Re: npppd - problem with simultaneous sessions
Hi,

On Wed, 6 Jan 2021 21:33:49 +0100 Radek wrote:
> I have a box with relatively fresh install of 68/amd64, fully syspatched.
> There is an npppd server running on it. The problem is that I can have
> only one nppp session at one time. If the second vpn user connects to the
> box, the first nppp session hangs/drops. I probably have missed something
> obvious in my setup but I really can't find what it is.

It seems that only the last person can use the tunnel. This reminds me of problems through NAT.

> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
> Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0

Both sessions seem to be connected from A.B.C.D. Are the clients behind a NAT?

How about the npppd side? Does the client directly connect to

> tunnel L2TP protocol l2tp {
>     listen on X.Y.Z.13
> }

X.Y.Z.13? Or is there a NAT?

On Wed, 6 Jan 2021 21:33:49 +0100 Radek wrote:
> Hi @misc,
>
> I have a box with relatively fresh install of 68/amd64, fully syspatched.
> There is an npppd server running on it. The problem is that I can have
> only one nppp session at one time. If the second vpn user connects to the
> box, the first nppp session hangs/drops. I probably have missed something
> obvious in my setup but I really can't find what it is. Please help me to
> solve the problem. Thank you.
>
> $ cat /etc/npppd/npppd.conf
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
> tunnel L2TP protocol l2tp {
>     listen on X.Y.Z.13
> }
> ipcp IPCP {
>     pool-address 10.109.4.1-10.109.4.32
>     dns-servers 1.1.1.1
> }
> # use pppx(4) interface. use an interface per a ppp session.
> interface pppx0 address 10.109.4.254 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to pppx0
>
> $ cat /etc/hostname.enc0
> up
>
> $ cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.gre.allow=1
> net.pipex.enable=1
>
> $ cat /etc/rc.conf.local
> ipsec=YES
> ipsec_rules=/etc/ipsec.conf
> isakmpd_flags="-K"
> npppd_flags=""
>
> $ cat /etc/ipsec.conf
> wan_ipv4 = X.Y.Z.13
> ike passive esp transport \
>     proto udp from $wan_ipv4 to any port 1701 \
>     main auth "hmac-sha1" enc "3des" group modp1024 \
>     quick auth "hmac-sha1" enc "aes" group modp1024 \
>     psk "pskpskpsk"
>
> $ cat /etc/pf.conf
> [...]
> vpn_if = "pppx"
> vpn_local = "10.109.4.0/24"
> pass in on $ext_if proto udp from any to (egress:0) port {isakmp,ipsec-nat-t,l2tp}
> pass in on $ext_if proto {ah,esp}
> pass log proto { gre } from any to any keep state
> # filter all IPSec traffic on the enc interface
> pass on enc0 keep state (if-bound)
> # allow all traffic in on and out to the VPN network
> pass on $vpn_if from $vpn_local
> pass on $vpn_if to $vpn_local
> # NAT VPN traffic going out on the public interface with the public IP
> match out log on $ext_if inet proto { tcp, udp, icmp } from $vpn_local nat-to ($ext_if) set prio (3,7)
>
> some logs...
>
> Jan 6 20:53:14 fw-u last message repeated 4 times
> Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Jan 6 20:53:16 fw-u last message repeated 2 times
> Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0 winsize=8 hostname=w520 vendor=Microsoft firm=0601
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendSCCRP
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvSCCN
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendZLB
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvZLB
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICRQ session_id=1
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendICRP session_id=6499
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICCN session_id=1 calling_number= tx_conn_speed=1 framing=sync
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 logtype=PPPBind ppp=0
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=Started tunnel=L2TP(A.B.C.D:1701)
> Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendZLB
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=e916be4d/3c630a24
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRASV5.20
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRAS-0-W520
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=.=. .`.M
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=chap proto=mschap_v2 logtype=Success username="rdk" realm=LOCAL
> Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe mismatch our=40bit,
Re: help needed with httpd.conf and rewrite directive
httpd's regex is based on Lua's, the following site will help you figure it out:
https://riptutorial.com/lua/example/20315/lua-pattern-matching

Keep in mind that this list isn't really tolerant of those who just want pre-packaged solutions, you'll have to put in some elbow work.

On Wed, Jan 6, 2021 at 6:20 PM Kevin wrote:
>
> Thanks Edgar,
>
> Unfortunately, still no dice.
>
> Maybe there's a bona fide expert who can chime in and pull my ass from the
> fire here. :-)
>
> Kevin
>
> On Wed, Jan 6, 2021 at 3:46 PM Edgar Pettijohn wrote:
>
> > On Wed, Jan 06, 2021 at 02:12:40PM -0800, Kevin wrote:
> > > Hey gang,
> > >
> > > I'm trying to setup some rewrites in httpd that are needed to make some
> > > software we just purchased work.
> > >
> > > The vendor's official docs only support nginx and apache, and I'm having a
> > > helluva time understanding how to make them work in our beloved OpenBSD.
> > >
> > > Below is the nginx sample they provide.
> > >
> > > Anyone with some httpd rewrite foo mind whacking me with a clue stick on
> > > how to accomplish this purty please?
> > >
> > > Thanks,
> > > Kevin
> > >
> > > location /sendy/l/ {
> > >     rewrite ^/sendy/l/([a-zA-Z0-9/]+)$ /sendy/l.php?i=$1 last;
> > > }
> >
> > I'm not an expert, but I would try:
> >
> > location match "^/sendy/l/([%w\/]+)$" {
> >     request rewrite "/sendy/l.php?i=$1"
> > }
> >
> > good luck
> >
> > Edgar
Re: help needed with httpd.conf and rewrite directive
Thanks Edgar,

Unfortunately, still no dice.

Maybe there's a bona fide expert who can chime in and pull my ass from the fire here. :-)

Kevin

On Wed, Jan 6, 2021 at 3:46 PM Edgar Pettijohn wrote:
> On Wed, Jan 06, 2021 at 02:12:40PM -0800, Kevin wrote:
> > Hey gang,
> >
> > I'm trying to setup some rewrites in httpd that are needed to make some
> > software we just purchased work.
> >
> > The vendor's official docs only support nginx and apache, and I'm having a
> > helluva time understanding how to make them work in our beloved OpenBSD.
> >
> > Below is the nginx sample they provide.
> >
> > Anyone with some httpd rewrite foo mind whacking me with a clue stick on
> > how to accomplish this purty please?
> >
> > Thanks,
> > Kevin
> >
> > location /sendy/l/ {
> >     rewrite ^/sendy/l/([a-zA-Z0-9/]+)$ /sendy/l.php?i=$1 last;
> > }
>
> I'm not an expert, but I would try:
>
> location match "^/sendy/l/([%w\/]+)$" {
>     request rewrite "/sendy/l.php?i=$1"
> }
>
> good luck
>
> Edgar
Re: msdos partition is too small in arm64/miniroot68.img
On Wed, Jan 06, 2021 at 03:53:53PM +, tech-lists wrote:
> Hi,
>
> I'm trying to install openbsd 6.8 on a raspberry pi 4/8GB. The files I need
> to add to the msdos partition are, in total, too
> large to fit (the partition is only 4MB)
>
> Is there some method of increasing the msdos partition size
> of the miniroot.fs image? I'd be doing this from either a freebsd
> or linux desktop. On freebsd, I can virtualise the image with mdconfig. Or
> is there some other way round this, like re-writing the image.

I've been testing openbsd on a raspberry pi 4 8GB, on the sd card. I use only openbsd, but you can virtualize it with qemu to format and copy the partitions.

This is my experience:

* Download the current miniroot.fs (I've used only current).
* Create a vnode disk with vnconfig(8) of the miniroot image to mount its partitions.
* Format the sd card with fdisk, using mbr partitions: +8M fat, rest for openbsd.
* Disklabel the sd card and create the file systems.
* Copy the content of the miniroot partitions to the sd card.
* Copy the content of the uefi firmware to the fat partition of the sd card: https://github.com/pftf/RPi4/releases
* Boot the rpi, press Esc to enter the uefi menu. Disable the RAM limit. Set acpi+dtb.
* At the installer prompt, set the tty to the framebuffer: set tty fb0
* Install OpenBSD like any other arm board.

I suggest to use a mfs disk for tmp, the performance of iridium is enormously improved.

I've problems with some applications being killed randomly. At first I thought that the limits on login.conf were responsible, but it doesn't look like that. If I find the problem I'll post it.

Regards,
adr.
Re: help needed with httpd.conf and rewrite directive
On Wed, Jan 06, 2021 at 02:12:40PM -0800, Kevin wrote:
> Hey gang,
>
> I'm trying to setup some rewrites in httpd that are needed to make some
> software we just purchased work.
>
> The vendor's official docs only support nginx and apache, and I'm having a
> helluva time understanding how to make them work in our beloved OpenBSD.
>
> Below is the nginx sample they provide.
>
> Anyone with some httpd rewrite foo mind whacking me with a clue stick on
> how to accomplish this purty please?
>
> Thanks,
> Kevin
>
> location /sendy/l/ {
>     rewrite ^/sendy/l/([a-zA-Z0-9/]+)$ /sendy/l.php?i=$1 last;
> }

I'm not an expert, but I would try:

location match "^/sendy/l/([%w\/]+)$" {
    request rewrite "/sendy/l.php?i=$1"
}

good luck

Edgar
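For readers following this thread, here is an added httpd.conf fragment (written for this archive page, not Edgar's or Kevin's config and not from the vendor's docs) that expresses the nginx rewrite in httpd's own terms. Two things differ from nginx: the pattern is a Lua-style pattern as described in patterns(7), where `%w` is the alphanumeric class and `/` has to be listed separately, and httpd.conf(5) exposes `location match` captures as `%1` to `%9` rather than `$1`. The server name and document root are placeholders:

```conf
server "www.example.com" {
	listen on * port 80
	root "/htdocs/sendy-site"

	# Lua pattern, not a POSIX/PCRE regex: %w covers [A-Za-z0-9] and the
	# "/" is added to the class explicitly because %w does not include it.
	location match "^/sendy/l/([%w/]+)$" {
		# httpd.conf(5): %n is capture n of the enclosing location match
		request rewrite "/sendy/l.php?i=%1"
	}
}
```

Running `httpd -n` after the change checks the syntax; a request for `/sendy/l/abc123/XYZ` then reaches the PHP handler as `/sendy/l.php?i=abc123/XYZ`. Serving the rewritten `.php` path still needs the fastcgi setup the vendor documentation assumes, which is outside this thread.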
Bug in pkgtools version parsing logic?
Hi there,

I'm looking through the pkgtools code to determine how the version comparison logic works, and I came across this block of code at /usr/libdata/perl5/OpenBSD/PackageName.pm:385:

    sub from_string
    {
        my ($class, $string) = @_;
        my $o = bless { deweys => [ split(/\./o, $string) ],
            suffix => '', suffix_value => 0}, $class;
        if ($o->{deweys}->[-1] =~ m/^(\d+)(rc|alpha|beta|pre|pl)(\d*)$/) {
            $o->{deweys}->[-1] = $1;
            $o->{suffix} = $2;
            $o->{suffix_value} = $3;
        }
        return $o;
    }

From what I understand, this is looking for one of OpenBSD's "special" suffixes for a given version part of a package version. This code seems to only match cases where the "special" portion (rc, alpha, beta etc) of the version sits between a required decimal on the left and an optional decimal on the right.

Looking through the current package listing, I found this one:

    clementine-1.4.0rc1p0.tgz

Given the above regex, the rc1 portion of the package name will not be pulled into the suffix, and I believe that (given a comparison where the 1.4.0 portion of the version doesn't change) a future version comparison with this package version will potentially be done alphabetically? Is this intentional? Or perhaps I'm missing something here or elsewhere with this code.

Thank you,
Jeremy
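To make the question concrete, here is an added Python port of the quoted `from_string()` regex (this is not pkgtools code; the post shows only this one sub, and which string the caller hands to it is not visible here). It applies the same `^(\d+)(rc|alpha|beta|pre|pl)(\d*)$` test to the last dewey component and reports whether a naive comparison of that component would be numeric or alphabetic, which is exactly the distinction the post is asking about. The `last_component_compare_mode` helper is a diagnostic written for this example, not pkgtools' own comparison routine:

```python
import re

# Same suffix grammar as the Perl from_string() quoted above.
SUFFIX_RE = re.compile(r"^(\d+)(rc|alpha|beta|pre|pl)(\d*)$")


def from_string(version):
    """Port of the posted from_string(): split on '.', then try to peel a
    rc/alpha/beta/pre/pl suffix off the last dewey component.  The Perl
    stores $3 verbatim; here an absent digit group becomes 0."""
    deweys = version.split(".")
    suffix, suffix_value = "", 0
    m = SUFFIX_RE.match(deweys[-1])
    if m:
        deweys[-1] = m.group(1)
        suffix = m.group(2)
        suffix_value = int(m.group(3)) if m.group(3) else 0
    return {"deweys": deweys, "suffix": suffix, "suffix_value": suffix_value}


def last_component_compare_mode(v1, v2):
    """Diagnostic (not pkgtools code): after from_string() has run, would a
    plain comparison of the two last components be 'numeric' (both all
    digits) or 'alphabetic' (at least one still carries non-digits)?"""
    a = from_string(v1)["deweys"][-1]
    b = from_string(v2)["deweys"][-1]
    return "numeric" if a.isdigit() and b.isdigit() else "alphabetic"


if __name__ == "__main__":
    # Constructed inputs: the clementine version from the post, with and
    # without the trailing pN, plus two edge cases for the regex.
    for v in ("1.4.0rc1", "1.4.0rc1p0", "2.0rc", "rc1"):
        print(v, "->", from_string(v))
    print(last_component_compare_mode("1.4.0rc1", "1.4.0"))    # numeric
    print(last_component_compare_mode("1.4.0rc1p0", "1.4.0"))  # alphabetic
```

With `1.4.0rc1` the regex does its job (`0` stays a dewey component, `rc`/`1` go to the suffix fields); with `1.4.0rc1p0` handed in whole, the trailing `p0` prevents the match and `0rc1p0` is left as an opaque string, which is the alphabetic-comparison case raised in the post. A bare `rc1` with no leading digit never matches, illustrating the "required decimal on the left" observation.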
help needed with httpd.conf and rewrite directive
Hey gang,

I'm trying to setup some rewrites in httpd that are needed to make some software we just purchased work.

The vendor's official docs only support nginx and apache, and I'm having a helluva time understanding how to make them work in our beloved OpenBSD.

Below is the nginx sample they provide.

Anyone with some httpd rewrite foo mind whacking me with a clue stick on how to accomplish this purty please?

Thanks,
Kevin

location /sendy/l/ {
    rewrite ^/sendy/l/([a-zA-Z0-9/]+)$ /sendy/l.php?i=$1 last;
}
npppd - problem with simultaneous sessions
Hi @misc,

I have a box with relatively fresh install of 68/amd64, fully syspatched. There is an npppd server running on it. The problem is that I can have only one nppp session at one time. If the second vpn user connects to the box, the first nppp session hangs/drops. I probably have missed something obvious in my setup but I really can't find what it is. Please help me to solve the problem. Thank you.

$ cat /etc/npppd/npppd.conf
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on X.Y.Z.13
}
ipcp IPCP {
    pool-address 10.109.4.1-10.109.4.32
    dns-servers 1.1.1.1
}
# use pppx(4) interface. use an interface per a ppp session.
interface pppx0 address 10.109.4.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

$ cat /etc/hostname.enc0
up

$ cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.gre.allow=1
net.pipex.enable=1

$ cat /etc/rc.conf.local
ipsec=YES
ipsec_rules=/etc/ipsec.conf
isakmpd_flags="-K"
npppd_flags=""

$ cat /etc/ipsec.conf
wan_ipv4 = X.Y.Z.13
ike passive esp transport \
    proto udp from $wan_ipv4 to any port 1701 \
    main auth "hmac-sha1" enc "3des" group modp1024 \
    quick auth "hmac-sha1" enc "aes" group modp1024 \
    psk "pskpskpsk"

$ cat /etc/pf.conf
[...]
vpn_if = "pppx"
vpn_local = "10.109.4.0/24"
pass in on $ext_if proto udp from any to (egress:0) port {isakmp,ipsec-nat-t,l2tp}
pass in on $ext_if proto {ah,esp}
pass log proto { gre } from any to any keep state
# filter all IPSec traffic on the enc interface
pass on enc0 keep state (if-bound)
# allow all traffic in on and out to the VPN network
pass on $vpn_if from $vpn_local
pass on $vpn_if to $vpn_local
# NAT VPN traffic going out on the public interface with the public IP
match out log on $ext_if inet proto { tcp, udp, icmp } from $vpn_local nat-to ($ext_if) set prio (3,7)

some logs...

Jan 6 20:53:14 fw-u last message repeated 4 times
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan 6 20:53:16 fw-u last message repeated 2 times
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0 winsize=8 hostname=w520 vendor=Microsoft firm=0601
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendSCCRP
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvSCCN
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendZLB
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvZLB
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICRQ session_id=1
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendICRP session_id=6499
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICCN session_id=1 calling_number= tx_conn_speed=1 framing=sync
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 logtype=PPPBind ppp=0
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=Started tunnel=L2TP(A.B.C.D:1701)
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendZLB
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=e916be4d/3c630a24
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRASV5.20
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRAS-0-W520
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=.=. .`.M
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=chap proto=mschap_v2 logtype=Success username="rdk" realm=LOCAL
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe mismatch our=40bit,128bit,56bit,stateless peer=stateless
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp IP Address peer=0.0.0.0 our=10.109.4.1.
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp logtype=Opened ip=10.109.4.1 assignType=dynamic
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe logtype=Opened our=128bit,stateless peer=128bit,stateless
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base Using pipex=yes
Jan 6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan 6 20:53:43 fw-u last message repeated 2 times
Jan 6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=2/20 protocol=1.0 winsize=8 hostname=x vendor=Microsoft firm=0601
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 Re
Re: httpd configuration.
consultor [2021-01-06 08:43:16 -0800]:
> I did some changes, and it does not work yet! I receive a 404 page Not
> Found.

We can't help you based on these wee fragments of information. You receive a 404 for what? What is the request? Does the requested file actually exist where it should? Does the requested file have the right permissions (at least 0444 for a file and 0755 for directories)?

Bertalan

-- 
Bertalan Z. Péter
PGP: FB9B 34FE 3500 3977 92AE 4809 935C 3BEB 44C1 0F89
Re: msdos partition is too small in arm64/miniroot68.img
On Wed, Jan 6, 2021 at 5:39 PM Theo de Raadt wrote:
> The miniroot is 33MB because it contains many install firmwares, and
> it is 97% full.

True, but the miniroot has space available to expand the msdos partition.

OP: Search the list, I've described a way to do that after you've written the image to a USB drive/stick.
Snort for httpd’s https sessions?!
Is there a way for a hook(?) for snort to read plaintext https sessions in OpenBSD's httpd?! That'd be SUPER SWEET!

-- 
-Luke
Re: Git Daemon rc Script Not Stopping
It was merely a hunch. Thinking of it, I believe there is some magic to cope with that. Never mind my likely red herring.

/Alexander

On January 6, 2021 3:49:46 PM GMT+01:00, ben wrote:
>> Without looking too far, check what pgrep gives. My first suspicion is
>> the initial space in your 'daemon_flags'.
>
> Why does daemon_flags not permit spaces? rc.subr(8) has no information on
> including or lack of whitespace in daemon_flags.
Re: httpd configuration.
I did some changes, and it does not work yet! I receive a 404 page Not Found.

# httpd -n
ok

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "example.com" {
    listen on * port 80
    root "/htdocs/example/"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI";
    }
}

server "example.com" {
    listen on * tls port 443
    root "/htdocs/example/"
    tls {
        certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
        key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
    }
    location "/ENA/*" {
        root "/htdocs/ENA/"
    }
}

On 2021-01-05 6:43 p.m., consultor wrote:
> Hello
>
> I have a server 6.8 that works correctly with the main domain, but it does
> not work with the second. Could you please help?
>
> httpd.conf
>
> # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
>
> server "consultores.ca" {
>     listen on * port 80
>     root "/htdocs/consultores/"
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
>     location * {
>         block return 302 "https://$HTTP_HOST$REQUEST_URI";
>     }
> }
>
> server "consultores.ca" {
>     listen on * tls port 443
>     root "/htdocs/consultores"
>     tls {
>         certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
>         key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
>     }
>     location "/pub/*" {
>         directory auto index
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
> }
>
> server "consultores.ca/ENA" {
>     listen on * port 80
>     root "/htdocs/ENA/"
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
>     location * {
>         block return 302 "https://$HTTP_HOST$REQUEST_URI";
>     }
> }
>
> server "consultores.ca/ENA" {
>     listen on * tls port 443
>     root "/htdocs/ENA"
>     tls {
>         certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
>         key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
>     }
>     location "/pub/*" {
>         directory auto index
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
> }
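How httpd composes a `location`'s `root` with the request path, as an added illustration for this thread (written for this archive page; it is not consultor's config and does not come from any of the replies). Inside a `location`, httpd looks the full request path up under that location's document root, so a request for `/ENA/index.html` handled by `location "/ENA/*" { root "/htdocs/ENA/" }` is resolved under `/htdocs/ENA/` as `ENA/index.html`. `request strip N`, which the existing ACME block already relies on, removes the leading path components before that lookup. Domain, certificate paths and directories are taken from the thread; the file names in the comments are placeholders:

```conf
server "consultores.ca" {
	listen on * tls port 443
	root "/htdocs/consultores"
	tls {
		certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
		key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
	}

	# Request: GET /ENA/index.html
	#   without "request strip": /htdocs/ENA/ENA/index.html
	#   with    "request strip 1": /htdocs/ENA/index.html
	location "/ENA/*" {
		root "/htdocs/ENA"
		request strip 1
	}

	# Same mechanism the thread's ACME block uses:
	#   /.well-known/acme-challenge/TOKEN -> /acme/TOKEN
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
```

When chasing a 404 like the one reported, the httpd error log (or `httpd -dvv` in the foreground) shows the path that was actually opened, which makes a doubled directory component obvious.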
Re: msdos partition is too small in arm64/miniroot68.img
The miniroot is 33MB because it contains many install firmwares, and it is 97% full.

I suggest you find another way of installing.

> I'm trying to install openbsd 6.8 on a raspberry pi 4/8GB. The files I
> need to add to the msdos partition are, in total, too
> large to fit (the partition is only 4MB)
>
> Is there some method of increasing the msdos partition size
> of the miniroot.fs image? I'd be doing this from either a freebsd
> or linux desktop. On freebsd, I can virtualise the image with
> mdconfig. Or is there some other way round this, like re-writing the
> image.
>
> thanks,
> --
> J.
msdos partition is too small in arm64/miniroot68.img
Hi,

I'm trying to install openbsd 6.8 on a raspberry pi 4/8GB. The files I need to add to the msdos partition are, in total, too large to fit (the partition is only 4MB)

Is there some method of increasing the msdos partition size of the miniroot.fs image? I'd be doing this from either a freebsd or linux desktop. On freebsd, I can virtualise the image with mdconfig. Or is there some other way round this, like re-writing the image.

thanks,
-- 
J.
Re: Git Daemon rc Script Not Stopping
> Without looking too far, check what pgrep gives. My first suspicion is
> the initial space in your 'daemon_flags'.

Why does daemon_flags not permit spaces? rc.subr(8) has no information on including or lack of whitespace in daemon_flags.
Re: Wireguard config and confusions
On 2021-01-05, Peter Fraser wrote:
> I did get it work, but it took a lot of tries caused by my confusion.
> I hope this message speed up other who try to configure wireguard.
> I was trying to connect a windows 10 computer to an OpenBsd computer.
> The problem was the OpenBSD computer was a 20 minute drive away,
> And I didn't want to lock myself and others out if I made a mistake.
> Which I did once and had to make the drive.
>
> 1) Ifconfig wg0 debug is not useful
> 2) Ifconfig wg0 -debug is not documented, admittedly it is easy
> guess it existence, but the other - options are documented

It is documented, though only in ifconfig(8) not wg(4). It might be worth adding this to wg(4) and saying where the debug messages will appear.

> 3) If IP address give to wg0 on the server has to be available to the outside
> world to allow establishing connections
> This can be done by giving it an external IP address or using a rdr-to in
> PF.
> 4) the IP address of client interface is what will appear as the source
> address of client, independent of whatever NATing goes on.

Can you expand on this - appear where as the source address? Are you skipping PF processing (which includes NAT) somewhere e.g. "set skip on wg"?

> 5) You can't use the same wgpeer for multiple clients, each one has to be
> unique.
> 6) The wgpeer and wgaip have be set together, you cannot set the separately.

The WIREGUARD section in ifconfig is really required reading when configuring wg(4), I think this covers both of these cases, it has:

    wgpeer publickey
        Select the peer to perform the subsequent operations on. This
        creates a peer with the associated 32-byte, base64-encoded
        publickey if it does not yet exist. This option can be specified
        multiple times in a single command.
    ...
    The following options configure peers for the interface. Each
    interface can have multiple peers. In order to add a peer, a wgpeer
    option must be specified, followed by its configuration options.
    ...
    wgaip allowed-ip/prefix
Re: osp6d p2p send_ls_update
On Tue, Dec 29, 2020 at 06:39:36PM +0200, Kapetanakis Giannis wrote: > Hi, > > I've changed today my config from broadcast to p2p for both ipv4 and ipv6. > > In ospf6d I get this quite often: > > Dec 29 17:39:00 ospf6d[40695]: send_packet: error sending packet on interface > vlanX: Network is unreachable > Dec 29 17:39:00 ospf6d[40695]: send_ls_update: Network is unreachable > > debugging send_packet shows: > Dec 29 18:12:57 ospf6d[65033]: send_packet: error sending packet on interface > vlanX to ::: Network is unreachable > Dec 29 18:12:57 ospf6d[65033]: send_ls_update: Network is unreachable > > The dst_address of send_packet is ::: > This comes from send_ls_update > > system is current (20 dec). > > maybe something more is missing for P2P? > I just sent a patch for this to tech@. I included the diff here as well. With this my P2P link works now. -- :wq Claudio Index: lsupdate.c === RCS file: /cvs/src/usr.sbin/ospf6d/lsupdate.c,v retrieving revision 1.18 diff -u -p -r1.18 lsupdate.c --- lsupdate.c 15 Jul 2020 14:47:41 - 1.18 +++ lsupdate.c 6 Jan 2021 11:28:43 - @@ -474,7 +474,7 @@ ls_retrans_timer(int fd, short event, vo /* ls_retrans_list_free retriggers the timer */ return; } else if (nbr->iface->type == IF_TYPE_POINTOPOINT) - memcpy(&addr, &nbr->iface->dst, sizeof(addr)); + memcpy(&addr, &nbr->addr, sizeof(addr)); else inet_pton(AF_INET6, AllDRouters, &addr); } else Index: packet.c === RCS file: /cvs/src/usr.sbin/ospf6d/packet.c,v retrieving revision 1.17 diff -u -p -r1.17 packet.c --- packet.c23 Dec 2019 07:33:49 - 1.17 +++ packet.c6 Jan 2021 11:52:08 - @@ -82,12 +82,9 @@ send_packet(struct iface *iface, struct struct in6_addr *dst) { struct sockaddr_in6 sa6; - struct msghdr msg; - struct ioveciov[1]; - /* setup buffer */ + /* setup sockaddr */ bzero(&sa6, sizeof(sa6)); - sa6.sin6_family = AF_INET6; sa6.sin6_len = sizeof(sa6); sa6.sin6_addr = *dst; 
@@ -104,15 +101,8 @@ send_packet(struct iface *iface, struct return (-1); } - bzero(&msg, sizeof(msg)); - msg.msg_name = &sa6; - msg.msg_namelen = sizeof(sa6); - iov[0].iov_base = buf->buf; - iov[0].iov_len = ibuf_size(buf); - msg.msg_iov = iov; - msg.msg_iovlen = 1; - - if (sendmsg(iface->fd, &msg, 0) == -1) { + if (sendto(iface->fd, buf->buf, ibuf_size(buf), 0, + (struct sockaddr *)&sa6, sizeof(sa6)) == -1) { log_warn("send_packet: error sending packet on interface %s", iface->name); return (-1); @@ -186,11 +176,16 @@ recv_packet(int fd, short event, void *b * AllDRouters is only valid for DR and BDR but this is checked later. */ inet_pton(AF_INET6, AllSPFRouters, &addr); - if (!IN6_ARE_ADDR_EQUAL(&dest, &addr)) { inet_pton(AF_INET6, AllDRouters, &addr); if (!IN6_ARE_ADDR_EQUAL(&dest, &addr)) { - if (!IN6_ARE_ADDR_EQUAL(&dest, &iface->addr)) { + struct iface_addr *ia; + + TAILQ_FOREACH(ia, &iface->ifa_list, entry) { + if (IN6_ARE_ADDR_EQUAL(&dest, &ia->addr)) + break; + } + if (ia == NULL) { log_debug("recv_packet: packet sent to wrong " "address %s, interface %s", log_in6addr(&dest), iface->name);
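Review bot: the lsupdate.c hunk changes the point-to-point retransmit destination from nbr->iface->dst to nbr->addr, which lines up with the reporter's debug output showing send_packet being handed ":::" (iface->dst is evidently unset on a vlan P2P link); since the warning in the report is attributed to send_ls_update, it is worth confirming that no other point-to-point sender in lsupdate.c still reads iface->dst, otherwise the "Network is unreachable" warning only moves to the next call site.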
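Review bot: in the send_packet hunk the text as extracted reads as though `sa6.sin6_family = AF_INET6;` sits on a removed line between the kept `bzero(&sa6, sizeof(sa6));` and `sa6.sin6_len = sizeof(sa6);`; if that is a real deletion and not an extraction artifact, sendto() would be passed a sockaddr with family 0 and fail for every packet, so please confirm that only the msghdr/iovec setup and the "setup buffer" comment are dropped and the family assignment stays. The sendmsg() to sendto() change itself is a straight simplification: one iovec and a name pointer have identical semantics either way.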
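Review bot: the recv_packet hunk widens the accepted unicast destination from iface->addr alone to any address on iface->ifa_list, which is the behavioural change that makes the point-to-point case work when the neighbour addresses a non-primary address; the comment block above the check ("AllDRouters is only valid for DR and BDR but this is checked later.") still describes only the multicast cases, so extend it to state that any address configured on the interface is accepted as a unicast destination, and the existing "packet sent to wrong address" log_debug then reads correctly for the new condition as well.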
Re: httpd configuration.
Hi,

consultor [2021-01-05 18:43:26 -0800]:
> works correctly with the main domain, but not with the second
> server "consultores.ca/ENA" {
> server "consultores.ca" {

These are not different domains. The domain part is 'consultores.ca'. If you would like requests made to consultores.ca/ENA/* to be served from a different directory, you could do this, employing more location blocks:

server "consultores.ca" {
    listen on * port 80
    root "/htdocs/consultores/"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI";
    }
}

server "consultores.ca" {
    listen on * tls port 443
    root "/htdocs/consultores"
    tls {
        certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
        key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/ENA/*" {
        root "/htdocs/ENA"
    }
    location "/ENA/pub/*" {
        directory auto index
    }
}

I tried to replicate your config how I think you meant it. Perhaps there is a way to somehow express the two 'directory auto index' blocks in one block but this should get you started.

I don't think you actually need to handle ACME challenges in consultores.ca/ENA/.well-known/acme-challenge, as your domain is consultores.ca and these challenges will go to consultores.ca/.well-known/acme-challenge instead. Furthermore, I think you only need to handle acme-challenges over HTTP, not over TLS.

Best regards
Bertalan

-- 
Bertalan Z. Péter
PGP: FB9B 34FE 3500 3977 92AE 4809 935C 3BEB 44C1 0F89
Re: httpd configuration.
On Tue, 05 Jan 2021, consultor wrote:
> Hello
>
> I have a server 6.8 that works correctly with the main domain, but it does
> not work with the second. Could you please help?
>
> httpd.conf
>
> # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
>
> server "consultores.ca" {
>     listen on * port 80
>     root "/htdocs/consultores/"
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
>     location * {
>         block return 302 "https://$HTTP_HOST$REQUEST_URI";
>     }
> }
>
> server "consultores.ca" {
>     listen on * tls port 443
>     root "/htdocs/consultores"
>     tls {
>         certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
>         key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
>     }
>     location "/pub/*" {
>         directory auto index
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
> }
>
> server "consultores.ca/ENA" {
>     listen on * port 80
>     root "/htdocs/ENA/"
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
>     location * {
>         block return 302 "https://$HTTP_HOST$REQUEST_URI";
>     }
> }
>
> server "consultores.ca/ENA" {
>     listen on * tls port 443
>     root "/htdocs/ENA"
>     tls {
>         certificate "/etc/letsencrypt/live/consultores.ca/fullchain.pem"
>         key "/etc/letsencrypt/live/consultores.ca/privkey.pem"
>     }
>     location "/pub/*" {
>         directory auto index
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         request strip 2
>     }
> }
>

You are only using one domain, thus all should go into one server block. Use locations to set different parameters for "/" vs "/ENA". That does not belong on the server name.

I usually go for a single server block listening on port 80 with pretty much the same redirection you have, and one server block per domain listening on 443, with as many locations as needed.
Something like:

server "default" {
    listen on * port 80
    log {
        access "default.access.log"
        error "default.error.log"
        style combined
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location "/*" {
        block return 301 "https://$HTTP_HOST$REQUEST_URI";
    }
    root "/htdocs/null"
}

And then:

server "mydomain.com" {
    listen on * tls port 443
    alias www.mydomain.com
    tls {
        certificate "/etc/ssl/letsencrypt/mydomain.com/fullchain.pem"
        key "/etc/ssl/letsencrypt/mydomain.com/privkey.pem"
    }
    log {
        access "access.log"
        error "error.log"
        style combined
    }
    location "/foo/*" {
        root "/foo"
        request strip 1
    }
    location "/bar/*" {
        root "/bar"
        request strip 1
    }
    location "/baz" {
        block return 301 "https://foobarbaz.com";
    }
    root "/htdocs/mydomain.com"
}

Remember httpd.conf(5) is your friend.

-- 
Paco Esteban.
0x5818130B8A6DBC03