httpd rewrite and REQUEST_URI value

2018-06-23 Thread Scott Vanderbilt
I was very eager to implement the new rewrite functionality in httpd. 
However, I've run into an issue, and I am uncertain whether the new 
behavior is CGI-compliant or not.


The app I am attempting to convert to httpd is currently built on nginx, 
and the rewrite functionality it offers satisfies all of my app's needs. 
But for a variety of reasons, I would prefer to use httpd. My goal is to 
implement a RESTful API, which involves rewriting all requests for 
"virtual" resources to target an index.php page, which uses the SlimPHP 
micro framework to handle routing and all other tasks related to 
servicing requests. That routing relies on the value of the REQUEST_URI 
parameter to perform its work.


In httpd.conf, I have this rewrite rule:

    location match "/hello/.*" {
        request rewrite "/index.php"
    }

while in nginx, I have this one:

    try_files  $uri /index.php;

    location /index.php {
        fastcgi_pass unix:run/php-fpm.sock;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;

        include fastcgi_params;
    }

For the URL: http://example.com/hello/fred, here are the differing 
values of REQUEST_URI:


    nginx: /hello/fred

    httpd: /index.php

Based on the definition in the httpd.conf(5) man page, which says 
$REQUEST_URI contains "the request path and optional query string", I 
would have expected that the original value of REQUEST_URI would have 
been preserved even after the rewrite. Otherwise, there is no way for 
the target resource to know the original (pre-rewrite) URI. Unless, of 
course, it was embedded within the rewritten URI as a query string by 
the rewrite directive in the .conf file. But that's not very practical 
if the original URI already has a query string.


Am I correct in assuming the REQUEST_URI's value should not be altered 
by the rewrite operation? If the post-rewrite URI is meant to be borne 
by DOCUMENT_URI, why also change the value of REQUEST_URI? This makes no 
sense to me.


Many thanks in advance for any enlightenment you can provide.





Re: How to build with VMM_DEBUG

2018-06-23 Thread Ax0n
On Sat, Jun 23, 2018 at 6:10 AM, Stefan Sperling  wrote:

> See https://marc.info/?l=openbsd-bugs=152960299009667=2 for
> a patch you could test.
> (raw patch: https://marc.info/?l=openbsd-bugs=152960299009667=raw)
>

FWIW, that patch didn't apply cleanly to a fresh pull of the tree from
GitHub. I know it's not OFFICIALLY -CURRENT for realsies but it's what I
have been using on this laptop for months. It sounds like it was probably
patched against -STABLE? I didn't read the entire thread on bugs@. I have
tried with 3 daily snapshots in a row and I'm having the same problem. I
haven't actually fired up vmm in a few weeks, so I'm not sure exactly when
it quit working. I'm re-building with VMM_DEBUG first.

Mike, I'll send all relevant info (dmesg, vmd -dvvv, vm.conf) to bugs@ once
I have it, unless this sounds like an ongoing thing you probably have on
your radar already. I'm not in a huge rush, so I can wait a bit if you
think you have something that'll make it into -CURRENT in a while.


Re: How to build with VMM_DEBUG

2018-06-23 Thread Mike Larkin
On Fri, Jun 22, 2018 at 11:41:22PM -0500, Ax0n wrote:
> I'm trying to hunt down a recent breakage with my VMM virtual machines
> refusing to start, and I'm getting errors like this:
> 
> vcpu_run_loop: vm 5 / vcpu 0 run ioctl failed: Invalid argument
> 
> It looks like previous requests for help with this error have resulted in
> being asked to build with the VMM_DEBUG macro, but I don't know how to do
> that. I do not see VMM_DEBUG in the GENERIC config, and just a few ifdefs
> in the code.
> 
> I'd like to gather more info to provide a more complete bug report. Ideas?
> 
> --ax0n

uncomment the #define VMM_DEBUG line at the top part of vmm.c

-ml




Where to put certificates for IKEDv2?

2018-06-23 Thread C. L. Martinez
Hi all,

 I am using Easy-RSA to manage my home's CA (using elliptic curve 
certificates). I have created a certificate for my OpenBSD gw for IKEv2 
connections (using strongswan mainly). My question is where do I need to put 
OpenBSD certs under /etc/iked?

 I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me 
the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

 Do I need to install user certificates also in OpenBSD gw?

thanks
-- 
Greetings,
C. L. Martinez
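
Added example, not part of the original post and not iked's own code: a small Python helper that reads the sa_stateok line from the iked -dvv output quoted above and names the required flags that are still unset when the SA cannot switch to VALID. The bit-to-name table is an assumption inferred from the flag names printed in that log; the function names are hypothetical.

```python
import re

# Bit-to-name table inferred from the flag names iked prints in the log
# above (names appear in ascending bit order); treat it as an assumption.
REQ_FLAGS = [
    (0x0001, "cert"),
    (0x0002, "certvalid"),
    (0x0004, "certreq"),
    (0x0008, "auth"),
    (0x0010, "authvalid"),
    (0x0020, "sa"),
]

STATEOK_RE = re.compile(
    r"sa_stateok:\s+(?P<state>\w+)\s+flags\s+(?P<have>0x[0-9a-fA-F]+),"
    r"\s+require\s+(?P<need>0x[0-9a-fA-F]+)"
)


def flag_names(mask):
    """Return names of the bits set in mask; unknown bits are shown as hex."""
    names = [name for bit, name in REQ_FLAGS if mask & bit]
    known = sum(bit for bit, _ in REQ_FLAGS)
    rest = mask & ~known
    if rest:
        names.append(hex(rest))
    return names


def missing_requirements(log_text):
    """For each sa_stateok line, list the required flags that are not set."""
    results = []
    for m in STATEOK_RE.finditer(log_text):
        have = int(m.group("have"), 16)
        need = int(m.group("need"), 16)
        results.append((m.group("state"), flag_names(need & ~have)))
    return results


# Lines copied from the iked -dvv output in the message above.
SAMPLE = """\
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: no valid local certificate found
"""

if __name__ == "__main__":
    for state, missing in missing_requirements(SAMPLE):
        print(f"cannot reach {state}: missing {', '.join(missing) or 'nothing'}")
```

For the quoted log this reports cert, certvalid and auth as the unmet requirements for VALID, in the same output that contains "ca_getreq: no valid local certificate found".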



Re: How to build with VMM_DEBUG

2018-06-23 Thread Ax0n
On Sat, Jun 23, 2018 at 5:56 AM, Christian Barthel  wrote:

> I am having the same problem after installing "010_intelfpu" on OpenBSD
> 6.3 stable.  If you revert back, does it work for you again?
>

The only vmm(4) capable machine I have is running -CURRENT, so no reverting
syspatches.


> I think you have to uncomment the following line in vmm.c (for amd64,
> this is /usr/src/sys/arch/amd64/amd64/vmm.c):
>
> /* #define VMM_DEBUG */
>
> Then, recompile as usual (release(8)).
>
>
Thanks! I'll give that a shot if the patch posted up-thread by stsp@
doesn't fix it.


why is this pf rule logging?

2018-06-23 Thread Mike
OpenBSD 6.3, amd64

I am seeing this record being logged by pf.  The rule specified in the
record does not have logging enabled.  I must be missing something
simple as to why it is logging, but I can't see it.



20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0:
fe80::1a8b:9dff:fed4:7822 > ff02::1: HBH icmp6: multicast listener query
v2 [|icmp6] [class 0xe0] [hlim 1]



# pfctl -s rules -R 12
pass in quick inet6 proto ipv6-icmp all keep state (max 16,
adaptive.start 6, adaptive.end 12)


Actual pf.conf text for the rule:

pass in quick inet6 proto icmp6 from any to any keep state (max 16)


Why is it logging?

thx.



Re: Restoring MIPS32 support as a private project

2018-06-23 Thread Reese
Hello,

I have always thought about running obsd on my ci20
https://en.wikipedia.org/wiki/Imagination_Creator#Creator_Ci20 the v2 is
the one I have. I am not that great of a coder but could try running
some builds or something. I'd like to get more involved with the
project. I learn a lot just reading the list.

Have a good day all :)

On Fri, Jun 22, 2018 at 02:37:46PM -0500, r...@rvx86.net wrote:
> So, I have a mipsel-none-elf32 bare-metal Clang/LLVM cross-compiler (and the
> corresponding bare-metal GNU cross-binutils), and the platform-specific code
> ('sys/mips/mips' and 'sys/mips/broadcom') from the FreeBSD source tree as a
> starting point.
> 
> Are there any other specific considerations to bootstrapping OpenBSD using
> the cross-compiler? The target is a router (128MB flash, 128MB RAM), so a
> native build is probably impractical, I plan to attach urndis(4) devices to
> its lone USB port primarily.
> 
> (Yes, I plan to do the porting myself, just wanted to ask about any build
> system specifics. There isn't much in the way of documentation re: porting
> OpenBSD to a "new" architecture.)
> 
> Thanks
> R
> 
> 
> 



Re: New laptop recommendations

2018-06-23 Thread Rupert Gallagher
I looked into all of your comments, and I thank you for it. The 
coreboot/libreboot way was very tempting, but not competitive pricewise. I no 
longer have a desktop since the past century, spoiled by three MBPs, and need 
something robust, light, and performing. I spotted an offer for a new Lenovo 
T480, i5 series 8, 8GB RAM with an empty slot for easy upgrade, dual storage 
(!!!) with SSD on m.2 and conventional SATA, dual lithium battery for up to 4 
days of work without need to plug the power cord, a 14" display, fingerprint 
and smartcard reader, and a videocamera. Not happy about the clitmouse, and the 
mechanical mouse buttons. The best part is the cost: 999€ plus VAT. An MBP with 
similar specs costs north of 3000€, all soldered in. So long Apple, and hello 
Lenovo! :-)))

On Tue, Jun 19, 2018 at 12:37, Rupert Gallagher  wrote:

> I'm done with my 10 years old 1200EUR MacBookPro. It served me well, every 
> day, but is now falling apart, finally. I would buy a new one if only Steve 
> Jobs would be alive and keeping Apple inspired. The new models are 
> meticulously designed to make you suffer: expensive, slow cpu, soldered ram, 
> soldered disk, small disk, bad keyboard keys, wifi only, must pay extra for 
> standard connectors. I have 1500EUR for a new laptop. What would you buy with 
> it?


Re: OpenSMTPD and tls no-verify

2018-06-23 Thread Craig Skinner
On Sat, 23 Jun 2018 13:11:37 +0200 "Peter J. Philipp" wrote:
> This is more a question to the OpenSMTPD community. 

There's another mailing list Peter:

http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: OpenSMTPD and tls no-verify

2018-06-23 Thread Peter J. Philipp
On Sat, Jun 23, 2018 at 01:33:59PM +0200, Sebastien Marie wrote:
> Hi Peter,
> 
> The short response is: no.
> 
> The long one is that currently `tls no-verify' applies only for
> smarthost configuration (`relay' with `host url', when tls is implied).
> 
> smtpd(8) should complain if you try the syntax you mentioned with:
> 
>   tls no-verify may not be specified without host on a dispatcher
> 
> Thanks

Thank you!

-peter

> -- 
> Sebastien Marie



Re: OpenSMTPD and tls no-verify

2018-06-23 Thread Sebastien Marie
On Sat, Jun 23, 2018 at 01:11:37PM +0200, Peter J. Philipp wrote:
> Hi,
> 
> This is more a question to the OpenSMTPD community.  In OpenBSD 6.4 and already
> in -current there is a new config file syntax.  I did the work and converted
> my config:
> 
> http://www.centroid.eu/blog/c?article=1529689653
> 
> That is from my blog.  I have a question though whether my config is indeed
> correct.  In another config I had to add "tls no-verify" in the action "relay"
> for it to deliver to my self-signed opensmtpd.  In order to enjoy wide coverage
> to people who I mail to, do I need to add/replace the following statement?
> 
> action "relay" relay
> 
> to
> 
> action "relay" relay tls no-verify
> 
> Any helping feedback would be appreciated.  Thanks.
> 

Hi Peter,

The short response is: no.

The long one is that currently `tls no-verify' applies only for
smarthost configuration (`relay' with `host url', when tls is implied).

smtpd(8) should complain if you try the syntax you mentioned with:

tls no-verify may not be specified without host on a dispatcher

Thanks
-- 
Sebastien Marie



OpenSMTPD and tls no-verify

2018-06-23 Thread Peter J. Philipp
Hi,

This is more a question to the OpenSMTPD community.  In OpenBSD 6.4 and already
in -current there is a new config file syntax.  I did the work and converted
my config:

http://www.centroid.eu/blog/c?article=1529689653

That is from my blog.  I have a question though whether my config is indeed
correct.  In another config I had to add "tls no-verify" in the action "relay"
for it to deliver to my self-signed opensmtpd.  In order to enjoy wide coverage
to people who I mail to, do I need to add/replace the following statement?

action "relay" relay

to

action "relay" relay tls no-verify

Any helping feedback would be appreciated.  Thanks.

-peter



Re: How to build with VMM_DEBUG

2018-06-23 Thread Stefan Sperling
On Fri, Jun 22, 2018 at 11:41:22PM -0500, Ax0n wrote:
> I'm trying to hunt down a recent breakage with my VMM virtual machines
> refusing to start, and I'm getting errors like this:
> 
> vcpu_run_loop: vm 5 / vcpu 0 run ioctl failed: Invalid argument

See https://marc.info/?l=openbsd-bugs=152960299009667=2 for
a patch you could test.
(raw patch: https://marc.info/?l=openbsd-bugs=152960299009667=raw)



Re: How to build with VMM_DEBUG

2018-06-23 Thread Christian Barthel
> I'm trying to hunt down a recent breakage with my VMM virtual machines
> refusing to start, and I'm getting errors like this:
> 
> vcpu_run_loop: vm 5 / vcpu 0 run ioctl failed: Invalid argument

I am having the same problem after installing "010_intelfpu" on OpenBSD
6.3 stable.  If you revert back, does it work for you again?  

> It looks like previous requests for help with this error have resulted in
> being asked to build with the VMM_DEBUG macro, but I don't know how to do
> that. I do not see VMM_DEBUG in the GENERIC config, and just a few ifdefs
> in the code.

I think you have to uncomment the following line in vmm.c (for amd64,
this is /usr/src/sys/arch/amd64/amd64/vmm.c): 

/* #define VMM_DEBUG */

Then, recompile as usual (release(8)).  

> 
> I'd like to gather more info to provide a more complete bug report. Ideas?
> 
> --ax0n
>