server defaults {listen on egress ssl port 443}


Are you sure that's right? I don't see the ssl keyword anywhere in the
docs:

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/httpd.conf.5

You also seem to be missing TLS certificate/key if you're going to use TLS.

> Any ideas on what I'm doing wrong? Thanks for your help!
>
> Cheers,
>
> Ezequiel


Cheers,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: nginx question...

2015-01-20 Thread Alexander Hall

On 01/19/15 23:25, worik wrote:

> Summary:
>
> The files under /var/www/htdocs are by default it seems all owned by
> root:wheel.  What are the issues with changing that to be a normal user?
>
> The long version
>
> My work flow involves building a directory structure on another machine
> and using 'rsync' when I am ready to transfer it to the OpenBSD machine
> to be served by the public facing webserver.
>
> Having the files owned by a user other than the one I log in as for a
> rsync session is causing all sorts of headaches and warnings from rsync.
>
> So I have changed the ownership of all the files and directories to be
> foo:foo where 'foo' is the user/group name I login as.  This makes my
> life much simpler.  But I have a nagging doubt that I am doing some
> thing I will regret.


As long as the files are not modifiable by the webserver, you should be 
fine.


Now and then I create user:user directories somewhere under /var/www/... 
and create a symlink to it from ~user/www.


/Alexander



> Perhaps I need to use rsync differently or modify my workflow
>
> Worik




Re: nginx question...

2015-01-19 Thread Fred

On 01/19/15 22:25, worik wrote:

> Summary:
>
> The files under /var/www/htdocs are by default it seems all owned by
> root:wheel.  What are the issues with changing that to be a normal user?
>
> The long version
>
> My work flow involves building a directory structure on another machine
> and using 'rsync' when I am ready to transfer it to the OpenBSD machine
> to be served by the public facing webserver.
>
> Having the files owned by a user other than the one I log in as for a
> rsync session is causing all sorts of headaches and warnings from rsync.
>
> So I have changed the ownership of all the files and directories to be
> foo:foo where 'foo' is the user/group name I login as.  This makes my
> life much simpler.  But I have a nagging doubt that I am doing some
> thing I will regret.
>
> Perhaps I need to use rsync differently or modify my workflow
>
> Worik



rsync [OPTION...] SRC... rsync://user@[WEBSERVER]/var/www/htdocs

should allow you to set the user on the webserver - what errors are you 
getting?


nginx runs chrooted by default, which should limit exploits.

I also chmod 644 or 640 if I'm feeling more paranoid all the files below 
/var/www/htdocs - although the files are in group www.


hth

Fred
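
The advice in this thread (nothing under the document root modifiable by the web server) and in the .htpasswd thread above (root-owned, group www, mode 640, no execute bit) can be checked mechanically. The following is an added example of my own, not code from either thread. It assumes the web server runs as OpenBSD's `www` user and group, but takes the uid and gid as parameters so it can be exercised without root; the sample tree and the hash in the constructed `.htpasswd` are placeholders.

```python
"""Added example, not code from the thread: audit the permission advice
given here.  A credential file such as .htpasswd should be owned by root,
readable by the web server's group only, writable by nobody but root and not
executable.  Content under the document root should never be writable by the
web server's user or group (or by the world).  'www' is OpenBSD's default
nginx user and group; the ids are passed in so the checks run unprivileged."""
import os
import stat
import tempfile


def audit_secret_file(path, web_uid, web_gid, owner_uid=0):
    """Findings for a credential file.  An empty list means: owned by
    owner_uid, group web_gid, mode 0640-shaped, not executable."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append("wrong owner")
    if st.st_gid != web_gid:
        findings.append("group is not the web server group")
    if mode & stat.S_IROTH:
        findings.append("world readable")
    if mode & stat.S_IWOTH:
        findings.append("world writable")
    if mode & stat.S_IWGRP:
        findings.append("group writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    if st.st_uid == web_uid and mode & stat.S_IWUSR:
        findings.append("owned and writable by the web server user")
    if not mode & stat.S_IRGRP:
        findings.append("not group readable, so the web server cannot read it")
    return findings


def web_writable_paths(root, web_uid, web_gid):
    """Walk root and return every file or directory the web server could
    modify: world-writable, group-writable with the web group, or owned by
    the web user with the owner write bit.  Paths are relative to root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target where it lives, not the link
            mode = stat.S_IMODE(st.st_mode)
            if (mode & stat.S_IWOTH
                    or (st.st_gid == web_gid and mode & stat.S_IWGRP)
                    or (st.st_uid == web_uid and mode & stat.S_IWUSR)):
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and run both audits on it.  The
    running user stands in for root (the file owner), the group new files
    get here stands in for www, and a uid that is not ours stands in for
    the www user (hypothetical values for the demo only)."""
    base = tempfile.mkdtemp()
    me = os.getuid()
    htpasswd = os.path.join(base, ".htpasswd")
    with open(htpasswd, "w") as fh:
        fh.write("user:$2b$10$constructed.placeholder.hash\n")
    www_gid = os.stat(htpasswd).st_gid
    www_uid = me + 1

    htdocs = os.path.join(base, "htdocs")
    os.mkdir(htdocs)
    os.chmod(htdocs, 0o755)
    for name, mode in (("index.html", 0o644),   # fine
                       ("upload.txt", 0o664),   # group (www) writable
                       ("cgi.bin", 0o666)):     # world writable
        p = os.path.join(htdocs, name)
        open(p, "w").close()
        os.chmod(p, mode)

    os.chmod(htpasswd, 0o777)   # the thread's starting point
    too_open = audit_secret_file(htpasswd, www_uid, www_gid, owner_uid=me)
    os.chmod(htpasswd, 0o640)   # the advised mode
    fixed = audit_secret_file(htpasswd, www_uid, www_gid, owner_uid=me)
    return {"too_open": too_open, "fixed": fixed,
            "web_writable": web_writable_paths(htdocs, www_uid, www_gid)}


if __name__ == "__main__":
    print(demo())
```

On a real host, call the two functions with `pwd.getpwnam("www").pw_uid`, `grp.getgrnam("www").gr_gid` and the default `owner_uid=0`; anything `web_writable_paths` reports under /var/www/htdocs is a file the server process could rewrite if compromised, which is exactly what Alexander's "not modifiable by the webserver" condition rules out.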



nginx question...

2015-01-19 Thread worik
Summary:

The files under /var/www/htdocs are by default it seems all owned by
root:wheel.  What are the issues with changing that to be a normal user?

The long version

My work flow involves building a directory structure on another machine
and using 'rsync' when I am ready to transfer it to the OpenBSD machine
to be served by the public facing webserver.

Having the files owned by a user other than the one I log in as for a
rsync session is causing all sorts of headaches and warnings from rsync.

So I have changed the ownership of all the files and directories to be
foo:foo where 'foo' is the user/group name I login as.  This makes my
life much simpler.  But I have a nagging doubt that I am doing some
thing I will regret.

Perhaps I need to use rsync differently or modify my workflow

Worik
-- 
Why is the legal status of chardonnay different to that of cannabis?
   worik.stan...@gmail.com 021-1680650, (03) 4821804
  Aotearoa (New Zealand)
 I voted for love



Re: Best way forward w.r.t. apache/nginx/httpd?

2015-01-01 Thread Reyk Floeter
On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote:
>> b) Migrate to nginx
>>    This seems to be the least interesting option - not only do I have to
>>    migrate now, but once more in the future, as nginx is also on the way
>>    out (so, the same developer attention caveat applies as with
>>    apache)
>
> This might be a reasonable choice, especially if the CMS you're looking
> at already documents how to use it with nginx.
>

We already got some of the most common CMS / web things working.  But
I'm interested in examples from users who created such configurations
with httpd (and please make sure to mention httpd in the subject to
let me find them in my inbox).

>> c) Migrate to httpd
>>    From what I've gathered so far from this list, this would basically
>>    require me to switch to -current, as the 5.6 version is too fresh and
>>    too many changes have happened since - or am I being pessimistic
>>    here? I've never run -current before, hence, I'm a bit hesitant...
>
> Personally I don't think httpd is quite ready for use with a typical
> PHP-based CMS yet (including -current). Two big issues for this type
> of use: clean urls functionality in most CMS needs rewrite support
> which httpd doesn't have. httpd's fastcgi support passes every url
> matching a location block to the handler meaning there's no mitigation
> for the issue described in
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
> (which also affects naive nginx configurations).
>

And I personally disagree with the conclusion that httpd is not ready.
It is not finished but it is ready for many common things.

- People are using it with different CMS, including Wordpress,
CVSWeb, different Wikis, etc.  I even tested it with node-fastcgi (I
know, it's weird, but I had to satisfy my inner web hipster).  I'm
looking forward to hear about more examples (hint: send me your
testimonials).

- Some features are missing, and will be implemented, but there are
ways to deal with them:

1. redirects / return 301 etc.: This can be done without regex by
using a few built-in variables.  Current workaround is to either do it
in the fastcgi backend or with, ahem, html refresh.  btw., nginx'
return 444; is such an ugly workaround...

2. basic auth: We don't have a satisfying implementation for
authentication yet.  But it is needed and will be done.

3. deny: We cannot deny access to specific locations but the current
workaround is to set a non-accessible root:

location */.* {
# mkdir -m 0 /var/www/forbidden
root /forbidden
}

4. Server aliases and a few restrictions of the grammar: Individual
server blocks can currently only have one name and listen statement.
This will be fixed in the parser later.  To avoid too much repeating
configuration, I currently use includes:

server www.example.com {
listen on $ip4_addr port 80
include /etc/httpd/example.com.inc
}
server www.example.com {
listen on $ip6_addr port 80
include /etc/httpd/example.com.inc
}
server www.example.com {
listen on $ip4_addr tls port 443
include /etc/httpd/example.com.ssl
include /etc/httpd/example.com.inc
}
server www.example.com {
listen on $ip6_addr tls port 443
include /etc/httpd/example.com.ssl
include /etc/httpd/example.com.inc
}

5. Some minor things, eg. charsets (for auto index), fixes, ...

6. The web server needs some more FAQ-style documentation in addition
to our excellent man pages and examples.  Examples for each CMS would
go beyond the scope of them, and probably don't fit into the OpenBSD
FAQ.  So I'm thinking about putting something on http://bsd.plumbing/.

- Like nginx describes, there are also various ways to safely handle
#Passing_Uncontrolled_Requests_to_PHP in httpd:

1. It's a non-issue for OpenBSD because php-fpm rejects execution of
non-php files by default.  See php-fpm.conf:

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5

2. You can write locations as a ruleset in first-matching order, eg.

location */.* {
root /forbidden
}
location /cms/*.jpg {
no fastcgi
}
location /cms/uploads/* {
no fastcgi
}
location /cms/* {
fastcgi socket run/php-fpm.sock
}

3. Don't use PATH_INFO and only match PHP files (fnmatch has an implicit $).

location /cms/*.php {
fastcgi socket run/php-fpm.sock
}

- I
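
Reyk's point that httpd evaluates `location` blocks in first-matching order, with fnmatch's implicit anchoring at both ends, decides which request paths ever reach php-fpm. The following added example models that matching; the two rulesets are the ones in his post, the matcher is mine and not httpd's code. It assumes httpd's fnmatch(3) use lets `*` cross `/`, which his own `*/.*` rule relies on and which Python's fnmatch also does. It also shows a caveat: a `*/.*` catch-all placed first would swallow `/.well-known/acme-challenge/...` too, so on a host doing ACME that location needs its own rule ahead of it.

```python
"""Added example (the rulesets are Reyk's from the post; the matcher is mine,
not httpd's code).  Models httpd.conf(5) 'location' matching: rules are tried
in configuration order and the first glob matching the whole request path
wins.  Assumption: httpd's fnmatch(3) lets '*' cross '/', as Python's
fnmatch does, which the post's own '*/.*' rule depends on."""
from fnmatch import fnmatchcase

# First-matching-order ruleset from the post, as (pattern, action).
RULESET = [
    ("*/.*", "forbidden"),              # root /forbidden: dotfiles anywhere
    ("/cms/*.jpg", "no fastcgi"),
    ("/cms/uploads/*", "no fastcgi"),   # nothing under uploads/ reaches php-fpm
    ("/cms/*", "fastcgi"),
]

# The stricter variant from the post: only real *.php paths, no PATH_INFO.
PHP_ONLY = [
    ("*/.*", "forbidden"),
    ("/cms/*.php", "fastcgi"),
]


def resolve(path, ruleset, default="no fastcgi"):
    """Action of the first rule whose glob matches the entire path.
    fnmatch anchors both ends, which is the 'implicit $' Reyk mentions,
    so '/cms/*.php' does not match '/cms/index.php/extra'."""
    for pattern, action in ruleset:
        if fnmatchcase(path, pattern):
            return action
    return default


def table(paths, ruleset):
    """Resolve several request paths at once, for inspection."""
    return {p: resolve(p, ruleset) for p in paths}


# Constructed sample paths, not from the thread.
SAMPLE_PATHS = [
    "/cms/index.php",
    "/cms/index.php/extra",               # PATH_INFO style: does not end in .php
    "/cms/uploads/photo.jpg",
    "/cms/uploads/photo.jpg/x.php",       # the pitfall shape; uploads/ rule wins
    "/cms/.git/config",
    "/.well-known/acme-challenge/token",  # note: */.* catches this too
]

if __name__ == "__main__":
    for name, rules in (("RULESET", RULESET), ("PHP_ONLY", PHP_ONLY)):
        print(name)
        for p, a in table(SAMPLE_PATHS, rules).items():
            print(f"  {p:40} -> {a}")
```

Under `RULESET` a PATH_INFO-style `/cms/index.php/extra` still lands on `/cms/*` and goes to php-fpm, which is where `security.limit_extensions` does its work; under `PHP_ONLY` it matches nothing and is served as a plain file.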

Re: Best way forward w.r.t. apache/nginx/httpd?

2015-01-01 Thread Clint Sand
On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote:
> On 2014-12-29, T. Ribbrock emga...@gmx.net wrote:
>> Given the current state of development in OpenBSD, I'm now wondering
>> what the best way forward is for me:
>>
>> a) Install apache-httpd-openbsd from ports and keep my configuration
>>    basically as is
>>    Advantage: Less work to get everything running - I've done OpenBSD
>>    re-installs like that several times over the past years
>>    Disadvantage: I guess that the new httpd will get a lot more
>>    developer attention, so this does not seem the ideal option longterm,
>>    but I could always migrate to httpd later, e.g. when upgrading to 5.7
>>    or (more likely) 5.8
>
> apache-httpd-openbsd is a dead-end, it's not actively developed, ssl
> support is poor, third-party documentation relating to use of webapps
> with Apache has long since moved to Apache 2. It's mainly there to
> provide a quick migration path for existing OpenBSD users and to
> ease the pain in ports.
>
>> b) Migrate to nginx
>>    This seems to be the least interesting option - not only do I have to
>>    migrate now, but once more in the future, as nginx is also on the way
>>    out (so, the same developer attention caveat applies as with
>>    apache)
>
> This might be a reasonable choice, especially if the CMS you're looking
> at already documents how to use it with nginx.
>
>> c) Migrate to httpd
>>    From what I've gathered so far from this list, this would basically
>>    require me to switch to -current, as the 5.6 version is too fresh and
>>    too many changes have happened since - or am I being pessimistic
>>    here? I've never run -current before, hence, I'm a bit hesitant...
>
> Personally I don't think httpd is quite ready for use with a typical
> PHP-based CMS yet (including -current). Two big issues for this type
> of use: clean urls functionality in most CMS needs rewrite support
> which httpd doesn't have. httpd's fastcgi support passes every url
> matching a location block to the handler meaning there's no mitigation
> for the issue described in
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
> (which also affects naive nginx configurations).
>

Yep. Lack of a mod_rewrite functionality in httpd is the only thing at this 
point keeping me from using it in production. MVC frameworks usually rely 
on some sort of rewrite to force URLs to a signle front controller file. 

I went with the OP's option a) and installed the apache 1 port just to get 
through the 5.6 upgrade. I'll likely switch to nginx long term unless httpd 
gets a rewrite functionality. Big thanks for the apache-httpd-openbsd option 
to make these migrations easier to phase in over time on busy sites. 

-Clint



Re: nginx how to run first site as open , and second

2014-12-30 Thread Tuyosi Takesima
thanks for einfach's kind advice, I at last did it.

final nginx.conf is


worker_processes  1;
worker_rlimit_nofile 1024;

events {
worker_connections  800;
}

#h
http {

include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;


server {
listen   80;
listen   [::]:80;
server_name  localhost;#-for test
root /var/www/d1;
auth_basic Restricted;
auth_basic_user_file /var/www/1/.htpasswd;
  }

#0
server {
listen   80;
listen   [::]:80;
server_name  a.mydns.jp;
root /var/www/d0;
auth_basic Restricted;
auth_basic_user_file /var/www/1/.htpasswd;
  }

#1
server {
listen   80;
listen   [::]:80;
server_name  s.sun.ddns.vc;
root /var/www/d1;
auth_basic Restricted;
auth_basic_user_file /var/www/1/.htpasswd;
  }

#2
server {
listen   80;
listen   [::]:80;
server_name  k.sun.ddns.vc;
root /var/www/d2;
auth_basic Restricted;
auth_basic_user_file /var/www/2/.htpasswd;
  }

#11
server {
listen   80;
listen   [::]:80;
server_name  member.planex.ddns.vc;
root /var/www/d11;
auth_basic Restricted;
auth_basic_user_file /var/www/11/.htpasswd;
  }

#12
server {
listen   80;
listen   [::]:80;
server_name  n.luna.ddns.vc;
root /var/www/d12;
auth_basic Restricted;
auth_basic_user_file /var/www/12/.htpasswd;
  }
#h
}

and I run OpenBSD on USB only, about 4GB,
so I must use a hard disk.

Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/sd1a      8293692   5045444   2833564    64%    /
/dev/sd0a     58566000  30109240  25481432    54%    /var/www

so

# cat /etc/rc.local
umount /var/www
mount_ext2fs /dev/sd0a /var/www   # -ext2fs
if [  -x /usr/local/sbin/nginx ]; then
echo ' -   Starting nginx -  ';  /etc/rc.d/nginx -f start
fi


because
cat /etc/rc.d/nginx
#!/bin/sh
#
# $OpenBSD: nginx,v 1.1 2012/02/19 11:34:36 robert Exp $

daemon=/usr/local/sbin/nginx   #--

. /etc/rc.d/rc.subr

pexp=nginx:.*master.*process

rc_reload() {
${daemon} -s reload
}

rc_stop() {
${daemon} -s stop || pkill -f ^${pexp}
}

rc_cmd $1


and
cat /etc/rc.shutdown

umount  /var/www/


thanks thanks
--
tuyosi
* http://marc.info/?a=14167909673&r=1&w=2 *



Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-30 Thread T. Ribbrock
I'll answer to this one, but I'll start with a big thanks to all who
responded - some interesting points were made!

On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote:
 apache-httpd-openbsd is a dead-end, it's not actively developed, ssl
 support is poor, third-party documentation relating to use of webapps
 with Apache has long since moved to Apache 2. It's mainly there to
 provide a quick migration path for existing OpenBSD users and to
 ease the pain in ports.

In fact, the Apache 1 vs. 2 problem has already hit me in the past and
forced me not to use a photogallery application I wanted to use. You
make a very valid point here: Contrary to nginx, there is indeed nobody
developing Apache 1 anymore (not even the OpenBSD developers who kept it
running for so long).


  b) Migrate to nginx
[...]

 This might be a reasonable choice, especially if the CMS you're looking
 at already documents how to use it with nginx.

I had a quick look - CMS Made Simple (which is what I'm using) has
apparently been used with nginx by some people, so there is some
documentation around. phpGedView (which is another application I use) is
no longer developed and I was thinking about replacing it
anyway, so this might be a good time. Same goes for the gallery I'm
currently using. There will be some work involved, but this has been
coming a long time now... Time for some clean-up work.


  c) Migrate to httpd
[...]

 Personally I don't think httpd is quite ready for use with a typical
 PHP-based CMS yet (including -current). Two big issues for this type
 of use: clean urls functionality in most CMS needs rewrite support
 which httpd doesn't have. httpd's fastcgi support passes every url
 matching a location block to the handler meaning there's no mitigation
 for the issue described in
 http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
 (which also affects naive nginx configurations).

Thanks for those two insights. Based on what I've read so far, I will
give nginx a try - that will at least place me on a server that is a)
well known on OpenBSD and b) still under active development - that
should buy me enough time to wait for the day that httpd can take over
this job - given the track record of OpenBSD, I very much like to stay
within base where possible.

Thanks again!

And now off to read up on how to use nginx with PHP etc.pp ;-)

Cheerio,

Thomas
-- 
-
 Thomas Ribbrock                    http://www.ribbrock.org/
   You have to live on the edge of reality - to make your dreams come true!



Re: nginx how to run first site as open , and second

2014-12-29 Thread Tuyosi Takesima
Hi, all.

How to compile nginx which has basic auth ability, using ports?

According to http://wiki.nginx.org/Modules ,
  if auth_basic is not wanted,
  compile nginx --without-http_auth_basic_module .
---
I need basic auth because of family privacy photos;
   I run nginx on arch linux out of need.

nginx.conf is
worker_processes  1;
events {
worker_connections  1024;
}

http {
include   mime.types;
default_type  application/octet-stream;
sendfile on;
keepalive_timeout  65;

# local
server {
listen   80;
server_name  localhost;
root /mnt-nginx/d3;
index  index.html index.htm;
auth_basic Restricted;
auth_basic_user_file /etc/nginx/13/.htpasswd;
# 13 instead of require
}

#-open-mydns
server {
listen   80;
server_name  a.mydns.jp;
root   /mnt-nginx/d1;
index  index.html index.htm;
   }

#-basic auth---ddns
server {
listen   80;
server_name  s.sun.ddns.vc;
root /mnt-nginx/htdocs/Fam;
index  index.html index.htm;
auth_basic Restricted;
auth_basic_user_file /etc/nginx/1/.htpasswd;
# 1 instead of require
  }
}
---
tuyosi



Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread T. Ribbrock
Hi all,

I'm finally getting round to updating my home server (gets a fresh 5.6
install).

Of course, there were a lot of changes over the past versions, one of
them being the whole apache -> nginx -> httpd migration. My webserver
has a CMS running which requires PHP and MySQL, plus a few more
PHP-applications. Also, I have two or three virtual sites running and
I'm currently considering having a look at something like Owncloud
and/or Citadel.

Given the current state of development in OpenBSD, I'm now wondering
what the best way forward is for me:

a) Install apache-httpd-openbsd from ports and keep my configuration
   basically as is
   Advantage: Less work to get everything running - I've done OpenBSD
   re-installs like that several times over the past years
   Disadvantage: I guess that the new httpd will get a lot more
   developer attention, so this does not seem the ideal option longterm,
   but I could always migrate to httpd later, e.g. when upgrading to 5.7
   or (more likely) 5.8

b) Migrate to nginx
   This seems to be the least interesting option - not only do I have to
   migrate now, but once more in the future, as nginx is also on the way
   out (so, the same developer attention caveat applies as with
   apache)

c) Migrate to httpd
   From what I've gathered so far from this list, this would basically
   require me to switch to -current, as the 5.6 version is too fresh and
   too many changes have happened since - or am I being pessimistic
   here? I've never run -current before, hence, I'm a bit hesitant...

I tend to go for a) because I do not want to migrate twice - but maybe
somebody else has some interesting points that I have not considered
yet? I'd appreciate the input!

Regards,

Thomas
-- 
-
 Thomas Ribbrock                    http://www.ribbrock.org/
   You have to live on the edge of reality - to make your dreams come true!



Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread Jeff St. George
In more or less the same boat, without php as our virtual sites are simple
display only.

However for future business development we have wondered the same.

I am in agreement with your choice of (1) as that would be ours pending
feedback here from those who know.


On Mon, Dec 29, 2014 at 7:30 AM, T. Ribbrock emga...@gmx.net wrote:

 Hi all,

 I'm finally getting round to updating my home server (gets a fresh 5.6
 install).

 Of course, there were a lot of changes over the past versions, one of
 them being the whole apache -> nginx -> httpd migration. My webserver
 has a CMS running which requires PHP and MySQL, plus a few more
 PHP-applications. Also, I have two or three virtual sites running and
 I'm currently considering having a look at something like Owncloud
 and/or Citadel.

 Given the current state of development in OpenBSD, I'm now wondering
 what the best way forward is for me:

 a) Install apache-httpd-openbsd from ports and keep my configuration
basically as is
Advantage: Less work to get everything running - I've done OpenBSD
re-installs like that several times over the past years
Disadvantage: I guess that the new httpd will get a lot more
developer attention, so this does not seem the ideal option longterm,
but I could always migrate to httpd later, e.g. when upgrading to 5.7
or (more likely) 5.8

 b) Migrate to nginx
This seems to be the least interesting option - not only do I have to
migrate now, but once more in the future, as nginx is also on the way
out (so, the same developer attention caveat applies as with
apache)

 c) Migrate to httpd
From what I've gathered so far from this list, this would basically
require me to switch to -current, as the 5.6 version is too fresh and
too many changes have happened since - or am I being pessimistic
here? I've never run -current before, hence, I'm a bit hesitant...

 I tend to go for a) because I do not want to migrate twice - but maybe
 somebody else has some interesting points that I have not considered
 yet? I'd appreciate the input!

 Regards,

 Thomas
 --

 -
  Thomas Ribbrock                    http://www.ribbrock.org/
You have to live on the edge of reality - to make your dreams come
 true!



Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread jungle Boogie
Hi Thomas,
On 29 December 2014 at 05:30, T. Ribbrock emga...@gmx.net wrote:
 Hi all,

 I'm finally getting round to updating my home server (gets a fresh 5.6
 install).

 Of course, there were a lot of changes over the past versions, one of
 them being the whole apache -> nginx -> httpd migration. My webserver
 has a CMS running which requires PHP and MySQL, plus a few more
 PHP-applications. Also, I have two or three virtual sites running and
 I'm currently considering having a look at something like Owncloud
 and/or Citadel.


 c) Migrate to httpd
From what I've gathered so far from this list, this would basically
require me to switch to -current, as the 5.6 version is too fresh and
too many changes have happened since - or am I being pessimistic
here? I've never run -current before, hence, I'm a bit hesitant...

Well you could try 5.6 with this patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig

Of course, visualize everything and test it out before going live!

But you are right, httpd is very fast moving:
https://secure.freshbsd.org/search?project=openbsd&q=httpd



 Regards,

 Thomas
 --

Best,
jungle


 -
  Thomas Ribbrock                    http://www.ribbrock.org/
You have to live on the edge of reality - to make your dreams come true!



---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si



Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread Ted Unangst
On Mon, Dec 29, 2014 at 14:30, T. Ribbrock wrote:
 
 b) Migrate to nginx
 This seems to be the least interesting option - not only do I have to
 migrate now, but once more in the future, as nginx is also on the way
 out (so, the same developer attention caveat applies as with
 apache)

nginx hasn't disappeared entirely. It's still in ports. If you're
running PHP, you're obviously not afraid of installing a few packages.

nginx at least receives attention from its own team of developers.
Their priorities are not always in alignment with OpenBSD (hence the
new httpd), but it has a lot more of a future than apache1 does.



Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread Marcus MERIGHI
emga...@gmx.net (T. Ribbrock), 2015.12.29 (Mon) 14:30 (CET):
 Hi all,
 
 I'm finally getting round to updating my home server (gets a fresh 5.6
 install).
 
 Of course, there were a lot of changes over the past versions, one of
 them being the whole apache -> nginx -> httpd migration. My webserver
 has a CMS running which requires PHP and MySQL, plus a few more
 PHP-applications. Also, I have two or three virtual sites running and
 I'm currently considering having a look at something like Owncloud
 and/or Citadel.
 
 Given the current state of development in OpenBSD, I'm now wondering
 what the best way forward is for me:
 
 a) Install apache-httpd-openbsd from ports and keep my configuration
basically as is
Advantage: Less work to get everything running - I've done OpenBSD
re-installs like that several times over the past years
Disadvantage: I guess that the new httpd will get a lot more
developer attention, so this does not seem the ideal option longterm,
but I could always migrate to httpd later, e.g. when upgrading to 5.7
or (more likely) 5.8
 
 b) Migrate to nginx
This seems to be the least interesting option - not only do I have to
migrate now, but once more in the future, as nginx is also on the way
out (so, the same developer attention caveat applies as with
apache)
 
 c) Migrate to httpd
From what I've gathered so far from this list, this would basically
require me to switch to -current, as the 5.6 version is too fresh and
too many changes have happened since - or am I being pessimistic
here? I've never run -current before, hence, I'm a bit hesitant...

As I've understood it, there's no need to run -current to get a
(fairly?) recent httpd(8):

http://www.openbsd.org/errata56.html
009: RELIABILITY FIX: November 18, 2014   All architectures
httpd was developed very rapidly in the weeks before 5.6 release, and
it has a few flaws. It would be nice to get these flaws fully
remediated before the next release, and that requires the community to
want to use it. Therefore here is a jumbo patch that brings in the
most important fixes. 
A source code patch exists which remedies this problem.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig

Do you know of http://stable.mtier.org/ , especially openup:
http://www.mtier.org/index.php/solutions/apps/openup/ ?

 I tend to go for a) because I do not want to migrate twice - but maybe
 somebody else has some interesting points that I have not considered
 yet? I'd appreciate the input!

For just your own business, I'd do a) and deal with httpd(8) later. For
our all benefit, please run httpd(8) now, reyk@ will love your reports
and you'd raise our chances for httpd(8) in 5.7.

Bye, Marcus




Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread Edgar Pettijohn
I'm not experiencing any problems with httpd and php, but I don't have a 
need for any of the extras you can get with the other two. It actually 
seems to be performing better than nginx from what I can tell.


On 12/29/14 10:07, Ted Unangst wrote:

On Mon, Dec 29, 2014 at 14:30, T. Ribbrock wrote:

b) Migrate to nginx
This seems to be the least interesting option - not only do I have to
migrate now, but once more in the future, as nginx is also on the way
out (so, the same developer attention caveat applies as with
apache)

nginx hasn't disappeared entirely. It's still in ports. If you're
running PHP, you're obviously not afraid of installing a few packages.

nginx at least receives attention from its own team of developers.
Their priorities are not always in alignment with OpenBSD (hence the
new httpd), but it has a lot more of a future than apache1 does.




Re: Best way forward w.r.t. apache/nginx/httpd?

2014-12-29 Thread Stuart Henderson
On 2014-12-29, T. Ribbrock emga...@gmx.net wrote:
 Given the current state of development in OpenBSD, I'm now wondering
 what the best way forward is for me:

 a) Install apache-httpd-openbsd from ports and keep my configuration
basically as is
Advantage: Less work to get everything running - I've done OpenBSD
re-installs like that several times over the past years
Disadvantage: I guess that the new httpd will get a lot more
developer attention, so this does not seem the ideal option longterm,
but I could always migrate to httpd later, e.g. when upgrading to 5.7
or (more likely) 5.8

apache-httpd-openbsd is a dead-end, it's not actively developed, ssl
support is poor, third-party documentation relating to use of webapps
with Apache has long since moved to Apache 2. It's mainly there to
provide a quick migration path for existing OpenBSD users and to
ease the pain in ports.

 b) Migrate to nginx
This seems to be the least interesting option - not only do I have to
migrate now, but once more in the future, as nginx is also on the way
out (so, the same developer attention caveat applies as with
apache)

This might be a reasonable choice, especially if the CMS you're looking
at already documents how to use it with nginx.

 c) Migrate to httpd
From what I've gathered so far from this list, this would basically
require me to switch to -current, as the 5.6 version is too fresh and
too many changes have happened since - or am I being pessimistic
here? I've never run -current before, hence, I'm a bit hesitant...

Personally I don't think httpd is quite ready for use with a typical
PHP-based CMS yet (including -current). Two big issues for this type
of use: clean urls functionality in most CMS needs rewrite support
which httpd doesn't have. httpd's fastcgi support passes every url
matching a location block to the handler meaning there's no mitigation
for the issue described in
http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
(which also affects naive nginx configurations).

 I tend to go for a) because I do not want to migrate twice - but maybe
 somebody else has some interesting points that I have not considered
 yet? I'd appreciate the input!

Another option is to migrate to apache 2, this tends to be quite well
supported by webapp authors, though it's not very widely used in OpenBSD
land. Or other servers like lighttpd are available.

What would I choose? Depends on the particular webapp...



Re: nginx how to run first site as open , and second

2014-12-29 Thread Einfach Jemand
On 2014-12-29 at 08:59 CET Tuyosi Takesima wrote:
 Hi ,all .
 
 how to compile nginx who has ability of basic auth using ports ?
 
 according to http://wiki.nginx.org/Modules ,
   if auth_basic is not wanted,
   compile nginx --without-http_auth_basic_module .
 ---
 i need basic auth because of family privacy photos ,
i run nginx on arch linux  out of need .
 
 nginx.conf is
 worker_processes  1;
 events {
 worker_connections  1024;
 }
 
 http {
 include   mime.types;
 default_type  application/octet-stream;
 sendfile on;
 keepalive_timeout  65;
 
 # local
 server {
 listen   80;
 server_name  localhost;
 root /mnt-nginx/d3;
 index  index.html index.htm;
 auth_basic Restricted;
 auth_basic_user_file /etc/nginx/13/.htpasswd;
 # 13 instead of require
 }
 
 #-open-mydns
 server {
 listen   80;
 server_name  a.mydns.jp;
 root   /mnt-nginx/d1;
 index  index.html index.htm;
}
 
 #-basic auth---ddns
 server {
 listen   80;
 server_name  s.sun.ddns.vc;
 root /mnt-nginx/htdocs/Fam;
 index  index.html index.htm;
 auth_basic Restricted;
 auth_basic_user_file /etc/nginx/1/.htpasswd;
 # 1 instead of require
   }
 }
 ---
 tuyosi
 

Hiya,

basic_auth is available by default in nginx on OpenBSD.
You do not need to compile it with any special flags/settings.

Thus you can set your PACKAGE_PATH to a mirror near you and simply do

# pkg_add nginx

or if you really want to compile it (why?) you can build it from ports

$ cd /usr/ports/www/nginx
$ make
$ sudo make install

See http://www.openbsd.org/faq/faq15.html for the documentation of the
package and ports system.


Be aware that nginx on OpenBSD runs in a proper chroot under /var/www,
thus you need to create the directories

/var/www/etc/nginx/1
  and
/var/www/etc/nginx/13

and put your .htpasswd files there if you want to use your configuration
as quoted above.  Otherwise you will get errors like

*1 open() /etc/nginx/conf/13/.htpasswd failed (2: No such file or
directory)

in /var/www/logs/error.log

The same goes for the document roots. You will need the directories
/var/www/mnt-nginx/d1
/var/www/mnt-nginx/d3
/var/www/mnt-nginx/htdocs/Fam
for your unaltered configuration to work.

Note that basic_auth over unencrypted http might be a weak
authentication mechanism for your purpose.

Also note that the nginx package does not bring you the htpasswd program
to generate your .htaccess files.
htpasswd has been in the OpenBSD base system since OpenBSD 5.6.

HTH
rru
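As an added illustration (not code from rru's reply, nor from the OpenBSD nginx package), here is a small sh script that checks a configuration for the two things raised in this thread: the chroot-relative root and auth_basic_user_file paths described above, and the "passing uncontrolled requests to PHP" pitfall Stuart Henderson linked in the apache/nginx/httpd thread. The embedded sample nginx.conf, its server names and the php-fpm socket path are made up; the chroot directory is passed as an argument (/var/www on OpenBSD). The checks are textual heuristics over the file and do not evaluate nginx's own include and prefix rules.

```shell
#!/bin/sh
# Added example, not code from this thread or from the OpenBSD nginx package.
# Two checks for an nginx.conf on OpenBSD:
#  1. nginx runs chrooted (default /var/www), so absolute "root" and
#     "auth_basic_user_file" paths are resolved inside the chroot:
#     /etc/nginx/1/.htpasswd in the config is /var/www/etc/nginx/1/.htpasswd.
#  2. A "location ~ \.php$" that passes every matching URI to FastCGI lets a
#     request such as /photos/cat.jpg/x.php reach the PHP handler;
#     "try_files $uri =404;" inside the block refuses URIs whose script
#     does not exist on disk.

# check_chroot_paths CONF CHROOT: print every absolute root or
# auth_basic_user_file path missing under CHROOT; return 0 if none is missing.
check_chroot_paths() {
    conf=$1; chroot=$2; missing=0
    # comments stripped; directive and argument joined with "=" for the loop
    for entry in $(sed 's/#.*//' "$conf" | awk '
            $1 == "root" || $1 == "auth_basic_user_file" {
                sub(/;$/, "", $2); print $1 "=" $2 }'); do
        directive=${entry%%=*}; path=${entry#*=}
        case $path in
            /*) ;;
            *)  continue ;;   # relative paths resolve against the prefix; skipped
        esac
        if [ "$directive" = root ]; then
            [ -d "$chroot$path" ] && continue
        else
            [ -f "$chroot$path" ] && continue   # -r would also test readability
        fi
        echo "$directive $path -> $chroot$path does not exist"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# check_php_locations CONF: report each "location ~ ...php" block that has
# fastcgi_pass but no try_files; return 0 if every such block is guarded.
check_php_locations() {
    awk '
        /^[ \t]*#/ { next }
        !inblk && $1 == "location" && $2 ~ /^~/ && $0 ~ /php/ {
            inblk = 1; depth = 0; opened = 0; pass = 0; guard = 0; start = NR
        }
        inblk {
            if ($0 ~ /fastcgi_pass/) pass = 1
            if ($0 ~ /try_files/)    guard = 1
            n = gsub(/[{]/, "&"); if (n) opened = 1; depth += n
            depth -= gsub(/[}]/, "&")
            if (opened && depth == 0) {
                if (pass && !guard) {
                    print "line " start ": PHP location passes to FastCGI without try_files"
                    bad++
                }
                inblk = 0
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# build_demo_tree DIR: constructed sample chroot and nginx.conf (server names
# and socket path made up); site2's document root is deliberately not created.
build_demo_tree() {
    mkdir -p "$1/var/www/htdocs/site1" "$1/var/www/etc/nginx/1"
    touch "$1/var/www/etc/nginx/1/.htpasswd"
    cat > "$1/nginx.conf" <<'EOF'
worker_processes 1;
events { worker_connections 800; }
http {
    server {
        server_name a.example.jp;
        root /htdocs/site1;
    }
    server {
        server_name s.example.jp;
        root /htdocs/site2;                           # missing under the chroot
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/1/.htpasswd;  # i.e. /var/www/etc/nginx/1/
        location ~ \.php$ {                           # naive: no existence check
            fastcgi_pass unix:/run/php-fpm.sock;
        }
    }
    server {
        server_name k.example.jp;
        root /htdocs/site1;
        location ~ \.php$ {
            try_files $uri =404;                      # hardened
            fastcgi_pass unix:/run/php-fpm.sock;
        }
    }
}
EOF
}

# demo: run both checks against the constructed tree and print the findings
demo() {
    d=$(mktemp -d) || return 1
    build_demo_tree "$d"
    if check_chroot_paths "$d/nginx.conf" "$d/var/www"; then echo "chroot paths: ok"; fi
    if check_php_locations "$d/nginx.conf"; then echo "php locations: ok"; fi
    rm -r "$d"
}

demo
```

Run as is, the demo prints one line for the missing site2 document root and one for the unguarded PHP location in the second server block. Against a real install, call check_chroot_paths /etc/nginx/nginx.conf /var/www; the -f test only proves the file exists, so the "Permission denied" case discussed further down in this thread still needs a look at the file's owner and mode.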



Re: nginx how to run first site as open , and second

2014-12-29 Thread Tuyosi Takesima
Thanks for the good advice.
Surely there is no need to compile to obtain basic auth.

My test nginx.conf is next.

cat /etc/nginx/nginx.conf


worker_processes  1;
worker_rlimit_nofile 1024;
events {
worker_connections  800;
}

http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;

server {
listen   80;
listen   [::]:80
server_name  s.sun.ddns.vc;
root /var/www/htdocs;
error_page   500 502 503 504  /50x.html;

auth_basic Restricted;
auth_basic_user_file /var/www/1/.htpasswd;
location = /50x.html {
root  /var/www/htdocs;
 }
   }
}


When an internal server error occurs, I overcome it by
   ' chown -R www /var/www ' .
Is this right?

--
tuyosi



Re: nginx how to run first site as open , and second

2014-12-29 Thread Einfach Jemand
Hi,

On 2014-12-30 on 05:30  CET Tuyosi Takesima wrote :
 thanks for good advise .
 surely no need to compile to obtain basic auth .
 
 my test nginx.conf is next .
 
 cat /etc/nginx/nginx.conf
 
 
 worker_processes  1;
 worker_rlimit_nofile 1024;
 events {
 worker_connections  800;
 }
 
 http {
 include   mime.types;
 default_type  application/octet-stream;
 index index.html index.htm;
 keepalive_timeout  65;
 server_tokens off;
 
 server {
 listen   80;
 listen   [::]:80
You are missing a ; here--^

 server_name  s.sun.ddns.vc;
 root /var/www/htdocs;
 error_page   500 502 503 504  /50x.html;
 
 auth_basic Restricted;
 auth_basic_user_file /var/www/1/.htpasswd;
 location = /50x.html {
 root  /var/www/htdocs;
  }
}
 }
 
 
 When an internal server error occurs, I overcome it by
 ' chown -R www /var/www ' .
 Is this right?

No. You just need to check the entries in /var/www/logs/error.log
where you will probably find something like

 *1 open() /1/.htpasswd failed (13: Permission denied),

and so you should check the ownership of /var/www/1/.htpasswd .
This file must be readable by user www. It should be something like

$ ls -l /var/www/1/.htpasswd
-r  1 www  daemon  67 Dec 30 05:50 .htpasswd

If you created .htpasswd as root or another user the ownership will
probably be wrong.

No need to change the ownership of the whole tree under /var/www .

 
 --
 tuyosi

Cheers,
rru



nginx how to run first site as open , and second as basic auth .

2014-12-26 Thread Tuyosi Takesima
Hi, all.

I use name-based virtual hosts (= server blocks).
I want to run the first site as open and the second site as restricted (basic
auth), but it is hard to do and there is little information on the internet
about this.


It is easy to run only name-based virtual hosts (= server blocks).
nginx.conf is next.

worker_processes  1;
worker_rlimit_nofile 1024;
events {
worker_connections  800;
}


http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;

   server {
listen   80;
listen   [::]:80;
server_name  a.mydns.jp;   <--- 1st site
root /var/www/htdocs/d1;
}

   server {
listen   80;
listen   [::]:80;
server_name  s.sun.ddns.vc; <--- 2nd site
root /var/www/htdocs/d2;
  }
}
---

give me some hints .



Re: nginx how to run first site as open , and second as basic auth .

2014-12-26 Thread Alexandr Borisenko
 I want to run the first site as open and the second site as restricted (basic
 auth), but it is hard to do and there is little information on the internet
 about this

Just add
auth_basic "Test site";
auth_basic_user_file  .htpasswd;
to second server { ... } block.



Re: nginx how to run first site as open , and second

2014-12-26 Thread Tuyosi Takesima
Thanks for the kind reply.

I rewrote /etc/nginx/nginx.conf.


worker_processes  1;
worker_rlimit_nofile 1024;
events {
worker_connections  800;
}

http {
include   mime.types;
default_type  application/octet-stream;
index index.html index.htm;
keepalive_timeout  65;
server_tokens off;

   server {
listen   80;
listen   [::]:80;
server_name  aoiyuma.mydns.jp;
root /var/apache2/d1;

  }



   server {
listen   80;
listen   [::]:80;
server_name  saigyou.sun.ddns.vc;
root /var/apache2/d2;
auth_basic "Test site";
auth_basic_user_file  /etc/nginx/.htpasswd;
  }

}

But by using a walking telephone, an internal server error happens.
With apache2, ' Require user XXX ' is needed;
in nginx, is it not necessary?
---
tuyosi



Re: nginx how to run first site as open , and second

2014-12-26 Thread Tuyosi Takesima
I think and think, so I try archlinux's nginx.

the following /etc/nginx/nginx.conf goes well.

--
worker_processes  1;
events {
worker_connections  1024;
}


http {
include   mime.types;
default_type  application/octet-stream;
sendfile on;
keepalive_timeout  65;

server {
listen   80;
server_name  a.mydns.jp;
root   /srv/http;
index  index.html index.htm;
   }

server {
listen   80;
server_name  s.sun.ddns.vc;
  root /srv/http/Fam/;
  index  index.html index.htm;
  auth_basic Restricted;                       #For Basic Auth
  auth_basic_user_file /etc/nginx/.htpasswd;   #For Basic Auth
}
}


in archlinux
 nginx -V 2>&1 | tr -- - '\n' | grep _module is next
(see http://serverfault.com/questions/223509/how-can-i-see-which-flags-nginx-was-compiled-with )

imap_ssl_module
http_dav_module
http_gunzip_module
http_gzip_static_module
http_realip_module
http_spdy_module
http_ssl_module
http_stub_status_module
http_addition_module
http_degradation_module
http_flv_module
http_mp4_module
http_secure_link_module
http_sub_module

but in OpenBSD there are much fewer modules, by the security-first policy.
so basic auth except ssl is ineffective in OpenBSD, so I think.
-
tuyosi



clean URL's want enable using NginX

2014-12-04 Thread Salim Shaw
I've tried a number of things with no success. Any help would be greatly 
appreciated.



#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
worker_connections  1024;
}


http {
include   mime.types;
default_type  application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
listen   80;
server_name  localhost;

#charset koi8-r;

#access_log  logs/host.access.log  main;

location / {
root   /htdocs;
index  index.html index.htm index.php;
}
#error_page  404  /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root  /htdocs;
}

location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)

rewrite ^/(.*)$ /index.php?q=$1;

}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

#
location ~ \.php$ {
root   /htdocs;
fastcgi_pass   unix:/tmp/php.sock;
fastcgi_index  index.php;
fastcgi_param  SCRIPT_FILENAME /htdocs$fastcgi_script_name;
include        fastcgi_params;
}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#deny  all;
#}
}


# another virtual host using mix of IP-, name-, and port-based configuration

#
#server {
#listen   8000;
#listen   somename:8080;
#server_name  somename  alias  another.alias;

#location / {
#root   /htdocs;
#index  index.html index.htm;
#}
#}


# HTTPS server
#
#server {
#listen   443;
#server_name  localhost;

#ssl  on;
#ssl_certificate  /etc/ssl/server.crt;
#ssl_certificate_key  /etc/ssl/private/server.key;

#ssl_session_timeout  5m;

#ssl_protocols  SSLv2 SSLv3 TLSv1;
#ssl_ciphers  HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers   on;

#location / {
#root   /htdocs;
#index  index.html index.htm;
#}
#}

}


--
ss



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-19 Thread Bogdan Andu
Hi,
Thank you for insights,
I see that scripts written in Perl need a special Perl that supports FastCGI
(see FastCGI Programmer's Guide - Chapter 3, Developing FastCGI Applications
in Perl)
..snip..
The FastCGI-savvy binaries are extensions of standard Perl, and are intended
to replace your existing Perl installation...snip..
This is not something I want. I want to use the OS's Perl distribution with tools
that work directly with the standard distribution.
Maybe it is time to consider the possibility of converting Perl/Apache/mod_perl
scripts to Erlang Yaws/Mochiweb/WebMachine/Cowboy or even the Nitrogen framework.
Another question because I use Erlang on OpenBSD ...
I applied patches from R15B02 to OTP 17.3 and it seems to work as expected
(stress tests, etc). Do you think this is safe for a production environment,
as I want to migrate the R14B04 applications to OTP 17.3?

Is it scheduled for the near future to upgrade OTP from R15B02 to 17.3?

Bogdan


  

 On Thursday, November 13, 2014 9:36 PM, Stuart Henderson
s...@spacehopper.org wrote:


 On 2014-11-13, Bogdan Andu bo...@yahoo.com wrote:
 Are Perl scripts in FastCGI evaluated in the same manner as in mod_perl, or
 every time a script is invoked by the server the Perl interpreter is invoked
 also ?

If you run them via slowcgi, the interpreter+script will be started from
scratch each time.

To have a persistent Perl process, convert your script to talk FastCGI
directly (see ports/www/fcgi) or via PSGI and a fastcgi adapter, or use
some framework that supports it (in Perl-land you might want to look at
frameworks like Mojolicious, Dancer etc).

 I want to setup a 5.6 machine and test all these cool stuff but for the moment
 I don't have access to such machine and I would like to see what other people
 experienced with this httpd(8) daemon .

httpd was *very* new in 5.6, you want something newer (-current, or
keep your eye out for patches). If you want to play with fcgi before
updating, nginx and lighttpd support it natively, and apache via a
module - it isn't something new, it has been around for years, it's
pretty much the only standard way to handle cgi-like scripting in a
non-forking webserver. Config methods differ, but scripts should be
portable between all the various http servers.



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-13 Thread Bogdan Andu
Hi,
thanks for input.
is the new httpd daemon ready for production?
For example is it safe to migrate Perl scripts from Apache 1.3/mod_perl1.3 to
httpd/FastCGI?
Are Perl scripts in FastCGI evaluated in the same manner as in mod_perl, or
every time a script is invoked by the server the Perl interpreter is invoked
also ?
From manual pages:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man5/httpd.conf.5?query=httpd.conf&sec=5&arch=amd64&manpath=OpenBSD-5.6

looks very impressive and I see that httpd(8) uses slowcgi(8) - an
implementation of FastCGI protocol - to execute cgi scripts, Perl or
otherwise.

I want to setup a 5.6 machine and test all these cool stuff but for the moment
I don't have access to such machine and I would like to see what other people
experienced with this httpd(8) daemon .

For me these new stuff looks very exciting and I can't wait to try it.
Thanks for any thoughts,
Bogdan


 On Thursday, November 6, 2014 6:48 PM, li...@ggp2.com li...@ggp2.com
wrote:


 On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote:
 4) will httpd be able to support Perl script processing without the need to
 talk to an external (FastCGI) daemon?

Just my 2c about the new httpd daemon.  It's brand new in 5.6, and is
shaping up to be an awesome and simple server.  I fully intend on
replacing nginx with it in production when 5.7 is released.

That being said, the 5.6 implementation has some issues that you may
want to research further if you'd like to use it.  They've already been
fixed in -current.



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-13 Thread Stuart Henderson
On 2014-11-13, Bogdan Andu bo...@yahoo.com wrote:
 Are Perl scripts in FastCGI evaluated in same manner like in mod_perl, or
 everytime a script is invoked by the server the Perl interpreter is invoked
 also ?

If you run them via slowcgi, the interpreter+script will be started from
scratch each time.

To have a persistent Perl process, convert your script to talk FastCGI
directly (see ports/www/fcgi) or via PSGI and a fastcgi adapter, or use
some framework that supports it (in Perl-land you might want to look at
frameworks like Mojolicious, Dancer etc).

 I want to set up a 5.6 machine and test all this cool stuff but for the moment
 I don't have access to such a machine and I would like to see what other people
 experienced with this httpd(8) daemon.

httpd was *very* new in 5.6, you want something newer (-current, or
keep your eye out for patches). If you want to play with fcgi before
updating, nginx and lighttpd support it natively, and apache via a
module - it isn't something new, it has been around for years, it's
pretty much the only standard way to handle cgi-like scripting in a
non-forking webserver. Config methods differ, but scripts should be
portable between all the various http servers.
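To make the difference Stuart describes concrete, here is an added example (not code from this thread, from OpenBSD or from the FCGI port): a minimal Perl FastCGI responder using the FCGI module. The interpreter starts once and loops on Accept(), which is the persistence slowcgi cannot give you. The socket path, the httpd.conf/nginx side that points the server at that socket, and the idea of running it as the www user are assumptions, not anything the thread states.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a Perl FastCGI responder that stays
# resident between requests. Run via slowcgi(8), the same logic as a plain
# CGI script would be a fresh perl(1) process per request; here the
# interpreter starts once and loops on Accept().
use strict;
use warnings;
use FCGI;   # p5-FCGI from ports (the C library is www/fcgi)

# Assumption: the web server is configured to speak FastCGI to this unix
# socket (httpd "fastcgi socket ..." or nginx "fastcgi_pass unix:..."),
# and the path lives under /var/www so a chrooted server can reach it.
my $socket_path = '/var/www/run/perl-fcgi.sock';
my $socket = FCGI::OpenSocket($socket_path, 5);
die "cannot open $socket_path: $!" if $socket < 0;

# Request variables are delivered into %env, not %ENV, when we own the socket.
my %env;
my $req = FCGI::Request(\*STDIN, \*STDOUT, \*STDERR, \%env, $socket);

# Anything declared outside the loop lives for the life of the process.
# That is the speed win over slowcgi, and also the trap: per-request data
# left in globals leaks into the next request, possibly another user's.
my $served = 0;

while ($req->Accept() >= 0) {
    $served++;

    # Per-request state must be (re)initialised here, inside the loop.
    my $method = $env{REQUEST_METHOD} // 'GET';
    my $path   = $env{PATH_INFO} // $env{SCRIPT_NAME} // '/';

    print "Content-Type: text/plain\r\n\r\n";
    printf "pid %d has served %d requests; this one was %s %s\n",
        $$, $served, $method, $path;

    $req->Finish();
}

FCGI::CloseSocket($socket);
```

The process creating the socket owns it, so start the responder as the same user the web server's FastCGI client runs as (or fix the socket's ownership afterwards), otherwise the server will be refused the connection. Compare this with the default slowcgi setup, where httpd talks to /var/www/run/slowcgi.sock and slowcgi forks a fresh interpreter for each request.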



Re: syweb nginx

2014-11-12 Thread Antoine Jacoutot
 Testing rrdtool: 
 
 apache or php setup faulty: cannot execute /bin/rrdtool
 
 However I did copy rrdtool binaries to /var/www/bin/ and they have
 correct permission. 

That's not enough.
As documented in the rrdtool pkg-readme, you must do:
/usr/local/share/examples/rrdtool/rrdtool-chroot enable

You should look under /usr/local/share/doc/pkg-readmes/, it comes with a *lot* 
of OpenBSD specific information...

-- 
Antoine



syweb nginx

2014-11-11 Thread Predrag Punosevac
I am running amd 5.6 and playing little bit with sysutils/symon
Things are looking good and I have close to 100 MB of data in 

/var/www/symon/rrds/localhost

I am trying to plot the data using syweb. I am sure that my installation
of php_fpm and nginx works correctly as I have nfsen working properly.
Pointing browser

http://localhost/syweb/configtest.php

Gives 

Testing rrdtool: 

apache or php setup faulty: cannot execute /bin/rrdtool

However I did copy rrdtool binaries to /var/www/bin/ and they have
correct permission. 

I am just wondering if syweb works with Nginx or require Apache as the

setup.inc

indicates.

Thanks,
Predrag

P.S. I also found phpSymon 

http://ryanflannery.net/hacking/phpsymon/

which looks dormant. Any other alternatives?



Re: syweb nginx

2014-11-11 Thread g . lister
On Wed Nov 12 2014 05:04:02 GMT+0100 (CET), Predrag Punosevac wrote:
 I am running amd 5.6 and playing little bit with sysutils/symon
 Things are looking good and I have close to 100 MB of data in 
 
 /var/www/symon/rrds/localhost
 
 I am trying to plot the data using syweb. I am sure that my installation
 of php_fpm and nginx works correctly as I have nfsen working properly.
 Pointing browser
 
 http://localhost/syweb/configtest.php
 
 Gives 
 
 Testing rrdtool: 
 
 apache or php setup faulty: cannot execute /bin/rrdtool

Note here the path '/bin/rrdtool' not '/var/www/...'

 
 However I did copy rrdtool binaries to /var/www/bin/ and they have
 correct permission.

Right, but how do you know that's what is being used. Have you tried a symlink 
from bin...? I assume it is a webapp script that calls rrdtool, does it have a 
conf to say where to find it?

HTH, george
 
 
 I am just wondering if syweb works with Nginx or require Apache as the
 
 setup.inc
 
 indicates.
 
 Thanks,
 Predrag
 
 P.S. I also found phpSymon 
 
 http://ryanflannery.net/hacking/phpsymon/
 
 which looks dormant. Any other alternatives?
 


-- 
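Antoine's and George's replies point at the same thing: the PHP code runs inside the web server's chroot, so the "/bin/rrdtool" in the error is really /var/www/bin/rrdtool, and a copied binary alone is not enough if the shared libraries it links against are not also present under /var/www (setting that up is what the rrdtool-chroot script from the pkg-readme is for). The following is an added example, not code from this thread or from the rrdtool package, that checks from outside the chroot whether every object ldd(1) lists for a binary exists under the chroot root. The paths in the usage line (/var/www, /usr/local/bin/rrdtool) are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: list the shared objects a binary
# needs and report which are missing under a chroot root.
use strict;
use warnings;

# Take ldd(1) output and return the shared objects it names. OpenBSD's ldd
# prints a table whose last column is the object path (the first data row
# is the binary itself); glibc's ldd prints "name => path (addr)". Keeping
# every field that looks like /.../*.so[.N] handles both and skips the
# binary's own path and the header row.
sub libs_from_ldd {
    my ($ldd_output) = @_;
    my @libs;
    for my $line (split /\n/, $ldd_output) {
        push @libs, grep { m{^/.*\.so(?:\.|$)} } split ' ', $line;
    }
    return @libs;
}

# The dynamic linker inside the jail resolves the same absolute paths
# relative to the chroot root, so each one must exist as "$root$path".
sub missing_in_chroot {
    my ($root, @libs) = @_;
    return grep { !-e "$root$_" } @libs;
}

# Usage: chroot-deps.pl /var/www /usr/local/bin/rrdtool
if (@ARGV == 2) {
    my ($root, $bin) = @ARGV;

    # List-form open avoids the shell, so $bin is never re-parsed.
    open my $ldd, '-|', 'ldd', $bin or die "cannot run ldd $bin: $!";
    my $out = do { local $/; <$ldd> };
    close $ldd;

    my @missing = missing_in_chroot($root, libs_from_ldd($out));
    print "missing under $root: $_\n" for @missing;
    exit(@missing ? 1 : 0);
}
```

An empty result means the loader's dependencies are all there; what it does not check is whether the binary itself sits where the web application expects it (here /var/www/bin/rrdtool, since syweb calls /bin/rrdtool), nor whether anything rrdtool opens at run time (fonts, config files, the RRD files themselves) is reachable inside the jail.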



Apache 1.3 vs. nginx vs. base httpd

2014-11-06 Thread Bogdan Andu
Hi,
There is some confusing info about which web server won as the base web server in OpenBSD:
In 5.6 it seems to be nginx 1.6.0 (http://www.openbsd.org/plus56.html) :
Unhooked httpd(8) from build: use of nginx(8) is encouraged now.
Removed Apache from base (replaced by nginx(8)). 
and

In current (http://www.openbsd.org/plus.html):Removed nginx from the base
system in favour of OpenBSD's homegrown httpd(8).

and now I am confused.

I was planning to migrate some Perl scripts from mod_perl 1.3/Apache 1.3 to
Nginx style, using the Perl module Nginx which has direct access to Nginx
internals, which is almost like doing CGI programming in C.
It would make a wonderful combination between speed and security (running on
OpenBSD).

My questions...
1) why was Apache 1.3 (OpenBSD patched version) also considered to be no longer
a viable option as base web server?

2) why was nginx considered a good candidate for base web server in 5.6
   and why did it lose this place in -current?
3) what would be the performance of running Perl scripts through
FastCGI+httpd, compared to Apache1.3/mod_perl1.3 compared to nginx/Nginx perl
module?

4) will httpd be able to support Perl script processing without the need to
talk to an external (FastCGI) daemon?
5) what would be the best option to run Perl scripts in OpenBSD 5.6 + ?

Thank you,
Bogdan



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-06 Thread Jiri B
On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote:
 Hi,
 There are some confusing info about which won the base-webserver in OpenBSD:
 In 5.6 it seems to be nginx 1.6.0 (http://www.openbsd.org/plus56.html) :
 Unhooked httpd(8) from build: use of nginx(8) is encouraged now.
 Removed Apache from base (replaced by nginx(8)).

There's no confusion. Search archives and/or check undeadly.org.

j.



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-06 Thread Mike Burns
On 2014-11-06 09.24.24 +, Bogdan Andu wrote:
 3) what would be the performance of running Perl scripts through
 FastCGI+httpd, compared to Apache1.3/mod_perl1.3 compared to
 nginx/Nginx perl module?

You need to run these benchmarks yourself, on your scripts and data.

-Mike

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: Apache 1.3 vs. nginx vs. base httpd

2014-11-06 Thread lists
On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote:
 4) will httpd be able to support Perl script processing without the need to
 talk to an external (FastCGI) daemon?

Just my 2c about the new httpd daemon.  It's brand new in 5.6, and is
shaping up to be an awesome and simple server.  I fully intend on
replacing nginx with it in production when 5.7 is released.

That being said, the 5.6 implementation has some issues that you may
want to research further if you'd like to use it.  They've already been
fixed in -current.


