Re: httpd fail to serve page with default httpd.conf; it shows: 403 Forbidden.

2021-01-15 Thread Joseph Olatt
On Sun, Jan 10, 2021 at 07:09:21PM -0800, latincom wrote:
> Hello misc list:
> 
> I have had a Web Server at home for 20 years, and this time, I am not able
> to discover the error! I am an agronomist, so my knowledge is in another field.
> 
> I rented a server at vultr, with a clean installation, because I lost my
> Laptop and back ups.
> 
> I created rc.conf.local and added httpd_flags="" and without any change I
> did a reboot.
> 
> After that, acme-client -v my_domain, then did the test with the default
> httpd.conf! It worked for 1 second and a 403 Forbidden message appeared! httpd
> -n says OK, permissions seem OK to me, I have not touched them.
> 
> Your help and OS are very much appreciated
> 
> The new httpd.conf using my_domain:
> 
> # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
> 
> server "my_domain" {
>   listen on * port 80
>   location "/.well-known/acme-challenge/*" {
>   root "/acme"
>   request strip 2
>   }
>   location * {
>   block return 302 "https://$HTTP_HOST$REQUEST_URI"
>   }
> }
> 
> server "my_domain" {
>   listen on * tls port 443
>   tls {
>   certificate "/etc/ssl/fullchain.pem"
>   key "/etc/ssl/private/key"
>   }
>   location "/pub/*" {
>   directory auto index
>   }
>   location "/.well-known/acme-challenge/*" {
>   root "/acme"
>   request strip 2
>   }
> }

If you still haven't overcome the above issue, try adding a location
block for "/" like:

location "/*" {
root "/"
}

and then place a simple index.html file there and restart httpd.



Re: httpd fail to serve page with default httpd.conf; it shows: 403 Forbidden.

2021-01-15 Thread latincom

Thanks Joseph

I got it to work by copying my index.html directly to /htdocs; adding the
location did the trick! Thanks again!:


location "/*" {
root "/agroena"
}

On 2021-01-15 12:16 p.m., Joseph Olatt wrote:

> location "/*" {
>  root "/"
>  }
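Added here as a worked check (it is not from the thread and not an OpenBSD tool): the Python below walks through what has to be true on disk for httpd to serve a "root" directory instead of answering 403. httpd(8) chroots to /var/www and runs as user www, so root "/agroena" means /var/www/agroena, and www needs search permission on every directory from the chroot down to the document root plus read permission on the index file; a directory with no index file and no "directory auto index" gets a 403 rather than a listing. The chroot path, the www account and the temporary directory layout built by demo() are assumptions and constructed sample data.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Assumptions: httpd(8) chroots to /var/www and runs as user "www", which does
# not own the site files, so the "other" permission bits decide access.
HTTPD_CHROOT = "/var/www"


def check_docroot(root: str, chroot: str = HTTPD_CHROOT, index: str = "index.html",
                  auto_index: bool = False) -> List[str]:
    """Explain why httpd would answer 403 for the directory named by a "root"
    directive.  Returns a list of problems; empty means the path, permissions
    and index file look fine for an unprivileged reader such as www."""
    problems: List[str] = []
    top = os.path.normpath(chroot)
    # "root" in httpd.conf is relative to the chroot, not to "/" on the host
    docroot = os.path.normpath(os.path.join(top, root.lstrip("/")))
    if not os.path.isdir(docroot):
        return [f"missing: {docroot} (root \"{root}\" is relative to the chroot {top})"]

    # every directory from the document root up to the chroot needs o+x,
    # otherwise www cannot even look the file up
    p = docroot
    while True:
        if not os.stat(p).st_mode & stat.S_IXOTH:
            problems.append(f"not searchable by others: {p}")
        if p == top:
            break
        p = os.path.dirname(p)

    idx = os.path.join(docroot, index)
    if os.path.isfile(idx):
        if not os.stat(idx).st_mode & stat.S_IROTH:
            problems.append(f"not readable by others: {idx}")
    elif not auto_index:
        # no index file and no "directory auto index": httpd answers 403
        # instead of producing a listing
        problems.append(f"no index file: {idx} and directory auto index is off")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios in a temporary tree standing in for /var/www."""
    base = tempfile.mkdtemp()
    chroot = os.path.join(base, "www")
    try:
        layout = {  # directory -> (directory mode, create an index file?)
            "agroena": (0o755, True),   # the working layout from the thread
            "private": (0o700, True),   # directory not searchable by www
            "htdocs": (0o755, False),   # directory without an index file
        }
        for name, (mode, with_index) in layout.items():
            d = os.path.join(chroot, name)
            os.makedirs(d)
            if with_index:
                f = os.path.join(d, "index.html")
                with open(f, "w") as fh:
                    fh.write("<h1>hello</h1>\n")
                os.chmod(f, 0o644)
            os.chmod(d, mode)  # set explicitly; makedirs honours the umask
        os.chmod(chroot, 0o755)
        return {
            "good": check_docroot("/agroena", chroot),
            "locked": check_docroot("/private", chroot),
            "no_index": check_docroot("/htdocs", chroot),
            "auto_index": check_docroot("/htdocs", chroot, auto_index=True),
            "missing": check_docroot("/nothere", chroot),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for case, probs in demo().items():
        print(case, "->", probs or "OK")
```

On a real server the call is check_docroot("/htdocs") with the default chroot; demo() only exercises the constructed layouts, and the "locked" case is the one that matches files copied in with a restrictive umask.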




httpd fail to serve page with default httpd.conf; it shows: 403 Forbidden.

2021-01-10 Thread latincom

Hello misc list:

I have had a Web Server at home for 20 years, and this time, I am not 
able to discover the error! I am an agronomist, so my knowledge is in 
another field.


I rented a server at vultr, with a clean installation, because I lost my 
Laptop and back ups.


I created rc.conf.local and added httpd_flags="" and without any change 
I did a reboot.


After that, acme-client -v my_domain, then did the test with the default 
httpd.conf! It worked for 1 second and a 403 Forbidden message appeared! 
httpd -n says OK, permissions seem OK to me, I have not touched them.


Your help and OS are very much appreciated

The new httpd.conf using my_domain:

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "my_domain" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}

server "my_domain" {
listen on * tls port 443
tls {
certificate "/etc/ssl/fullchain.pem"
key "/etc/ssl/private/key"
}
location "/pub/*" {
directory auto index
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}



Re: no default httpd.conf?

2018-05-17 Thread justina colmena
On Thu, 17 May 2018 11:26:54 +0000 (UTC)
Stuart Henderson  wrote:
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This
> should give you some ideas:

I rather like the idea of separate chroots, or at least a chroot that
would keep the listening socket out of reach. Separate sockets for
separate users are not very useful if, for example, one user is allowed
to fopen() another user's socket, for which the PHP function is just a
thin wrapper over the C call. I'm quoting here from OpenBSD's stock
configuration file (from ports & packages.)

==%<-- /etc/php-fpm.conf
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web
; server. Many BSD-derived systems allow connections regardless of
; permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www
listen.group = www
listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
==%<--

I'm not trying to be hung up on PHP especially, either. This is rather
a general issue, because we would have exactly the same problem in
Perl, Python, Ruby, or any of several other popular web languages out
there.

On Thu, 17 May 2018 11:20:29 +0300
Vadim Zhukov  wrote:
> Regarding su-php, I'd go with a per-user php-fpm process, actually;
> that's much safer, and rarely used ones can easily wait in swap
Do you think I have thousands of customers, and the little people's web
pages are taking too long to load? No, that's a whole other issue ...

> (I feel that you're trying to pack as many users as possible).

Ok, sure, but if you can't do that, then what is the point of a
multi-user operating system, anyways? A one-user webserver? Because
everybody has permission somehow or another to read everybody else's
scripts and database passwords.

So let's start with a much simpler use case: I need to be able to add a
test user and try out some stupid or crazy web programming project or
idea without risking my production stuff that happens to be hosted on
the same machine. Customers do that anyways at any web hosting
provider.

> Did you ever look in /etc/examples?

"Jesus saith unto them, Did ye never read in the scriptures, ... ?"

That's almost a little bit of a mess, because these are not actual
settings applied to system configuration, and I would not have expected
to find them in the /etc directory. I was looking for examples more
in /usr/share somewhere before my system locate database was populated.
That one (/etc/examples/httpd.conf) somewhat "encourages" https-only,
without actually using hsts.

That would be okay, except a lot of times I am at a coffee shop or
similar, and I have to visit a plain http page to trigger a redirect
for login, because I am not willing to waive the certificate validation
error that I get when I try to visit a secure site from public wifi
somewhere.

> OpenBSD HTTPd is a web server, but not every web server is a
> fully-featured Apache HTTP Server replacement. So, yes, no UserDir.
> If you need this functionality, then just install apache-httpd from
> packages.

Apache has plenty of its own shortcomings, and I'm sure there was good
cause to throw it out of base OpenBSD.



Re: no default httpd.conf?

2018-05-17 Thread Vadim Zhukov
2018-05-17 14:26 GMT+03:00 Stuart Henderson :
> On 2018-05-17, Vadim Zhukov  wrote:
>> On 17 May 2018 at 5:50:16 GMT+03:00, justina colmena  wrote:
>>
>> Regarding su-php, I'd go with a per-user php-fpm process, actually;
>> that's much safer, and rarely used ones can easily wait in swap (I
>> feel that you're trying to pack as many users as possible). You
>> can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1,
>> /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags
>> like "-u USER1" for those in rc.conf.
>
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This should
> give you some ideas:
>
> [global]
> error_log = syslog
> syslog.facility = daemon
> log_level = notice
>
> [www]
> user = www
> group = www
> listen = /var/www/run/php-fpm.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 3
> chroot = /var/www
>
> [web1]
> user = _web1
> group = _web1
> listen = /var/www/run/php-fpm-web1.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 2
> chroot = /var/www
> env[TMP] = /var/www/web1/tmp
> env[TMPDIR] = /var/www/web1/tmp

Now that breakfast is gone I start to think you (and Josh earlier) are
right: a single php-fpm process should be fine. :)

--
  WBR,
  Vadim Zhukov



Re: no default httpd.conf?

2018-05-17 Thread Stuart Henderson
On 2018-05-17, Vadim Zhukov  wrote:
> On 17 May 2018 at 5:50:16 GMT+03:00, justina colmena  wrote:
>
> Regarding su-php, I'd go with a per-user php-fpm process, actually;
> that's much safer, and rarely used ones can easily wait in swap (I
> feel that you're trying to pack as many users as possible). You
> can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1,
> /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags
> like "-u USER1" for those in rc.conf.

No need to run multiple copies of php-fpm yourself, it handles multi
uid itself. Various ways to handle chroot as well, you can chroot them
separately, or use a shared chroot and rely on permissions. This should
give you some ideas:

[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0600
pm = dynamic
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www

[web1]
user = _web1
group = _web1
listen = /var/www/run/php-fpm-web1.sock
listen.owner = www
listen.group = www
listen.mode = 0600
pm = dynamic
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chroot = /var/www
env[TMP] = /var/www/web1/tmp
env[TMPDIR] = /var/www/web1/tmp




Re: no default httpd.conf?

2018-05-17 Thread Vadim Zhukov
On 17 May 2018 at 5:50:16 GMT+03:00, justina colmena  wrote:
>I just recently installed OpenBSD 6.3, and I was looking for an example
>httpd.conf, but I did not find one. The manual page does document
>more or less how to create one, but there still appears to be some lack
>of ease and safety putting up a basic web page with dynamic content (I
>am most used to PHP and PostgreSQL for that purpose, but of course
>there are many options that more or less replace the ubiquitous "LAMP"
>or "Linux/Apache/MySQL/PHP" stack).
>
>Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
>directive. Of course the real user directory has to dwell somewhere in
>the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
>course, is wildcard subdomains, but those do not really cooperate all
>that well with https, dnssec, or caa records, or with certain other
>general goals of security.
>
>The other thing I am curious about is something like "su-php" which
>appears to be deprecated and outdated. So, assuming some sort of
>UserDir
>scenario, (probably more sophisticated than my very basic one I
>have hacked together below,) does php-fpm have a way to prevent one
>user's malicious php script from reading another user's database
>access credentials?
>
>%<
># /etc/httpd.conf for amarillo.colmena.biz
>
>server "default" {
>listen on * port 80
>listen on :: port 80
>listen on * tls port 443
>listen on :: tls port 443
>tls certificate "/etc/ssl/fullchain.pem"
>directory index index.php
>location "/.well-known/acme-challenge/*" {
>root "/acme"
>root strip 2
>}
>location match "/~justina/.*%.php" {
>root "/justina"
>root strip 1
>fastcgi socket "/run/php-fpm.sock"
>}
>location "*.php" {
>fastcgi socket "/run/php-fpm.sock"
>}
>location "/~justina/*" {
>root "/justina"
>root strip 1
>directory auto index
>}
>location "/~justina" {
>block return 301 "/~justina/"
>}
>}
>types {
>include "/usr/share/misc/mime.types"
>}

Did you ever look in /etc/examples?

OpenBSD HTTPd is a web server, but not every web server is a fully-featured Apache 
HTTP Server replacement. So, yes, no UserDir. If you need this functionality, 
then just install apache-httpd from packages.

Regarding su-php, I'd go with a per-user php-fpm process, actually; that's much 
safer, and rarely used ones can easily wait in swap (I feel that you're trying 
to pack as many users as possible). You can even use symlinks to create, e.g., 
/etc/rc.d/phpXY_fpm_USER1, /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up 
different flags like "-u USER1" for those in rc.conf.

-- 
  WBR,
Vadim Zhukov



Re: no default httpd.conf?

2018-05-16 Thread Josh

Hey there.

With the su-php question, try looking into php-fpm's pools. In there you 
can define a socket/port to listen on, and a username/group to run 
that pool as. So that means in httpd.conf you can assign different 
locations/virtualhosts to different PHP sockets/ports, and thereby 
assign different uids/gids.


Cheers

Josh


On 17/05/18 14:50, justina colmena wrote:

> I just recently installed OpenBSD 6.3, and I was looking for an example
> httpd.conf, but I did not find one. The manual page does document
> more or less how to create one, but there still appears to be some lack
> of ease and safety putting up a basic web page with dynamic content (I
> am most used to PHP and PostgreSQL for that purpose, but of course
> there are many options that more or less replace the ubiquitous "LAMP"
> or "Linux/Apache/MySQL/PHP" stack).
>
> Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
> directive. Of course the real user directory has to dwell somewhere in
> the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
> course, is wildcard subdomains, but those do not really cooperate all
> that well with https, dnssec, or caa records, or with certain other
> general goals of security.
>
> The other thing I am curious about is something like "su-php" which
> appears to be deprecated and outdated. So, assuming some sort of UserDir
> scenario, (probably more sophisticated than my very basic one I
> have hacked together below,) does php-fpm have a way to prevent one
> user's malicious php script from reading another user's database
> access credentials?
>
> %<
> # /etc/httpd.conf for amarillo.colmena.biz
>
> server "default" {
>  listen on * port 80
>  listen on :: port 80
>  listen on * tls port 443
>  listen on :: tls port 443
>  tls certificate "/etc/ssl/fullchain.pem"
>  directory index index.php
>  location "/.well-known/acme-challenge/*" {
>  root "/acme"
>  root strip 2
>  }
>  location match "/~justina/.*%.php" {
>  root "/justina"
>  root strip 1
>  fastcgi socket "/run/php-fpm.sock"
>  }
>  location "*.php" {
>  fastcgi socket "/run/php-fpm.sock"
>  }
>  location "/~justina/*" {
>  root "/justina"
>  root strip 1
>  directory auto index
>  }
>  location "/~justina" {
>  block return 301 "/~justina/"
>  }
> }
> types {
>  include "/usr/share/misc/mime.types"
> }




no default httpd.conf?

2018-05-16 Thread justina colmena
I just recently installed OpenBSD 6.3, and I was looking for an example
httpd.conf, but I did not find one. The manual page does document
more or less how to create one, but there still appears to be some lack
of ease and safety putting up a basic web page with dynamic content (I
am most used to PHP and PostgreSQL for that purpose, but of course
there are many options that more or less replace the ubiquitous "LAMP"
or "Linux/Apache/MySQL/PHP" stack).

Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
directive. Of course the real user directory has to dwell somewhere in
the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
course, is wildcard subdomains, but those do not really cooperate all
that well with https, dnssec, or caa records, or with certain other
general goals of security.

The other thing I am curious about is something like "su-php" which
appears to be deprecated and outdated. So, assuming some sort of UserDir
scenario, (probably more sophisticated than my very basic one I
have hacked together below,) does php-fpm have a way to prevent one
user's malicious php script from reading another user's database
access credentials?

%<
# /etc/httpd.conf for amarillo.colmena.biz

server "default" {
listen on * port 80
listen on :: port 80
listen on * tls port 443
listen on :: tls port 443
tls certificate "/etc/ssl/fullchain.pem"
directory index index.php
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
location match "/~justina/.*%.php" {
root "/justina"
root strip 1
fastcgi socket "/run/php-fpm.sock"
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/~justina/*" {
root "/justina"
root strip 1
directory auto index
}
location "/~justina" {
block return 301 "/~justina/"
}
}
types {
include "/usr/share/misc/mime.types"
}