Re: nginx optimizing
As https is default webserver of OpenBSD I think you are out of luck. But you can start from here: https://blog.nginx.org/blog/performance-tuning-tips-tricks remembering that you should test settings one by one as some of them eg. "aio" are not compatible with OpenBSD.

Jun 15, 2024 13:52:50 Corey Hickman:
> Hello
>
> Is there any doc for optimizing nginx on openbsd server? for example, to get
> better performance (QPS, throughput etc).
nginx optimizing
Hello Is there any doc for optimizing nginx on openbsd server? for example, to get better performance (QPS, throughput etc). Thanks.
Re: nginx + php = system() not working?
On 25/05/2024 17:51, F Bax wrote:
> I tried a few things with nginx not in chroot; but got permission errors.
> The message provided no clue as to which file/directory might be causing
> it; so eventually I gave up. After some brainstorming; we decided to run
> inside chroot; use php functions other than system() and use a cron job
> to do the work that is outside chroot.
>
> Now a new issue; nginx does not start during boot; yet does start
> manually - why? The following commands were issued immediately after boot.
>
> # cat /etc/rc.conf.local
> nginx_flags=""
> pkg_scripts=php83_fpm
> # /etc/rc.d/nginx start

You forgot to run rcctl enable nginx so that nginx is added to the pkg_scripts= line. Only system daemons can be enabled by adding them as $daemon_flags= in /etc/rc.conf.local. Package daemons must be explicitly added to pkg_scripts=.

Cheers,
Noth

> nginx(ok)
>
> On Fri, May 17, 2024 at 10:19 AM Souji Thenria wrote:
> > On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> > > In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> > > (home directory of a real user).
> > > reboot system and now browser is refused connection
> > > This site can’t be reached 192.168.1.131 refused to connect.
> > > Neither /var/www/logs/{access|error}.log is changed.
> > > What else needs to change?
> >
> > Can you verify that nginx is running?
> > You may have an error in your configuration. You can check the nginx
> > configuration using nginx -t.
> >
> > Another issue might be that nginx is still running as www and doesn't
> > have access to /home/Testing.
> >
> > Regards,
> > Souji
Re: nginx + php = system() not working?
I tried a few things with nginx not in chroot; but got permission errors. The message provided no clue as to which file/directory might be causing it; so eventually I gave up. After some brainstorming; we decided to run inside chroot; use php functions other than system() and use a cron job to do the work that is outside chroot.

Now a new issue; nginx does not start during boot; yet does start manually - why? The following commands were issued immediately after boot.

# cat /etc/rc.conf.local
nginx_flags=""
pkg_scripts=php83_fpm
# /etc/rc.d/nginx start
nginx(ok)

On Fri, May 17, 2024 at 10:19 AM Souji Thenria wrote:
> On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> > In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> > (home directory of a real user).
> > reboot system and now browser is refused connection
> > This site can’t be reached 192.168.1.131 refused to connect.
> > Neither /var/www/logs/{access|error}.log is changed.
> > What else needs to change?
>
> Can you verify that nginx is running?
> You may have an error in your configuration. You can check the nginx
> configuration using nginx -t.
>
> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.
>
> Regards,
> Souji
Re: nginx + php = system() not working?
On 2024-05-17, Martijn van Duren wrote:
> On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
>> I think I missed something simple? I installed 7.5 release in a VM. I then
>> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
>> # rcctl enable php83_fpm
>> # rcctl start php83_fpm
>> I found an issue with php system() function; so created this simple script
>> which produces "HiThere"; why is the date not presented?
>>
>> <?php
>> echo 'Hi';
>> system( 'date' );
>> echo 'There';
>> ?>
>
> All the advice I've seen is horrible. chroot isn't enabled by default
> without a reason (php and security have a history).
> My first question would be why you need system() in the first place.
> If you need the date/time, just use
> https://www.php.net/manual/en/class.datetime.php. If it's just a proof
> of concept be more precise in what you want to achieve and see if
> there's a PHP library equivalent. If there's no reasonable way to
> achieve it (which I highly doubt) I advise to copy the required binary
> (and dependencies) into the chroot and make a memo to keep them up to
> date.

There's some information about this in PHP's pkg-readme file.

-- 
Please keep replies on the mailing list.
Re: nginx + php = system() not working?
"Souji Thenria" wrote:
> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.

As per above suggestion double check that the user by which you run nginx (usually www) has access almost by the group to the prefix directory declared by the -p flag, and to the subfolders. (and clearly you can't manage to do that on an usr home dir..)

Then you should double check your phpfpm user and group by the php-fpm.conf in the following declarations:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

-dan
Re: nginx + php = system() not working?
On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> (home directory of a real user).
> reboot system and now browser is refused connection
> This site can’t be reached 192.168.1.131 refused to connect.
> Neither /var/www/logs/{access|error}.log is changed.
> What else needs to change?

Can you verify that nginx is running?
You may have an error in your configuration. You can check the nginx configuration using nginx -t.

Another issue might be that nginx is still running as www and doesn't have access to /home/Testing.

Regards,
Souji
Re: nginx + php = system() not working?
On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
> I think I missed something simple? I installed 7.5 release in a VM. I then
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script
> which produces "HiThere"; why is the date not presented?
>
> <?php
> echo 'Hi';
> system( 'date' );
> echo 'There';
> ?>

All the advice I've seen is horrible. chroot isn't enabled by default without a reason (php and security have a history).

My first question would be why you need system() in the first place. If you need the date/time, just use https://www.php.net/manual/en/class.datetime.php. If it's just a proof of concept be more precise in what you want to achieve and see if there's a PHP library equivalent. If there's no reasonable way to achieve it (which I highly doubt) I advise to copy the required binary (and dependencies) into the chroot and make a memo to keep them up to date.

martijn@
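The "memo to keep them up to date" from the message above can be scripted. This is an added example, not part of the original thread: it compares each file copied into a chroot with its system counterpart and reports copies that are missing or stale. The function names, the path list on stdin and the optional second argument (an alternate system root, used only by the constructed demo) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): audit binaries copied into a chroot.
#
# check_chroot_copies CHROOT [SYSROOT]
#   Reads absolute paths on stdin, one per line ('#' comments allowed), and
#   compares CHROOT/path with SYSROOT/path (SYSROOT defaults to the real /).
#   Prints one status line per path and returns 0 only if every copy is
#   present and byte-identical to the system file.
check_chroot_copies() {
    chroot_dir=$1
    sysroot=${2:-}
    rc=0
    while IFS= read -r file; do
        case $file in
            ''|'#'*) continue ;;
            /*) ;;
            *) echo "SKIP    $file (not an absolute path)"; rc=1; continue ;;
        esac
        if [ ! -f "$sysroot$file" ]; then
            echo "NOSRC   $file"; rc=1       # nothing to compare against
        elif [ ! -f "$chroot_dir$file" ]; then
            echo "MISSING $file"; rc=1       # never copied into the chroot
        elif cmp -s "$sysroot$file" "$chroot_dir$file"; then
            echo "OK      $file"
        else
            echo "STALE   $file"; rc=1       # system file changed since the copy
        fi
    done
    return "$rc"
}

# Constructed demo: a fake system root and a fake chroot in a temp directory,
# so the check can be tried without touching /var/www.
demo_chroot_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sys/bin" "$tmp/sys/usr/lib" "$tmp/www/bin"
    echo 'sh v2'   > "$tmp/sys/bin/sh"
    echo 'date v2' > "$tmp/sys/bin/date"
    echo 'libc v2' > "$tmp/sys/usr/lib/libc.so"
    echo 'sh v1'   > "$tmp/www/bin/sh"       # copied before an upgrade
    echo 'date v2' > "$tmp/www/bin/date"     # current copy
    st=0
    printf '%s\n' '# files system() needs' /bin/sh /bin/date /usr/lib/libc.so |
        check_chroot_copies "$tmp/www" "$tmp/sys" || st=$?
    rm -rf "$tmp"
    return "$st"
}

demo_chroot_audit || echo "chroot copies need attention"
```

Run against the real system, the first argument would be the chroot (/var/www in this thread) and the list would name the binary, the shell and the libraries that ldd reports for them.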
Re: nginx + php = system() not working?
Thanks for the tips and security warnings Mike, Souji and Dan,

In php-fpm.conf - I changed "; chroot = /var/www" to comment.
In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing" (home directory of a real user).
reboot system and now browser is refused connection
This site can’t be reached 192.168.1.131 refused to connect.
Neither /var/www/logs/{access|error}.log is changed.
/var/log/php-fpm.log show normal startup; then nothing in any /var/log/ files.

[17-May-2024 09:41:59] NOTICE: fpm is running, pid 8072
[17-May-2024 09:41:59] NOTICE: ready to handle connections

What else needs to change?
Re: nginx + php = system() not working?
It can even help to run nginx in "unsecure mode" if you want to stay not chrooted:

nginx_flags="-u -p /home/mytests"

man nginx

; while php-fpm.conf should remain with the default values
; in this case..

-dan

Mike Fischer wrote:
> > On 17.05.2024 at 03:58, F Bax wrote:
> >
> > I think I missed something simple? I installed 7.5 release in a VM.
> > I then installed nginx and PHP 8.3.3; with pkg_add. I then ran
> > these two commands:
> > # rcctl enable php83_fpm
> > # rcctl start php83_fpm
> > I found an issue with php system() function; so created this simple
> > script which produces "HiThere"; why is the date not presented?
> >
> > <?php
> > echo 'Hi';
> > system( 'date' );
> > echo 'There';
> > ?>
>
> You are probably running the php83_fpm process accessed from nginx in
> the default chroot(2) environment?
Re: nginx + php = system() not working?
May 17, 2024 11:30:25 Souji Thenria:
> -u      By default nginx will chroot(2) to the home
>         directory of the user running the daemon, typically
>         "www", or to the home directory of user in
>         nginx.conf. The -u option disables this behaviour,
>         and returns nginx to the original "unsecure"
>         behaviour.
>
> But it doesn't do it on other systems; I cross-checked with nginx
> installed on a FreeBSD, where this option doesn't exist.

Indeed take care about this option as I use it every day in my dev environment.. ;-)
Re: nginx + php = system() not working?
On Fri May 17, 2024 at 4:38 AM BST, Mike Fischer wrote:
> OpenBSD httpd would be a different situation because it runs in a
> chroot(2) environment by default. You can’t call on a PHP-FPM process
> that is not also running in the chroot(2) environment. The communication
> between httpd(8) and PHP-FPM fails due to differing opinions about the
> root of the filesystem when applied to the paths passed from httpd to
> PHP-FPM. At least I have not managed to get this to work.
>
> But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does not
> need to either.

On OpenBSD, nginx chroots its process by default. Here is a snippet from the man page nginx(8).

-u      By default nginx will chroot(2) to the home
        directory of the user running the daemon, typically
        "www", or to the home directory of user in
        nginx.conf. The -u option disables this behaviour,
        and returns nginx to the original "unsecure"
        behaviour.

But it doesn't do it on other systems; I cross-checked with nginx installed on a FreeBSD, where this option doesn't exist.

Since nginx and php_fpm chroot their processes to the same directory (if not changed), nginx should be able to write to the php_fpm socket.
Re: nginx + php = system() not working?
> On 17.05.2024 at 03:58, F Bax wrote:
>
> I think I missed something simple? I installed 7.5 release in a VM. I then
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script
> which produces "HiThere"; why is the date not presented?
> <?php
> echo 'Hi';
> system( 'date' );
> echo 'There';
> ?>

You are probably running the php83_fpm process accessed from nginx in the default chroot(2) environment?

If so you need to reconfigure your /etc/php-fpm.conf to not use chroot(2) — comment the line »chroot = /var/www« — or install /bin/date and a /bin/sh into /var/www. (Note that PHP needs a shell to execute shell commands and the date command is not present in the chroot(2) environment by default either.)

Your test script works for me in Apache httpd and a php-fpm.conf without chroot(2) (in a non-public setting). So I don’t think this is related to nginx specifically. Could happen with OpenBSD httpd and PHP-FPM as well. Basically in any situation where PHP-FPM is running chroot(2)ed.

OpenBSD httpd would be a different situation because it runs in a chroot(2) environment by default. You can’t call on a PHP-FPM process that is not also running in the chroot(2) environment. The communication between httpd(8) and PHP-FPM fails due to differing opinions about the root of the filesystem when applied to the paths passed from httpd to PHP-FPM. At least I have not managed to get this to work.

But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does not need to either.

Note: If you need both you can configure your /etc/php-fpm.conf to spawn both chroot(2)ed and non-chroot(2)ed workers with differing sockets. I’m doing this on a machine running both OpenBSD httpd and Apache httpd with PHP based web pages.

HTH
Mike

PS. Hopefully you are aware that running shell commands from a publicly accessible web server can lead to serious security issues? Be very careful when configuring access restrictions to the affected URLs and when constructing the UNIX commands you plan to execute.
nginx + php = system() not working?
I think I missed something simple? I installed 7.5 release in a VM. I then installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:

# rcctl enable php83_fpm
# rcctl start php83_fpm

I found an issue with php system() function; so created this simple script which produces "HiThere"; why is the date not presented?

<?php
echo 'Hi';
system( 'date' );
echo 'There';
?>
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
On 2023-09-25, Tobias Fiebig wrote:
> On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
>> Either this, or the TLS 1.3 code was always buggy, but now
>> it was actually used per default.
> Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also
> on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on
> earlier versions.
>
> Still, the earlier versions i had been running seemed to support
> tlsv1.3, at least according to s_client. But the use as default might
> change things.

The www/nginx port has had working TLS 1.3 since 2020, I've been using it pretty much since that happened.

It will be difficult to get reports from others about this on 7.3 because nginx was not updated to 1.24.0 in ports until after 7.3. FWIW I'm using 1.24.0 on -current from Jul 31st with no issues.

I would try updating the problematic system to new -current (7.4-beta) with snapshot packages rather than self-built nginx. If that fixes it anyway then good. If not then we have a data point more likely to be reproducible by others, and maybe a chance of fixing before 7.4 is totally locked down.

> pdns itself is not leaking, the memory is hogged by mariadb. But (given
> everything runs via unix sockets) i am not using TLS in that stack at
> all. This is what initially nudged me a bit towards other functions that
> might be used from libressl (sha* or something used in auth maybe?).

My reasonably busy traccar/mariadb 7.3 box has stable memory use from mariadb (sitting around 13G, with innodb_buffer_pool_size=12G).

... "memory leak" doesn't give much of an idea of what's going on, some data would be good. KB, MB, GB? per minute? hour? if you fire a bunch of requests at it, does that increase the rate or does it not matter?

>> > > But yes, getting a specific commit there will be helpful.
>> > Sadly it turns out that it is the commit i feared it would be:
>> >
>> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
>> > > Author: Maxim Dounin
>> > > Date: Fri Mar 24 02:57:43 2023 +0300
>> > >
>> > > SSL: enabled TLSv1.3 by default.
>> >
>> > Feared, because it basically puts me back to start w.r.t. what the
>> > root cause might be; Could be anything that happened to TLSv1.3 code
>> > in either LibreSSL or Nginx.

-- 
Please keep replies on the mailing list.
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
> Either this, or the TLS 1.3 code was always buggy, but now
> it was actually used per default.

Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on earlier versions.

Still, the earlier versions i had been running seemed to support tlsv1.3, at least according to s_client. But the use as default might change things.

> Question: is there a similar
> commit in your DNS server? Do you use this DNS server with
> anything like TLS?

pdns itself is not leaking, the memory is hogged by mariadb. But (given everything runs via unix sockets) i am not using TLS in that stack at all. This is what initially nudged me a bit towards other functions that might be used from libressl (sha* or something used in auth maybe?).

But this will need some more test-setups to run for some time; I will be able to setup automation for that in the coming weeks.

With best regards,
Tobias

> On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> > >
> > > But yes, getting a specific commit there will be helpful.
> > Sadly it turns out that it is the commit i feared it would be:
> >
> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> > > Author: Maxim Dounin
> > > Date: Fri Mar 24 02:57:43 2023 +0300
> > >
> > > SSL: enabled TLSv1.3 by default.
> >
> > Feared, because it basically puts me back to start w.r.t. what the
> > root cause might be; Could be anything that happened to TLSv1.3 code
> > in either LibreSSL or Nginx.

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
Either this, or the TLS 1.3 code was always buggy, but now it was actually used per default. Question: is there a similar commit in your DNS server? Do you use this DNS server with anything like TLS?

On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> >
> > But yes, getting a specific commit there will be helpful.
> Sadly it turns out that it is the commit i feared it would be:
>
> > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> > Author: Maxim Dounin
> > Date: Fri Mar 24 02:57:43 2023 +0300
> >
> > SSL: enabled TLSv1.3 by default.
>
> Feared, because it basically puts me back to start w.r.t. what the
> root cause might be; Could be anything that happened to TLSv1.3 code
> in either LibreSSL or Nginx.
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
> But yes, getting a specific commit there will be helpful.

Sadly it turns out that it is the commit i feared it would be:

> commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> Author: Maxim Dounin
> Date: Fri Mar 24 02:57:43 2023 +0300
>
> SSL: enabled TLSv1.3 by default.

Feared, because it basically puts me back to start w.r.t. what the root cause might be; Could be anything that happened to TLSv1.3 code in either LibreSSL or Nginx.

I guess the next step is going through all commits of libressl between what is in 7.2 and 7.3.

With best regards,
Tobias
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
My dev environment on 7.3 is completely different but a little more standard. I share about my nginx:

wiz$ pkg_info nginx
Information for inst:nginx-1.22.0p0

Comment:
robust and small HTTP server and mail proxy server

Description:
This is the stable branch of nginx, as distributed by nginx.org.

nginx provides FastCGI and reverse HTTP proxying, with or without
caching, including simple load balancing and fault tolerance.

It has a modular architecture. Filters include gzipping, byte ranges,
chunked responses, and SSI. Multiple SSI inclusions within a single
page can be processed in parallel if they are handled by FastCGI or
proxied servers. SSL and TLS SNI are supported.

Maintainer: Robert Nagy

WWW: https://nginx.org/

wiz$ ldd /usr/local/sbin/nginx
/usr/local/sbin/nginx:
        Start            End              Type  Open Ref GrpRef Name
        0f5043481000 0f50435b4000 exe   1    0   0      /usr/local/sbin/nginx
        0f52fcc29000 0f52fcc6f000 rlib  0    1   0      /usr/local/lib/libpcre.so.3.0
        0f52dabca000 0f52dac3a000 rlib  0    1   0      /usr/lib/libssl.so.53.2
        0f52b0c0e000 0f52b0e69000 rlib  0    2   0      /usr/lib/libcrypto.so.50.2
        0f52e1cf9000 0f52e1d17000 rlib  0    1   0      /usr/lib/libz.so.7.0
        0f531de9f000 0f531df95000 rlib  0    1   0      /usr/lib/libc.so.97.0
        0f53165dc000 0f53165dc000 ld.so 0    1   0      /usr/libexec/ld.so

I also own MariaDB, 10.9.4.

I underline that on my system "pkg_info mysql" or "pkg_info mariadb" return blank and back to cursor.

-- 
Daniele Bonini

Tobias Fiebig wrote:
> Moin,
>
> I have been dealing with memory-leaks on a host running an nginx
> reverse proxy for some time. The host had been running 7.2 with nginx
> 1.23.1 (self compiled as i need some features not in the package)
> until May, which was fine.
>
> After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> leakage over time. I initially attributed this to nginx, and solved
> the issue by ignoring it/throwing a bit more memory at the box for
> some time. However, I started debugging it now and could trace it to
> some commit between nginx 1.23.3 and 1.23.4; Currently, I am going
> through all commits to see with which version it first appears.
>
> However, clicking around this morning, i noticed that my primary NS
> shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> mysql backend, both from packages) since the upgrade to 7.3 in May as
> well. One further host seems to show a significantly higher use of
> inactive memory since 7.3. I found one more host with mariadb that now
> shows a higher utilization of inactive memory (gitea+maria); However,
> other maria+X instances on 7.3 run fine.
>
> On the PowerDNS+Mysql host I also see gradually increasing CPU load
> along with the memory leakage.
>
> Restarting mysql and/or nginx resolves the issue for some time. I also
> saw the issue on a host running maria+nextcloud, where i fixed it by
> switching to postgres. Maria is still running there, but not receiving
> any requests, and the memory leak is gone.
>
> Images:
>
> https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-cpu-year.png
> https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-memory-year.png
>
> https://rincewind.home.aperture-labs.org/~tfiebig/nginx-rev-proxy-memory-year.png
>
> https://rincewind.home.aperture-labs.org/~tfiebig/gitea-maria-memory-year.png
>
> https://rincewind.home.aperture-labs.org/~tfiebig/nextcloud-maria-switched-to-postgres-memory-year.png
>
> All hosts are VMs on Linux/KVM hosts (proxmox), with a generic
> qemu-kvm processor as CPU type, running 7.3.
>
> Hence, I am no longer 100% convinced that this is an nginx problem. To
> help circling this in a bit closer (and maybe get it reproducible in a
> first step):
>
> Did anyone else experience memory leakage on openbsd with mariadb or a
> self-build >=nginx-1.23.4 (or other applications) since the upgrade to
> 7.3?
>
> With best regards,
> Tobias
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
On Sun, 2023-09-24 at 13:07 +0200, Rudolf Leitgeb wrote:
> This libpcre2 library seems to be the only one, which is not
> used all over the place. The library itself may not even be buggy, it
> may just return something, which the new versions of the caller can't
> handle, or it may be unhappy with something the new callers send.
>
> Still: if you can tie this memory/cpu leak to the interaction between
> application and that library, it should be much easier to identify
> the offending commit in nginx and all the other affected programs.

Yes, _if_ it is that library. I would not fully set my sights on that yet. Nginx has the benefit of having a cut somewhere that triggers this; Hopefully the tests are done soon (i went for brute force instead of binary search; takes four days but requires no interaction).

But yes, getting a specific commit there will be helpful.

> I just saw, that the version 8 of libpcre2 seems to be quite a bit
> behind the current version:
> https://github.com/PCRE2Project/pcre2/releases
>
> Is this intentional?

I am using what comes from the packages/ports. So the intentions on that are with the maintainers there.

With best regards,
Tobias
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
This libpcre2 library seems to be the only one, which is not used all over the place. The library itself may not even be buggy, it may just return something, which the new versions of the caller can't handle, or it may be unhappy with something the new callers send.

Still: if you can tie this memory/cpu leak to the interaction between application and that library, it should be much easier to identify the offending commit in nginx and all the other affected programs.

I just saw, that the version 8 of libpcre2 seems to be quite a bit behind the current version: https://github.com/PCRE2Project/pcre2/releases

Is this intentional?

On Sun, 2023-09-24 at 12:59 +0200, Tobias Fiebig wrote:
> They do, but nothing special. The common set between nginx and mysqld
> is:
>
> /usr/local/lib/libpcre2-8.so.0.6
> /usr/lib/libssl.so.53.2
> /usr/lib/libcrypto.so.50.2
> /usr/lib/libz.so.7.0
> /usr/lib/libc.so.97.0
> /usr/libexec/ld.so
>
> However, an affected nginx (1.24.0) does not differ from an unaffected
> nginx (1.23.1).
>
> I somewhat hope that my testing through nginx commits will yield what
> calls are actually involved, and may allow me to see whether mysql is
> pushed into similar codepaths on affected systems (and not on
> unaffected ones), likely giving a better hint as to where the issue
> is.
>
> With best regards,
> Tobias
>
> On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote:
> > Do the affected programs use the same libraries?
> >
> > On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> > > After upgrading to 7.3 and nginx-1.24.0, i started to see heavy
> > > memory leakage over time. I initially attributed this to nginx, and
> > > solved the issue by ignoring it/throwing a bit more memory at the
> > > box for some time. However, I started debugging it now and could
> > > trace it to some commit between nginx 1.23.3 and 1.23.4; Currently,
> > > I am going through all commits to see with which version it first
> > > appears.
> > >
> > > However, clicking around this morning, i noticed that my primary NS
> > > shows a similar memory leakage for mysql/mariadb (runs powerdns
> > > with a mysql backend, both from packages) since the upgrade to 7.3
> > > in May as well. One further host seems to show a significantly
> > > higher use of inactive memory since 7.3. I found one more host with
> > > mariadb that now shows a higher utilization of inactive memory
> > > (gitea+maria); However, other maria+X instances on 7.3 run fine.
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
They do, but nothing special. The common set between nginx and mysqld is:

/usr/local/lib/libpcre2-8.so.0.6
/usr/lib/libssl.so.53.2
/usr/lib/libcrypto.so.50.2
/usr/lib/libz.so.7.0
/usr/lib/libc.so.97.0
/usr/libexec/ld.so

However, an affected nginx (1.24.0) does not differ from an unaffected nginx (1.23.1).

I somewhat hope that my testing through nginx commits will yield what calls are actually involved, and may allow me to see whether mysql is pushed into similar codepaths on affected systems (and not on unaffected ones), likely giving a better hint as to where the issue is.

With best regards,
Tobias

On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote:
> Do the affected programs use the same libraries?
>
> On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> > After upgrading to 7.3 and nginx-1.24.0, i started to see heavy
> > memory leakage over time. I initially attributed this to nginx, and
> > solved the issue by ignoring it/throwing a bit more memory at the box
> > for some time. However, I started debugging it now and could trace it
> > to some commit between nginx 1.23.3 and 1.23.4; Currently, I am going
> > through all commits to see with which version it first appears.
> >
> > However, clicking around this morning, i noticed that my primary NS
> > shows a similar memory leakage for mysql/mariadb (runs powerdns with
> > a mysql backend, both from packages) since the upgrade to 7.3 in May
> > as well. One further host seems to show a significantly higher use of
> > inactive memory since 7.3. I found one more host with mariadb that
> > now shows a higher utilization of inactive memory (gitea+maria);
> > However, other maria+X instances on 7.3 run fine.
Re: Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
Do the affected programs use the same libraries?

On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory
> leakage over time. I initially attributed this to nginx, and solved the
> issue by ignoring it/throwing a bit more memory at the box for some
> time. However, I started debugging it now and could trace it to some
> commit between nginx 1.23.3 and 1.23.4; Currently, I am going through
> all commits to see with which version it first appears.
>
> However, clicking around this morning, i noticed that my primary NS
> shows a similar memory leakage for mysql/mariadb (runs powerdns with a
> mysql backend, both from packages) since the upgrade to 7.3 in May as
> well. One further host seems to show a significantly higher use of
> inactive memory since 7.3. I found one more host with mariadb that now
> shows a higher utilization of inactive memory (gitea+maria); However,
> other maria+X instances on 7.3 run fine.
Unclear Memory Leakage since OpenBSD 7.3 upgrade (nginx and MariaDB; Not consistent)
Moin,

I have been dealing with memory-leaks on a host running an nginx reverse proxy for some time. The host had been running 7.2 with nginx 1.23.1 (self compiled as i need some features not in the package) until May, which was fine.

After upgrading to 7.3 and nginx-1.24.0, i started to see heavy memory leakage over time. I initially attributed this to nginx, and solved the issue by ignoring it/throwing a bit more memory at the box for some time. However, I started debugging it now and could trace it to some commit between nginx 1.23.3 and 1.23.4; Currently, I am going through all commits to see with which version it first appears.

However, clicking around this morning, i noticed that my primary NS shows a similar memory leakage for mysql/mariadb (runs powerdns with a mysql backend, both from packages) since the upgrade to 7.3 in May as well. One further host seems to show a significantly higher use of inactive memory since 7.3. I found one more host with mariadb that now shows a higher utilization of inactive memory (gitea+maria); However, other maria+X instances on 7.3 run fine.

On the PowerDNS+Mysql host I also see gradually increasing CPU load along with the memory leakage.

Restarting mysql and/or nginx resolves the issue for some time. I also saw the issue on a host running maria+nextcloud, where i fixed it by switching to postgres. Maria is still running there, but not receiving any requests, and the memory leak is gone.

Images:

https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-cpu-year.png
https://rincewind.home.aperture-labs.org/~tfiebig/pdns-maria-memory-year.png
https://rincewind.home.aperture-labs.org/~tfiebig/nginx-rev-proxy-memory-year.png
https://rincewind.home.aperture-labs.org/~tfiebig/gitea-maria-memory-year.png
https://rincewind.home.aperture-labs.org/~tfiebig/nextcloud-maria-switched-to-postgres-memory-year.png

All hosts are VMs on Linux/KVM hosts (proxmox), with a generic qemu-kvm processor as CPU type, running 7.3.

Hence, I am no longer 100% convinced that this is an nginx problem. To help circling this in a bit closer (and maybe get it reproducible in a first step):

Did anyone else experience memory leakage on openbsd with mariadb or a self-build >=nginx-1.23.4 (or other applications) since the upgrade to 7.3?

With best regards,
Tobias
Re: Nginx + Syslog Question
Thank you Stuart - this worked wonderfully!

(I did have to mkdir /var/www/dev)

Respectfully,
David Anthony

On 4/17/22 05:54, Stuart Henderson wrote:
> rcctl set syslogd flags -a /var/www/dev/log
Re: Nginx + Syslog Question
On 2022-04-17, David Anthony wrote:
> I'm trying to send Nginx access logs to syslog. I've tried examples in
> the default nginx configuration file and man page to no avail. Can
> anyone help identify why I'm not seeing access logs?

It runs in /var/www chroot, and uses its own code to write to the /dev/log unix socket (rather than using the OS syslog functions which don't require the socket as there is a different interface with the kernel).

So you need to set syslogd to create a socket in the chroot:

rcctl set syslogd flags -a /var/www/dev/log

-- 
Please keep replies on the mailing list.
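The mismatch described in the reply above (nginx resolves /dev/log inside its chroot, syslogd listens outside it) can be checked mechanically. This is an added example, not part of the original thread: it pulls the syslog:server=unix: targets out of an nginx.conf, prefixes them with the chroot, and reports which sockets are absent from the syslogd flags and which socket directories do not exist yet. The function names are assumptions of this example, and only the "-a PATH" form with a separating space is recognised.

```sh
#!/bin/sh
# Added example (not from the thread): find the syslogd -a sockets that a
# chrooted nginx needs.

# nginx_syslog_sockets CONF
#   Print every unix socket path named in a "syslog:server=unix:PATH" log
#   target, ignoring '#' comments.
nginx_syslog_sockets() {
    sed -e 's/#.*//' "$1" |
        sed -n 's/.*syslog:server=unix:\([^,; ]*\).*/\1/p' | sort -u
}

# syslog_chroot_gaps CONF CHROOT FLAGS
#   nginx resolves PATH inside CHROOT, so syslogd must listen on CHROOT/PATH.
#   Prints "SOCKET <path>" for each socket missing from FLAGS (the syslogd
#   flags string) and "DIR <path>" when the socket's directory does not exist.
syslog_chroot_gaps() {
    conf=$1
    chroot_dir=$2
    flags=$3
    nginx_syslog_sockets "$conf" | while IFS= read -r sock; do
        want=$chroot_dir$sock
        found=no
        prev=
        for word in $flags; do
            if [ "$prev" = "-a" ] && [ "$word" = "$want" ]; then found=yes; fi
            prev=$word
        done
        [ "$found" = yes ] || echo "SOCKET $want"
        [ -d "${want%/*}" ] || echo "DIR ${want%/*}"
    done
}

# Constructed demo: the two syslog targets from the nginx.conf in this thread,
# an empty temp directory standing in for /var/www, and empty syslogd flags.
demo_syslog_gaps() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/nginx.conf" <<'EOF'
error_log syslog:server=unix:/dev/log,severity=notice;
http {
    access_log syslog:server=unix:/dev/log,severity=debug main;
}
EOF
    mkdir -p "$tmp/www"
    syslog_chroot_gaps "$tmp/nginx.conf" "$tmp/www" ""
    rm -rf "$tmp"
}

demo_syslog_gaps
```

On the real system the inputs would be the nginx.conf in use, /var/www and the output of `rcctl get syslogd flags`; a "DIR" line corresponds to the mkdir mentioned in the follow-up message.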
Nginx + Syslog Question
Hello List, I'm trying to send Nginx access logs to syslog. I've tried examples in the default nginx configuration file and man page to no avail. Can anyone help identify why I'm not seeing access logs? Respectfully, David Anthony - - - *syslog.conf* |*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages kern.debug;syslog,user.info /var/log/messages auth.info /var/log/authlog authpriv.debug /var/log/secure cron.info /var/cron/log daemon.info /var/log/daemon ftp.info /var/log/xferlog lpr.debug /var/log/lpd-errs mail.info /var/log/maillog | *nginx.conf* error_log syslog:server=unix:/dev/log,severity=notice; worker_processes 1; worker_rlimit_nofile 1024; user www; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; keepalive_timeout 65; server_tokens off; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log syslog:server=unix:/dev/log,severity=debug main; server { listen 80 default_server; server_name _; location / { / REMOVED/ } } }
Re: Best way to increase openfiles-max and -cur for NGINX/PHP?
Todd C. Miller wrote: > Error 24 is EMFILE, too many open files for the process (not the > system). > [...] > That would only work if you were getting error 23, ENFILE which is > the system limit. Thank you for pointing that out! So it was the login.conf after all. > The recommended way to increase a limit is to add a new login class > with the same name as the daemon. For example: > > nginx:\ > :openfiles=4096:\ > :tc=daemon: > > This will be used automatically by the rc.d startup script. See > the rc.d man page for more details. Wow, I would not have thought to look at the bottom of the rc.d man page, thank you so much for mentioning that! I did what you suggested for php73_fpm in my case and it works like a charm, no more errors. Thank you! Marc Peters wrote: > If you really ran into problems with nginx and php_fpm while running > nextcloud, you could either do this or change the user the service > use and assign this user the daemon class or some special class. > I am running a similar setup with the default configuration and no > issues (since a week i use php-7.4, but had 7.3 before) This occurred when scrolling top to bottom in a folder of 200+ images, perhaps you don't usually have that kind of use? Either way I managed to reproduce the errors by repeating this procedure, so I am pretty sure it was the cause. Cranking up the openfiles limit for php73_fpm did end up making the errors disappear. Maurice McCarthy wrote: > Have a look at man ksh - the section on the command "ulimit". I was actually looking for a ulimit manpage but was unsuccessful - thanks for pointing out it is part of ksh(1)!
Best way to increase openfiles-max and -cur for NGINX/PHP?
Hello, I am getting a bunch of error messages of this kind in my NGINX error log: 2021/01/16 13:40:45 [alert] 68769#0: *1 socket() failed (24: Too many open files) while connecting to upstream, client: 123.45.67.89, server: cloud.mydomainhere.tld, request: "GET /core/preview?blah=1 HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host: "cloud.mydomainhere.tld" I am running a Nextcloud server with NGINX and PHP 7.3. Since OpenBSD is quite conservative with open file limits by default, I assume that NGINX/PHP is running into this limit. I have already significantly increased 'kern.maxfiles' in sysctl.conf, but the problem persists after a reboot, leading me to believe that it is a login.conf limit that I am running into. Both PHP and NGINX are running as user 'www', which does not have a login class. Since I have not been in this situation before and struggled to find a pointer online, I'd be thankful if you could tell me the "recommended" or "best practice" way of doing this. - Should I simply assign a login class to user 'www' and then change my limits through that class? - Should I run the processes as a different user & login class? - Is there perhaps some other way to set limits just for specific processes? Thanks in advance for any pointers!
Re: Best way to increase openfiles-max and -cur for NGINX/PHP?
On Sat, 16 Jan 2021 18:05:57 +0100, Unicorn wrote: > 2021/01/16 13:40:45 [alert] 68769#0: *1 socket() failed (24: Too many > open files) while connecting to upstream, client: 123.45.67.89, > server: cloud.mydomainhere.tld, request: "GET /core/preview?blah=1 > HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host: > "cloud.mydomainhere.tld" Error 24 is EMFILE, too many open files for the process (not the system). > I am running a Nextcloud server with NGINX and PHP 7.3. Since OpenBSD > Is quite conservative with open file limits by default, I assume that > NGINX/PHP is running into this limit. > > I have already significantly increased 'kern.maxfiles' in sysctl.conf, > but the problem persists after a reboot, leading me to believe that it > is a login.conf limit that I am running into. That would only work if you were getting error 23, ENFILE which is the system limit. > Both PHP and NGINX are running as user 'www', which does not have a > login class. Since I have not been in this situation before and > struggled to find a pointer online, I'd be thankful if you could tell > me the "recommended" or "best practice" way of doing this. The recommended way to increase a limit is to add a new login class with the same name as the daemon. For example: nginx:\ :openfiles=4096:\ :tc=daemon: This will be used automatically by the rc.d startup script. See the rc.d man page for more details. - todd
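The distinction drawn in this reply (errno 24 points at the daemon's login class, errno 23 at kern.maxfiles), as an added example that is not part of the thread. The function names, the extra log lines and the `daemon` class value are constructed for illustration; only the first log line and the `nginx` class come from the messages above.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed unless noted.

# fd_errno_kind: read nginx error-log lines on stdin and print a count per
# errno. EMFILE (24) is the per-process limit, ENFILE (23) the system table.
fd_errno_kind() {
    awk '
        /\(24: Too many open files\)/           { em++ }
        /\(23: Too many open files in system\)/ { en++ }
        END {
            if (em) print "EMFILE", em, "per-process: openfiles in login.conf"
            if (en) print "ENFILE", en, "system-wide: kern.maxfiles"
        }'
}

# login_class_cap CLASS CAP: read login.conf text on stdin and print the value
# of capability CAP for CLASS, following tc= to the parent class.
# Exit status: 0 found, 1 class exists but CAP is not set, 2 no such class.
# Simplification: values containing an escaped ":" are not handled.
login_class_cap() {
    awk -v cls="$1" -v cap="$2" '
        function lookup(c, depth,    n, f, i, tc) {
            if (!(c in body) || depth > 32) return ""
            n = split(body[c], f, ":")
            for (i = 2; i <= n; i++) {
                if (index(f[i], cap "=") == 1) return substr(f[i], length(cap) + 2)
                if (index(f[i], "tc=") == 1) tc = substr(f[i], 4)
            }
            return (tc == "") ? "" : lookup(tc, depth + 1)
        }
        /^[ \t]*#/ { next }
        {
            sub(/^[ \t]+/, "")
            if (sub(/\\$/, "")) { buf = buf $0; next }   # entry continues
            rec = buf $0; buf = ""
            if (rec == "") next
            split(rec, head, ":")
            k = split(head[1], names, "|")
            for (j = 1; j <= k; j++) body[names[j]] = rec
        }
        END {
            if (!(cls in body)) exit 2
            v = lookup(cls, 0)
            if (v == "") exit 1
            print v
        }'
}

# First line is the log entry quoted in the thread; the other two are constructed.
sample_log() {
cat <<'EOF'
2021/01/16 13:40:45 [alert] 68769#0: *1 socket() failed (24: Too many open files) while connecting to upstream, client: 123.45.67.89, server: cloud.mydomainhere.tld, request: "GET /core/preview?blah=1 HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host: "cloud.mydomainhere.tld"
2021/01/16 13:40:46 [crit] 68769#0: accept4() failed (23: Too many open files in system)
2021/01/16 13:40:47 [alert] 68769#0: *2 socket() failed (24: Too many open files) while connecting to upstream
EOF
}

# The nginx class is the one from the reply; the daemon value is illustrative.
sample_login_conf() {
cat <<'EOF'
# constructed parent class
daemon:\
    :openfiles=1024:\
    :tc=default:

nginx:\
    :openfiles=4096:\
    :tc=daemon:
EOF
}

sample_log | fd_errno_kind
printf 'nginx class openfiles: %s\n' "$(sample_login_conf | login_class_cap nginx openfiles)"
```

On a real host, feed the functions `/var/www/logs/error.log` and `/etc/login.conf`; exit status 2 for a daemon name means no class of that name exists yet.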
Re: Best way to increase openfiles-max and -cur for NGINX/PHP?
Please forgive an ignoramus butting in with a suggestion. Have a look at man ksh - the section on the command "ulimit". Best
Re: From nginx to openbsd httpd
On Jan 16, 2020 9:27 AM, Michael Hekeler wrote: > > > > > Hello, > > > > I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web > > status interface. > > > > I'm looking for a less complex httpd server and obhttpd seems to be right > > choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/> > > port > > > > nginx httpd.conf is: > > > > server { > > listen 80 default; > > server_name server_domain_or_IP; > > root /usr/local/share/poudriere/html; > > > > location /data { > > alias /usr/local/poudriere/data/logs/bulk; > > autoindex on; > > } > > > > location /packages { > > root /usr/local/poudriere/data; > > autoindex on; > > } > > } > > } > > > > obhttpd uses chroot, so I will have to point it to /usr/local/poudriere. > > > > Any hints on getting this on openbsd httpd conf file? > > > > Thanks, > > > > Nuno > > Teach poudriere to store logs to /var/www/usr/local/poudriere/data/logs/bulk > Or the less safe easier way... chroot "/"
Re: From nginx to openbsd httpd
> > Hello, > > I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web > status interface. > > I'm looking for a less complex httpd server and obhttpd seems to be right > choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/> > port > > nginx httpd.conf is: > > server { > listen 80 default; > server_name server_domain_or_IP; > root /usr/local/share/poudriere/html; > > location /data { > alias /usr/local/poudriere/data/logs/bulk; > autoindex on; > } > > location /packages { > root /usr/local/poudriere/data; > autoindex on; > } > } > } > > obhttpd uses chroot, so I will have to point it to /usr/local/poudriere. > > Any hints on getting this on openbsd httpd conf file? > > Thanks, > > Nuno Teach poudriere to store logs to /var/www/usr/local/poudriere/data/logs/bulk
From nginx to openbsd httpd
Hello, I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web status interface. I'm looking for a less complex httpd server and obhttpd seems to be right choice. I have installed obhttpd <https://www.freshports.org/www/obhttpd/> port nginx httpd.conf is: server { listen 80 default; server_name server_domain_or_IP; root /usr/local/share/poudriere/html; location /data { alias /usr/local/poudriere/data/logs/bulk; autoindex on; } location /packages { root /usr/local/poudriere/data; autoindex on; } } } obhttpd uses chroot, so I will have to point it to /usr/local/poudriere. Any hints on getting this on openbsd httpd conf file? Thanks, Nuno
Nginx error EMERG
Hi I've this problem with Nginx (v.1.14.2) on OpenBSD 6.5: # nginx -t nginx: [emerg] BIO_new_file("/etc/nginx/$file_fullchain") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/etc/nginx/$file_fullchain', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed How did I do that? I just wanted to test TLS v1.3. but I didn't pay attention to the fact that the LibreSSL didn't support. (if I have understood correctly) The server Nginx can't restart, and the service web is down… Even, by restoring my oldier functional configuration only with TLS v1.2: it failed! My functionnal TLS v1.2 config: ssl_buffer_size 4k; # 16k, for throughput, video applications ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_session_timeout 1h; ssl_certificate /etc/ssl/acme/stephane-huc.net.fullchain.pem; ssl_certificate_key /etc/ssl/acme/private/stephane-huc.net.privkey.pem; ssl_dhparam /etc/nginx/cfg/stephane-huc.net/dhp_4096.pem; ssl_ecdh_curve X25519:P-521:P-384; # Mozilla Modern Config ssl_protocols TLSv1.2; ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/acme/stephane-huc.net.chain.pem; resolver 80.67.169.12 80.67.169.40 [2001:910:800::12] [2001:910:800::40] valid=300s; For TLS v1.3, I had just modified the lines, as: ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 
'TLS13+AESGCM+AES128:EECDH+CHACHA20:EECDH+AESGCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; -- ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<< Stephane HUC as PengouinBSD or CIOTBSD b...@stephane-huc.net
Problem installing port ruby24-passenger / nginx
Hello, It's been a few releases that I noticed I can't install nginx from the ports. The problem is not nginx itself but the package ruby24-passenger-5.1.11p0 I make install in the nginx port directory, I get the crash messages below. mv: /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/*: No such file or directory I install ruby24-passenger-5.1.11p0 with pkg_add and I restart to install in the nginx port directory. That's my workaround. The problem is present from at least 6.2 checking for alloca.h... no checking for ruby/version.h... yes checking for ruby/io.h... yes checking for ruby/thread.h... yes checking for ruby_version... no checking for rb_thread_io_blocking_region() in ruby/io.h... yes checking for rb_thread_call_without_gvl() in ruby/thread.h... yes creating Makefile cd 'buildout/ruby/ruby-2.4.4-x86_64-openbsd6.4/' && make compiling /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/ruby_native_extension/passenger_native_support.c linking shared-object passenger_native_support.so rm -r /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/nginx-1.12.1 /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/bin/passenger-install-*-module /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/bin/passenger-install-*-module* mv /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/* /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/buildout/support-binaries/ mv: /usr/ports/pobj/passenger-5.1.11-ruby24/gem-tmp/.gem/ruby/2.4/gems/passenger-5.1.11/src/.passenger/support-binaries/5.1.11/*: No such file or directory *** Error 1 in /usr/ports/www/ruby-passenger (Makefile:69 'post-build') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2761 
'/usr/ports/pobj/passenger-5.1.11-ruby24/.build_done') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2003 '/usr/ports/packages/amd64/all/ruby24-passenger-5.1.11p2.tgz') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2465 '_internal-package') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2444 'package') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2021 '/var/db/pkg/ruby24-passenger-5.1.11p2/+CONTENTS') *** Error 1 in /usr/ports/www/ruby-passenger (/usr/ports/infrastructure/mk/bsd.port.mk:2444 'install') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2132 '/usr/ports/pobj/nginx-1.14.0/.dep-ruby24-passenger-ANY-www-ruby-passenger') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2523 '/usr/ports/pobj/nginx-1.14.0/.extract_done') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2003 '/usr/ports/packages/amd64/all/nginx-1.14.0p1.tgz') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2465 '_internal-package') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2444 'package') *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2021 '/var/db/pkg/nginx-1.14.0p1/+CONTENTS') *** Error 1 in /usr/ports/www/nginx (/usr/ports/infrastructure/mk/bsd.port.mk:2444 'install') Regards
Re: Migrating nginx config to OpenBSD's httpd
Thanks again. This worked in case anyone is looking for it: http protocol "monit" { match request forward to match request header "Host" value "status.affekt.org" forward to } The order is important, if put in reversed the "status.affekt.org" forward will be overwritten. Now all I need to investigate is why HTTP responses are erroneous, though you might be right that it could be a Monit problem.
Re: Migrating nginx config to OpenBSD's httpd
On 04/16, Henrik Friedrichsen wrote: > - Is there a way to match all hosts that are not "status.affekt.org"? > That way I don't have to write a filter rule for every subdomain Didn't test, just the idea: 1. You put your default host (i.e. one that will respond to all http requests which do not fall into specific configurations) first in httpd.conf. 2. In relayd configure http protocol like this: http protocol "monit" { match request header "Host" value "status.affekt.org" forward to forward to port 80 } So the requests that match Host header will go to monit, all other requests will go to httpd, where default site will respond. > - Relayed HTTP output is cut off. As you can see below the HTTP DOM is not > closed and most of the HTTP response headers are missing (status code, > content-length, etc.) > > Any idea what I'm doing wrong? I guess something is wrong on monit side.. I set up relayd with various stuff in the backend, but have seen anything like this. -- With best regards, Pavel Korovin
Re: Migrating nginx config to OpenBSD's httpd
Hey Pavel, thanks for your response. I have adapted my configuration and came up with this: ext4="51.15.10.194" ext6="2001:bc8:2d08::1" table { "127.0.0.1" } table { "127.0.0.1" } http protocol "monit" { match request header "Host" value "status.affekt.org" forward to match request header "Host" value "affekt.org" forward to } relay "proxy" { listen on $ext4 port 80 protocol "monit" forward to port 2812 forward to port 80 } I have a local monit instance listening on 127.0.0.1:2812 This configuration works, sort of: - Is there a way to match all hosts that are not "status.affekt.org"? That way I don't have to write a filter rule for every subdomain - Relayed HTTP output is cut off. As you can see below the HTTP DOM is not closed and most of the HTTP response headers are missing (status code, content-length, etc.) Any idea what I'm doing wrong? Thanks! hera ~ % curl -v "http://status.affekt.org/" * Trying 51.15.10.194... * TCP_NODELAY set * Connected to status.affekt.org (51.15.10.194) port 80 (#0) > GET / HTTP/1.1 > Host: status.affekt.org > User-Agent: curl/7.58.0 > Accept: */* > Connection: close Content-Type: text/html WWW-Authenticate: Basic realm="monit" * Connection #0 to host status.affekt.org left intact 401 UnauthorizedUnauthorizedYou are not authorized to access monit. Either you supplied the wrong credentials (e.g. bad password), or your browser doesn't understand how to supply the credentials required
Re: Migrating nginx config to OpenBSD's httpd
Henrik, Regarding cut off responses, I didn't have such problems, maybe it was fixed since 2016. Regarding multi-site setup, I have something like this: --- httpd.conf --- ### default site behind relayd server "waste.tristero.se" { alias "tristero.se" listen on 127.0.0.1 port 80 listen on ::1 port 80 root "/htdocs/waste.tristero.se" } server "openbsd.tristero.se" { listen on 127.0.0.1 port 80 listen on ::1 port 80 root "/htdocs/openbsd.tristero.se" } ### this one is not behind relayd, used for http to https redirection server "waste.tristero.se" { alias "openbsd.tristero.se" alias "tristero.se" listen on 188.244.46.111 port 80 listen on 2001:470:1f15:1492::2 port 80 root "/htdocs/waste.tristero.se" block return 301 "https://$HTTP_HOST/$DOCUMENT_URI; } --- relayd.conf --- ext4="188.244.46.111" ext6="2001:470:1f15:1492::2" localhost4="127.0.0.1" localhost6="::1" table { $localhost4 } table { $localhost6 } table { $localhost4 } table { $localhost6 } http protocol "https4" { match request header set "X-Forwarded-For" value "$REMOTE_ADDR" match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT" match request header "Host" value "tristero.se" forward to match request header "Host" value "waste.tristero.se" forward to match request header "Host" value "openbsd.tristero.se" forward to tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 } } http protocol "https6" { match request header set "X-Forwarded-For" value "$REMOTE_ADDR" match request header set "X-Forwarded-By" value "[$SERVER_ADDR]:$SERVER_PORT" match request header "Host" value "tristero.se" forward to match request header "Host" value "waste.tristero.se" forward to match request header "Host" value "openbsd.tristero.se" forward to tls { no tlsv1.0, ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+SHA256:EECDH+SHA384:ECDHE+SHA256 } } relay "https4" { listen on $ext4 port 443 tls protocol "https4" forward to port 80 forward to port 80 } relay "https6" { listen 
on $ext6 port 443 tls protocol "https6" forward to port 80 forward to port 80 } --- end cut --- The only problem I have was configuring specific security headers for specific hosts, i.e. I cannot have specific http protocol sections with different responses for specific hosts, like: http protocol "https4-flex" { match request header "Host" value "not-secure.domain" forward to match response header set "Content-Security-Policy" value "" } http protocol "https4-strict" { match request header "Host" value "secure.domain" forward to match response header set "Content-Security-Policy" value "" } -- With best regards, Pavel Korovin On 04/16, Henrik Friedrichsen wrote: > > So far I have not been able to emulate proxy_pass with relayd. > > I came across two issues: > - relayed HTTP requests resulted in cut off responses, similar to this > issue: https://github.com/reyk/relayd/issues/12 > - I have not been able to come up with a configuration/filter setting > that will only match for a specific subdomain and will pass the > non-matching requests to the regular httpd listening on port 80 > > Did anyone have success in setting this up?
Re: Migrating nginx config to OpenBSD's httpd
Hi Carlos, HAproxy project exists and serves much better as load balancer and reverse proxy server. It is more efficient than engine X. Any concerns using it? - Bogdan On Fri, Apr 13, 2018 at 04:47 Pavel Korovin <p...@tristero.se> wrote: > Hi Carlos, > > There's no analog of proxy_pass in httpd(8). relayd(8) is your friend. > > On 04/13, C. L. Martinez wrote: > > I am trying to migrate nginx configuration to OpenBSD's httpd. All it is > > working ok, except for some proxy reverse config that I use with nginx's > > config, like for example: > > > > server { > > listen 80; > > server_name internal.w01.domain.org; > > > > location / { > > proxy_pass http://192.168.30.4; > > } > > } > > > > I don't see what is the option to use with httpd.conf or is it best > > option to use relayd.conf for this type of configs? > > -- > With best regards, > Pavel Korovin > > -- --- Best regards, Bogdan Kulbida CEO/CTO, Konstankino LLC <http://konstankino.com> +1.802.793.8295
Re: Migrating nginx config to OpenBSD's httpd
Hi Carlos, There's no analog of proxy_pass in httpd(8). relayd(8) is your friend. On 04/13, C. L. Martinez wrote: > I am trying to migrate nginx configuration to OpenBSD's httpd. All it is > working ok, except for some proxy reverse config that I use with nginx's > config, like for example: > > server { > listen 80; > server_name internal.w01.domain.org; > > location / { > proxy_pass http://192.168.30.4; > } > } > > I don't see what is the option to use with httpd.conf or is it best > option to use relayd.conf for this type of configs? -- With best regards, Pavel Korovin
Migrating nginx config to OpenBSD's httpd
Hi all, I am trying to migrate nginx configuration to OpenBSD's httpd. All it is working ok, except for some proxy reverse config that I use with nginx's config, like for example: server { listen 80; server_name internal.w01.domain.org; location / { proxy_pass http://192.168.30.4; } } I don't see what is the option to use with httpd.conf or is it best option to use relayd.conf for this type of configs? Thanks.
Re: nginx chroot with a proxy_pass unix socket
Hi Stuart, > On 9 Aug 2017, at 14:08, Stuart Henderson <s...@spacehopper.org> wrote: > > On 2017-08-09, Maurizio De Magnis <r...@olisti.co> wrote: >>server { >> server_name myapp.com; >> access_log /var/www/apps/my_app/logs/access.log; >> error_log /var/www/apps/my_app/logs/error.log; >> root /var/www/apps/my_app/current; >> location / { >>proxy_pass http://unix:/var/www/apps/my_app/application.socket; > > That seems wrong, why would you have http://unix:/…? That’s per the documentation of proxy_pass: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass I get a syntax error `doas nginx -t` when I use `proxy_pass unix:/mypath`. I need to either set the “https://” or “https://” prefix. >> Do you have any suggestions on how to implement a unix socket connection >> with NGINX chroot enabled? > > You may need to use the path inside the chroot (/apps/... rather than > /var/www/apps/…), And that nails it in the head! :-) The path is actually related to the inner chroot environment (`/var/www` in my case). #duh I reset the flags, updated the socket path and now it works. Thanks a lot <3 > especially if you reload rather than restart nginx to reconfigure. I don’t understand this piece, could you expand it a bit further? > But it might be simpler to just add symlinks so that > the path /var/www/whatever works whether you're inside or outside the > chroot: > > cd /var/www > mkdir var > ln -s .. var/www Thanks for this advice as well but I think I’ll opt for the simpler chroot-only use case :-)
Re: nginx chroot with a proxy_pass unix socket
On 2017-08-09, Maurizio De Magnis <r...@olisti.co> wrote: > server { > server_name myapp.com; > access_log /var/www/apps/my_app/logs/access.log; > error_log /var/www/apps/my_app/logs/error.log; > root /var/www/apps/my_app/current; > location / { > proxy_pass http://unix:/var/www/apps/my_app/application.socket; That seems wrong, why would you have http://unix:/...? > Do you have any suggestions on how to implement a unix socket connection with > NGINX chroot enabled? You may need to use the path inside the chroot (/apps/... rather than /var/www/apps/...), especially if you reload rather than restart nginx to reconfigure. But it might be simpler to just add symlinks so that the path /var/www/whatever works whether you're inside or outside the chroot: cd /var/www mkdir var ln -s .. var/www
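The path translation described in this reply, as an added example that is not part of the thread: it scans nginx config text for `proxy_pass http://unix:` sockets and reports which ones repeat the chroot prefix. `check_proxy_sockets`, `sample_conf` and the `CHROOT` variable are names made up for this sketch, and the sample config is constructed from the server block quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. CHROOT is the directory nginx is
# chrooted to; /var/www is the value used in this thread.
CHROOT=${CHROOT:-/var/www}

# check_proxy_sockets: read nginx config text on stdin and print one line per
# "proxy_pass http://unix:PATH" directive:
#   <line-no> <status> <configured> <opened-on-host> <path-to-configure>
# status:
#   ok             path is already relative to the chroot
#   double-prefix  path repeats the chroot prefix, so the chrooted worker
#                  looks under $CHROOT$CHROOT and connect() reports ENOENT
#   symlinked      path repeats the prefix, but $CHROOT$CHROOT exists
#                  (the "mkdir var; ln -s .. var/www" arrangement)
check_proxy_sockets() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                 # ignore comments
        case $line in
            *proxy_pass*unix:/*) ;;
            *) continue ;;
        esac
        path=${line#*unix:}              # text after "unix:"
        path=${path%%;*}                 # drop the directive terminator
        path=${path%%:*}                 # drop the optional ":/uri" suffix
        case $path in
            "$CHROOT"/*)
                fixed=${path#"$CHROOT"}
                if [ -d "$CHROOT$CHROOT" ]; then
                    status=symlinked
                else
                    status=double-prefix
                fi ;;
            *)
                fixed=$path
                status=ok ;;
        esac
        printf '%s %s %s %s %s\n' "$n" "$status" "$path" "$CHROOT$path" "$fixed"
    done
}

# Constructed config: the first location is the one from the thread, the
# second uses the chroot-relative form.
sample_conf() {
cat <<'EOF'
server {
    server_name myapp.com;
    location / {
        proxy_pass http://unix:/var/www/apps/my_app/application.socket;
    }
    location /fixed {
        proxy_pass http://unix:/apps/my_app/application.socket:/;
    }
    # proxy_pass http://unix:/var/www/ignored.socket;
}
EOF
}

sample_conf | check_proxy_sockets
```

The application server is not chrooted, so it still binds the socket at the full host path (the fourth column of an `ok` line).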
nginx chroot with a proxy_pass unix socket
Hello everybody,

I’m on 6.1 and trying to configure NGINX.

I’m posting this issue here because it may be peculiar to OpenBSD but I know it could be more appropriate to post it on an NGINX specific mailing list. Please let me know if I’m on topic.

I successfully installed NGINX (`$ doas pkg_add nginx`) and managed to set up a pure static vhost:

/etc/nginx/nginx.conf:
```
# ...
server {
  listen 80;
  server_name myapp.com;
  access_log /var/www/apps/my_app/logs/access.log;
  error_log /var/www/apps/my_app/logs/error.log;
  root /var/www/apps/my_app/current;
}
# ...
```

And it works just fine.

Then I tried to implement a reverse proxy with the `proxy_pass` directive toward a local Ruby-based application server (Puma, booting a Ruby app).

If I define a proxy_pass toward a TCP port then the requests correctly reach the application server but when I try to migrate the setup into a unix socket binding, then I get an error due to NGINX being chrooted.

/etc/nginx/nginx.conf:
```
# ...
server {
  server_name myapp.com;
  access_log /var/www/apps/my_app/logs/access.log;
  error_log /var/www/apps/my_app/logs/error.log;
  root /var/www/apps/my_app/current;
  location / {
    proxy_pass http://unix:/var/www/apps/my_app/application.socket;
  }
}
# ...
```

/var/log/nginx/error.log:
```
2017/08/05 23:17:34 [crit] 58554#0: *5 connect() to unix:/var/www/apps/my_app/application.socket failed (2: No such file or directory) while connecting to upstream, client: 192.168.1.3, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://unix:/var/www/apps/my_app/application.socket:/", host: "myapp.com"
```

```
$ ls -al /var/www
drwxr-xr-x 4 olistik olistik 512 Aug 3 18:17 apps
drwxr-xr-x 3 www www 512 Jul 16 22:48 htdocs
drwxr-xr-x 2 root daemon 512 Apr 1 21:38 run
drwx-- 2 www www 512 Jul 15 20:51 tmp
```

This is how I start the application server:
```
$ bundle exec puma --debug -v -e production -b unix:///var/www/apps/my_app/application.socket -v
Puma starting in single mode...
* Version 3.9.1 (ruby 2.4.1-p111), codename: Private Caller
* Min threads: 0, max threads: 16
* Environment: production
* Listening on unix:///var/www/apps/my_app/application.socket
Use Ctrl-C to stop
```

The only way I found to work around this issue is to disable NGINX chroot:
```
$ doas rcctl enable nginx
$ doas rcctl set nginx flags -u
$ doas rcctl restart nginx
```

But it’s not ideal to lose the isolation chroot gives.

Do you have any suggestions on how to implement a unix socket connection with NGINX chroot enabled?

Thanks in advance,
olistik
Re: [OpenBSD 6.1] acme-client + nginx
Le 07/06/17 à 12:03, Stuart Henderson a écrit : (...) > > /usr/local/www seems unlikely on OpenBSD. > > I just have > > location /.well-known/acme-challenge { root /var/www/letsencrypt/; } > > and > > challengedir "/var/www/letsencrypt/.well-known/acme-challenge" > > but there are several ways you can configure this. (e.g. you might want > to use a different directory layout if you have anything else that uses > the RFC5785 .well-known URIs). It doesn't matter what you use as long as > letsencrypt can fetch the file that acme-client wrote. > > OK, it's run correctly as you wrote. I changed nginx: location ^~ /.well-known/acme-challenge { allow all; #default_type "text/plain"; root /var/www/acme/test.obsd4a.net/; } I changed acme-client.conf: challengedir "/var/www/acme/test.obsd4a.net/.well-known/acme-challenge" And, the result is: $ doas acme-client -vAD test.obsd4a.net acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain key exists (not creating) acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating) acme-client: https://acme-v01.api.letsencrypt.org/directory: directories acme-client: acme-v01.api.letsencrypt.org: DNS: 184.87.72.109 acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: test.obsd4a.net acme-client: /var/www/acme/test.obsd4a.net/.well-known/acme-challenge/cugIljWXyalHSHnsOa51W4BoBEW5n0_JctHP8Y59l8U: created acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140: challenge acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140: status acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate acme-client: http://cert.int-x3.letsencrypt.org/: full chain acme-client: cert.int-x3.letsencrypt.org: DNS: 88.221.234.34 acme-client: /etc/ssl/acme//test.obsd4a.net-chain.pem: created acme-client: /etc/ssl/acme/test.obsd4a.net-cert.pem: created 
acme-client: /etc/ssl/acme//test.obsd4a.net-fullchain.pem: created Thank you! :D -- ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<< Stephane HUC as PengouinBSD or CIOTBSD b...@stephane-huc.net
Re: [OpenBSD 6.1] acme-client + nginx
On 2017-07-06, Stephane HUC "PengouinBSD" <b...@stephane-huc.net> wrote: > Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running. > > But it fails with a bad response. ... > acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", > "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid > response from > http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU: > \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not > Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody ... LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename) but gets 404 Not Found. > I try with this nginx config: > > location ^~ /.well-known/acme-challenge { > #alias /var/www/acme; > #try_files $uri =404; > allow all; > default_type "text/plain"; > proxy_redirect off; > root /var/www/acme; > } With "root" it will look in /var/www/acme/.well-known/acme-challenge. Either adjust acme-client config to place the files there, or adjust nginx config to serve files from the actual location. Test by writing a file to the directory acme-client uses and make sure you can fetch it yourself. Only reattempt acme-client when this works, they have a rate-limit for bad auths and will blacklist you for a while if you exceed it. > or this: > > location ^~ /.well-known/acme-challenge { > alias /usr/local/www/acme; > try_files $uri =404; > } /usr/local/www seems unlikely on OpenBSD.
I just have location /.well-known/acme-challenge { root /var/www/letsencrypt/; } and challengedir "/var/www/letsencrypt/.well-known/acme-challenge" but there are several ways you can configure this. (e.g. you might want to use a different directory layout if you have anything else that uses the RFC5785 .well-known URIs). It doesn't matter what you use as long as letsencrypt can fetch the file that acme-client wrote.
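The root/alias mismatch explained in this reply, as an added example that is not part of the thread: it computes the file nginx serves for a challenge URI and compares it with the directory acme-client writes to. The function names and the `test.example` host are made up for this sketch; the directory pairs in the demo are the ones that appear in the messages of this thread.

```shell
#!/bin/sh
# Added example, not from the thread.
LOCATION=/.well-known/acme-challenge

# norm: collapse repeated slashes and drop one trailing slash.
norm() {
    printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#'
}

# served_path MODE DIR LOCATION URI
# File nginx reads for URI inside "location LOCATION { MODE DIR; }":
#   root   DIR followed by the full URI
#   alias  DIR followed by the URI with the LOCATION prefix removed
served_path() {
    case $1 in
        root)  norm "$2/$4" ;;
        alias) norm "$2/${4#"$3"}" ;;
        *)     echo "served_path: mode must be root or alias" >&2; return 2 ;;
    esac
}

# challenge_matches MODE DIR CHALLENGEDIR
# Succeeds when a token written into CHALLENGEDIR is the same file nginx
# would serve for /.well-known/acme-challenge/<token>.
challenge_matches() {
    token=probe-token                    # any name; only directories matter
    want=$(norm "$3/$token")
    got=$(served_path "$1" "$2" "$LOCATION" "$LOCATION/$token") || return 2
    [ "$want" = "$got" ]
}

# write_probe CHALLENGEDIR HOST
# Create a throwaway file where acme-client writes tokens and print the URL
# to fetch by hand before running acme-client again. Remove the file afterwards.
write_probe() {
    name=probe-$$
    echo ok > "$1/$name" || return 1
    echo "http://$2$LOCATION/$name"
}

report() {
    if challenge_matches "$1" "$2" "$3"; then
        echo "ok       $1 $2 <- $3"
    else
        echo "MISMATCH nginx serves $(served_path "$1" "$2" "$LOCATION" "$LOCATION/TOKEN")," \
             "acme-client writes $(norm "$3/TOKEN")"
    fi
}

# First attempt: root from the quoted config, directory from the acme-client log.
report root /var/www/acme /var/www/htdocs/test.obsd4a.net/www
# The pair that worked in the follow-up message.
report root /var/www/acme/test.obsd4a.net/ /var/www/acme/test.obsd4a.net/.well-known/acme-challenge
# The pair from this reply.
report root /var/www/letsencrypt/ /var/www/letsencrypt/.well-known/acme-challenge
```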
[OpenBSD 6.1] acme-client + nginx
Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.

But it fails with a bad response.

doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.206.21.80
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: test.obsd4a.net
acme-client: /var/www/htdocs/test.obsd4a.net/www/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367", "token": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU", "keyAuthorization": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU.btIkQ8owertOE1LvXr1mezl9i5h6KptZrzIehfgwdcg", "validationRecord": [ { "url": "http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU", "hostname": "test.obsd4a.net", "port": "80", "addressesResolved": [ "213.246.39.160" ], "addressUsed": "213.246.39.160", "addressesTried": [] } ] }] (1149 bytes)
acme-client: bad exit: netproc(32816): 1

I try with this nginx config:

location ^~ /.well-known/acme-challenge {
    #alias /var/www/acme;
    #try_files $uri =404;
    allow all;
    default_type "text/plain";
    proxy_redirect off;
    root /var/www/acme;
}

or this:

location ^~ /.well-known/acme-challenge {
    alias /usr/local/www/acme;
    try_files $uri =404;
}

But, same result, bad status.

FYI, I can obtain certs - in mode test - with certbot ;) (and first setting location).

--
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD "
+=<<< Stephane HUC as PengouinBSD or CIOTBSD b...@stephane-huc.net
Re: reverse proxy with relayd(8) (but not nginx)
There are many example configs online, one example like yours is at
https://www.reddit.com/r/openbsd/comments/3qb2c4/some_observations_about_relayd/

On Thu, Jun 29, 2017 at 4:40 PM, Manuel Giraud wrote:
> Hi,
>
> I'd like to setup a http reverse proxy where http://foo.org/someapp is
> forwarded to 127.0.0.1:8081 and http://foo.org/* is forwarded to
> somewhere else.
>
> AFAIU, it is not possible with httpd(8) so I'm trying to do this with
> relayd(8). There is an example in httpfiler protocol in
> /etc/examples/relayd.conf that does this to block an url:
>
> # Block disallowed sites
> match request label "URL filtered!"
> block request quick url "www.example.com/" value "*"
>
> But, I can't make it to forward to a server and port. Does anyone have
> such a config?
> --
> Manuel Giraud
>
reverse proxy with relayd(8) (but not nginx)
Hi,

I'd like to setup a http reverse proxy where http://foo.org/someapp is forwarded to 127.0.0.1:8081 and http://foo.org/* is forwarded to somewhere else.

AFAIU, it is not possible with httpd(8) so I'm trying to do this with relayd(8). There is an example in httpfiler protocol in /etc/examples/relayd.conf that does this to block an url:

# Block disallowed sites
match request label "URL filtered!"
block request quick url "www.example.com/" value "*"

But, I can't make it to forward to a server and port. Does anyone have such a config?

--
Manuel Giraud
Re: permisson of .htpasswd of 5.9's nginx
2016-04-30 4:37 GMT+02:00 Nick Holland <n...@holland-consulting.net>:
> On 04/29/16 21:27, Tuyosi Takesima wrote:
>> thanks for ludovic
>>
>> # ls -l /var/www/1/
>> total 16
>> -rw-r- 1 www www 65 Apr 29 11:19 .htpasswd
>>
>> # chmod 640 /var/www/1/.htpasswd
>>
>> this go well .
>
> *sigh*
>
> Do you really want your /security/ file writable by the very user that
> should trust the least? Might as well be 666 for what you are doing to
> your system's "security".
>
> Please stay off the 'net until you understand this stuff. It's not just
> YOUR feet you are shooting at.
>
> Nick.
>

A bit of my message might have been unclear. The file should be owned by user root and group www. As Nick has written, if the user and group owning a file are the same, there is no point in having different permissions. Also, you don't want nginx having the ability to alter the file, in case it gets compromised.

--
Cordialement, Coues Ludovic
+336 148 743 42
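The ownership and mode advice in this thread (owner root, group www, mode 640), as an added example that is not part of any message here: it reports what the web server account can do to an auth_basic_user_file. The finding names are constructed, and it assumes the daemon runs as user and group www with no supplementary groups.

```python
"""Added example: audit ownership and mode of an nginx auth_basic_user_file."""
import grp
import os
import pwd
import stat


def class_bits(perm, owner, group, user, user_group):
    """Return the rwx bits that apply to `user`: owner, else group, else other."""
    if owner == user:
        return (perm >> 6) & 0o7
    if group == user_group:
        return (perm >> 3) & 0o7
    return perm & 0o7


def audit_htpasswd(mode, owner, group, daemon_user="www", daemon_group="www"):
    """Return a list of findings; an empty list means the layout is sound."""
    perm = stat.S_IMODE(mode)
    findings = []
    if owner == daemon_user:
        # The owner can always chmod the file back to writable.
        findings.append("owner-is-daemon")
    bits = class_bits(perm, owner, group, daemon_user, daemon_group)
    if bits & 0o2:
        findings.append("daemon-can-write")
    if not bits & 0o4:
        # nginx could not read the file, so basic auth would fail.
        findings.append("daemon-cannot-read")
    if perm & stat.S_IROTH:
        findings.append("world-readable")
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & 0o111:
        findings.append("exec-bit")
    return findings


def audit_path(path, daemon_user="www", daemon_group="www"):
    """Stat a real file and audit it (needs the names to exist on the host)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return audit_htpasswd(st.st_mode, owner, group, daemon_user, daemon_group)


# The states discussed in the thread, plus one constructed failure case.
THREAD_CASES = [
    ("chmod 777, www:www", 0o777, "www", "www"),
    ("chmod 640, www:www", 0o640, "www", "www"),
    ("chmod 640, root:www", 0o640, "root", "www"),
    ("chmod 600, root:wheel (constructed)", 0o600, "root", "wheel"),
]

if __name__ == "__main__":
    for label, mode, owner, group in THREAD_CASES:
        result = audit_htpasswd(mode, owner, group)
        print(f"{label:38} {', '.join(result) or 'ok'}")
```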
Re: permisson of .htpasswd of 5.9's nginx
On 04/29/16 21:27, Tuyosi Takesima wrote:
> thanks for ludovic
>
> # ls -l /var/www/1/
> total 16
> -rw-r- 1 www www 65 Apr 29 11:19 .htpasswd
>
> # chmod 640 /var/www/1/.htpasswd
>
> this go well .

*sigh*

Do you really want your /security/ file writable by the very user that should trust the least? Might as well be 666 for what you are doing to your system's "security".

Please stay off the 'net until you understand this stuff. It's not just YOUR feet you are shooting at.

Nick.
Re: permisson of .htpasswd of 5.9's nginx
thanks for ludovic

# ls -l /var/www/1/
total 16
-rw-r- 1 www www 65 Apr 29 11:19 .htpasswd

# chmod 640 /var/www/1/.htpasswd

this go well .

tuyosi
Re: permisson of .htpasswd of 5.9's nginx
2016-04-29 5:48 GMT+02:00 Tuyosi Takesima <nakajin.fu...@gmail.com>:
> Hi all .
>
> i do
> chmod 777 /var/www/1/.htpasswd
>
> and so
> nginx works with basic authentification.
>
> but this setting is too open .
> are there any idea ?
>

First check the file is owned by the group nginx is running as, probably www.
I assume nginx doesn't execute the .htpasswd file, so you can drop the execute bit.
Only root needs to alter the file, so drop the write bit for group and other.
The data are sensitive, so remove the read bit for other.

chmod 640 /var/www/1/.htpasswd

You can read details on what the number means in the chmod manual.

--
Cordialement, Coues Ludovic
+336 148 743 42
permisson of .htpasswd of 5.9's nginx
Hi all .

i do
chmod 777 /var/www/1/.htpasswd

and so
nginx works with basic authentication.

but this setting is too open .
are there any ideas ?

# /etc/nginx/nginx.conf
events {
    worker_connections 800;
}
http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;
    keepalive_timeout 65;
    server_tokens off;
    server {
        listen 80;
        server_name localhost;#<-for test
        root /var/www/d1;
    }
    server {
        listen 80;
        server_name abcxyz.jp;
        root /var/www/d1;
        auth_basic "closed site";
        auth_basic_user_file /var/www/1/.htpasswd;
    }
}

---
regards
nginx & Perl on 5.6
What is the prefered configuration for using Perl & Nginx? php is fairly straightforward, .. but can't find anything for perl except some Linux notes to recompile. Thanks! Lee
nginx doesn't run (5.7 pkg_add)
hi all .

i've been using nginx well until now .
but pkg_add nginx(5.7) and lynx localhost ,
then response is 'HTTP request sent; waiting for response.'

when i make from source , lynx localhost go well .
(http://wiki.nginx.org/OnOpenBSD)

has something changed?

1) /etc/nginx/nginx.conf

worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root /var/www;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/www;
        }
    }
}

2) cat /var/www/index.html
test

---
joe
Re: report:intranet PXE network install (by nginx...)
On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote: hi all . i install 5.7 using intranet (internet is unnesesary) i expense some time . for covinience i report it. No need for such report, man 8 pxeboot is sufficient. j.
report:intranet PXE network install (by nginx...)
hi all . i install 5.7 using intranet (internet is unnesesary) i expense some time . for covinience i report it. sis0 openbsd PXE server ne3 :192.168.11.1 | PC ( openbsd will be installed) 1) dhcpd # cat /etc/hostname.ne3 inet 192.168.11.1 255.255.255.0 # cat /etc/dhcpd.interfaces ne3 # cat /etc/dhcpd.conf option domain-name example.com; option domain-name-servers 8.8.8.8; subnet 192.168.11.0 netmask 255.255.255.0 { option routers 192.168.11.1; filename pxeboot; range 192.168.11.30 192.168.11.31; default-lease-time 86400; max-lease-time 9; } 2)tftpb # ls -l /tftpboot/ total 13860 -rw-r--r-- 1 root wheel 6987854 Apr 30 01:21 bsd.rd drwxr-xr-x 2 root wheel 512 Apr 30 09:04 etc -rw-r--r-- 1 root wheel81108 Apr 30 01:04 pxeboot # cat /tftpboot/etc/boot.conf boot tftp:/bsd.rd AND tftpd /tftpboot 3)nginx -- cat /etc/nginx/nginx.conf worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80; server_name 192.168.11.1; root /var/www/htdocs; error_page 500 502 503 504 /50x.html; location = /50x.html { root /var/www/htdocs; } } } ls /var/www/htdocs/pub/5.7 INSTALL.i386 base57.tgz bsd.rd index.txt --- important, i think. xbase57.tgz xshare57.tgz SHA256 bsd comp57.tgz man57.tgzxfont57.tgz SHA256.sig bsd.mp game57.tgz pxeboot xserv57.tgz that is all . i try automatic install , but how to make partition is hard to be controlled . and this method is adopeted in case of upgrade . _ regards in case of /etc/httpd.conf ext_addr=192.168.11.1 server www.intranet.com { listen on $ext_addr port 80 root /htdocs/5.7 }
Re: report:intranet PXE network install (by nginx...)
If it's correct and not against man pages it can be helpful for beginners to have a ready recipe, just like FAQs. Il 07/mag/2015 10:43, Jiri B ji...@devio.us ha scritto: On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote: hi all . i install 5.7 using intranet (internet is unnesesary) i expense some time . for covinience i report it. No need for such report, man 8 pxeboot is sufficient. j.
Re: report:intranet PXE network install (by nginx...)
securiy is most inportant for airplain. my writing unperfect ,so may be dangerous . by the way i have little expirience of domain name server . so, i have three question. in dnsmasq 1) does /etc/hosts alow alias ? 2) is /etc/resolv.conf important ? 3) soft link perhaps fail example cd /var/www/htdocs/pub/OpenBSD/5.7/ ln -s /home/Auser/i386 i386 what should i do ? i use dnsmaq in pxe server ,because it is simple . (/etc/rc.d/dhcpd stop , don't run tftpd) network is next. sis0 openbsd PXE server=dnsmasq ne3 :192.168.11.1 | PC ( openbsd will be installed) A) /etc/dnsmasq.conf listen-address=127.0.0.1 listen-address=192.168.11.1 interface=fxp0 dhcp-range=192.168.11.10,192.168.11.12,12 hdhcp-boot=pxeboot enable-tftp tftp-root=/tftpboot B) /etc/hosts 127.0.0.1 localhost ::1 localhost 192.168.11.101.net 192.168.11.102.net ---alias OK? C)/etc/nginx/nginx.conf worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80; server_name 01.net; root /var/www/htdocs; error_page 500 502 503 504 /50x.html; location = /50x.html { root /var/www/htdocs; } } server { listen 80; listen [::]:80; server_name 02.net; root /var/www/htdocs/pub/OpenBSD/5.7/i386; error_page 500 502 503 504 /50x.html; location = /50x.html { root /var/www/htdocs/pub/OpenBSD/5.7/i386; } } shell script - ifconfig fxp0 192.168.11.1/24 /etc/rc.d/dnsmasq restart /etc/rc.d/nginxrestart to upgrade - use 01.net - /pub/OpenBSD/5.7/i386 use 02.net - / this plane fly , but it may drop . - regards
Re: report:intranet PXE network install (by nginx...)
On Thu, 07 May 2015 08:13:55 -0400 Nick Holland n...@holland-consulting.net wrote: On 05/07/15 07:51, Paolo Aglialoro wrote: If it's correct and not against man pages it can be helpful for beginners to have a ready recipe, just like FAQs. IF it is correct, maybe. But OpenBSD's philosophy has never been more places of docs is better!. We really want one authoritative source. Unfortunately, he's been posting a lot of his experiences which involve reinventing wheels with some really oddly shapes and making some simple things complicated. That's not helpful. Nick. given how often a certain site has given people bad information, and it doesn't get corrected until people ask questions here, it's at least slightly better. at least here you are aware of it and have a chance to respond and correct it, for posterity, while that certain site is still out there causing trouble.
Re: report:intranet PXE network install (by nginx...)
On 05/07/15 07:51, Paolo Aglialoro wrote: If it's correct and not against man pages it can be helpful for beginners to have a ready recipe, just like FAQs. IF it is correct, maybe. But OpenBSD's philosophy has never been more places of docs is better!. We really want one authoritative source. Unfortunately, he's been posting a lot of his experiences which involve reinventing wheels with some really oddly shapes and making some simple things complicated. That's not helpful. Nick. Il 07/mag/2015 10:43, Jiri B ji...@devio.us ha scritto: On Thu, May 07, 2015 at 05:24:14PM +0900, Tuyosi Takesima wrote: hi all . i install 5.7 using intranet (internet is unnesesary) i expense some time . for covinience i report it. No need for such report, man 8 pxeboot is sufficient. j.
Re: SSL working with nginx, not with httpd. Any ideas?
Hi, Hugo!

> Are you sure that's right? I don't see the ssl keyword anywhere in the docs

I see what you're saying... I'm using 5.6-release, which is really not recommended for httpd as it's moving quite fast. I wonder if that would fix it.

> You also seem to be missing TLS certificate/key if you're going to use TLS.

I'm using the default files, /etc/ssl/private/server.key and /etc/ssl/server.crt. I failed to mention that under (Ubuntu) Chrome I get a green lock. By now I'm pretty sure I'm missing the intermediate certificate.

Thanks for looking into it!

Best,
Ezequiel
SSL working with nginx, not with httpd. Any ideas?
Greetings!

For some reason I'm able to set up SSL support for my domain using nginx, but not httpd. I have combined my certificates like this:

# cat ssl.crt sub.class1.server.ca.pem ca.pem /etc/ssl/server.crt

However, if I stop nginx and start httpd I get:

$ curl -I https://ezequiel-garzon.net
curl: (60) SSL certificate problem: unable to get local issuer certificate

I have attempted to write a minimal config file at /etc/httpd.config:

server defaults {listen on egress ssl port 443}

Any ideas on what I'm doing wrong? Thanks for your help!

Cheers,
Ezequiel
Re: SSL working with nginx, not with httpd. Any ideas?
On 2015-03-14 18:41, Ezequiel Garzon wrote:
> Greetings!
>
> For some reason I'm able to set up SSL support for my domain using
> nginx, but not httpd. I have combined my certificates like this:
>
> # cat ssl.crt sub.class1.server.ca.pem ca.pem /etc/ssl/server.crt
>
> However, if I stop nginx and start httpd I get:
>
> $ curl -I https://ezequiel-garzon.net
> curl: (60) SSL certificate problem: unable to get local issuer certificate
>
> I have attempted to write a minimal config file at /etc/httpd.config:
>
> server defaults {listen on egress ssl port 443}

Are you sure that's right? I don't see the ssl keyword anywhere in the docs:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/httpd.conf.5

You also seem to be missing TLS certificate/key if you're going to use TLS.

> Any ideas on what I'm doing wrong? Thanks for your help!
>
> Cheers,
> Ezequiel

Cheers,

--
Hugo Osvaldo Barrera

A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
Re: nginx question...
On 01/19/15 23:25, worik wrote: Summary: The files under /var/www/htdocs are by default it seems all owned by root:wheel. What are the issues with changing that to be a normal user? The long version My work flow involves building a directory structure on another machine and using 'rsync' when I am ready to transfer it to the OpenBSD machine to be served by the public facing webserver. Having the files owned by a user other than the one I log in as for a rsync session is causing all sorts of headaches and warnings from rsync. So I have changed the ownership of all the files and directories to be foo:foo where 'foo' is the user/group name I login as. This makes my life much simpler. But I have a nagging doubt that I am doing some thing I will regret. As long as the files are not modifiable by the webserver, you should be fine. Now and then I create user:user directories somewhere under /var/www/... and create a symlink to it from ~user/www. /Alexander Perhaps I need to use rsync differently or modify my workflow Worik
Re: nginx question...
On 01/19/15 22:25, worik wrote: Summary: The files under /var/www/htdocs are by default it seems all owned by root:wheel. What are the issues with changing that to be a normal user? The long version My work flow involves building a directory structure on another machine and using 'rsync' when I am ready to transfer it to the OpenBSD machine to be served by the public facing webserver. Having the files owned by a user other than the one I log in as for a rsync session is causing all sorts of headaches and warnings from rsync. So I have changed the ownership of all the files and directories to be foo:foo where 'foo' is the user/group name I login as. This makes my life much simpler. But I have a nagging doubt that I am doing some thing I will regret. Perhaps I need to use rsync differently or modify my workflow Worik rsync [OPTION...] SRC... rsync://user@[WEBSERVER]/var/www/htdocs should allow you to set the user on the webserver - what errors are you getting? nginx runs chrooted by default, which should limit exploits. I also chmod 644 or 640 if I'm feeling more paranoid all the files below /var/www/htdocs - although the files are in group www. hth Fred
nginx question...
Summary: The files under /var/www/htdocs are by default it seems all owned by root:wheel. What are the issues with changing that to be a normal user? The long version My work flow involves building a directory structure on another machine and using 'rsync' when I am ready to transfer it to the OpenBSD machine to be served by the public facing webserver. Having the files owned by a user other than the one I log in as for a rsync session is causing all sorts of headaches and warnings from rsync. So I have changed the ownership of all the files and directories to be foo:foo where 'foo' is the user/group name I login as. This makes my life much simpler. But I have a nagging doubt that I am doing some thing I will regret. Perhaps I need to use rsync differently or modify my workflow Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: Best way forward w.r.t. apache/nginx/httpd?
On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote:
>> b) Migrate to nginx
>> This seems to be the least interesting option - not only do I have to
>> migrate now, but once more in the future, as nginx is also on the way
>> out (so, the same developer attention caveat applies as with apache)
>
> This might be a reasonable choice, especially if the CMS you're looking
> at already documents how to use it with nginx.

We already got some of the most common CMS / web things working. But I'm interested in examples from users who created such configurations with httpd (and please make sure to mention httpd in the subject to let me find them in my inbox).

>> c) Migrate to httpd
>> From what I've gathered so far from this list, this would basically
>> require me to switch to -current, as the 5.6 version is too fresh and
>> too many changes have happened since - or am I being pessimistic
>> here? I've never run -current before, hence, I'm a bit hesitant...
>
> Personally I don't think httpd is quite ready for use with a typical
> PHP-based CMS yet (including -current). Two big issues for this type of use:
>
> clean urls functionality in most CMS needs rewrite support which httpd
> doesn't have.
>
> httpd's fastcgi support passes every url matching a location block to
> the handler meaning there's no mitigation for the issue described in
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
> (which also affects naive nginx configurations).

And I personally disagree with the conclusion that httpd is not ready. It is not finished but it is ready for many common things.

- People are using it with different CMS, including Wordpress, CVSWeb, different Wikis, etc. I even tested it with node-fastcgi (I know, it's weird, but I had to satisfy my inner web hipster). I'm looking forward to hear about more examples (hint: send me your testimonials).

- Some features are missing, and will be implemented, but there are ways to deal with them:

1. redirects / return 301 etc.: This can be done without regex by using a few built-in variables. Current workaround is to either do it in the fastcgi backend or with, ahem, html refresh. btw., nginx' return 444; is such an ugly workaround...

2. basic auth: We don't have a satisfying implementation for authentication yet. But it is needed and will be done.

3. deny: We cannot deny access to specific locations but the current workaround is to set a non-accessible root:

	location */.* {
		# mkdir -m 0 /var/www/forbidden
		root /forbidden
	}

4. Server aliases and a few restrictions of the grammar: Individual server blocks can currently only have one name and listen statement. This will be fixed in the parser later. To avoid too much repeating configuration, I currently use includes:

	server www.example.com {
		listen on $ip4_addr port 80
		include /etc/httpd/example.com.inc
	}
	server www.example.com {
		listen on $ip6_addr port 80
		include /etc/httpd/example.com.inc
	}
	server www.example.com {
		listen on $ip4_addr tls port 443
		include /etc/httpd/example.com.ssl
		include /etc/httpd/example.com.inc
	}
	server www.example.com {
		listen on $ip6_addr tls port 443
		include /etc/httpd/example.com.ssl
		include /etc/httpd/example.com.inc
	}

5. Some minor things, eg. charsets (for auto index), fixes, ...

6. The web server needs some more FAQ-style documentation in addition to our excellent man pages and examples. Examples for each CMS would go beyond the scope of them, and probably don't fit into the OpenBSD FAQ. So I'm thinking about putting something on http://bsd.plumbing/.

- Like nginx describes, there are also various ways to safely handle #Passing_Uncontrolled_Requests_to_PHP in httpd:

1. It's a non-issue for OpenBSD because php-fpm rejects execution of non-php files by default. See php-fpm.conf:

	; Limits the extensions of the main script FPM will allow to parse. This can
	; prevent configuration mistakes on the web server side. You should only limit
	; FPM to .php extensions to prevent malicious users to use other extensions to
	; exectute php code.
	; Note: set an empty value to allow all extensions.
	; Default Value: .php
	;security.limit_extensions = .php .php3 .php4 .php5

2. You can write locations as a ruleset in first-matching order, eg.

	location */.* {
		root /forbidden
	}
	location /cms/*.jpg {
		no fastcgi
	}
	location /cms/uploads/* {
		no fastcgi
	}
	location /cms/* {
		fastcgi socket run/php-fpm.sock
	}

3. Don't use PATH_INFO and only match PHP files (fnmatch has an implicit $).

	location /cms/*.php {
		fastcgi socket run/php-fpm.sock
	}

- I
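The first-matching location ruleset from the message above, as an added example that is not httpd's own code: it routes request paths through the rules in order and lists any path under the upload directory that would still reach the fastcgi handler. It assumes shell-style matching in which `*` also matches `/`, with Python's fnmatchcase standing in for httpd's matcher; the request paths are constructed.

```python
"""Added example: evaluate an httpd-style location ruleset in first-match order."""
from fnmatch import fnmatchcase

# The ruleset from the message, in the order it was written.
ORDERED_RULES = [
    ("*/.*", "forbidden"),         # root /forbidden
    ("/cms/*.jpg", "static"),      # no fastcgi
    ("/cms/uploads/*", "static"),  # no fastcgi
    ("/cms/*", "fastcgi"),         # fastcgi socket run/php-fpm.sock
]

# Same rules with the catch-all moved to the top (constructed misordering).
MISORDERED_RULES = [ORDERED_RULES[3]] + ORDERED_RULES[:3]

# Constructed request paths.
SAMPLE_PATHS = [
    "/cms/index.php",
    "/cms/img/logo.jpg",
    "/cms/uploads/avatar.php",
    "/cms/uploads/pic.jpg/x.php",
    "/cms/.git/config",
    "/index.html",
]


def route(path, rules, default="static"):
    """Return (action, pattern) for the first rule whose pattern matches."""
    for pattern, action in rules:
        if fnmatchcase(path, pattern):
            return action, pattern
    return default, None


def uploads_reaching_fastcgi(rules, paths, upload_prefix="/cms/uploads/"):
    """List paths under the upload directory that are handed to fastcgi."""
    return [p for p in paths
            if p.startswith(upload_prefix) and route(p, rules)[0] == "fastcgi"]


if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED_RULES),
                        ("misordered", MISORDERED_RULES)):
        print(f"== {name} ruleset")
        for path in SAMPLE_PATHS:
            action, pattern = route(path, rules)
            print(f"{path:30} {action:10} via {pattern}")
        print("uploads reaching fastcgi:",
              uploads_reaching_fastcgi(rules, SAMPLE_PATHS))
```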
Re: Best way forward w.r.t. apache/nginx/httpd?
On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote: On 2014-12-29, T. Ribbrock emga...@gmx.net wrote: Given the current state of development in OpenBSD, I'm now wondering what the best way forward is for me: a) Install apache-httpd-openbsd from ports and keep my configuration basically as is Advantage: Less work to get everything running - I've done OpenBSD re-installs like that several times over the past years Disadvantage: I guess that the new httpd will get a lot more developer attention, so this does not seem the ideal option longterm, but I could always migrate to httpd later, e.g. when upgrading to 5.7 or (more likely) 5.8 apache-httpd-openbsd is a dead-end, it's not actively developed, ssl support is poor, third-party documentation relating to use of webapps with Apache has long since moved to Apache 2. It's mainly there to provide a quick migration path for existing OpenBSD users and to ease the pain in ports. b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) This might be a reasonable choice, especially if the CMS you're looking at already documents how to use it with nginx. c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... Personally I don't think httpd is quite ready for use with a typical PHP-based CMS yet (including -current). Two big issues for this type of use: clean urls functionality in most CMS needs rewrite support which httpd doesn't have. 
httpd's fastcgi support passes every url matching a location block to the handler meaning there's no mitigation for the issue described in http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP (which also affects naive nginx configurations). Yep. Lack of a mod_rewrite functionality in httpd is the only thing at this point keeping me from using it in production. MVC frameworks usually rely on some sort of rewrite to force URLs to a signle front controller file. I went with the OP's option a) and installed the apache 1 port just to get through the 5.6 upgrade. I'll likely switch to nginx long term unless httpd gets a rewrite functionality. Big thanks for the apache-httpd-openbsd option to make these migrations easier to phase in over time on busy sites. -Clint
Re: nginx how to run first site as open , and second
thanks for einfach's kind advice ,
i at last do it.

final nginx.conf is

worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}
#h
http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;
    keepalive_timeout 65;
    server_tokens off;
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;#-for test
        root /var/www/d1;
        auth_basic Restricted;
        auth_basic_user_file /var/www/1/.htpasswd;
    }
    #0
    server {
        listen 80;
        listen [::]:80;
        server_name a.mydns.jp;
        root /var/www/d0;
        auth_basic Restricted;
        auth_basic_user_file /var/www/1/.htpasswd;
    }
    #1
    server {
        listen 80;
        listen [::]:80;
        server_name s.sun.ddns.vc;
        root /var/www/d1;
        auth_basic Restricted;
        auth_basic_user_file /var/www/1/.htpasswd;
    }
    #2
    server {
        listen 80;
        listen [::]:80;
        server_name k.sun.ddns.vc;
        root /var/www/d2;
        auth_basic Restricted;
        auth_basic_user_file /var/www/2/.htpasswd;
    }
    #11
    server {
        listen 80;
        listen [::]:80;
        server_name member.planex.ddns.vc;
        root /var/www/d11;
        auth_basic Restricted;
        auth_basic_user_file /var/www/11/.htpasswd;
    }
    #12
    server {
        listen 80;
        listen [::]:80;
        server_name n.luna.ddns.vc;
        root /var/www/d12;
        auth_basic Restricted;
        auth_basic_user_file /var/www/12/.htpasswd;
    }
    #h
}

and i run openbsd on USB only about 4GB .
so i must use hard disk .

Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/sd1a      8293692   5045444   2833564    64%    /
/dev/sd0a     58566000  30109240  25481432    54%    /var/www

so
# cat /etc/rc.local
umount /var/www
mount_ext2fs /dev/sd0a /var/www # -ext2fs
if [ -x /usr/local/sbin/nginx ]; then
    echo ' - Starting nginx - '; /etc/rc.d/nginx -f start
fi

because
cat /etc/rc.d/nginx
#!/bin/sh
#
# $OpenBSD: nginx,v 1.1 2012/02/19 11:34:36 robert Exp $

daemon=/usr/local/sbin/nginx #--

. /etc/rc.d/rc.subr

pexp=nginx:.*master.*process

rc_reload() {
    ${daemon} -s reload
}

rc_stop() {
    ${daemon} -s stop || pkill -f ^${pexp}
}

rc_cmd $1

and
cat /etc/rc.shutdown
umount /var/www/

thanks thanks
--
tuyosi
* http://marc.info/?a=14167909673r=1w=2*
Re: Best way forward w.r.t. apache/nginx/httpd?
I'll answer to this one, but I'll start with a big thanks to all who responded - some interesting points were made! On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote: apache-httpd-openbsd is a dead-end, it's not actively developed, ssl support is poor, third-party documentation relating to use of webapps with Apache has long since moved to Apache 2. It's mainly there to provide a quick migration path for existing OpenBSD users and to ease the pain in ports. In fact, the Apache 1 vs. 2 problem has already hit me in the past and forced me not to use a photogallery application I wanted to use. You make a very valid point here: Contrary to nginx, there is indeed nobody developing Apache 1 anymore (not even the OpenBSD developers who kept it running for so long). b) Migrate to nginx [...] This might be a reasonable choice, especially if the CMS you're looking at already documents how to use it with nginx. I had a quick look - CMS Made Simple (which is what I'm using) has aparently been used with nginx by some people, so there is some documentation around. phpGedView (which is another application I use) is no longer developed anymore and I was thinking about replacing it anyway, so this might be a good time. Same goes for the gallery I'm currently using. There will be some work involved, but this has been coming a long time now... Time for some clean-up work. c) Migrate to httpd [...] Personally I don't think httpd is quite ready for use with a typical PHP-based CMS yet (including -current). Two big issues for this type of use: clean urls functionality in most CMS needs rewrite support which httpd doesn't have. httpd's fastcgi support passes every url matching a location block to the handler meaning there's no mitigation for the issue described in http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP (which also affects naive nginx configurations). Thanks for those two insights. 
Based on what I've read so far, I will give nginx a try - that will at least place me on a server that is a) well known on OpenBSD and b) still under active development - that should buy me enough time to wait for the day that httpd can take over this job - given the track record of OpenBSD, I very much like to stay within base where possible. Thanks again! And now off to read up on how to use nginx with PHP etc.pp ;-) Cheerio, Thomas -- - Thomas Ribbrockhttp://www.ribbrock.org/ You have to live on the edge of reality - to make your dreams come true!
Re: nginx how to run first site as open , and second
Hi ,all . how to compile nginx who has ability of basic auth using ports ? according to http://wiki.nginx.org/Modules , if auth_basic is not wanted, compile nginx --without-http_auth_basic_module . --- i need basic auth because of family privacy photos , i run nginx on arch linux out of need . nginx.conf is worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfileon; keepalive_timeout 65; # local server { listen 80; server_name localhost; root /mnt-nginx/d3; index index.html index.htm; auth_basic Restricted; auth_basic_user_file /etc/nginx/13/.htpasswd; # 13 insted of require } #-open-mydns server { listen 80; server_name a.mydns.jp; root /mnt-nginx/d1; index index.html index.htm; } #-basic auth---ddns server { listen 80; server_name s.sun.ddns.vc; root /mnt-nginx/htdocs/Fam; index index.html index.htm; auth_basic Restricted; auth_basic_user_file /etc/nginx/1/.htpasswd; # 1 insted of require } } --- tuyosi
Best way forward w.r.t. apache/nginx/httpd?
Hi all, I'm finally getting round to updating my home server (gets a fresh 5.6 install). Of course, there were a lot of changes over the past versions, one of them being the whole apache - nginx - httpd migration. My webserver has a CMS running which requires PHP and MySQL, plus a few more PHP-applications. Also, I have two or three virtual sites running and I'm currently considering having a look at something like Owncloud and/or Citadel. Given the current state of development in OpenBSD, I'm now wondering what the best way forward is for me: a) Install apache-httpd-openbsd from ports and keep my configuration basically as is Advantage: Less work to get everything running - I've done OpenBSD re-installs like that several times over the past years Disadvantage: I guess that the new httpd will get a lot more developer attention, so this does not seem the ideal option longterm, but I could always migrate to httpd later, e.g. when upgrading to 5.7 or (more likely) 5.8 b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... I tend to go for a) because I do not want to migrate twice - but maybe somebody else has some interesting points that I have not considered yet? I'd appreciate the input! Regards, Thomas -- - Thomas Ribbrock http://www.ribbrock.org/ You have to live on the edge of reality - to make your dreams come true!
Re: Best way forward w.r.t. apache/nginx/httpd?
In more or less the same boat, without php as our virtual sites are simple display only. However for future business development we have wondered the same. I am in agreement with your choice of (1) as that would be ours pending feedback here from those who know. On Mon, Dec 29, 2014 at 7:30 AM, T. Ribbrock emga...@gmx.net wrote: Hi all, I'm finally getting round to updating my home server (gets a fresh 5.6 install). Of course, there were a lot of changes over the past versions, one of them being the whole apache - nginx - httpd migration. My webserver has a CMS running which requires PHP and MySQL, plus a few more PHP-applications. Also, I have two or three virtual sites running and I'm currently considering having a look at something like Owncloud and/or Citadel. Given the current state of development in OpenBSD, I'm now wondering what the best way forward is for me: a) Install apache-httpd-openbsd from ports and keep my configuration basically as is Advantage: Less work to get everything running - I've done OpenBSD re-installs like that several times over the past years Disadvantage: I guess that the new httpd will get a lot more developer attention, so this does not seem the ideal option longterm, but I could always migrate to httpd later, e.g. when upgrading to 5.7 or (more likely) 5.8 b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... I tend to go for a) because I do not want to migrate twice - but maybe somebody else has some interesting points that I have not considered yet? 
I'd appreciate the input! Regards, Thomas -- - Thomas Ribbrock http://www.ribbrock.org/ You have to live on the edge of reality - to make your dreams come true!
Re: Best way forward w.r.t. apache/nginx/httpd?
Hi Thomas, On 29 December 2014 at 05:30, T. Ribbrock emga...@gmx.net wrote: Hi all, I'm finally getting round to updating my home server (gets a fresh 5.6 install). Of course, there were a lot of changes over the past versions, one of them being the whole apache - nginx - httpd migration. My webserver has a CMS running which requires PHP and MySQL, plus a few more PHP-applications. Also, I have two or three virtual sites running and I'm currently considering having a look at something like Owncloud and/or Citadel. c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... Well you could try 5.6 with this patch: http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig Of course, visualize everything and test it out before going live! But you are right, httpd is very fast moving: https://secure.freshbsd.org/search?project=openbsd&q=httpd Regards, Thomas -- Best, jungle - Thomas Ribbrock http://www.ribbrock.org/ You have to live on the edge of reality - to make your dreams come true! --- inum: 883510009027723 sip: jungleboo...@sip2sip.info xmpp: jungle-boo...@jit.si
Re: Best way forward w.r.t. apache/nginx/httpd?
On Mon, Dec 29, 2014 at 14:30, T. Ribbrock wrote: b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) nginx hasn't disappeared entirely. It's still in ports. If you're running PHP, you're obviously not afraid of installing a few packages. nginx at least receives attention from its own team of developers. Their priorities are not always in alignment with OpenBSD (hence the new httpd), but it has a lot more of a future than apache1 does.
Re: Best way forward w.r.t. apache/nginx/httpd?
emga...@gmx.net (T. Ribbrock), 2015.12.29 (Mon) 14:30 (CET): Hi all, I'm finally getting round to updating my home server (gets a fresh 5.6 install). Of course, there were a lot of changes over the past versions, one of them being the whole apache - nginx - httpd migration. My webserver has a CMS running which requires PHP and MySQL, plus a few more PHP-applications. Also, I have two or three virtual sites running and I'm currently considering having a look at something like Owncloud and/or Citadel. Given the current state of development in OpenBSD, I'm now wondering what the best way forward is for me: a) Install apache-httpd-openbsd from ports and keep my configuration basically as is Advantage: Less work to get everything running - I've done OpenBSD re-installs like that several times over the past years Disadvantage: I guess that the new httpd will get a lot more developer attention, so this does not seem the ideal option longterm, but I could always migrate to httpd later, e.g. when upgrading to 5.7 or (more likely) 5.8 b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... As I've understood it, there's no need to run -current to get a (fairly?) recent httpd(8): http://www.openbsd.org/errata56.html 009: RELIABILITY FIX: November 18, 2014 All architectures httpd was developed very rapidly in the weeks before 5.6 release, and it has a few flaws. It would be nice to get these flaws fully remediated before the next release, and that requires the community to want to use it. 
Therefore here is a jumbo patch that brings in the most important fixes. A source code patch exists which remedies this problem. http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig Do you know of http://stable.mtier.org/ , especially openup: http://www.mtier.org/index.php/solutions/apps/openup/ ? I tend to go for a) because I do not want to migrate twice - but maybe somebody else has some interesting points that I have not considered yet? I'd appreciate the input! For just your own business, I'd do a) and deal with httpd(8) later. For our all benefit, please run httpd(8) now, reyk@ will love your reports and you'd raise our chances for httpd(8) in 5.7. Bye, Marcus
Re: Best way forward w.r.t. apache/nginx/httpd?
I'm not experiencing any problems with httpd and php, but I don't have a need for any of the extras you can get with the other two. It actually seems to be performing better than nginx from what I can tell. On 12/29/14 10:07, Ted Unangst wrote: On Mon, Dec 29, 2014 at 14:30, T. Ribbrock wrote: b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) nginx hasn't disappeared entirely. It's still in ports. If you're running PHP, you're obviously not afraid of installing a few packages. nginx at least receives attention from its own team of developers. Their priorities are not always in alignment with OpenBSD (hence the new httpd), but it has a lot more of a future than apache1 does.
Re: Best way forward w.r.t. apache/nginx/httpd?
On 2014-12-29, T. Ribbrock emga...@gmx.net wrote: Given the current state of development in OpenBSD, I'm now wondering what the best way forward is for me: a) Install apache-httpd-openbsd from ports and keep my configuration basically as is Advantage: Less work to get everything running - I've done OpenBSD re-installs like that several times over the past years Disadvantage: I guess that the new httpd will get a lot more developer attention, so this does not seem the ideal option longterm, but I could always migrate to httpd later, e.g. when upgrading to 5.7 or (more likely) 5.8 apache-httpd-openbsd is a dead-end, it's not actively developed, ssl support is poor, third-party documentation relating to use of webapps with Apache has long since moved to Apache 2. It's mainly there to provide a quick migration path for existing OpenBSD users and to ease the pain in ports. b) Migrate to nginx This seems to be the least interesting option - not only do I have to migrate now, but once more in the future, as nginx is also on the way out (so, the same developer attention caveat applies as with apache) This might be a reasonable choice, especially if the CMS you're looking at already documents how to use it with nginx. c) Migrate to httpd From what I've gathered so far from this list, this would basically require me to switch to -current, as the 5.6 version is too fresh and too many changes have happened since - or am I being pessimistic here? I've never run -current before, hence, I'm a bit hesitant... Personally I don't think httpd is quite ready for use with a typical PHP-based CMS yet (including -current). Two big issues for this type of use: clean urls functionality in most CMS needs rewrite support which httpd doesn't have. 
httpd's fastcgi support passes every url matching a location block to the handler meaning there's no mitigation for the issue described in http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP (which also affects naive nginx configurations). I tend to go for a) because I do not want to migrate twice - but maybe somebody else has some interesting points that I have not considered yet? I'd appreciate the input! Another option is to migrate to apache 2, this tends to be quite well supported by webapp authors, though it's not very widely used in OpenBSD land. Or other servers like lighttpd are available. What would I choose? Depends on the particular webapp...
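The handoff issue referenced above, shown as configuration. This is an added example, not taken from any message in this thread; the `/htdocs` root and `/tmp/php.sock` socket are borrowed from a config posted elsewhere on this page, while both `server_name` values and the `/uploads/` path are constructed for illustration.

```nginx
# Fragment for the http { } context: two vhosts that differ only in how
# they hand requests to PHP. Both server_name values are constructed.

# Weak: the regex is the only gate. Every URI ending in ".php" is sent to
# the FastCGI backend, whether or not a script of that name exists under
# the document root, and PHP is left to decide what to execute.
server {
    listen       80;
    server_name  weak.example;
    root         /htdocs;

    location ~ \.php$ {
        fastcgi_pass   unix:/tmp/php.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME /htdocs$fastcgi_script_name;
        include        fastcgi_params;
    }
}

# Hardened: nginx decides which requests may reach PHP at all.
server {
    listen       80;
    server_name  hardened.example;
    root         /htdocs;
    index        index.php index.html index.htm;

    # Never execute PHP from a directory that users can write to.
    # /uploads/ is a hypothetical path. Regex locations are tried in the
    # order they appear, so this block has to come before the PHP one.
    location ~* ^/uploads/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # The URI must map to an existing file, otherwise nginx answers
        # 404 itself and the backend is never contacted.
        try_files      $uri =404;
        fastcgi_pass   unix:/tmp/php.sock;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

# Caveats:
#  - try_files tests the path as nginx sees it. If PHP runs on another
#    host, or with a different view of the filesystem, the check does not
#    describe what PHP will find.
#  - Set cgi.fix_pathinfo=0 in php.ini as well, so PHP does not go looking
#    for a different script when the requested one is missing.
```

Run `nginx -t` after merging either block into a real configuration, as suggested elsewhere in this thread.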
Re: nginx how to run first site as open , and second
On 2014-12-29 at 08:59 CET Tuyosi Takesima wrote: Hi ,all . how to compile nginx who has ability of basic auth using ports ? according to http://wiki.nginx.org/Modules , if auth_basic is not wanted, compile nginx --without-http_auth_basic_module . --- i need basic auth because of family privacy photos , i run nginx on arch linux out of need . nginx.conf is worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; # local server { listen 80; server_name localhost; root /mnt-nginx/d3; index index.html index.htm; auth_basic Restricted; auth_basic_user_file /etc/nginx/13/.htpasswd; # 13 instead of require } #-open-mydns server { listen 80; server_name a.mydns.jp; root /mnt-nginx/d1; index index.html index.htm; } #-basic auth---ddns server { listen 80; server_name s.sun.ddns.vc; root /mnt-nginx/htdocs/Fam; index index.html index.htm; auth_basic Restricted; auth_basic_user_file /etc/nginx/1/.htpasswd; # 1 instead of require } } --- tuyosi Hiya, basic_auth is available by default in nginx on OpenBSD. You do not need to compile it with any special flags/settings. Thus you can set your PACKAGE_PATH to a mirror near you and simply do # pkg_add nginx or if you really want to compile it (why?) you can build it from ports $ cd /usr/ports/www/nginx $ make $ sudo make install See http://www.openbsd.org/faq/faq15.html for the documentation of the package and ports system. Be aware that nginx on OpenBSD runs in a proper chroot under /var/www, thus you need to create the directories /var/www/etc/nginx/1 and /var/www/etc/nginx/13 and put your .htpasswd files there if you want to use your configuration as quoted above. Otherwise you will get errors like *1 open() /etc/nginx/conf/13/.htpasswd failed (2: No such file or directory) in /var/www/logs/error.log The same goes for the document roots. 
You will need the directories /var/www/mnt-nginx/d1 /var/www/mnt-nginx/d3 /var/www/mnt-nginx/htdocs/Fam for your unaltered configuration to work. Note that basic_auth over unencrypted http might be a weak authentication mechanism for your purpose. Also note that the nginx-package does not bring you the htpasswd program to generate your .htaccess files. htpasswd is in the OpenBSD base system since OpenBSD 5.6 HTH rru
Re: nginx how to run first site as open , and second
thanks for good advice . surely no need to compile to obtain basic auth . my test nginx.conf is next . cat /etc/nginx/nginx.conf worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80 server_name s.sun.ddns.vc; root /var/www/htdocs; error_page 500 502 503 504 /50x.html; auth_basic Restricted; auth_basic_user_file /var/www/1/.htpasswd; location = /50x.html { root /var/www/htdocs; } } } when internal server error occur . i overcome by ' chown -R www /var/www ' . is this right ? -- tuyosi
Re: nginx how to run first site as open , and second
Hi, On 2014-12-30 on 05:30 CET Tuyosi Takesima wrote : thanks for good advice . surely no need to compile to obtain basic auth . my test nginx.conf is next . cat /etc/nginx/nginx.conf worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80 You are missing a ; here--^ server_name s.sun.ddns.vc; root /var/www/htdocs; error_page 500 502 503 504 /50x.html; auth_basic Restricted; auth_basic_user_file /var/www/1/.htpasswd; location = /50x.html { root /var/www/htdocs; } } } when internal server error occur . i overcome by ' chown -R www /var/www ' . is this right ? No. You just need to check the entries in /var/www/logs/error.log where you will probably find something like *1 open() /1/.htpasswd failed (13: Permission denied), and so you should check the ownership of /var/www/1/.htpasswd . This file must be readable by user www. It should be something like $ ls -l /var/www/1/.htpasswd -r 1 www daemon 67 Dec 30 05:50 .htpasswd If you created .htpasswd as root or another user the ownership will probably be wrong. No need to change the ownership of the whole tree under /var/www . -- tuyosi Cheers, rru
nginx how to run first site as open , and second as basic auth .
hi, all . i use name based virtual host (=server block). i want to run first site as open and second site as restricted (basic auth), but it is hard to do and there is little information on internet about this . it is easy to run only name based virtualhost (=server block) . nginx.conf is next . worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80; server_name a.mydns.jp; --- 1st site root /var/www/htdocs/d1; } server { listen 80; listen [::]:80; server_name s.sun.ddns.vc; --- 2nd site root /var/www/htdocs/d2; } } --- give me some hints .
Re: nginx how to run first site as open , and second as basic auth .
i want to run first site as open and second site as restricted (basic auth), but it is hard to do and there is little information on internet about this Just add auth_basic "Test site"; auth_basic_user_file .htpasswd; to second server { ... } block.
Re: nginx how to run first site as open , and second
thanks for kind reply . i rewrite /etc/nginx/nginx.conf . worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.html index.htm; keepalive_timeout 65; server_tokens off; server { listen 80; listen [::]:80; server_name aoiyuma.mydns.jp; root /var/apache2/d1; } server { listen 80; listen [::]:80; server_name saigyou.sun.ddns.vc; root /var/apache2/d2; auth_basic "Test site"; auth_basic_user_file /etc/nginx/.htpasswd; } } but by using walking telephone , internal server error happens . about apache2 , ' Require user XXX ' is needed in nginx , is it not necessary ? --- tuyosi
Re: nginx how to run first site as open , and second
i think , think ,so i try archlinux's nginx . the following /etc/nginx/nginx.conf goes well. -- worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name a.mydns.jp; root /srv/http; index index.html index.htm; } server { listen 80; server_name s.sun.ddns.vc; root /srv/http/Fam/; index index.html index.htm; auth_basic Restricted; #For Basic Auth auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth } } in archlinux nginx -V 2>&1 | tr -- - '\n' | grep _module is next (see http://serverfault.com/questions/223509/how-can-i-see-which-flags-nginx-was-compiled-with ) imap_ssl_module http_dav_module http_gunzip_module http_gzip_static_module http_realip_module http_spdy_module http_ssl_module http_stub_status_module http_addition_module http_degradation_module http_flv_module http_mp4_module http_secure_link_module http_sub_module but in openbsd , there are much less modules by security first policy . so basic auth except ssl is ineffective in openbsd , so i think . - tuyosi
clean URL's want enable using NginX
I've tried a number of things with no success. Any help would be greatly appreciated. #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] $request ' # '$status $body_bytes_sent $http_referer ' # '$http_user_agent $http_x_forwarded_for'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /htdocs; index index.html index.htm index.php; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /htdocs; } location @rewrite { # Some modules enforce no slash (/) at the end of the URL # Else this rewrite block wouldn't be needed (GlobalRedirect) rewrite ^/(.*)$ /index.php?q=$1; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { #proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { root /htdocs; fastcgi_pass unix:/tmp/php.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /htdocs$fastcgi_script_name; include fastcgi_params; } # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { #deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { #listen 8000; #listen somename:8080; #server_name somename alias another.alias; #location / { #root /htdocs; #index index.html index.htm; #} #} # HTTPS server # #server { #listen 443; #server_name localhost; #ssl on; #ssl_certificate /etc/ssl/server.crt; #ssl_certificate_key 
/etc/ssl/private/server.key; #ssl_session_timeout 5m; #ssl_protocols SSLv2 SSLv3 TLSv1; #ssl_ciphers HIGH:!aNULL:!MD5; #ssl_prefer_server_ciphers on; #location / { #root /htdocs; #index index.html index.htm; #} #} } -- ss
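One way the `@rewrite` block in the config above can take effect, as an added example that is not part of the original post. Nothing in the posted server block refers to the named location, so requests never reach it; a `try_files` line in `location /` is what routes unmatched paths there. The root, socket path and `q` parameter are the post's own, and the `try_files` lines are the addition.

```nginx
# Replacement for the active server { } block of the posted nginx.conf.
server {
    listen       80;
    server_name  localhost;

    # Set once at server level so every location below inherits it,
    # instead of repeating "root /htdocs;" per location.
    root         /htdocs;
    index        index.php index.html index.htm;

    location / {
        # 1. serve the file if it exists,
        # 2. else serve the directory (through its index file),
        # 3. else fall through to the named location below.
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        # /about/team  ->  /index.php?q=about/team
        # Original query arguments are appended after q=... by nginx.
        # The rewritten URI ends in .php, so the location search runs
        # again and lands in the PHP block.
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    location ~ \.php$ {
        # Only scripts that exist under the document root reach PHP.
        try_files      $uri =404;
        fastcgi_pass   unix:/tmp/php.sock;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # Keep leftover Apache control files from being served as static text.
    location ~ /\.ht {
        deny all;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```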
Re: Apache 1.3 vs. nginx vs. base httpd
Hi, Thank you for insights, I see that scripts written in Perl need a special Perl that supports FastCGI (see FastCGI Programmer's Guide - Chapter 3, Developing FastCGI Applications in Perl) ..snip.. The FastCGI-savvy binaries are extensions of standard Perl, and are intended to replace your existing Perl installation...snip.. This is not something I want. I want to use OS's Perl distribution with tools that work directly with standard distribution. May be it is time to consider the possibility to convert Perl/Apache/mod_perl scripts to Erlang Yaws/Mochiweb/WebMachine/Cowboy or even Nitrogen framework. Another question because I use Erlang on OpenBSD ... I applied patches from R15B02 to OTP 17.3 and it seems to work as expected (stress tests, etc). Do you think it is safe this for production environment as I want to migrate the R14B04 applications to OTP 17.3 ? It is scheduled for near future to upgrade OTP from R15B02 to 17.3 ? Bogdan On Thursday, November 13, 2014 9:36 PM, Stuart Henderson s...@spacehopper.org wrote: On 2014-11-13, Bogdan Andu bo...@yahoo.com wrote: Are Perl scripts in FastCGI evaluated in same manner like in mod_perl, or everytime a script is invoked by the server the Perl interpreter is invoked also ? If you run them via slowcgi, the interpreter+script will be started from scratch each time. To have a persistent Perl process, convert your script to talk FastCGI directly (see ports/www/fcgi) or via PSGI and a fastcgi adapter, or use some framework that supports it (in Perl-land you might want to look at frameworks like Mojolicious, Dancer etc). 
I want to setup a 5.6 machine and test all these cool stuff but for the moment I don't have access to such machine and I would like to see what other people experienced with this httpd(8) daemon . httpd was *very* new in 5.6, you want something newer (-current, or keep your eye out for patches). If you want to play with fcgi before updating, nginx and lighttpd support it natively, and apache via a module - it isn't something new, it has been around for years, it's pretty much the only standard way to handle cgi-like scripting in a non-forking webserver. Config methods differ, but scripts should be portable between all the various http servers.
Re: Apache 1.3 vs. nginx vs. base httpd
Hi, thanks for input. is the new httpd daemon ready for production? For example is it safe to migrate Perl scripts from Apache 1.3/mod_perl1.3 to httpd/FastCGI? Are Perl scripts in FastCGI evaluated in same manner like in mod_perl, or everytime a script is invoked by the server the Perl interpreter is invoked also ? From manual pages: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.6/man5/httpd.conf.5?query=httpd.conf&sec=5&arch=amd64&manpath=OpenBSD-5.6 looks very impressive and I see that httpd(8) uses slowcgi(8) - an implementation of FastCGI protocol - to execute cgi scripts, Perl or otherwise. I want to setup a 5.6 machine and test all these cool stuff but for the moment I don't have access to such machine and I would like to see what other people experienced with this httpd(8) daemon . For me these new stuff looks very exciting and I can't wait to try it. Thanks for any thoughts, Bogdan On Thursday, November 6, 2014 6:48 PM, li...@ggp2.com li...@ggp2.com wrote: On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote: 4) will httpd be able to support Perl script processing without the need to talk to an external (FastCGI) daemon? Just my 2c about the new httpd daemon. It's brand new in 5.6, and is shaping up to be an awesome and simple server. I fully intend on replacing nginx with it in production when 5.7 is released. That being said, the 5.6 implementation has some issues that you may want to research further if you'd like to use it. They've already been fixed in -current.
Re: Apache 1.3 vs. nginx vs. base httpd
On 2014-11-13, Bogdan Andu bo...@yahoo.com wrote: Are Perl scripts in FastCGI evaluated in same manner like in mod_perl, or everytime a script is invoked by the server the Perl interpreter is invoked also ? If you run them via slowcgi, the interpreter+script will be started from scratch each time. To have a persistent Perl process, convert your script to talk FastCGI directly (see ports/www/fcgi) or via PSGI and a fastcgi adapter, or use some framework that supports it (in Perl-land you might want to look at frameworks like Mojolicious, Dancer etc). I want to setup a 5.6 machine and test all these cool stuff but for the moment I don't have access to such machine and I would like to see what other people experienced with this httpd(8) daemon . httpd was *very* new in 5.6, you want something newer (-current, or keep your eye out for patches). If you want to play with fcgi before updating, nginx and lighttpd support it natively, and apache via a module - it isn't something new, it has been around for years, it's pretty much the only standard way to handle cgi-like scripting in a non-forking webserver. Config methods differ, but scripts should be portable between all the various http servers.
Re: syweb nginx
Testing rrdtool: apache or php setup faulty: cannot execute /bin/rrdtool However I did copy rrdtool binaries to /var/www/bin/ and they have correct permission. That's not enough. As documented in the rrdtool pkg-readme, you must do: /usr/local/share/examples/rrdtool/rrdtool-chroot enable You should look under /usr/local/share/doc/pkg-readmes/, it comes with a *lot* of OpenBSD specific information... -- Antoine
syweb nginx
I am running amd 5.6 and playing little bit with sysutils/symon Things are looking good and I have close to 100 MB of data in /var/www/symon/rrds/localhost I am trying to plot the data using syweb. I am sure that my installation of php_fpm and nginx works correctly as I have nfsen working properly. Pointing browser http://localhost/syweb/configtest.php Gives Testing rrdtool: apache or php setup faulty: cannot execute /bin/rrdtool However I did copy rrdtool binaries to /var/www/bin/ and they have correct permission. I am just wondering if syweb works with Nginx or require Apache as the setup.inc indicates. Thanks, Predrag P.S. I also found phpSymon http://ryanflannery.net/hacking/phpsymon/ which looks dormant. Any other alternatives?
Re: syweb nginx
On Wed Nov 12 2014 05:04:02 GMT+0100 (CET), Predrag Punosevac wrote: I am running amd 5.6 and playing little bit with sysutils/symon Things are looking good and I have close to 100 MB of data in /var/www/symon/rrds/localhost I am trying to plot the data using syweb. I am sure that my installation of php_fpm and nginx works correctly as I have nfsen working properly. Pointing browser http://localhost/syweb/configtest.php Gives Testing rrdtool: apache or php setup faulty: cannot execute /bin/rrdtool Note here the path '/bin/rrdtool' not '/var/www/...' However I did copy rrdtool binaries to /var/www/bin/ and they have correct permission. Right, but how do you know that's what is being used. Have you tried a symlink from bin...? I assume it is a webapp script that calls rrdtool, does it have a conf to say where to find it? HTH, george I am just wondering if syweb works with Nginx or require Apache as the setup.inc indicates. Thanks, Predrag P.S. I also found phpSymon http://ryanflannery.net/hacking/phpsymon/ which looks dormant. Any other alternatives? --
Apache 1.3 vs. nginx vs. base httpd
Hi, There are some confusing info about which won the base-webserver in OpenBSD: In 5.6 it seems to be nginx 1.6.0 (http://www.openbsd.org/plus56.html) : Unhooked httpd(8) from build: use of nginx(8) is encouraged now. Removed Apache from base (replaced by nginx(8)). and In current (http://www.openbsd.org/plus.html): Removed nginx from the base system in favour of OpenBSD's homegrown httpd(8). and now I am confused. I was planning to migrate some Perl scripts from mod_perl 1.3/Apache 1.3 to Nginx style using the Perl Module Nginx having direct access to Nginx internals which is almost like doing cgi programming in C. It would made a wonderful combination between speed and security (running on OpenBSD). My questions... 1) why Apache 1.3 (OpenBSD patched version) was also considered to be no more a viable options as base web server? 2) why nginx has been considered a good candidate for base web server in 5.6 and, in -current, lost this place? 3) what would be the performance of running Perl scripts through FastCGI+httpd, compared to Apache1.3/mod_perl1.3 compared to nginx/Nginx perl module? 4) will httpd be able to support Perl script processing without the need to talk to an external (FastCGI) daemon? 5) what would be the best option to run Perl scripts in OpenBSD 5.6 + ? Thank you, Bogdan
Re: Apache 1.3 vs. nginx vs. base httpd
On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote: Hi, There are some confusing info about which won the base-webserver in OpenBSD: In 5.6 it seems to be nginx 1.6.0 (http://www.openbsd.org/plus56.html) : Unhooked httpd(8) from build: use of nginx(8) is encouraged now. Removed Apache from base (replaced by nginx(8)).?? There's no confusion. Search archives and/or check undeadly.org. j.
Re: Apache 1.3 vs. nginx vs. base httpd
On 2014-11-06 09.24.24 +, Bogdan Andu wrote: 3) what would be the performance of running Perl scripts through FastCGI+httpd, compared to Apache1.3/mod_perl1.3 compared to nginx/Nginx perl module? You need to run these benchmarks yourself, on your scripts and data. -Mike
Re: Apache 1.3 vs. nginx vs. base httpd
On Thu, Nov 06, 2014 at 09:24:24AM +, Bogdan Andu wrote: 4) will httpd be able to support Perl script processing without the need to talk to an external (FastCGI) daemon? Just my 2c about the new httpd daemon. It's brand new in 5.6, and is shaping up to be an awesome and simple server. I fully intend on replacing nginx with it in production when 5.7 is released. That being said, the 5.6 implementation has some issues that you may want to research further if you'd like to use it. They've already been fixed in -current.