Re: httpd fails to serve page with default httpd.conf; it shows: 403 Forbidden.
On Sun, Jan 10, 2021 at 07:09:21PM -0800, latincom wrote:

> Hello misc list:
>
> I have had a web server at home for 20 years, and this time I am not able
> to discover the error! I am an agronomist, so my knowledge is in another field.
>
> I rented a server at vultr, with a clean installation, because I lost my
> laptop and backups.
>
> I created rc.conf.local and added httpd_flags="" and, without any other change,
> I did a reboot.
>
> After that, acme-client -v my_domain, then did the test with the default
> httpd.conf! It worked for 1 second and the 403 Forbidden message appeared! httpd
> -n says OK, permissions seem OK to me, I have not touched them.
>
> Your help and OS are very much appreciated.
>
> The new httpd.conf using my_domain:
>
> # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
>
> server "my_domain" {
>         listen on * port 80
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
>         location * {
>                 block return 302 "https://$HTTP_HOST$REQUEST_URI"
>         }
> }
>
> server "my_domain" {
>         listen on * tls port 443
>         tls {
>                 certificate "/etc/ssl/fullchain.pem"
>                 key "/etc/ssl/private/key"
>         }
>         location "/pub/*" {
>                 directory auto index
>         }
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
> }

If you still haven't overcome the above issue, try adding a location block for "/" like:

        location "/*" {
                root "/"
        }

and then place a simple index.html file there and restart httpd.
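The 403 in this thread comes from how httpd turns a request URI into a file path inside its chroot: with no "root" in the matching location (or server) the document root is /htdocs under /var/www, and a directory that has neither an index file nor "directory auto index" is answered 403. The following is an added example, not code from the thread or from OpenBSD's httpd; it models that subset of httpd.conf(5) (location globs, root, request strip, directory index and auto index) in Python and replays the posted https server against a temporary directory standing in for /var/www.

```python
"""Model of how OpenBSD httpd maps a request URI to a file under its chroot.

Added example for this thread, not code from the thread or from OpenBSD.
It models the httpd.conf(5) features the posted configs use: per-server
and per-location 'root', 'location' globs, 'request strip', 'directory
index' and 'directory auto index'. Two rules matter for the 403 above:
with no 'root' the document root is /htdocs inside the /var/www chroot,
and a directory with no index file and no auto index is answered 403.
"""
import fnmatch
import os
import tempfile

DEFAULT_ROOT = "/htdocs"      # document root httpd uses when none is set
DEFAULT_INDEX = "index.html"  # default 'directory index' file


def pick_location(locations, uri):
    """Return the first location whose glob matches the URI, else None.
    httpd tries locations in configuration order; like fnmatch(3) without
    FNM_PATHNAME, '*' also matches '/'."""
    for loc in locations:
        if fnmatch.fnmatchcase(uri, loc.get("pattern", "*")):
            return loc
    return None


def resolve(server, uri, chroot):
    """Return (status, path) for a GET of `uri` against `server`.
    `chroot` is an on-disk directory standing in for /var/www."""
    loc = pick_location(server.get("locations", []), uri) or {}
    root = loc.get("root", server.get("root", DEFAULT_ROOT))
    index = loc.get("index", server.get("index", DEFAULT_INDEX))
    auto = loc.get("auto_index", server.get("auto_index", False))
    # 'request strip N' removes the first N path components before the
    # remainder is appended to the root
    parts = [p for p in uri.split("/") if p]
    stripped = "/" + "/".join(parts[loc.get("request_strip", 0):])
    chroot = os.path.normpath(chroot)
    path = os.path.normpath(chroot + root + stripped)
    if path != chroot and not path.startswith(chroot + os.sep):
        return 403, path            # resolved outside the chroot
    if os.path.isdir(path):
        index_file = os.path.join(path, index)
        if os.path.isfile(index_file):
            return 200, index_file
        if auto:
            return 200, path        # directory listing
        return 403, path            # no index, no listing: Forbidden
    if os.path.isfile(path):
        return 200, path
    return 404, path


def demo():
    """Replay the thread: the stock config with an empty /htdocs answers
    403 for '/', and answers 200 once index.html is in place.
    Returns the status codes (root_before, root_after, acme, pub_listing)."""
    with tempfile.TemporaryDirectory() as chroot:
        for d in ("htdocs", "htdocs/pub", "acme"):
            os.makedirs(os.path.join(chroot, d))
        with open(os.path.join(chroot, "acme", "token"), "w") as f:
            f.write("constructed challenge response")
        # the https server from the stock httpd.conf quoted in the thread
        server = {"locations": [
            {"pattern": "/.well-known/acme-challenge/*",
             "root": "/acme", "request_strip": 2},
            {"pattern": "/pub/*", "auto_index": True},
        ]}
        before = resolve(server, "/", chroot)[0]
        acme = resolve(server, "/.well-known/acme-challenge/token", chroot)[0]
        pub = resolve(server, "/pub/", chroot)[0]
        with open(os.path.join(chroot, "htdocs", DEFAULT_INDEX), "w") as f:
            f.write("<h1>it works</h1>")
        after = resolve(server, "/", chroot)[0]
        return before, after, acme, pub


if __name__ == "__main__":
    print(demo())  # (403, 200, 200, 200)
```

The model does not check file ownership or mode, which the real httpd also needs: it runs as the unprivileged www user, so an index.html that www cannot read produces the same 403 as a missing one. Adding `location "/*" { root "/" }` as suggested above only moves the document root; in both cases the fix is a readable index file under the root that is actually in effect.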
Re: httpd fails to serve page with default httpd.conf; it shows: 403 Forbidden.
Thanks Joseph, I made it work by copying my index.html directly to /htdocs, and adding the location did the trick! Thanks again!

        location "/*" {
                root "/agroena"
        }

On 2021-01-15 12:16 p.m., Joseph Olatt wrote:
>         location "/*" {
>                 root "/"
>         }
httpd fails to serve page with default httpd.conf; it shows: 403 Forbidden.
Hello misc list:

I have had a web server at home for 20 years, and this time I am not able to discover the error! I am an agronomist, so my knowledge is in another field.

I rented a server at vultr, with a clean installation, because I lost my laptop and backups.

I created rc.conf.local and added httpd_flags="" and, without any other change, I did a reboot.

After that, acme-client -v my_domain, then did the test with the default httpd.conf! It worked for 1 second and the 403 Forbidden message appeared! httpd -n says OK, permissions seem OK to me, I have not touched them.

Your help and OS are very much appreciated.

The new httpd.conf using my_domain:

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "my_domain" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

server "my_domain" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/fullchain.pem"
                key "/etc/ssl/private/key"
        }
        location "/pub/*" {
                directory auto index
        }
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}
Re: no default httpd.conf?
On Thu, 17 May 2018 11:26:54 + (UTC) Stuart Henderson wrote:

> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This
> should give you some ideas:

I rather like the idea of separate chroots, or at least a chroot that would keep the listening socket out of reach. Separate sockets for separate users are not very useful if, for example, one user is allowed to fopen() another user's socket, for which the PHP function is just a thin wrapper over the C call.

I'm quoting here from OpenBSD's stock configuration file (from ports & packages.)

==%<-- /etc/php-fpm.conf
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web
; server. Many BSD-derived systems allow connections regardless of
; permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www
listen.group = www
listen.mode = 0660

; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
==%<--

I'm not trying to be hung up on PHP especially, either. This is rather a general issue, because we would have exactly the same problem in Perl, Python, Ruby, or any of several other popular web languages out there.

On Thu, 17 May 2018 11:20:29 +0300 Vadim Zhukov wrote:

> Regarding su-php, I'd go with per-user php-fpm process, actually,
> that's much safer, and rarely used ones can easily wait in swap

Do you think I have thousands of customers, and the little people's web pages are taking too long to load? No, that's a whole other issue ...

> (I feel that you're trying to pack as many users as possible).
Ok, sure, but if you can't do that, then what is the point of a multi-user operating system, anyways? A one-user webserver? Because everybody has permission somehow or another to read everybody else's scripts and database passwords.

So let's start with a much simpler use case: I need to be able to add a test user and try out some stupid or crazy web programming project or idea without risking my production stuff that happens to be hosted on the same machine. Customers do that anyways at any web hosting provider.

> Did you ever look in /etc/examples?

"Jesus saith unto them, Did ye never read in the scriptures, ... ?"

That's almost a little bit of a mess, because these are not actual settings applied to system configuration, and I would not have expected to find them in the /etc directory. I was looking for examples more in /usr/share somewhere before my system locate database was populated.

That one (/etc/examples/httpd.conf) somewhat "encourages" https-only, without actually using hsts. That would be okay, except a lot of times I am at a coffee shop or similar, and I have to visit a plain http page to trigger a redirect for login, because I am not willing to waive the certificate validation error that I get when I try to visit a secure site from public wifi somewhere.

> OpenBSD HTTPd is a web server, but not every web server is a
> fully-featured Apache HTTP Server replacement. So, yes, no UserDir.
> If you need this functionality, then just install apache-httpd from
> packages.

Apache has plenty of its own shortcomings, and I'm sure there was good cause to throw it out of base OpenBSD.
Re: no default httpd.conf?
2018-05-17 14:26 GMT+03:00 Stuart Henderson:
> On 2018-05-17, Vadim Zhukov wrote:
>> 17 May 2018 5:50:16 GMT+03:00, justina colmena
>> writes:
>>
>> Regarding su-php, I'd go with per-user php-fpm process, actually,
>> that's much safer, and rarely used ones can easily wait in swap (I
>> feel that you're trying to pack as many users as possible). You
>> can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1,
>> /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags
>> like "-u USER1" for those in rc.conf.
>
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This should
> give you some ideas:
>
> [global]
> error_log = syslog
> syslog.facility = daemon
> log_level = notice
>
> [www]
> user = www
> group = www
> listen = /var/www/run/php-fpm.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 3
> chroot = /var/www
>
> [web1]
> user = _web1
> group = _web1
> listen = /var/www/run/php-fpm-web1.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 2
> chroot = /var/www
> env[TMP] = /var/www/web1/tmp
> env[TMPDIR] = /var/www/web1/tmp

Now that breakfast is gone I start to think you (and Josh earlier) are right: a single php-fpm process should be fine. :)

--
WBR,
  Vadim Zhukov
Re: no default httpd.conf?
On 2018-05-17, Vadim Zhukov wrote:
> 17 May 2018 5:50:16 GMT+03:00, justina colmena writes:
>
> Regarding su-php, I'd go with per-user php-fpm process, actually,
> that's much safer, and rarely used ones can easily wait in swap (I
> feel that you're trying to pack as many users as possible). You
> can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1,
> /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags
> like "-u USER1" for those in rc.conf.

No need to run multiple copies of php-fpm yourself, it handles multi uid itself. Various ways to handle chroot as well, you can chroot them separately, or use a shared chroot and rely on permissions. This should give you some ideas:

[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0600
pm = dynamic
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www

[web1]
user = _web1
group = _web1
listen = /var/www/run/php-fpm-web1.sock
listen.owner = www
listen.group = www
listen.mode = 0600
pm = dynamic
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chroot = /var/www
env[TMP] = /var/www/web1/tmp
env[TMPDIR] = /var/www/web1/tmp
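The pools above answer the earlier worry in this thread that one user's script could fopen() another user's php-fpm socket: each pool runs as its own uid, is chrooted, and its socket is owned by www with mode 0600, so only the web server can connect to it. The following is an added example, not code from the thread or from php-fpm; it parses pool definitions with Python's configparser and audits them for exactly those three properties. SAMPLE_CONF is constructed: [www] and [web1] follow the pools posted above, and [web2] is a deliberately weak pool added to show what the audit reports. The rules are this example's own, not a php-fpm or OpenBSD policy.

```python
"""Audit php-fpm pool definitions for the isolation properties discussed
in this thread: a socket that other local users cannot open, a distinct
uid per pool, and a chroot.

Added example, not code from the thread or from php-fpm. SAMPLE_CONF is
constructed: the [www] and [web1] pools follow the ones Stuart posted,
and [web2] is a deliberately weak pool added to show the findings.
The audit rules are this example's own, not a php-fpm or OpenBSD policy.
"""
import configparser
import stat

SAMPLE_CONF = """
[global]
error_log = syslog
log_level = notice

[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0600
chroot = /var/www

[web1]
user = _web1
group = _web1
listen = /var/www/run/php-fpm-web1.sock
listen.owner = www
listen.group = www
listen.mode = 0600
chroot = /var/www
env[TMPDIR] = /var/www/web1/tmp

; constructed weak pool: shares the www uid, keeps the 0660 default
; socket mode, and has no chroot
[web2]
user = www
group = www
listen = /var/www/run/php-fpm-web2.sock
listen.owner = www
listen.group = www
listen.mode = 0660
"""

DEFAULT_LISTEN_MODE = "0660"   # php-fpm's default when listen.mode is unset


def parse_pools(text):
    """Return {pool_name: {key: value}} for every section except [global].
    php-fpm.conf is INI-style with ';' comments, which configparser reads."""
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=(";", "#"))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections() if name != "global"}


def audit_pool(name, pool, web_user="www"):
    """Findings for a single pool; an empty list means it passes."""
    findings = []
    if "chroot" not in pool:
        findings.append(f"{name}: not chrooted")
    listen = pool.get("listen", "")
    if not listen.startswith("/"):
        # a TCP socket has no file permissions: any local user can connect
        findings.append(f"{name}: listens on TCP {listen}, any local user can connect")
    else:
        mode = int(pool.get("listen.mode", DEFAULT_LISTEN_MODE), 8)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: socket mode {mode:04o} is reachable by group/other")
        # listen.owner defaults to the pool's own user; with mode 0600 the
        # web server can only connect if it is the owner
        if pool.get("listen.owner", pool.get("user")) != web_user:
            findings.append(f"{name}: socket not owned by web server user {web_user!r}")
    return findings


def audit(text, web_user="www"):
    """Audit every pool in `text`; also flag pools that share a uid, since
    two pools under one uid can read each other's scripts and credentials."""
    findings = []
    pool_of_uid = {}
    for name, pool in parse_pools(text).items():
        findings.extend(audit_pool(name, pool, web_user))
        user = pool.get("user")
        if user in pool_of_uid:
            findings.append(f"{name}: runs as {user!r}, shared with pool {pool_of_uid[user]!r}")
        else:
            pool_of_uid[user] = name
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

Run against a real /etc/php-fpm.conf (plus any pool files it includes) the script reports the pools that would let one customer's code reach another's; the www and web1 pools from the thread pass, and only the constructed web2 pool is reported. The uid check is the one that matters most: a shared chroot with separate uids still relies on ordinary file permissions inside /var/www keeping one user's scripts out of the other's directories.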
Re: no default httpd.conf?
17 May 2018 5:50:16 GMT+03:00, justina colmena writes:
> I just recently installed OpenBSD 6.3, and I was looking for an example
> httpd.conf, but I did not find one. The manual page does document
> more or less how to create one, but there still appears to be some lack
> of ease and safety putting up a basic web page with dynamic content (I
> am most used to PHP and PostgreSQL for that purpose, but of course
> there are many options that more or less replace the ubiquitous "LAMP"
> or "Linux/Apache/MySQL/PHP" stack.
>
> Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
> directive. Of course the real user directory has to dwell somewhere in
> the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
> course, is wildcard subdomains, but those do not really cooperate all
> that well with https, dnssec, or caa records, or with certain other
> general goals of security.
>
> The other thing I am curious about is something like "su-php" which
> appears to be deprecated and outdated. So, assuming some sort of
> UserDir scenario, (probably more sophisticated than my very basic one I
> have hacked together below,) does php-fpm have a way to prevent one
> user's malicious php script from reading another user's database
> access credentials?
>
> %<
> # /etc/httpd.conf for amarillo.colmena.biz
>
> server "default" {
>         listen on * port 80
>         listen on :: port 80
>         listen on * tls port 443
>         listen on :: tls port 443
>         tls certificate "/etc/ssl/fullchain.pem"
>         directory index index.php
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         location match "/~justina/.*%.php" {
>                 root "/justina"
>                 root strip 1
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "*.php" {
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "/~justina/*" {
>                 root "/justina"
>                 root strip 1
>                 directory auto index
>         }
>         location "/~justina" {
>                 block return 301 "/~justina/"
>         }
> }
> types {
>         include "/usr/share/misc/mime.types"
> }

Did you ever look in /etc/examples?
OpenBSD HTTPd is a web server, but not every web server is a fully-featured Apache HTTP Server replacement. So, yes, no UserDir. If you need this functionality, then just install apache-httpd from packages.

Regarding su-php, I'd go with per-user php-fpm process, actually, that's much safer, and rarely used ones can easily wait in swap (I feel that you're trying to pack as many users as possible). You can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1, /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags like "-u USER1" for those in rc.conf.

--
WBR,
  Vadim Zhukov
Re: no default httpd.conf?
Hey there.

With the su-php question, try looking into php-fpm's pools. In there you can define a socket / port to listen on, and a username/group to run that pool as. So that means in httpd.conf you can assign different locations/virtualhosts to different php sockets/ports, and thereby assign different uid/gid's.

Cheers
Josh

On 17/05/18 14:50, justina colmena wrote:
> I just recently installed OpenBSD 6.3, and I was looking for an example
> httpd.conf, but I did not find one. The manual page does document
> more or less how to create one, but there still appears to be some lack
> of ease and safety putting up a basic web page with dynamic content (I
> am most used to PHP and PostgreSQL for that purpose, but of course
> there are many options that more or less replace the ubiquitous "LAMP"
> or "Linux/Apache/MySQL/PHP" stack.
>
> Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
> directive. Of course the real user directory has to dwell somewhere in
> the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
> course, is wildcard subdomains, but those do not really cooperate all
> that well with https, dnssec, or caa records, or with certain other
> general goals of security.
>
> The other thing I am curious about is something like "su-php" which
> appears to be deprecated and outdated. So, assuming some sort of
> UserDir scenario, (probably more sophisticated than my very basic one I
> have hacked together below,) does php-fpm have a way to prevent one
> user's malicious php script from reading another user's database
> access credentials?
>
> %<
> # /etc/httpd.conf for amarillo.colmena.biz
>
> server "default" {
>         listen on * port 80
>         listen on :: port 80
>         listen on * tls port 443
>         listen on :: tls port 443
>         tls certificate "/etc/ssl/fullchain.pem"
>         directory index index.php
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         location match "/~justina/.*%.php" {
>                 root "/justina"
>                 root strip 1
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "*.php" {
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "/~justina/*" {
>                 root "/justina"
>                 root strip 1
>                 directory auto index
>         }
>         location "/~justina" {
>                 block return 301 "/~justina/"
>         }
> }
> types {
>         include "/usr/share/misc/mime.types"
> }
no default httpd.conf?
I just recently installed OpenBSD 6.3, and I was looking for an example httpd.conf, but I did not find one. The manual page does document more or less how to create one, but there still appears to be some lack of ease and safety putting up a basic web page with dynamic content (I am most used to PHP and PostgreSQL for that purpose, but of course there are many options that more or less replace the ubiquitous "LAMP" or "Linux/Apache/MySQL/PHP" stack.

Now there is nothing in OpenBSD's httpd really like Apache's "UserDir" directive. Of course the real user directory has to dwell somewhere in the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of course, is wildcard subdomains, but those do not really cooperate all that well with https, dnssec, or caa records, or with certain other general goals of security.

The other thing I am curious about is something like "su-php" which appears to be deprecated and outdated. So, assuming some sort of UserDir scenario, (probably more sophisticated than my very basic one I have hacked together below,) does php-fpm have a way to prevent one user's malicious php script from reading another user's database access credentials?

%<
# /etc/httpd.conf for amarillo.colmena.biz

server "default" {
        listen on * port 80
        listen on :: port 80
        listen on * tls port 443
        listen on :: tls port 443
        tls certificate "/etc/ssl/fullchain.pem"
        directory index index.php
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
        location match "/~justina/.*%.php" {
                root "/justina"
                root strip 1
                fastcgi socket "/run/php-fpm.sock"
        }
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
        location "/~justina/*" {
                root "/justina"
                root strip 1
                directory auto index
        }
        location "/~justina" {
                block return 301 "/~justina/"
        }
}
types {
        include "/usr/share/misc/mime.types"
}