Re: [solved]: vi: How to display German umlauts?

2024-07-11 Thread Michael Hekeler
Dear Anon Loli:

> (...)
> software should be free, and non-personal information should be free,
> too, without any IP or a requirement for a file "LICENSE".. those are
> just my 2 cents..

If you don't say something about using or redistributing your software or
code, then nobody knows and no one can be sure if it's allowed to do this
or that.
Just to make it clear for everyone, you can give a statement about these
topics.
A good place for this statement is to include a file and call it
LICENSE.


> (...), would you use a open source peace of software that in the README
> says "you can use it for whatever you want with no strings attached,
> and that's it

In the end it is your decision, whether you want to hide the text
down in the README or somewhere else.
If you are the creator, it's your work and your rules apply.



> I'm not sure about the license though... as I despise licenses and even
> having
> a copyleft license like CC is getting on my nerves, ...

Creative Commons (CC) recommends against using their licenses
for software.
Very similar to most Creative Commons licenses are permissive software
licenses (e.g. the Apache 2.0 License or the MIT License).
But here again: if it is your work then you decide the ways to share your work.




Re: mailman on OpenBSD - linking problem

2024-03-13 Thread Michael Hekeler
> Anything else I should pay attention to?

Make sure that your TLS setup is okay.
Read mailman's docs and also the pkg-readme (e.g. setting up cronjobs),
and pay attention to the configuration of your mailserver.


> It's a basic mailing list for few gaming discussions really,
> so escaping from chroot was not really that scary, at least in that case.
 
I wouldn't deploy old Python scripts outside a chroot (Python 2.7 has been
end-of-life since 01.01.2020!)
...but I also think I wouldn't set up any huge software just to deploy
"a basic mailing list for few gaming discussions".



Re: files are going missing

2024-03-12 Thread Michael Hekeler
Am 11.03.24 19:04 schrieb beecdadd...@danwin1210.de:
> I'm not stupid, of course I know about -o

Am 11.03.24 18:37 schrieb beecdadd...@danwin1210.de:
> ...why still ask redundant question?


isn't this a rather strange way of communicating for someone who is
looking for help ;-) ??



Re: mailman on OpenBSD - linking problem

2024-03-12 Thread Michael Hekeler
> What does "request strip 1" actually do in that case?

From the manpage:
strip strips path components from the beginning of the request path
before looking up the stripped-down path at the document root.

So in your case:
location "/admin/*" {
	fastcgi socket "/var/www/run/slowcgi.sock"
	root "/usr/local/lib/mailman/cgi-bin/admin"
	request strip 1
}
if the request is "admin/" then "admin" is stripped and "/" is sent to
the document root.


> The cgi files are in /usr/local/lib/mailman/cgi-bin/
> chroot setting in httpd.conf: chroot "/"
> Slowcgi starts with: slowcgi_flags="-p /" and it's socket path is:
> /var/www/run/slowcgi.sock
> 
> Slowcgi and httpd works fine. However two things I'd like to know;
> 
> As I asked, what does "request strip 1" do and if I really need that?
> 
> Secondly; how to combine two locations into one? So that;
> "/admin" and "/admin/" would get captured both.

So you expect the location to be triggered if the request is "admin"
but you configured the location to listen on "admin/"?
See the difference?

Next:
There is another misconfiguration in your httpd.conf: you use the root
directive with a filename? Why? The manpage says: The directory is a
pathname within the chroot(2) root directory of httpd.
If you set root to a filename then you have to create multiple locations
for every request:
location "/admin" --> root "/usr/local/lib/mailman/cgi-bin/admin"
location "/list"  --> root "/usr/local/lib/mailman/cgi-bin/list"
location "/foo"   --> root "/usr/local/lib/mailman/cgi-bin/foo"
...
This could be quite tedious, that's why I would suggest:
location "/*" --> root "/usr/local/lib/mailman/cgi-bin"


If you want mailman to act on something like http://localhost/mailman/admin
then you can do:
location "/mailman/*" {
	fastcgi
	root "/usr/local/lib/mailman/cgi-bin"
	request strip 1
}

But please keep in mind that you have disabled the chroot and this is not
recommended.
Maybe you want to consider copying the needed files inside the chroot?
Or perhaps deploy mailman with something like gunicorn or uwsgi?
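A small Python model of the two httpd.conf mechanisms discussed in this post, location globbing and "request strip", added here as an illustration; it is not part of the original mail and not httpd's own code. It assumes that location patterns are matched with shell globbing rules (modelled with fnmatch) and that strip drops the leading N path components before the remainder is looked up under root. The location table mirrors the two locations from the post plus the suggested "/*" catch-all, so the "/admin" vs "/admin/" difference can be seen directly.

```python
import fnmatch

# Constructed location table, first match wins (like httpd.conf ordering).
# (location pattern, root, number of leading components to strip)
LOCATIONS = [
    ("/admin/*", "/usr/local/lib/mailman/cgi-bin/admin", 1),   # the poster's config
    ("/mailman/*", "/usr/local/lib/mailman/cgi-bin", 1),       # the /mailman/ variant
    ("/*", "/usr/local/lib/mailman/cgi-bin", 0),               # suggested catch-all
]


def strip_components(path, n):
    """Drop the first n path components of an absolute request path.

    "/mailman/admin/" with n=1 -> "/admin/"; "/admin/" with n=1 -> "/".
    A trailing slash survives only when something is left after it.
    """
    parts = [p for p in path.split("/") if p]
    remainder = parts[n:]
    trailing = "/" if path.endswith("/") and remainder else ""
    return "/" + "/".join(remainder) + trailing


def resolve(request_path):
    """Return (matched location, path looked up on disk) or None on no match.

    Assumption: location patterns use shell globbing (fnmatch), so "/admin/*"
    matches "/admin/" (the * matches the empty string) but not "/admin".
    """
    for pattern, root, strip in LOCATIONS:
        if fnmatch.fnmatchcase(request_path, pattern):
            stripped = strip_components(request_path, strip)
            return pattern, root + stripped
    return None


if __name__ == "__main__":
    for req in ("/admin", "/admin/", "/listinfo", "/mailman/admin", "/mailman/listinfo/"):
        print(f"{req:20} -> {resolve(req)}")
```

Running it shows why the poster saw a 404 for "/admin" but not for "/admin/": only the trailing-slash form matches "/admin/*", and after stripping one component what remains is "/" under the root. With the "/*" catch-all and no strip, "/admin" and "/listinfo" both land directly on the CGI directory.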



Re: httpd location question

2024-03-11 Thread Michael Hekeler
> Is there any directive or regex for the 'location' directive,

httpd doesn't support regular expressions.
httpd includes Lua pattern support,
see patterns(7).



Re: mailman on OpenBSD - linking problem

2024-03-11 Thread Michael Hekeler
> I set up a mailman on OpenBSD, and it seems I have managed to do it.
> 
> A single problem left, that I'd like to share with you and get your idea;
> 
> On mailman homepage, there is a link "you can visit the list admin overview
> page"
> and when I click, redirects me: mysite.com/admin and it gives error 404.
> 
> However if I add "/" at the end, making mysite.com/admin/, it works.
> 
> Also the same happens on the linked-text;
> "Overview of all list.mysite.com mailing lists" linking to;
> mysite.com/listinfo, which gives 404 not found when clicking on it.
> 
> But with an extra '/'; mysite.com/listinfo/ works.
> 
> Where's my mistake?
> 
> Related httpd.conf lines;
> 
> location "/admin/*" {
> fastcgi socket "/var/www/run/slowcgi.sock"
> root "/usr/local/lib/mailman/cgi-bin/admin"
> request strip 1
> }

I don't know this mailman script but...
Why did you strip the first component from the request?
Are these CGIs in /usr/local/lib/mailman/cgi-bin/admin or in
/var/www/usr/local/lib/mailman/cgi-bin/admin?
What is your chroot setting in httpd.conf?
And IF you changed the httpd chroot, how do you start slowcgi(8)?
What/where is the socket? Where is the path?



Re: certbot in cron - best way?

2024-02-24 Thread Michael Hekeler
> 
> On 2/21/24 10:07, Stuart Henderson wrote:
> > You might like to investigate ~ in crontab(5), e.g. "~ 0,12" and lose
> > the "sleep".
> > 
> > Wouldn't it be better to have certbot write files into a directory
> > served by httpd so you don't need the "rcctl stop" though?
> > 
> Yes, it would be better. Today had a problem in which rcctl stop worked, but 
> rcctl start didn't.
> Seems like --webroot from certbot can do the trick. Will test in a few days 
> with an expiring certificate.

Another option is to use acme-client(1). Provided that you are happy
with Let's Encrypt or Buypass this could be really easy:

* It is in base so it will work out-of-the-box and you don't need to
  install any packages for this task.
* It has a super easy config.
* Its typical usage is to work with httpd and it uses the correct
  directories by default.
* It is not Python.



Re: relayd fallback when using tag/tagged

2024-02-19 Thread Michael Hekeler
> > > Using such a configuration:
> > > #-8<---
> > > table   { 192.0.2.4 }
> > > table  { 192.0.2.7}
> > > http protocol www {
> > >block
> > >match request header "Host" value "www.example" tag "example"
> > >pass request tagged "example" forward to 
   
Wouldn't it be wrong if relayd sends the requests to  even though
you told it quite clearly to send them to ?
If  is down then relayd must error out, or not (because this is
what you told it to do: sending to )


I think you need an additional step in between which decides where to send the
request.
Then in the next step you can tag and modify...

Maybe I'm wrong but to me it sounds more consistent when doing the
layer 3 redirection on 192.0.2.30:

table  { 192.0.2.4 }
table  { 192.0.2.7 }
redirect www {
 listen on 192.0.2.30 port 80
 forward to  check http "/" code 200
 forward to  check icmp
}

And then do all the layer 7 filtering on 192.0.2.4

But as I said before: maybe I'm wrong ;-)



Re: httpd generating: read_errdoc entries in syslog

2024-02-15 Thread Michael Hekeler
> Hi,
> 
> I have a custom error template that I use for the error documents for
> httpd, as described in: man httpd.conf
> 
> In /var/www I have created:
> 
> /err  root:daemon chmod 0755
> 
> Within /var/www/err I have created:
> 
> err.html  www:www chmod 0444
> 
> In my httpd.conf I have a global configuration that points to this:
> 
> /etc/httpd.conf
> . . .
> errdocs "/err"
> 
> When I cause an error with httpd, the error document template I have
> created gets rendered to the client, but I get entries in syslog like
> the following:
> 
> serv1 httpd[23368]: read_errdoc: open: No such file or directory
> 

If you have err.html and trigger a 404 status then httpd:
(1) tries to serve 404.html -> this causes the above log entry
and then (2) tries to serve err.html -> this is fine

If you rename err.html to 404.html then httpd serves 404.html in step 1.

Are you sure you caused a 404?
Maybe you caused some other status code in your tests?



Re: Installing shellinabox on OpenBSD

2024-02-15 Thread Michael Hekeler
> Use a UBS drive and run it from that...
> 
> You don't need to install it on the window machine.
> 
> Anyway in 2024 still not have a decent native ssh client on Window say how
> interested Microsoft are in making a secure OS really...


Microsoft has had built-in OpenSSH since 2018.
No need for PuTTY or PowerShell or whatever.

Just open cmd:

Microsoft Windows [Version 10.0.19045.4046]
(c) Microsoft Corporation. Alle Rechte vorbehalten.

U:\>ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2   

 



Re: relayd fallback when using tag/tagged

2024-02-15 Thread Michael Hekeler
> Hello,
> 
> I'm trying to configure relayd(8) to use tags, to allow legit host names
> only and modify HTTP headers, and fallback. But I can't have it working
> properly.

I don't understand exactly what you want to achieve. Do you want:

A. Requests with http header "www.example" going to primary.
   And going to fallback if primary is down.
   And block all other requests.
or:

B. Request with http header "www.example" going to primary.
   And all other going to fallback.
   And block nothing (=all requests are served either by primary or
   by fallback)


If A) then put both servers in the table and let the HCE decide which host
is up. Something like that (header check ignored in the example):

table  {192.0.2.4 192.0.2.7}
redirect www {
	listen on 192.0.2.30 port 80
	forward to  check http "/" code 200
}


If B) then you need an additional pass rule in your protocol.
Something like that (to be honest I don't know why you need the tag here
so I ignored that in this example):

http protocol www {
	pass request quick header "Host" value "www.example" \
	    forward to 
	pass request forward to 
	block
}




> 
> Using such a configuration:
> #-8<---
> table   { 192.0.2.4 }
> table  { 192.0.2.7}
> http protocol www {
>   block
>   match request header "Host" value "www.example" tag "example"
>   pass request tagged "example" forward to 
> }
> relay www {
>   listen on 192.0.2.30 port 80
>   protocol www
>   forward to   port 80 check http "/" code 200
>   forward to  port 80
> }
> #-8<---
> forwards all tagged HTTP traffic to the primary server. But if it is turned
> off, relayd(8) only replies with error rather than sending the traffic to
> the fallback server.
> 
> Removing tags and using a simple "pass" directive in protocol (as described
> in the man page) does work as expected regarding the fallback server.
> 
> Is there a way to use both tags and fallback with relayd(8) to mimic
> Apache's Failover[1] configuration with "ProxyPass" and "BalancerMember
> (...) status=+H" ?
> 
> Thank you,
> Joel C.
> 
> [1] https://httpd.apache.org/docs/trunk/howto/reverse_proxy.html#failover
> 



Re: relayd forward with tls

2024-01-24 Thread Michael Hekeler
> Where can I read about the meaning of each field in relayd log? Like you
> said, that 0 is related to the tag one set on the protocol.

I can't tell you where to find documentation for relayd's log.
But, to be honest, I found it was not too hard to work with.

For playing with relayd and httpd I suggest Michael W Lucas's
book "Relayd and Httpd Mastery". Mr. Lucas has a way of
writing that is easy to read!
https://mwl.io/nonfiction/tools#relayd

...and of course the excellent manpages relayd(8), relayd.conf(5)



Re: Freshrss configuration httpd.conf and fastcgi

2024-01-16 Thread Michael Hekeler
> I'd like to setup Freshrss to work under httpd and FastCGI.
> Freshrss uses Php.
^^^
You need to deploy that script with php-fpm, NOT via slowcgi(8).
See the file php-XX in /usr/local/share/doc/pkg-readmes/ for how to do this
(where XX is your installed version).


> As per the documentation, only the freshrss/p directory should be
> exposed.
> https://github.com/FreshRSS/FreshRSS#installation
> 
> I'd like Freshrss to be access like:
> http://myserver.tld/freshrss
> 

Then you need something like:
> server "myserver.tld" {
> listen on * port 80
> listen on * tls port 443 
> tls {
> certificate "/etc/ssl/myserver.tld.crt"
> key "/etc/ssl/private/myserver.tld.key"
> }
> root "/htdocs"

location "/freshrss/*"   { root "/freshrss/p" }


> But at http://myserver.tld/freshrss/p/i/  it shows a 403 Forbidden
> status.

Because there is no index.html in /freshrss/p/i/.

Please read the manpage httpd.conf(5) for setting a directory index other
than index.html.

Test your setup with something like curl(1) or nc(1), not in a browser
like Chrome or Firefox, so that you can see the response clearly and no
cache gets in the way.

And only open your install to the internet when all is set up well.
Also test that access to config files is denied.



Re: relayd forward with tls

2024-01-12 Thread Michael Hekeler
> Em qui., 11 de jan. de 2024 às 13:35, Michael Hekeler
>  escreveu:
> >
> > > Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), 
> > > fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
> > > Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), 
> > > fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
> > > Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 
> > > active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
> > > Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 
> > > active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
> >
> > Please examine your log:
> > The first and the second request are processed by "relay wwwtls"
> > The first is tagged "fqdn1" and the second request is tagged "fqdn2"
> > The first is relayed to 127.0.0.1:8080
> > The second is relayed to 127.0.0.1:8081
> > All is fine here :-)
> >
> > Now look to the third and fourth requests.
> > They are both processed by wwwtls2.
> > But they are not tagged (see tag 0) and thats the problem!
> > Because the request stays untagged in the protocol the relay wwwtls2
> > chooses simply the first found forward rule: 127.0.0.1:8080
> >
> > So examine your requests:
> > This is fine: 'curl https://fqdn1'
> > But this not: 'curl https://fqdn1:4430'
> >
> > See the difference?
> >
> > The second sets in HTTP-Header "[HTTP_HOST] => fqdn1:4430"
> > Thats why you should match "fqdn1:4430" in relayd.conf:
> >
> > match request header "Host" value "fqdn1:4430" tag "fqdn1"
> > - or -
> > match request header "Host" value "fqdn1*" tag "fqdn1"
> >
> 
> That was exactly the problem.
> I didn't know how to read the logs nor the definition of HTTP_HOST.

Most browsers can show the HTTP headers.
E.g. in Firefox -> developer tools -> network -> just click on any
object and it will show the headers (and much more).

Or you can place a simple script in httpd that dumps the headers.
In PHP for example you can do: print_r($_SERVER);


What I do is place a simple C program in /cgi-bin:

#include <stdio.h>

/* Minimal CGI: print every environment variable, one per line.
 * Under httpd(8)/slowcgi(8) the request headers arrive as HTTP_* variables,
 * so this shows exactly what the server saw (e.g. HTTP_HOST). */
int
main(int argc, char *argv[])
{
	extern char **environ;

	printf("Content-Type: text/plain\n\n");
	for (int i = 0; environ[i] != NULL; i++)
		printf("%s\n", environ[i]);
	return 0;
}



Re: relayd forward with tls

2024-01-11 Thread Michael Hekeler
> Take a look at the example in man relayd.conf. You have to set the X-header 
> like:
> 
> match header set "X-Forwarded-For" \  value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" \   value 
> "$SERVER_ADDR:$SERVER_PORT"


This has nothing to do with relayd's forwarding rules in this topic.

Setting these headers is for logging in httpd.
Because if X-Forwarded-For is not set, then httpd logs the IP of the relayd
host as the source for ALL requests and the original IP of the request would
be lost.
To overcome this, httpd comes with a log format called "forwarded" which
appends X-Forwarded-{For,Port} to the existing log format.



Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup

2024-01-11 Thread Michael Hekeler
> 
> 
> On 12/28/23 12:30, Michael Hekeler wrote:
> > 
> > I try to install OpenBSD on netcup ARM, too...
> > 
> > > I disabled the pluart driver in the ramdisk kernel (on a other machine 
> > > with
> > > config -e -f /bsd.rd and copied the ramdisk kernel over to the nectup
> > > server) and got access the the installation script.
> > 
> > How did you disable pluart driver?
> I installed OpenBSD on a Hetzner ARM64 system (CAX11) and modified the
> ramdisk with
> config -e -f /bsd.rd
>   disable pluart
>   quit

Thanks :-)


> 
> The modification should also be possible on any other ARM64 system (e.g.
> Raspberry Pi 4).
> 
> Then I copied the modified bsd.rd and
> https://cdn.openbsd.org/pub/OpenBSD/snapshots/arm64/BOOTAA64.EFI to the EFI
> partition (directly under /boot/efi) on the Netcup server.
> After that I started the OpenBSD BOOTAA64.EFI directly from the TianoCore
> UEFI.
> 
> > Could you provide more info, or share the bsd.rd?
> You'll find my modified bsd.rd here: https://download.fusion-zone.net/

thanks again :-)



Re: relayd forward with tls

2024-01-11 Thread Michael Hekeler
> Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
> Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
> Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
> Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET

Please examine your log:
The first and the second request are processed by "relay wwwtls".
The first is tagged "fqdn1" and the second request is tagged "fqdn2".
The first is relayed to 127.0.0.1:8080.
The second is relayed to 127.0.0.1:8081.
All is fine here :-)

Now look at the third and fourth requests.
They are both processed by wwwtls2.
But they are not tagged (see tag 0) and that's the problem!
Because the request stays untagged in the protocol, the relay wwwtls2
simply chooses the first forward rule it finds: 127.0.0.1:8080

So examine your requests:
This is fine: 'curl https://fqdn1'
But this is not: 'curl https://fqdn1:4430'

See the difference?

The second one sets the HTTP header "[HTTP_HOST] => fqdn1:4430".
That's why you should match "fqdn1:4430" in relayd.conf:

match request header "Host" value "fqdn1:4430" tag "fqdn1"
- or -
match request header "Host" value "fqdn1*" tag "fqdn1"
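The log reading and the Host-header point from this mail (and the follow-up on 2024-01-12 that quotes it), worked through in Python as an added example; it is not code from the thread and not relayd's own. The field layout of the "log connection" lines is assumed from the four lines quoted above (relay name, session, tag, source -> destination, state), the sample lines are constructed in that shape, and the "match request header Host value" rules are modelled with shell-style globbing (fnmatch), which is how the "fqdn1*" suggestion above reads.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample lines in the shape of relayd's "log connection" output
# quoted in the thread (not captured from a real system).
SAMPLE_LOG = """\
Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
"""

# Assumed layout: "relay NAME, session N (M active), TAG, SRC -> DST, STATE, ..."
# where TAG is "0" when no match rule tagged the request.
LINE_RE = re.compile(
    r"relayd\[\d+\]: relay (?P<relay>[^,]+), session (?P<session>\d+) "
    r"\((?P<active>\d+) active\), (?P<tag>[^,]+), "
    r"(?P<src>[^\s,]+) -> (?P<dst>[^\s,]+), (?P<state>[^,]+)"
)


def parse_log(text):
    """Parse relayd connection log lines into dicts; skips lines that don't fit."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["tagged"] = entry["tag"] != "0"
            entries.append(entry)
    return entries


def untagged_sessions(entries):
    """Sessions that reached a relay untagged, i.e. where the first forward rule won."""
    return [(e["relay"], e["session"], e["dst"]) for e in entries if not e["tagged"]]


def host_header(url):
    """Host header value a client like curl sends for url: the port is included
    only when it is written in the URL and is not the scheme's default."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}[p.scheme]
    if p.port is None or p.port == default:
        return p.hostname
    return f"{p.hostname}:{p.port}"


def matching_tag(host, rules):
    """First (pattern, tag) rule whose glob pattern matches the Host value, else None."""
    for pattern, tag in rules:
        if fnmatchcase(host, pattern):
            return tag
    return None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("untagged:", untagged_sessions(entries))
    exact = [("fqdn1", "fqdn1"), ("fqdn2", "fqdn2")]      # original rules
    loose = [("fqdn1*", "fqdn1"), ("fqdn2*", "fqdn2")]    # suggested fix
    for url in ("https://fqdn1", "https://fqdn1:4430"):
        h = host_header(url)
        print(url, "-> Host:", h, "| exact:", matching_tag(h, exact), "| glob:", matching_tag(h, loose))
```

The parser flags exactly the two wwwtls2 sessions with tag 0, and the Host-header helper shows why: "https://fqdn1:4430" yields "fqdn1:4430", which an exact "fqdn1" rule never matches, while "fqdn1*" catches both forms.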



Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup

2023-12-28 Thread Michael Hekeler


I'm trying to install OpenBSD on netcup ARM, too...

> I disabled the pluart driver in the ramdisk kernel (on a other machine with
> config -e -f /bsd.rd and copied the ramdisk kernel over to the nectup
> server) and got access the the installation script.

How did you disable the pluart driver?
Could you provide more info, or share the bsd.rd?



Re: Relayd - block bad bots

2023-12-12 Thread Michael Hekeler
> Hey
> 
> I'm running a small VM on OpenBSD where my site resides. My stack is
> pf/relayd/httpd.
> 
> I see a significant traffic coming from bad bots, like mj12. I'd love
> to completely block them and Relayd seems like the best place. I tried to
> block by "User-Agent" header, however there is no support for globs
> there.




> Has anyone had any success with achieving something similiar?

block request header "User-Agent" value "curl*"



Re: FAT names exceeding spec length

2023-12-04 Thread Michael Hekeler
> > To be honest I don't understand the problem you described.
> 
> It is simple, when you come from Android (tested Android 11 tablet) with file 
> names exceeding the FAT spec
> these are cut to 8.3 format in OpenBSD.


You mean Android allows creating filenames >255 characters on FAT32?
Then you should report this non-compliance to Android
(https://learn.microsoft.com/en-us/windows/win32/fileio/filesystem-functionality-comparison#limits)



Re: wired rdiff-backup doc

2023-12-04 Thread Michael Hekeler
> Hello,
> 
> 7.4, rdiff-backup
> 
> After the upgrade to 7.4 I have been invited to update my
> outdated command line to *the new one* by rdiff-backup.
> 
> The puzzle was not so easy to solve as "rdiff-backup --new --help"
> suggested a good mix of options; "man rdiff-backup" gave out an other
> set of options and two examples, one with the [kind of operation]
> declared just after rdiff-backup, the other one with the 
> [kind of operation] declared just after the option lists; a little
> overwhelming: when you make a mistake the shell show off the *good
> options* suggesting among the others --new, --nonew, etc (not
> recognized) and missing to list all the various --except options among
> the others. I save you from quoting the options listed by 
> "rdiff-backup backup --help". 
> 
> In the end after 10min of tries I was able to launch my
> backup..

Maybe, to help other users of rdiff-backup, you want to post your
experiences on their mailing list?
Or you can open an issue on GitHub because that's what the devs
suggested.



Re: FAT names exceeding spec length

2023-11-30 Thread Michael Hekeler
> 
> There is also some ironic stuff behind these happenings: if you have
> the possibility to check your lost long file names you will discover
> that the most significant information are contained in the first 99 chars.
> 
> 
> Nowarez Market  wrote:
> 
> > 
> > Clearly the problem is that from the user prospective in these kind
> > of events all the information contained in the longer file names are
> > lost. 
> > 
> > A file copy from Android is always completely transparent to the user,
> > anyhow. Android open behavior "doesn't help" copping with these long
> > names: if I copy files from an Android tablet and only after some
> > days I retrieve them..information are lost in OpenBSD.
> > 
> > 
> > Nowarez Market  wrote:
> > 
> > > I have a fat32 usb stick that I use to transfer files
> > > from/to my Android tablet since years.
> > > 
> > > I just want to drop the hint that Android manage
> > > to render the file names exceeding 255 chars offering
> > > the user the long form anyway while OpenBSD strictly
> > > apply the FAT specs rendering these file names
> > > in the 8 chars format.
> >  
> > 

To be honest I don't understand the problem you described.
(Maybe because English is not my native language?)

But I can say that I've never had any problems with long filenames
on any of my devices, whether these are USB sticks or anything else.

Maybe your Android device did something so that another OS can't detect
the long filenames, and maybe you can fix this by enforcing -l, which should
be set by default, but who knows...



Re: cumbersome mtree

2023-11-27 Thread Michael Hekeler
> Hello,
> 
> I was enthusiastic to write down a tool that permitted everyone
> to check and print the default file permissions of a given path
> but when I knocked my eyes against mtree behavior I remained
> frightened. 
> 
> Given for example:
> 
> mtree -c -f /etc/mtree/4.4BSD.dist -K uid,guid,mode -p /usr/games -e

What is your intention when using these flags? What do you want to do?


> I was expecting that:
> -p let me pass the path to check to mtree like /usr/games

Yes, you are right: -p uses path instead of the current directory.


> -K uid,guid,mode let me suggest the output for each file entry
>   specified together with -c command option 

On 7.4:
$ man mtree | grep -A 57 "supported keywords"
It also gives a hint about the specified 'guid' keyword.


> But indeed mtree behavior is really different. 

Yes, you are right.


> Please point me in the right direction with mtre

'man mtree' is a good start.
Or check security(8). On 7.4 you can do:
$ grep -B 12 -A 27 "sub check_mtree" /usr/libexec/security



Re: Reptar aka CVE-2023-23583

2023-11-21 Thread Michael Hekeler
Am 15.11.23 13:41 schrieb Christian Weisgerber:
> not jacinda ardern:
> 
> > I saw something about a new intel microcode coming out (subject line) for a 
> > goofy new bug somebody found. Do you guys package that up into the 
> > fw_update (firmware.openbsd.org) magic or does it only come via the oem's 
> > bios updates?
> 
> Whatever Intel releases.
> 
> Yesterday they published a microcode update that should address this.
> The updated firmware package is already on the mirrors.
> 
> 
> CVSROOT:/cvs
> Module name:ports
> Changes by: j...@cvs.openbsd.org 2023/11/14 16:34:51
> 
> Modified files:
> sysutils/firmware/intel: Makefile distinfo 
> 
> Log message:
> update intel microcode to 20231114
> 
> release notes:
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114
> 
> mitigates:
> https://lock.cmpxchg8b.com/reptar.html
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html

How can I find the cpuid of my CPU to see if my CPU is on Intel's list
of affected CPUs?

On my Proxmox systems I can do something like dmidecode.
But on OpenBSD... I don't know...
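One way to answer the question in this mail, added here as an example and not taken from the thread: the cpu0 line in an OpenBSD dmesg ends in family-model-stepping as hex pairs (e.g. "06-06-0a" in the Thinkpad dmesg further down this page), while Intel's affected-processor tables list the packed CPUID leaf 1 signature (e.g. 0x806EA). The Python below converts the dmesg form into that signature following the documented CPUID family/model encoding (extended family and extended model fields); the sample dmesg text is constructed, and the parsing of the cpu line is my own, not OpenBSD code.

```python
import re

# Constructed sample in the shape of an OpenBSD i386 dmesg cpu line.
SAMPLE_DMESG = """\
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Celeron ("GenuineIntel" 686-class, 256KB L2 cache) 366 MHz, 06-06-0a
"""

# Trailing "FF-MM-SS" on a "cpuN:" line: displayed family, model, stepping in hex.
CPU_RE = re.compile(
    r"^cpu\d+:.*?, (?P<family>[0-9a-f]{2})-(?P<model>[0-9a-f]{2})-(?P<stepping>[0-9a-f]{2})\s*$",
    re.M,
)


def cpuid_signature(family, model, stepping):
    """Pack displayed family/model/stepping into the CPUID leaf 1 EAX signature.

    CPUID encoding: DisplayFamily = Family (+ ExtendedFamily when Family == 0xF);
    DisplayModel = (ExtendedModel << 4) + Model for Family 0x6 and 0xF.
    Example: 06-8e-0a -> 0x806EA.
    """
    if family >= 0xF:
        base_family, ext_family = 0xF, family - 0xF
    else:
        base_family, ext_family = family, 0
    if family in (0x6, 0xF):
        base_model, ext_model = model & 0xF, model >> 4
    else:
        base_model, ext_model = model, 0
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | stepping


def signatures_from_dmesg(text):
    """All CPU signatures found in a dmesg text, as integers, in order of appearance."""
    return [
        cpuid_signature(int(m["family"], 16), int(m["model"], 16), int(m["stepping"], 16))
        for m in CPU_RE.finditer(text)
    ]


if __name__ == "__main__":
    for sig in signatures_from_dmesg(SAMPLE_DMESG):
        print(f"CPUID signature 0x{sig:X}")   # compare against the vendor's affected list
```

On a live system feed it /var/run/dmesg.boot; the printed value is the one to look up in the vendor's affected-processor table before and after fw_update applies a new microcode package.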



Re: Font size and character encoding.

2023-11-20 Thread Michael Hekeler
> How to increase font size in console?
> 
> How to set non-UTF character encoding for tty session on OpenBSD 7.4?
> 

apropos font -a cons



Re: relayd and large POST requests

2023-10-24 Thread Michael Hekeler
> Hi,
> 
> I'm running a setup on OpenBSD 7.3 (amd64, 16GB RAM) with relayd,
> varnish, httpd and php-fpm. When uploading a large >2GB file through
> ...
> 
> 
> /etc/relayd.conf:
> 
> table  { 127.0.0.1 }
> 
> log connection
> 
> http protocol "https" {
> tls keypair "server"
> return error
> pass
> }
> 
> relay "mysite4" {
> listen on xxx port 443 tls
> protocol "https"
> forward to  port 8443 check tcp
> }
> 

Before going any deeper in investigating the behaviour I would suggest
configuring this setup using redirection.
I think you are better off with just forwarding on layer 3.

Or did I miss something? Why did you choose relay here?



Re: iked server/client OBSD/OBSD

2023-07-12 Thread Michael Hekeler
Am 09.07.23 11:38 schrieb Tobias Heider:
> On Sat, Jul 08, 2023 at 11:08:31PM -0700, latin...@vcn.bc.ca wrote:
> (...)
> > ikev2 'roadwarrior' active esp \
> > from dynamic to any \
> > peer server_ip \
> > srcid roadwarrior \
> > dstid server_domain \
> > request address any \
> > iface lo1
> > 
> > Questions:
> > should i add  the \?
> 
> Yes, because each policy is one line which isn't very convenient but it is 
> what
   ~~~
> it is for historical reasons.


I just wanted to add one thing: To me this IS very convenient!

If I want to disable/comment out this policy then I have to insert
only one single '#' in front of 'ike'.
If the policy were multiple lines then you would need multiple #'s, one
on each row.



Re: APCI on old Thinkpad

2023-07-04 Thread Michael Hekeler
Am 03.07.23 22:45 schrieb Claudio Jeker:
> Also keep in mind that laptops that old most often had bad or broken early
> ACPI implementations and it was better to not enable ACPI on those.
> Normally there was some BIOS knob to just use apm(4) which often worked
> much better.

Ah - very interesting. I will have a look...



Re: APCI on old Thinkpad

2023-07-04 Thread Michael Hekeler
> Jul 3, 2023 14:47:57 Peter N. M. Hansteen :
> 
> 
> I had to look this up, since I had forgotten that Thinkpads used to come
> with model numbers not prefixed and/or postfixed with letters.
> 
> I think one of several issues you will bump into is that the machine is
> almost a quarter century old (released April 1999 if Wikipedia is to be 
> trusted),
> and you may be one of fairly few people who have kept one around this long.

Indeed this device is very old
...and I am aware that it has many issues ;-)

I did run OpenBSD on that thing for a very long time and I was always happy
with it, but that was starting maybe 5.x or something (I think there was
a Ghostbusters-like CD box).

A while ago my small netbook broke and I had to buy a new Thinkpad. But
this new one is so heavy that I desperately remembered my old slim and
low weight Thinkpad 570.


> > This means in practice that in all likelihood, recent versions of any 
> > now-useful
> > software has been only lightly tested (if at all) on that vintage hardware.

I thought about reading emails with mutt(1).



Re: APCI on old Thinkpad

2023-07-03 Thread Michael Hekeler
Am 03.07.23 03:45 schrieb Anders Andersson:
> On Fri, Jun 30, 2023 at 11:44 PM Michael Hekeler  wrote:
> >
> > I have an old thinkpad - really old
> 
> Old enough not to have a model number?

oh dear I have forgotten the model number - Sorry!

It is Thinkpad 570



APCI on old Thinkpad

2023-06-30 Thread Michael Hekeler
I have an old thinkpad - really old

On booting it stops when listing the acpi sleep states and does nothing
more. This is dmesg:

OpenBSD 7.3 (GENERIC) #660: Sat Mar 25 11:17:44 MDT 2023
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 200753152 (191MB)
avail mem = 179949568 (171MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/01/99, BIOS32 rev. 0 @ 0xfd840, SMBIOS rev. 2.2 @ 
0xe0010 (35 entries)
bios0: vendor IBM version "IMET56WW" date 11/01/99
bios0: IBM 26443AG
acpi at bios0: ACPI 1.0
acpi0: sleep states S0 S1 S3 S4 S5


It can boot when disabling acpi (see dmesg below).
But then I can't zzz/ZZZ.
Is there something else I can do than disabling acpi?
Or is this old device simply not supported any more?


OpenBSD 7.3 (GENERIC) #660: Sat Mar 25 11:17:44 MDT 2023
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 200753152 (191MB)
avail mem = 179949568 (171MB)
User Kernel Config
UKC> disable acpi
526 acpi0 disabled
UKC> quit
Continuing...
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/01/99, BIOS32 rev. 0 @ 0xfd840, SMBIOS rev. 2.2 @ 
0xe0010 (35 entries)
bios0: vendor IBM version "IMET56WW" date 11/01/99
bios0: IBM 26443AG
acpi at bios0 function 0x0 not configured
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd7d0/0x830
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:06:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Celeron ("GenuineIntel" 686-class, 256KB L2 cache) 366 MHz, 06-06-0a
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF,MELTDOWN
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Neomagic Magicgraph NM2200" rev 0x20
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 2 function 0 "TI PCI1450 CardBus" rev 0x03: irq 11
cbb1 at pci0 dev 2 function 1 "TI PCI1450 CardBus" rev 0x03: irq 11
clcs0 at pci0 dev 5 function 0 "Cirrus Logic CS4280/46xx CrystalClear" rev 
0x01: irq 11
ac97: codec id 0x43525903 (Cirrus Logic CS4297 rev 3)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, No 3D Stereo
pcib0 at pci0 dev 6 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 6 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 3909MB, 8007552 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 6 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 6 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
"AT&T/Lucent LTMODEM" rev 0x01 at pci0 dev 7 function 0 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 7 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cbb1: bad Vcc request. sock_ctrl 0x0, sock_status 0x3b20
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 9 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
cbb1: bad Vcc request. sock_ctrl 0x30, sock_status 0x3b20
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (bdf7ab95ec79e5e9.a) swap on wd0b dump on wd0b
rl0 at cardbus1 dev 0 function 0 "D-Link DFE-690TXD" rev 0x10: irq 11, address 
00:11:95:5a:f8:7a
rlphy0 at rl0 phy 0: RTL internal PHY
clcs0: firmware loaded
audio0 at clcs0
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec



Re: Running Bugzilla in httpd - 'Pg' is not a valid choice for $db_driver in localconfig

2023-03-19 Thread Michael Hekeler
On 17.03.23 23:02 Stuart Henderson wrote:
> On 2023-03-17, Michael Hekeler  wrote:
> > If you really want to run bugzilla as cgi application with slowcgi(8)
> > then you have to copy the required perl modules in your chroot.
> 
> Or use slowcgi -p / to disable chroot.
> 
> > However since bugzilla is ultimately a cgi application you can deploy it
> > via fastcgi which is supported by httpd(8) natively.
> 
> afaik it doesn't support fastcgi, upstream suggestion is to use
> fcgiwrap which does basically the same as slowcgi.

Uuh - didn't know that. I was sure that bugzilla is a fastcgi app :-/
Anyway, thanks for the clarification.



Re: Running Bugzilla in httpd - 'Pg' is not a valid choice for $db_driver in localconfig

2023-03-17 Thread Michael Hekeler
On 12.03.23 00:46 Werner Boninsegna wrote:
> Hello,
> 
> I wonder if anybody is running Bugzilla in httpd?
> 
> I have completed the setup and run the test scripts successfully, however
> when trying to access it from the browser, I get below error:
> 
> 'Pg' is not a valid choice for $db_driver in  localconfig: 
> Can't load 
> '/usr/local/libdata/perl5/site_perl/amd64-openbsd/auto/DBD/Pg/Pg.so' for 
> module DBD::Pg: 
> Cannot load specified object 
> at /usr/libdata/perl5/amd64-openbsd/DynaLoader.pm line 193.
> at Bugzilla/DB/Pg.pm line 30.
> Compilation failed in require at Bugzilla/DB/Pg.pm line 30.
> BEGIN failed--compilation aborted at Bugzilla/DB/Pg.pm line 30.
> Compilation failed in require at (eval 201) line 1.
> 
> If I run the Bugzilla index.cgi scripts manually with Perl, everything works
> fine and I get the initial HTML code generated.
> 
> I think the problem might be related to the chroot, and I am probably missing 
> some dependency, any hints would be appreciated.


If you really want to run bugzilla as a cgi application with slowcgi(8)
then you have to copy the required perl modules into your chroot.

I could imagine that this could become a time-consuming and cumbersome
process.
Personally I think it negates the logic of a chrooted httpd(8) if you copy a
large amount of stuff inside the chroot.

However since bugzilla is ultimately a cgi application you can deploy it
via fastcgi which is supported by httpd(8) natively.
I think this would be a better solution than mimicking your perl
installation inside the chroot.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
> It is all about the dev environment: more precisely I
> need to be able to choose the moment when to switch to PHP[N] and do
> entering in the update process of all my web apps, thats it.

You can have multiple vm's with old versions.
E.g. you can keep an openbsd 60 vm with PHP 5.5.37.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
On 15.02.23 10:41 Crystal Kolipe wrote:
> On Wed, Feb 15, 2023 at 02:10:17PM +0100, Michael Hekeler wrote:
> > It is pointless to send to the list and in addition to individuals.
> 
> If you don't want to receive individual replies to list mail, then consider
> setting the
> 
> Mail-Followup-To:
> 
> header in your mail client.

Thank you very much - I didn't know that before.

 
> Some subscribers to the lists _do_ prefer to be cc'ed on threads that they are
> involved in for various reasons, and although setting this header is not a
> guarantee that your preference will be respected, it increases the chances of
> it and also that other posters to that particular thread will be maintained in
> the CC list as per their preference.

Oh - I didn't know this either.
I always do  on a mailinglist so that the reply will go to
the list only. I always thought that some subscribers here cc'ed the
original sender accidentally. But if some subscribers prefer to be
cc'ed then this makes sense now. Thanks for the clarification :)



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
On 15.02.23 10:12 Daniele Bonini wrote:
> 
> Michael Hekeler  wrote:
> 
> > You can run any PHP version you like.
> > You can run more than just single version.
> 
> ls http://ftp.openbsd.org/pub/OpenBSD/7.2/packages/amd64/ | grep
> 
> php-7.4.30p0.tgz   8197515 
> php-8.0.23p0.tgz   8771969 
> php-8.1.10p0.tgz   9017614
> 
> 
> Ok, let's support the OpenBSD project by compiling whatever PHP version,
> right? It's not that easy (c lib and diff dependencies), but it is
> nice..
> 
> I was waiting for an honest answer against my problematic dev and
> testing environment..

Actually this WAS an honest answer for your dev environment.

Anyway... please learn how to use mailinglists.
It is pointless to send to the list and in addition to individuals.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-14 Thread Michael Hekeler
 
> I'm wondering what are your thoughts on the subject of PHP different versions, 
> in respect to OpenBSD lifecycle. And, indeed, what is going to happen in 
> OpenBSD facing this broken compatibility with the past, starting from 8.1.
> Are you going to support PHP 7.4 and 8.0 longer or what?

What do you mean with "Are you going to support"?
PHP is not an OpenBSD project. The PHP devs release their stuff
completely independently of OpenBSD's lifecycle. You can find their
roadmap on PHP's homepage.

OpenBSD doesn't force you to use a specific PHP version.

Some time ago I was deploying PHP 5.x along with PHP 7.x on one of my
webstuff machines for compatibility reasons with a very outdated PHP
script.


> Worrisome this stuff from my side.. I personally have "tons" of  webapps to 
> maintain and there is not a "Docker solution".
> Is it plausible to come to arrange a "sustainable solution" by the ports, 
> chroot or whatever?

You can run any PHP version you like.
You can run more than just a single version.



Re: Live stick / cd from official sources

2023-02-09 Thread Michael Hekeler
On 08.02.23 13:06 Stuart Henderson wrote:
> On 2023-02-08, Michael Hekeler  wrote:
> > On 04.02.23 17:48 Daniele B. wrote:
> >> Sorry if I bother you again with the thread.
> >> 
> >> The minipc will be on business from tomorrow and I will use it
> >> together with a little student of mine: it is enough critical that the
> >> "not configured" hello! doesn't represent anything "risky".
> >> Eg: I tried to tweak the custom bios of Fujitsu for a more performant
> >> fan/cpu but the machine started literally to fly while booting. 
> >> Precautionally
> >> I hung the booting process manually.
> >> 
> >> The part of dmesg I'm wondering about is the following:
> >> 
> >> "FUJ02E3" at acpi0 not configured
> >> 
> >> "PNP0C14" at acpi0 not configured
> >> "PNP0C32" at acpi0 not configured
> >> "PNP0C14" at acpi0 not configured
> >> 
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> 
> >> acpicpu0 at acpi0: C1(@1 halt!), PSS
> >> acpicpu1 at acpi0: C1(@1 halt!), PSS
> >> acpicpu2 at acpi0: C1(@1 halt!), PSS
> >> acpicpu3 at acpi0: C1(@1 halt!), PSS
> >
> > If you just want to stop these messages from filling your logs you can
> > boot into UKC mode by entering -c at the boot prompt:
> > UKC> disable acpi
> > UKC> quit
> >
> >
> > ...(not a real solution but more a quick fix)
> >
> >
> 
> This is bad advice. ACPI may be needed for thermal management,interrupt 
> routing, and maybe other things. These "not configured"
> devices are unlikely to be a problem.

Indeed this is NOT good advice of mine.
@Daniele B. please ignore my last message.



Re: Live stick / cd from official sources

2023-02-08 Thread Michael Hekeler
On 04.02.23 17:48 Daniele B. wrote:
> Sorry if I bother you again with the thread.
> 
> The minipc will be on business from tomorrow and I will use it
> together with a little student of mine: it is enough critical that the
> "not configured" hello! doesn't represent anything "risky".
> Eg: I tried to tweak the custom bios of Fujitsu for a more performant
> fan/cpu but the machine started literally to fly while booting. Precautionally
> I hung the booting process manually.
> 
> The part of dmesg I'm wondering about is the following:
> 
> "FUJ02E3" at acpi0 not configured
> 
> "PNP0C14" at acpi0 not configured
> "PNP0C32" at acpi0 not configured
> "PNP0C14" at acpi0 not configured
> 
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> 
> acpicpu0 at acpi0: C1(@1 halt!), PSS
> acpicpu1 at acpi0: C1(@1 halt!), PSS
> acpicpu2 at acpi0: C1(@1 halt!), PSS
> acpicpu3 at acpi0: C1(@1 halt!), PSS

If you just want to stop these messages from filling your logs you can
boot into UKC mode by entering -c at the boot prompt:
UKC> disable acpi
UKC> quit


...(not a real solution but more a quick fix)



Re: DBeaver or similar db tool

2023-02-08 Thread Michael Hekeler
On 07.02.23 15:27 Daniele B. wrote:
> Hello,
> 
> I'm looking around a new "work environment" offering what in terms
> of software and I came across a list of appealing software
> suggested in the category 'db tools' to manage my
> databases.
> 
> Among those I notice DBeaver (https://dbeaver.io/).
> 
> Any chance to have a rich db tool like DBeaver ported to
> OpenBSD soon or later?


As others said before DBeaver is written using Java 17 and maybe you can
compile it with OpenJDK 17 and Maven.
DBeaver is based on Eclipse and it is also available as an eclipse plugin.

Many of these database GUIs are based on java and so maybe you can find
something you like.

There is also HeidiSQL which is written in pascal. Many years ago I
compiled that beast with Lazarus and it runs fine ;-)

There are PHP based database GUIs.
E.g. there is Adminer. Just one single php file to drop in your
webserver.

But in the end it all depends on what you expect from such a tool.

From my experience (which you can safely ignore for sure) I can suggest:
if you really want to use a database then you have to use the tools
provided by this database.
The time learning such all-purpose database management tools is better
invested in learning the quirks of the specific DBMS you want to use.
I find this is true for postgresql, oracle and sql-server.



Re: Xterm copy-paste not happening on OpenBSD 7.1 i386.

2022-08-04 Thread Michael Hekeler
On 04.08.22 15:27 Brian Durant wrote:
> I have installed OpenBSD 7.1 i386 on my Lenovo T60 and am experiencing a
> couple of issues. The first is related to the following addition that I made
> to my .Xdefaults file, which works with OpenBSD 7.1 amd64 installs, but not
> with the OpenBSD 7.1 i386 install on my Lenovo T60:
> XTerm*VT100.Translations: #override\
>     Ctrl Shift  C: copy-selection(CLIPBOARD) \n\
>     Ctrl Shift  V: insert-selection(CLIPBOARD)
> Any ideas how to get copy and paste working in Xterm with an i386 install?
> 
I understand that you want to map these keys but just to mention: there
is support for PRIMARY in xterm(1) and this means selected text is in
PRIMARY without any explicit copy action taking place.
See the Inter-Client Communication Conventions Manual for X.



Re: rspamd and pyzor

2022-05-02 Thread Michael Hekeler
On 02.05.22 19:06 kasak wrote:
> Hello misc!
> 
> I have some information for rspamd users, and one question.
> 
> As you may know, rspamd is not using pyzor by directly calling the pyzor binary.
> 
> Instead, they say, you need to create special systemd socket, and call pyzor
> through it.
> 
> It is described on rspamd manuals:
> https://rspamd.com/doc/modules/external_services.html#pyzor-specific-details
> 
> OpenBSD does not have systemd, but it has inetd.
> 
> This is a simple way to create a socket similar to systemd:
> 
> 127.0.0.1:5953    stream    tcp    nowait    root /usr/local/bin/pyzor   
> pyzor check
> 
> It actually works, but you may notice, that i'm using "root" here.
> 
> I've tried to use _rspamd user, but for some reason it drops an error
> 
> rspamd[90054]: <9ef568>; lua; pyzor.lua:134: error parsing response: ERROR
> [Errno 13] Permission denied: '/root/.pyzor'.\\0a
> 
> Can somebody explain to me, what is happening here? Why does the socket, run as
> _rspamd, try to access root's home instead of _rspamd's home?

I don't know what this pyzor is so I became curious and took a look...
Their docs say clearly that the default homedir is ~/.pyzor
So if your instance of pyzor tries to access /root/.pyzor then it is a
strong indication that you are running pyzor as root, no?

To debug this I would suggest starting pyzor manually as the user you
want it to run as (see su(1)).
It's been ages since I used inetd, that's why I can't help with that.
But are you sure that you need it for pyzor?!?!?!?



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-11 Thread Michael Hekeler
On 11.04.22 15:05 latin...@vcn.bc.ca wrote:
> > On 07.04.22 21:04 latin...@vcn.bc.ca wrote:
> >> Hello
> >>
> >> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> >> server working correctly; thanks OpenBSD Team.
> >>
> >> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> >> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> >> with virtual users + Dkimsign?
> >>
> >> Please tell me what i might read.
> >
> > I don't know exactly what you want to do.
> > I think you ask if you can replace dovecot with smtpd
> >
> > The answer is: smtpd is MTA (=Mail Transport Agent)
> > while dovecot is MDA (=Mail Delivery Agent), dovecot-lda
> >
> > Also:
> > If you want your users accessing your mailserver via IMAP then you need
> > an imap server and that's what dovecot is.
> >
> > They have different purposes but if you don't need any of dovecot's
> > functions here then you can remove it. It's not required to send and
> > receive emails.
> >
> 
> Thanks to answer:
> 
> Yes, i understand the difference between MTA and MDA. But i remember
> Sendmail, at that moment it was in the base system; receiving similar
> attention as the rest of the system.
> 
> Dovecot is not covered, it is not part of the base system; and i personally
> have had really bad experience with software that is not considered as
> part of the base system. As a result, i use only the base system! If it is
> possible.
> 
> In this case, i supposed that using a virtual-users file could work.
> 
> Thanks for your time Michael Hekeler
> 

Your 500 users need a way to read their emails.

If these 500 users are real users on the system (-> useradd(8)) then
they are able to read directly from the filesystem and smtpd is enough.

But if they are virtual users only on the mailserver then you need a
POP or IMAP server in addition to your smtpd server.
AFAIK this kind of software is not in base. But if you don't like
dovecot you can use any of the alternatives.



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-11 Thread Michael Hekeler
On 07.04.22 21:04 latin...@vcn.bc.ca wrote:
> Hello
> 
> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> server working correctly; thanks OpenBSD Team.
> 
> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> with virtual users + Dkimsign?
> 
> Please tell me what i might read.

I don't know exactly what you want to do.
I think you ask if you can replace dovecot with smtpd

The answer is: smtpd is MTA (=Mail Transport Agent)
while dovecot is MDA (=Mail Delivery Agent), dovecot-lda

Also:
If you want your users accessing your mailserver via IMAP then you need
an imap server and that's what dovecot is.

They have different purposes but if you don't need any of dovecot's
functions here then you can remove it. It's not required to send and
receive emails.



Re: Internal Logging?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:22 Eric Thomas wrote:
> I'd like to understand more about how OpenBSD logs internal events such as:
> 
> - pkg_add/delete events
> - user logins
> - X session start/stops
> etc.
> 
> Is there "one big log" where all of these types of events are stored?
> Or are they logged in specific directories depending on log type?

Such things are to be configured in `/etc/syslog.conf`.
Please see `man syslogd` and `man syslog.conf`




Re: How to track system changes?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:32 Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
>

For many years I have used rcs(1) for that on hosts I have to admin. 
In OpenBSD this fine tool is in base...



Re: OpenBSD as primary OS

2022-04-03 Thread Michael Hekeler
On 11.09.16 12:45 jean-francois wrote:
> Hi,
> 
> 
> I'm moving to OpenBSD for primary use, I'll have to keep a Windows OS for
> some specific purposes also.
> 
> Just thanks for the development of OpenBSD, it's very easy to use since
> logical and well documented, I've been enjoying it for the past years for
> what it deserved to do.
> 
> Also looked at the softraid development, just few words to thank the
> development of the OS and softwares.

GitHub doesn't force you to use Windows. GitHub offers just a hosted
version control using git(1).
You don't even have to register an account at GitHub if you want to use
git.
If you like to use git for version control then you can install it
with `pkg_add git` on openbsd and if you like to have a colorful and
clickable frontend then you are not forced to use this Windows app from
GitHub's homepage - there are many of them available for different
platforms.



Re: openbsd, softraid recovery (I have password)

2022-04-03 Thread Michael Hekeler
On 02.04.22 18:56 harold wrote:
> Hello,
> 
> Today I take a little breath to try to get some help about a little problem
> I have had for weeks.
> I lost data due to misunderstanding of formatting rdsc1 softraid partition
> on openbsd.
> 
> I tell you my little story in  the attached document, because I lost data
> and would really like to recover it..
>
> could you help me please?

From my experience with this list I am sure you can get help on such a
topic if you respect https://www.openbsd.org/mail.html



Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread Michael Hekeler
On 16.03.22 03:09 i...@tutanota.com wrote:
> >> I was thinking that since Go by default doesn't run a webserver on
> >> port 80 or 443
> 
> > What does it even mean. Go is a programming language. If you want to
> > build and run a webserver with it and have it listen on whatever port
> > you want, you can. Go doesn't have any opinion as to what ports you
> > should or shouldn't use. And the default ports for an http/https
> > server ARE 80 and 443.
> 
> What I meant was that you cannot code the webserver to run on port 80
> or 443 unless it runs as root (for obvious reasons). What I wanted to
> avoid is a change in privileges, as in starting it as root and then
> change to www. The easy way it seems to be to just run on something
> like port  and then use PF to redirect.
> 
> >> I can run it like this: [...]
> >> But that wouldn't keep it running after a reboot.
> 
> > There you go:
> > https://man.openbsd.org/afterboot.8#System_command_scripts
> 
> Is there something to restart it if it crashes?

Just a one-liner can do this: check if it's running. If not, restart.

But why would it crash??? Most likely because something was going wrong?
So do you really want your system to restart something that is going to be
wrong?

I must admit I have NO full 30 years experience of sysadmin stuff (like
you posted in another thread) but I would prefer to fix the problem and
restart it manually only when it's fixed.
...the other way sounds a little bit like systemd(1) to me ;-)



Re: Please put vi in base

2022-03-15 Thread Michael Hekeler
On 13.03.22 03:38 i...@tutanota.com wrote:
> (...)
> In my 30 years of doing sysadmin work, I have never - not even once - come 
> across a
> situation where a normal editor like vi or nano or something equally simple 
> didn't
> exist on the install media.

Maybe I am wrong, but I am thinking you like to use Linux based OS's
because you expect something like nano on install media.
If so, why don't you simply boot from one of those countless linux live CDs?

You could even end up editing your files with a mouse-mandatory fancy KDE
whatever editor...

Besides that I want to thank the devs for including ed(1).
It was more than once a lifesaver to me in MY years of doing sysadmin
work. 
...and I can remember at least one time exactly the same situation
with a broken fstab(5) ;-)



Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

2021-12-23 Thread Michael Hekeler
On 23.12.21 00:51 Leo Unglaub wrote:
> Hey friends,
> 
> i have an OpenBSD 7.0 server with all syspatches applied. On that server i
> have setup httpd and PHP 7.4 running via PHP-FPM. I followed the readme
> provided by the package and everything seems to be fine.
> 
> There is only one issue when i try to establish a secure connection from PHP
> to another server. (sending an email in this case via SMTP). I get the
> following error:
> 
> > PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 
> > 1. OpenSSL Error messages:
> > error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed

My first guess is that the chain is not correct and so the server's
certificate cannot be validated.

If you are sure that your PHP script connects to the right host then you
can temporarily remove validation just to see if this will work. If so
you should enable validation again and examine the chain on your
mailserver.


> (...)
> But PHP is still unable to connect to that server. I ssh'ed into that server
> and did the openssl s_client manually. Just to verify that everything works
> as expected and it does:
> 
> > openssl s_client -tls1_2 -connect mail.foobar.com:587
> > openssl s_client -tls1_3 -connect mail.foobar.com:587 (both 1.2 and 1.3 
> > work)

Use showcerts to see what is actually received:
  openssl s_client -showcerts -connect mail.foobar.com:587



Re: opensmtpd remove messages from/to specified mailbox?

2021-12-23 Thread Michael Hekeler
Whatever you do to filter out the id I suggest NOT removing the
messages directly from what you've called "dark magic".

I think a better approach would be to echo out the command and then, if
you are happy with it, copy & paste...

Another suggestion is to reduce the spawning of subshells in the
pipeline and let awk(1) do the filtering:

doas mailq | awk -F\| /administrator/'{printf "smtpctl remove %s\n",$1}'
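The review-then-apply workflow above, as an added example that is not code from the original post: queue lines are turned into `smtpctl remove` commands that are printed for review and only executed when explicitly asked. The queue sample below is constructed and only shaped like mailq(8) output (envelope id in field 1, addresses further right); it is not real queue data.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Turn mailq(8)-style queue lines into "smtpctl remove <id>" commands and
# print them for review; nothing is executed unless "apply" is passed.

# Constructed sample. Only its shape matters: '|'-separated fields with the
# envelope id in field 1 and sender/recipient further right. Not real data.
SAMPLE_QUEUE='3b2e1a0f9c8d7e6f|inet4|pending|alice@example.net|administrator@example.org|example.org|3|
7a6b5c4d3e2f1a0b|inet4|pending|bob@example.net|carol@example.org|example.org|0|
5d4c3b2a19080706|inet4|pending|administrator@example.org|dave@example.com|example.com|1|'

# Read queue lines on stdin, emit one removal command per line containing
# the pattern. index() is a fixed-string match, so dots in an address are
# not regex wildcards (unlike the /administrator/ regex in the one-liner).
queue_remove_cmds() {
    awk -F'|' -v pat="$1" '
        NF >= 2 && index($0, pat) { printf "smtpctl remove %s\n", $1 }
    '
}

# Number of matching entries; a pattern that matches the whole queue is
# probably too broad and worth a second look before applying.
queue_match_count() {
    queue_remove_cmds "$1" | wc -l | tr -d ' '
}

# apply_queue_removals PATTERN [apply]
# Without "apply" the commands are only printed. With "apply" they are piped
# into sh; run the whole pipeline via doas(1) in that case, e.g.
#   doas mailq | apply_queue_removals administrator apply
apply_queue_removals() {
    pattern=$1
    mode=${2:-review}
    cmds=$(queue_remove_cmds "$pattern")
    if [ -z "$cmds" ]; then
        echo "no queue entries match '$pattern'" >&2
        return 1
    fi
    if [ "$mode" = apply ]; then
        printf '%s\n' "$cmds" | sh
    else
        printf '%s\n' "$cmds"
    fi
}

# Review run against the constructed sample: prints two removal commands.
printf '%s\n' "$SAMPLE_QUEUE" | apply_queue_removals administrator
```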



Re: route one port via a specific host (both directions)

2021-12-10 Thread Michael Hekeler
On 10.12.21 08:49 Claus Assmann wrote:
> I am trying to run an SMTP server on a dynamic IP address

Running an SMTP server on a dynamic IP is just asking for trouble.



Re: Running redmine on OpenBSD

2021-12-06 Thread Michael Hekeler
> (...)
> I run the redmine app as a normal user so puma can't read the 
> /etc/ssl/private/redmine.MY.DOMAIN.COM.key (default perm 400).

Does your environment require keys in /etc/ssl/private? Maybe some
corporate policies or such...
If not you can simply configure acme-client(1) to place cert and key into
locations where the puma user can access them.


> (...)
> If I change perm /etc/ssl/private/redmine.MY.DOMAIN.COM.key to 555 website 
> loads on FF correctly (no errors on puma) but I still got an error on curl:
> (...)
> If I have ssl key permission set to 555 I also got an error from acme client:

I wouldn't change permissions of files/directories in base
(see security(8), mtree(8), ...)



Re: django-ldap-auth authentication lasts several minutes on OpenBSD

2021-12-06 Thread Michael Hekeler
> The only machine using another DNS server from my router is the Linux Mint 
> development machine
> which holds the copy of my code and also runs django development
> server on 127.0.0.1:8080 and from where everything works without delays.
   ^^^
Then remove the entry from /etc/hosts and clear dns cache.
Then try again on development machine and if you encounter same delays
then you have found the culprit...



Re: Support

2021-11-11 Thread Michael Hekeler
On 10.11.21 03:57 Brian O'Loughlin wrote:
> Hi
> 
> Further to my support request in September, (...)

You are referring to an email x weeks ago?
I think you will get more helpful answers if you continue your old thread.



Re: Running redmine on OpenBSD

2021-11-10 Thread Michael Hekeler
On 09.11.21 17:56 Radek wrote:
> Hi @misc,
> Does anyone successfully run redmine[1] on OpenBSD?
> I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've 
> never done it before so any advice and hints would be appreciated.

The best way is to begin with your setup and then, when you encounter
problems, ask your questions giving details of what you have done,
what you expect, what is not working and so on.


> There isn't much up to date info in google about it[2][3].

Just begin to set up httpd (it's already in base) and see the manpages.
Don't try to find tutorials on google - most of them are outdated or
describe things that don't fit your own environment.

Next step is to install postgresql. It's in packages, so you can do it
with `pkg_add postgresql`. Here again read the manpage and pkg-readme.


> 
> 1. https://www.redmine.org/
> 2. https://www.redmine.org/boards/2/topics/496
> 3. 
> https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229
> 
> Thank you!
> -- 
> Radek
> 



Re: httpd.conf Dokuwiki

2021-11-07 Thread Michael Hekeler
On 07.11.21 05:58 latin...@vcn.bc.ca wrote:
> Hello List:
> 
> Could somebody please tell me what is wrong in my httpd.conf?
> historia is a ln -s to dokuwiki.
> 
> (...)

Since you didn't say what's not working as you expected, we can only
guess...
I can say that most of the problems I see when people have problems 
setting up httpd(8) are more or less related to the chroot.
To debug these kinds of problems you can set the chroot(2) directory in
httpd.conf temporarily to / and see if it works as expected. Then
you will know that a misunderstanding of chroot is the problem.
Then you can reset chroot in httpd.conf and modify your setup so that it
will work.

But you should make sure that your httpd is not accessible from the internet
while you tinker with your httpd.conf. 

As a shot in the dark I would guess that your symlink points to a
directory that is not inside the chroot, maybe something like 
kb -> /home/user/dokuwiki


Here is mine:

server "xxx" {
  listen on lo port $httpd_port

  # Set max upload size to 513M (in bytes)
  connection max request body 537919488

  # deny access to the specified files
  location "/wiki/bin/*" { block }
  location "/wiki/conf/*" { block }
  location "/wiki/data/*" { block }
  location "/wiki/inc/*" { block }
  location "/wiki/*/.ht*" { block }
  location "/wiki/README" { block }
  location "/wiki/VERSION" { block }
  location "/wiki/COPYING" { block }

  location "/" {
 block return 301 "/wiki/doku.php"
  }
  location "*.php" {
fastcgi socket "/run/php-fpm.sock"
  }
}



Re: send help ( chroot php fpm refuse to exec/popen/procopen... on 7.0 )

2021-10-26 Thread Michael Hekeler
On 26.10.21 09:18 Sven F. wrote:
> }{ello,
> 
> I updated a device and use php fpm on openbsd 7.0
> everything works fine after putting a resolv file in the chroot
> but i can't send email from the chroot
> 
> I hope I didn't see something obvious.
> 
> to troubleshoot i drop the ksh inside the chroot
> 
> /var/www/usr/sbin/ksh:
> (...)

I am not entirely sure what to answer here because I don't know what
your question is, but maybe it helps to copy /bin/sh to ${CHROOT}/bin/sh



Re: traceroute losses

2021-10-21 Thread Michael Hekeler
On 13.10.21 09:58 Peter J. Philipp wrote:
> On Wed, Oct 13, 2021 at 08:02:35AM +0200, Michael Hekeler wrote:
> > Hello list,
> > 
> > I have a question regarding network/routing. Although it is not directly
> > openbsd related (I can see the same even on windows machines) I decided
> > to ask here because I know that there are many experienced admins here
> > and there is a wealth of expertise on such things on this list.
> > 
> > On my site there are about 10 clients which connect to an internet
> > database host.
> > From time to time the connection gets lost and sometimes the clients
> > reconnect after a while but sometimes the database app breaks.
> > 
> > When doing network diagnostics with mtr(8) which combines the
> > functionality of traceroute(8) and ping(8) it shows the packets hopping
> > through 8 to 9 hosts to reach the destination.
> > When running this tool for a few hours it shows that two hosts in this
> > route produce packet loss (~20%).
> > 
> > My Question:
> > is there anything I can do about that by myself or is the only option to
> > contact the admin of these hosts and hope that they are willing to fix
> > whatever problem there is?
> 
> If you have 9 hops and the packet loss is on hop 4 and 5 but does not carry
> over to the destination you can ignore it.  If it carries over to the
> destination ie. hops 6, 7, 8 and 9, then you should look further at reaching
> out.
> 
> The reason is as follows:  some routers pass packets through their ASICs for
> forwarding and it doesn't touch their processor at all, it's like offloading
> the entire packet forwarding process.  Yet when you talk to the IP of the
> router directly, which is what ping does, then the processor in the router
> processes the packet and this may cause packet loss because usually they don't
> have a fast cpu here.  And ICMP doesn't have much priority in this case 
> either.
> 
> Best regards,
> -peter
> 

That's very interesting. Thank you so much.
According to the DB hosting provider, the loss shown in traceroute's output on
hops 4 and 5 of 9 would be reliable proof that the connection is the
culprit.
Now I understand that this conclusion is not automatically true.
Hops 6, 7, 8 and 9 showed no more than 1% loss.
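
An added example, not part of the thread: the rule Peter describes (ignore loss that disappears downstream, act on loss that the final hop also shows) applied mechanically to an `mtr --report` run. The two reports are constructed to resemble the situation above (about 20% at hops 4 and 5, about 1% at the destination) and its opposite; host names and addresses are made up.

```shell
#!/bin/sh
# Sort per-hop loss in an `mtr --report` (-r) run into loss that reaches the
# destination and loss that is only visible at one intermediate hop.
# Usage: classify_mtr_loss [threshold-percent] < report.txt
# Output, one line per hop above the threshold:
#   <hop> <host> <loss>% local        loss vanishes downstream: the router is
#                                     deprioritising its own ICMP replies
#   <hop> <host> <loss>% end-to-end   the last hop shows similar loss: real
#                                     path loss, worth reporting
classify_mtr_loss() {
    awk -v thr="${1:-5}" '
        # hop lines look like:  4.|-- 203.0.113.5   20.0%   100   12.0 ...
        # unresponsive hops show "???" as host and 100% loss and are treated
        # like any other hop (local unless the destination shows loss too)
        $1 ~ /^[0-9]+\./ && index($1, "|--") {
            n++
            hop[n] = $1;  sub(/\..*$/, "", hop[n])
            host[n] = $2
            loss[n] = $3; sub(/%$/, "", loss[n])
        }
        END {
            if (n == 0) exit 1
            final = loss[n] + 0
            for (i = 1; i <= n; i++) {
                l = loss[i] + 0
                if (l <= thr) continue
                # allow a couple of percent of sampling noise
                kind = (i == n || final >= l - 2) ? "end-to-end" : "local"
                printf "%s %s %s%% %s\n", hop[i], host[i], loss[i], kind
            }
        }'
}

# Constructed report modelled on the thread: ~20% loss on hops 4 and 5,
# ~1% at the destination.
sample_report_local_loss() {
    cat <<'EOF'
HOST: client.example.net          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.5   0.6   0.4   1.2   0.1
  2.|-- 198.51.100.1               0.0%   100    4.1   4.3   3.9   6.0   0.3
  3.|-- 198.51.100.9               0.0%   100    8.2   8.5   7.9  12.1   0.6
  4.|-- 203.0.113.5               20.0%   100   12.0  12.4  11.5  18.0   1.1
  5.|-- 203.0.113.9               19.0%   100   13.1  13.6  12.7  19.2   1.2
  6.|-- 203.0.113.17               1.0%   100   15.2  15.5  14.9  20.1   0.8
  7.|-- 203.0.113.33               0.0%   100   18.0  18.3  17.6  22.4   0.9
  8.|-- 203.0.113.65               0.0%   100   20.1  20.5  19.9  25.0   1.0
  9.|-- db.example.net             1.0%   100   22.3  22.7  21.8  27.1   1.1
EOF
}

# Constructed counter-example: the loss at hop 4 is carried all the way.
sample_report_path_loss() {
    cat <<'EOF'
HOST: client.example.net          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.5   0.6   0.4   1.2   0.1
  2.|-- 198.51.100.1               0.0%   100    4.1   4.3   3.9   6.0   0.3
  3.|-- 198.51.100.9               0.0%   100    8.2   8.5   7.9  12.1   0.6
  4.|-- 203.0.113.5               20.0%   100   12.0  12.4  11.5  18.0   1.1
  5.|-- 203.0.113.9               21.0%   100   13.1  13.6  12.7  19.2   1.2
  6.|-- db.example.net            19.0%   100   22.3  22.7  21.8  27.1   1.1
EOF
}

# Stand-alone run on both constructed reports.
sample_report_local_loss | classify_mtr_loss 5
sample_report_path_loss | classify_mtr_loss 5
```

Run it on a real capture with `mtr -rwc 200 db.example.net > report.txt; classify_mtr_loss 5 < report.txt`. Only "end-to-end" lines are worth sending to the provider; a hop that reports "local" is rate-limiting its own replies and tells you nothing about traffic it forwards.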



traceroute losses

2021-10-13 Thread Michael Hekeler
Hello list,

I have a question regarding network/routing. Although it is not directly
OpenBSD related (I can see the same even on Windows machines), I decided
to ask here because I know that there are many experienced admins here
and there is a wealth of expertise on such things on this list.

On my site there are about 10 clients which connect to an internet
database host.
From time to time the connection gets lost; sometimes the clients
reconnect after a while but sometimes the database app breaks.

When doing network diagnostics with mtr(8), which combines the
functionality of traceroute(8) and ping(8), it shows the packets hopping
through 8 to 9 hosts to reach the destination.
When running this tool for a few hours it shows that two hosts in this
route produce packet loss (~20%).

My Question:
is there anything I can do about that by myself or is only option to
contact the admin of these hosts and hope that they are willing to fix
whatever problem there is?



Re: sed(1) and line number 0

2021-08-13 Thread Michael Hekeler
On 13.08.21 23:19 Philippe Meunier wrote:
> Hello,
> 
> While porting a shell script from Linux to OpenBSD I came across the
> following:
> 
> $ uname -a
> Linux foo.there.org 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 
> UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> $ cat > foo
> test
> hello
> world
> $ sed '0,1d' < foo
> sed: -e expression #1, char 4: invalid usage of line address 0
> $ sed '0,/^hello$/d' < foo
> world
> $ sed '1,/^hello$/d' < foo
> world
> $ sed '0,/^test$/d' < foo
> hello
> world
> $ sed '1,/^test$/d' < foo
> $
> 
> which makes sense since, according to 
> https://www.gnu.org/software/sed/manual/html_node/Addresses.html:
> 
> [...]
> 0,/regexp/
> A line number of 0 can be used in an address specification like 0,/regexp/
> so that sed will try to match regexp in the first input line too. In other
> words, 0,/regexp/ is similar to 1,/regexp/, except that if addr2 matches
> the very first line of input the 0,/regexp/ form will consider it to end
> the range, whereas the 1,/regexp/ form will match the beginning of its
> range and hence make the range span up to the second occurrence of the
> regular expression.
> Note that this is the only place where the 0 address makes sense; there is
> no 0-th line and commands which are given the 0 address in any other way
> will give an error.
> [...]
> 
> Now:
> 
> $ uname -a
> OpenBSD bar.here.org 6.8 GENERIC#0 i386
> $ cat > foo
> test
> hello
> world
> $ sed '0,1d' < foo
> test
> hello
> world
> $ sed '0,/^hello$/d' < foo
> test
> hello
> world
> $ sed '1,/^hello$/d' < foo
> world
> $ sed '0,/^test$/d' < foo
> test
> hello
> world
> $ sed '1,/^test$/d' < foo
> $
> 
> So:
> 
> 1) I'm surprised that '0,1d' and '0,/^hello$/d' and '0,/^test$/d' don't give
> an error.  Looking at the results, I'm not sure what they do, if anything.
> 
> 2) Out of curiosity, is there an OpenBSD equivalent to GNU's '0,/^test$/d' ?

Your first address is 0?
What do you expect from a line number 0?

You can do:
sed '/^test$/d' OR 
sed 1d OR 
grep -v 'test' OR
...



> 
> Thanks,
> 
> Philippe
> 
> 

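
An added example, not part of the thread, for Philippe's second question: a portable equivalent of GNU sed's `0,/re/d` that works with OpenBSD's sed and awk. The three-line input from the transcript is constructed inline so the functions can be tried as they stand.

```shell
#!/bin/sh
# Portable stand-in for GNU sed's '0,/re/d': drop everything up to and
# including the FIRST line that matches re, even when that is line 1.
# '1,/re/d' cannot express this: a range that opens on line 1 looks for its
# closing match only from line 2 on, so when line 1 itself matches the range
# runs to the next match (or to EOF, deleting everything), exactly as the
# OpenBSD transcript above shows.

# awk version: re is an extended regular expression.
delete_through_first_match() {
    awk -v re="$1" '
        seen        { print; next }   # everything after the first match
        $0 ~ re     { seen = 1 }      # the match itself is swallowed
    '
}

# sed version for both OpenBSD and GNU sed: print from the first match to
# the end, then drop the first of those lines (the match).  re is a basic
# regular expression here and must not contain an unescaped "/".
delete_through_first_match_sed() {
    sed -n -e "/$1/,\$p" | sed -e '1d'
}

# The input from the thread, constructed inline so this runs stand-alone.
sample_input() {
    printf '%s\n' test hello world
}

# Stand-alone run: both variants give "hello" and "world" for '^test$'.
sample_input | delete_through_first_match '^test$'
sample_input | delete_through_first_match_sed '^test$'
```

When no line matches, both variants print nothing, which is also what GNU `0,/re/d` does (the open range extends to end of file).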


Re: smtpd only Mail Server

2021-08-12 Thread Michael Hekeler
On 10.08.21 13:29 latin...@vcn.bc.ca wrote:
> > On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
> >> > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> >> > > > - smtpd had its first commit in 2008 and back then was far from
> >> > > >   production ready: So are you using base smtpd, or sendmail, or
> >> > > >   something else?
> >> > >
> >> > > Yes, in 2000 it was sendmail, nginx, apache, smtpd if I remember
> >> correctly;
> >> > > but my question is:
> >> > >
> >> > > "Could someone please point me to specific openbsd place to look for
> >> > > it?"
> >> >
> >> > To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
> >> > there's a dkim example right there.
> >>
> >> Jay in this case it looks out of context, because it is a question after
> >> the explanation! Look for understandable (my level) information related
> >> to
> >> dkim, dmarc, and spf! My field is agriculture!
> >>
> >> >
> >> > > > - I assume it's related to outbound mail, but even that is not
> >> > > >   completely clear to me.
> >> > >
> >> > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10
> >> at
> >> > > this page: https://www.mail-tester.com/ and yes, i can receive
> >> mail, but
> >> > > mine is considered spam!
> >> >
> >> > The fact that an arbitrary third-party "tester" site gives you this score
> >> > or another can mean a lot of things. Nobody has seen your DNS or a
> >> > single line of your config yet, so it's hard to help you really.
> >> >
> >>
> >> Well, i never said that it is the last word! I am asking for clear
> >> information for dkim, dmarc, spf, and now dkimproxy and anything related
> >> to send mail correctly; where correctly means "NO qualify my mail as
> >> spam"
> >>
> >> > > > - Did you just put a dkim txt record in DNS without any additional
> >> > > >   configuration on your mailserver?
> >> > >
> >> > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at
> >> the
> >> > > same
> >> > > web page, not a problem; 2. vultr managed by their dns app, here i
> >> am
> >> > > not
> >> > > able to make it work correctly. What should be the additional
> >> > > configuration on the mail server please?
> >> >
> >> > What mail server?
> >> > What "additional" configuration?
> >>
> >> This server:
> >> > > > - Did you just put a dkim txt record in DNS without any additional
> >> > > >   configuration on your mailserver?
> >>
> >> >
> >> > If you want help with a mail config,
> >> > you need to show your mail config.
> >> >
> >>
> >> No problem:
> >> I am used to using only the base system.
> >>
> >> #       $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles
> >> Exp $
> >>
> >> # This is the smtpd server system-wide configuration file.
> >> # See smtpd.conf(5) for more information.
> >>
> >> table aliases file:/etc/mail/aliases
> >>
> >> listen on socket
> >>
> >> # To accept external mail, replace with: listen on all
> >> #
> >> listen on all filter "dkimsign"
> >>
> >> action "local_mail" mbox alias 
> >> action "outbound" relay
> >>
> >> # Uncomment the following to accept external mail for domain
> >> "example.org"
> >> #
> >> # match from any for domain "example.org" action "local_mail"
> >> match from any for domain "agroena.org" action "local_mail"
> >> match from local for local action "local_mail"
> >> match from local for any action "outbound"
> >>
> >> # dkim
> >> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> >> /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
> >>
> >>
> > So assuming that you actually installed opensmtpd-filter-dkimsign and
> > everything starts okay, you haven't put the public key in the DNS like
> > you claimed in your original e-mail.
> > $ dig +short txt s1._domainkey.agroena.org
> > $
> >
> 
> I am not sure if it is a problem, but the selector is: mail.
> 
> $ dig +short txt mail._domainkey.agroena.org
> "k=rsa; t=s; h=sha256;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOGOPbZVPidt2KCGqb38+OOD/cIZZnkpMY67oUPAfjVzP7vjJnxeTUOYtuQPTYv3whE6dwRSDwdw96DELKTjbaJ8DMEDFxbeqZxFl4EivuxuIwRSJVZQ36ed+TnfrPxLQowcno3kIh9je3t2VQ7GfD4WJfPD2GzfVljcTmJP3gNQIDAQAB"
> 
> 
First you should match the selector name.
Either by telling the filter to use the key in selector "mail"
or by changing the selector name in DNS to "s1".
Then you can debug further (e.g. your public key in DNS should match
/etc/mail/dkim/private.key).
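
An added example, not part of the thread or of opensmtpd-filter-dkimsign: shell checks for the two mismatches named above. The filter line and the TXT record are the ones quoted in the thread; the split of the record into two quoted strings (as dig prints long records) and the PEM public key, which is what `openssl rsa -in /etc/mail/dkim/private.key -pubout` would print for the matching key, are constructed here from the same base64.

```shell
#!/bin/sh
# DKIM sanity checks for an opensmtpd-filter-dkimsign setup.
# Inputs: the filter line from smtpd.conf, the TXT record as
# `dig +short txt <name>` prints it, and the public key in PEM form.

# Value of one option (-s or -d) on the filter-dkimsign command line.
dkim_filter_opt() {                      # dkim_filter_opt -s "$filter_line"
    printf '%s\n' "$2" |
        awk -v opt="$1" '{ for (i = 1; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# DNS name a verifier will query for this filter's signatures:
# <selector>._domainkey.<domain>
dkim_dns_name_from_filter() {
    printf '%s._domainkey.%s\n' "$(dkim_filter_opt -s "$1")" "$(dkim_filter_opt -d "$1")"
}

# One tag value from a DKIM key record (tag=value list separated by ';',
# RFC 6376).  dig prints long records as several quoted strings; the quotes
# and the whitespace between them are not part of the record, so they are
# stripped before splitting.
dkim_txt_tag() {                         # dkim_txt_tag p "$txt_record"
    printf '%s' "$2" | tr -d '" \t' | tr ';' '\n' |
        awk -v tag="$1" 'index($0, tag "=") == 1 { print substr($0, length(tag) + 2); exit }'
}

# SubjectPublicKeyInfo base64 from a PEM public key: drop the armour lines
# and join the rest.  That string is exactly what belongs in the p= tag.
pem_spki_b64() {                         # reads PEM on stdin
    sed -e '/^-----/d' | tr -d '\n'
}

# Exit 0 if the record's p= equals the PEM public key, 1 otherwise.
dkim_record_matches_pem() {              # dkim_record_matches_pem "$txt" < pubkey.pem
    [ "$(dkim_txt_tag p "$1")" = "$(pem_spki_b64)" ]
}

# ---- sample data from the thread (split points constructed) ------------
FILTER_LINE='filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k /etc/mail/dkim/private.key" user _dkimsign group _dkimsign'

sample_txt() {
    printf '%s %s\n' \
      '"k=rsa; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOGOPbZVPidt2KCGqb38+OOD/cIZZnkpMY67oUPAfjVzP7vjJnxeTUOYtu"' \
      '"QPTYv3whE6dwRSDwdw96DELKTjbaJ8DMEDFxbeqZxFl4EivuxuIwRSJVZQ36ed+TnfrPxLQowcno3kIh9je3t2VQ7GfD4WJfPD2GzfVljcTmJP3gNQIDAQAB"'
}

# What `openssl rsa -pubout` prints for the key behind that record
# (constructed here by wrapping the same base64 at 64 columns).
sample_pem() {
    cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOGOPbZVPidt2KCGqb38+OOD/c
IZZnkpMY67oUPAfjVzP7vjJnxeTUOYtuQPTYv3whE6dwRSDwdw96DELKTjbaJ8DM
EDFxbeqZxFl4EivuxuIwRSJVZQ36ed+TnfrPxLQowcno3kIh9je3t2VQ7GfD4WJf
PD2GzfVljcTmJP3gNQIDAQAB
-----END PUBLIC KEY-----
EOF
}

# Stand-alone run: the name the filter signs with, and whether the key
# in the record matches the PEM.
dkim_check_report() {
    printf 'filter signs with: %s\n' "$(dkim_dns_name_from_filter "$FILTER_LINE")"
    if sample_pem | dkim_record_matches_pem "$(sample_txt)"; then
        printf 'record p= matches public key: yes\n'
    else
        printf 'record p= matches public key: NO\n'
    fi
}
dkim_check_report
```

Against the thread's data the first line reports `s1._domainkey.agroena.org`, while the record actually published lives at `mail._domainkey.agroena.org`; that name mismatch alone makes every verifier fail before the key is even compared. On a real host replace `sample_txt` with `dig +short txt "$(dkim_dns_name_from_filter "$FILTER_LINE")"` and `sample_pem` with `openssl rsa -in /etc/mail/dkim/private.key -pubout`.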



Re: How to use macros in acme-client.conf?

2021-07-26 Thread Michael Hekeler
On 25.07.21 18:54 Wolf wrote:
> (...)
> api_url="https://acme-v02.api.letsencrypt.org/directory";
> authority letsencrypt {
>   api url $api_url
>   account key "/etc/acme/letsencrypt-privkey.pem"
> }

please check if you accidentally inserted some control characters when
copy-pasting the snippet from the manpage into test.conf.

To test, you can remove all whitespace before the word "api" and after
"$api_url".
 

> It fails with a syntax error:
> 
> $ ./acme-client -vvv -f ../test.conf
> api_url = "https://acme-v02.api.letsencrypt.org/directory";
> ../test.conf:3: syntax error

What is "-vvv"? 
Manpage on my 6.9-STABLE mentions "Specify twice..."


> It looks like the macro is loaded correctly, but the expansion fail. Are
> the macros just bugged? If not, could someone please advice me on what I
> am doing wrong?
>

macro expansion works on all of my systems.
So they are not "just bugged" ;-)



Re: CWM+Xterm+Tmux+Vim & Copy/Paste

2021-07-12 Thread Michael Hekeler
On 13.07.21 07:20 Michael Hekeler wrote:
> On 13.07.21 01:13 Samuel Banya wrote:
> > My recommendation, tweak your tmux setup, and use vim keybindings for 
> > copying and pasting with the proper config options:
> > - https://www.youtube.com/playlist?list=PL5BE1545D8486D66D
> > 
> > On Mon, Jul 12, 2021, at 9:12 PM, David Anthony wrote:
> > > Hello,
> > > 
> > > Does anyone using the combination of CWM+Xterm+Tmux+Vim have any advice
> > > for dealing with Copy/Paste? To/From Browser?
> 
> you want to copy to/from the clipboard or to/from the primary selection?
> I am asking because the primary selection has always been working on all of
> my hosts out of the box.
> When in tmux you need to press Shift to set the selection.

Edit to make it clearer:
the selected text is in primary without the need of any explicit copy action.
See: https://tronche.com/gui/x/icccm/sec-2.html#s-2.6.1

If you enable the mouse protocol then you will notice that the selection made
with the mouse is NOT recognized.
So you have to press `shift` while doing things with the mouse to
override the mouse protocol:
https://man.openbsd.org/xterm#Mouse_Protocol



Re: CWM+Xterm+Tmux+Vim & Copy/Paste

2021-07-12 Thread Michael Hekeler
On 13.07.21 01:13 Samuel Banya wrote:
> My recommendation, tweak your tmux setup, and use vim keybindings for copying 
> and pasting with the proper config options:
> - https://www.youtube.com/playlist?list=PL5BE1545D8486D66D
> 
> On Mon, Jul 12, 2021, at 9:12 PM, David Anthony wrote:
> > Hello,
> > 
> > Does anyone using the combination of CWM+Xterm+Tmux+Vim have any advice
> > for dealing with Copy/Paste? To/From Browser?

you want to copy to/from the clipboard or to/from the primary selection?
I am asking because the primary selection has always been working on all of
my hosts out of the box.
When in tmux you need to press Shift to set the selection.



Re: An OpenBSD Consumer Gateway Launc

2021-06-17 Thread Michael Hekeler
On 11.06.21 16:15 fern.tje...@aiyja.com wrote:
> Hi,
> 
> I am Nan Mel, the marketing director of Aiyja and Etheria group of companies, 
> nice to meet you all. All of us in the company would like to say a big thank 
> you!
> 
> We have launched Ayos HCS, (...)


From the homepage:
"Ayos uses BSD as its base, so it is naturally hardened, but then we add
sprinkles on top to help harden it more."

Just out of curiosity: what are these sprinkles? 



Re: Color emojis

2021-06-17 Thread Michael Hekeler
On 17.06.21 09:06 Michael Hekeler wrote:
> On 17.06.21 00:28 Francisco Fuentes wrote:
> > (...)
> > I need to be able to see emojis across the system, 
> > (...)
> 
> Excuse me.
> But what are these color emojis that you "need to be able to see across
> the system"?
> 

Oh - ha ha...
A quick googling showed me the emoji. 

I was reading an article about monitoring some oracle stuff before and
so my mind was locked in thoughts of such... - Sorry for the noise!



Re: Color emojis

2021-06-17 Thread Michael Hekeler
On 17.06.21 00:28 Francisco Fuentes wrote:
> (...)
> I need to be able to see emojis across the system, 
> (...)

Excuse me.
But what are these color emojis that you "need to be able to see across
the system"?



Re: web server security

2021-06-10 Thread Michael Hekeler
On 10.06.21 01:16 Gustavo Rios wrote:
> Hi folks!
> 
> I am planning a web server using OpenBSD as the OS and using PHP. My
> question is: how to avoid any given user from implementing a PHP script that
> will read someone else's file, since everything will run as the web server user
> and group?

If your requirements really are to run everything as the same user
then it's not possible to forbid this user from reading files
created by someone else who has the same uid.
Same uid means "same person". This means your webserver expects person A
to be the owner of files created by person B.

If you want to separate ownership of files then you have to create
different users and restrict php from reading directories that it shouldn't.

Another piece of advice for 'web server security' is not to give untrusted
users shell access or any write access to your system, so you won't have to deal
with someone "implementing a script that will read someone else's files"... ;-)
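
An added example, not part of the thread: what the per-user separation suggested above looks like with OpenBSD's php-fpm and httpd. Each site gets its own php-fpm pool running as its own system user and its own socket, and each httpd server block is wired to exactly one socket. Site names, user names (_site_a, _site_b), socket names and directory layout are assumptions.

```conf
# ---- /etc/php-fpm.conf: one pool per site, one system user per pool ----
[global]
pid = /var/run/php-fpm.pid
error_log = /var/log/php-fpm.log

[site_a]
user = _site_a
group = _site_a
chroot = /var/www
chdir = /
listen = /var/www/run/php-fpm-site_a.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = static
pm.max_children = 2
; paths below are relative to the chroot
php_admin_value[open_basedir] = /htdocs/site_a:/tmp/site_a
php_admin_value[upload_tmp_dir] = /tmp/site_a

[site_b]
user = _site_b
group = _site_b
chroot = /var/www
chdir = /
listen = /var/www/run/php-fpm-site_b.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = static
pm.max_children = 2
php_admin_value[open_basedir] = /htdocs/site_b:/tmp/site_b
php_admin_value[upload_tmp_dir] = /tmp/site_b

# ---- /etc/httpd.conf: each server talks only to its own pool's socket ----
# (socket paths are relative to httpd's chroot, /var/www)
server "a.example.org" {
        listen on * port 80
        root "/htdocs/site_a"
        directory index index.php
        location "*.php" {
                fastcgi socket "/run/php-fpm-site_a.sock"
        }
}

server "b.example.org" {
        listen on * port 80
        root "/htdocs/site_b"
        directory index index.php
        location "*.php" {
                fastcgi socket "/run/php-fpm-site_b.sock"
        }
}
```

The boundary that actually holds is the uid split plus directory modes: create the users with `useradd -g =uid -L daemon -d /var/empty -s /sbin/nologin _site_a` (same for _site_b), then `chown -R _site_a:www /var/www/htdocs/site_a && chmod 750 /var/www/htdocs/site_a`, so httpd (user www) can still serve static files from the tree but the other pool's user cannot read it. open_basedir is only a convenience layer inside PHP and should not be relied on for isolation. Check both files with `php-fpm -t` and `httpd -n` before restarting.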



Re: OpenBSD 6.9 and PHP version

2021-05-18 Thread Michael Hekeler
On 17.05.21 18:20 Steve Williams wrote:
> Hi,
> 
> When I upgraded to OpenBSD 6.9 then did the pkg_add -u, I got php-php-7.4.18
> installed.
> 
> How do I know if it's "safe" to delete the old php-7.3.28 and all the
> associated modules?

You will have to check the manual (readmes, manpages, homepage, whatever)
provided by the webapp developers whether the thing runs on php-7.4.

And if PHP 7.4 is supported by ALL of your webapps then it is safe to
remove PHP 7.3.

If PHP 7.4 is supported by all BUT ONE then you should run multiple
instances of php-fpm and configure 7.4 for the supported ones and
serve 7.3 only for the unsupported webapp. 
Then you shouldn't remove php-7.3 ;-)



> 
> I know I'll have to migrate my ".ini" file changes to the new version for
> both php and php_fpm, but other than that, how do I figure out if anything
> is still calling 7.3?
> 
> I have a simple build, roundcubemail, piwigo, nextcloud and a few others.
> 
> Thanks,
> Steve W.
> 



Re: Enhancing Privacy in 2020 attached screenshot

2020-12-22 Thread Michael Hekeler
On 22.12.20 00:18, pipus wrote:
> (...)
> Interesting 28 public and private emails protecting Stuart and his parts  
> 2 really nice private emails on the product itself :)

Well, in fact the project did sound interesting to me in the beginning.

But reading this thread I must realize that you tried hard to create very bad
conditions for that project by stumbling through this list insulting
people and lecturing me in a top-down manner about what I have
supposedly been "waiting for ages" for, and such.

I am very happy that you are not in MY marketing team 
(and I mean *really* happy).

I can only speak for me, but the project you announced before is no
longer on my list (I don't know, but this project has had a negative
connotation since reading this thread).
Chapeau!



Re: No longer can change brightness

2020-10-14 Thread Michael Hekeler
On 13.10.20 13:07, james.lu...@keemail.me wrote:
> Hello,
> 
> The latest snapshots (maybe 1 week ago) have made wsconsctl(8) no longer 
> functional for changing display brightness on my MacBook Pro mid 2014.
> 
> The expected behavior would be `wsconsctl display.brightness=X` to change 
> the value to the desired percentage, but it always returns 
> `display.brightness -> 0.00%` while keeping the brightness at the highest 
> possible.

using xrandr(1)?
xrandr --output ... --brightness 1.0



Re: displayport - hdmi audio

2020-01-16 Thread Michael Hekeler


> 
> Hello there, I'm trying to connect my TV to a Thinkpad x220 via DisplayPort - 
> HDMI, but sound is only working on the notebook, not on the TV.
> I tried some tricks from the audio FAQ on the site but no result. The problem is I have 
> rather little knowledge of audio related stuff in OpenBSD, because audio just works 
> fine out of the box on my laptop itself.
> 
> # dmesg | grep audio
> audio0 at azalia0
> 
> #
> 
> # audioctl
> name=azalia0
> mode=
> pause=1
> active=0
> nblks=16
> blksz=480
> rate=48000
> encoding=s16le
> play.channels=2
> play.bytes=0
> play.errors=0
> record.channels=2
> record.bytes=0
> record.errors=0
> 
> ###
> # mixerctl
> inputs.dac-2:3_mute=off
> inputs.dac-2:3=189,189
> inputs.dac-0:1_mute=off
> inputs.dac-0:1=189,189
> inputs.beep=108
> record.adc-2:3_source=mic3
> record.adc-2:3_mute=off
> record.adc-2:3=126,126
> record.adc-0:1_source=sel
> record.adc-0:1_mute=off
> record.adc-0:1=126,126
> record.adc-4:5_source=sel
> record.adc-4:5_mute=off
> record.adc-4:5=126,126
> inputs.sel_source=mic
> outputs.sel=126,126
> inputs.sel2_source=mic
> outputs.sel2=126,126
> outputs.hp_source=dac-0:1
> outputs.hp_boost=off
> outputs.mic_dir=input-vr80
> outputs.mic2_source=dac-2:3
> outputs.mic2_dir=input-vr80
> outputs.mic2_eapd=on
> outputs.hp2_source=dac-0:1
> outputs.spkr_source=dac-2:3
> inputs.mic3=126,126
> inputs.mix_source=dac-2:3,dac-0:1
> inputs.mix_dac-2:3=126,126
> inputs.mix_dac-0:1=126,126
> outputs.hp_sense=unplugged
> outputs.mic_sense=unplugged
> outputs.mic2_sense=unplugged
> outputs.hp2_sense=unplugged
> outputs.spkr_muters=hp,mic2,hp2
> outputs.master=190,190
> outputs.master.mute=off
> outputs.master.slaves=dac-2:3,dac-0:1
> record.volume=126,126
> record.volume.mute=off
> record.volume.slaves=adc-2:3,adc-0:1,adc-4:5
> record.enable=sysctl
> 
> Will appreciate any tip
> Regards
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.

I would assume that your TV registers itself as a DVI device when you connect 
a notebook. 
But DVI does not carry audio.

...just a shot in the dark. 



Re: From nginx to openbsd httpd

2020-01-16 Thread Michael Hekeler
> 
> Hello,
> 
> I use poudriere pkg builder on FreeBSD and I use nginx to get poudriere web
> status interface.
> 
> I'm looking for a less complex httpd server and obhttpd seems to be right
> choice. I have installed obhttpd 
> port
> 
> nginx httpd.conf is:
> 
> server {
>   listen 80 default;
>   server_name server_domain_or_IP;
>   root /usr/local/share/poudriere/html;
> 
>   location /data {
>   alias /usr/local/poudriere/data/logs/bulk;
>   autoindex on;
>   }
> 
>   location /packages {
>   root /usr/local/poudriere/data;
>   autoindex on;
>   }
>   }
> }
> 
> obhttpd uses chroot, so I will have to point it to /usr/local/poudriere.
> 
> Any hints on getting this on openbsd httpd conf file?
> 
> Thanks,
> 
> Nuno

Teach poudriere to store logs to /var/www/usr/local/poudriere/data/logs/bulk



Re: What do you use to generate invoices on OpenBSD?

2019-12-22 Thread Michael Hekeler
On Sat, 21 Dec 2019 16:56:29 -0800
Lyndon Nerenberg wrote:

> tbl + troff -ms has always worked for me.
> 

Can you share a snippet of what you are doing?



Re: What do you use to generate invoices on OpenBSD?

2019-12-22 Thread Michael Hekeler
On Sat, 21 Dec 2019 23:57:07 +0000
Mikolaj Kucharski wrote:

> Hi,
> 
> Do you generate invoices on OpenBSD? What do you recommend? If you
> have experience in more than one app, why did you chose one over the
> other? If you use something open-source on other OS, let me know as
> well. If you use some own written app, for generating invoices, I'm
> also interested to hear, just to get an idea, which way people decide
> to go.
> 
> Please carbon-copy me in the replies, thanks!
> 

I created a pdf with company logo and use a perl script to inject the
numbers with PDF::Reuse
Very simple, but it fits for me.



Meaning of 'OpenBSD -stable binary packages'

2019-09-10 Thread Michael Hekeler
Hello all.

I am running 6.5-STABLE. 
This release shipped with PHP 7.1.28, so my webserver runs PHP 7.1.28. 

Today I wanted to install an additional PHP driver for PostgreSQL and I 
realized that there are only plugins for PHP versions 7.1.31 and 7.1.32 
(and 7.2.x + 7.3.x) available with pkg_add.

So my question is whether the newly announced binary updates for packages mean 
that the released versions are gone? 
Do I have to edit /etc/installurl to follow -stable without the updates 
for packages? 
Have I misunderstood the mail on the list about the binary updates...



Re: Getting screen to lock on suspend with Lenovo Thinkpad X1 Carbon

2019-09-09 Thread Michael Hekeler
On 03.09.19 21:09:11, Trey Sizemore wrote:
> (...)
> Thank you.  I should have said, I have the following:
> 
> bsd# cat /etc/apm/suspend
> #!/bin/sh
> pkill -USR1 xidle
> 
> and that file is executable.

Maybe xidle isn't running at the time you suspend your laptop?
Please check if there is a process with the name "xidle" which listens for
USR1 by typing this pkill command in a shell and see if it locks your
screen like you expect.



Re: Package -stable updates

2019-09-02 Thread Michael Hekeler
> http://cdn.openbsd.org/pub/OpenBSD/6.5/packages-stable/amd64/
> updated binary packages (with security fixes) for stable, as described here
> https://marc.info/?l=openbsd-announce&m=156577865917831&w=2


Uh oh - I am sorry :-(
I managed to break my .muttrc and so I overlooked the announcement of 
/packages-stable

Excuse me!



Re: obsd web server

2019-09-02 Thread Michael Hekeler
Hi Gustavo,

my own experience with this list is that you will receive very good
answers and tips from experienced people. 
...but only if you try to ask good questions ;-)

With "good questions" I mean for example writing about what you want to
do, what you have done by now, what is not working, giving filenames,
error messages, logfiles...

  - and of course asking a question ;-)
 
Because in your mail you have failed to tell what you have tried so far. 
You didn't tell us what you expect and what failed or what error message 
you receive. And - maybe I read wrong - there is no specific question in 
your mail.

If you fix the above, I am sure that someone will jump in and help






On Sun, Sep 01, 2019 at 08:49:45PM -0300, Gustavo Rios wrote:
> Hi folks,
> 
> I would like to configure my obsd server as a web server.
> 
> I would like to configure my web server to handle multiple domains
> without having to set each domain one by one.
> 
> I mean:
>   Every request for www.x.com is mapped into the root directory
> /var/web/www.x.com
> 
> Got the idea ? If a new server is required,  All i needed to do would
> create a directory inside /var/web with the full access string :
> 
> mkdir /var/web/www.newdomain.com
> 
> And i should not need to manipulate config files.
> 
> Thanks in advance
> 
> -- 
> Pag Bem Fácil Ltda
> www.pagbemfacil.com.br
> 

-- 
Best regards
Michael



Re: Package -stable updates

2019-09-02 Thread Michael Hekeler
In this thread I didn't understand what you update.

You said you run STABLE? So you update ports? ...or using m:tier?? ...? 
Can somebody please tell me what are those "-stable updates for 
packages"?





On Wed, Aug 28, 2019 at 07:59:59PM -0400, Steven Shockley wrote:
> So, many thanks to everyone who put together the new -stable updates for
> packages.  Is there a command I can put in the crontab that will only
> output if there are updates?  Similar to what syspatch or openup does.
> I tried pkg_add -unx, but that still tells me to delete old files and
> prints the quirks line even if there are no updates.
> 



Re: Virtual Web Server

2019-03-08 Thread Michael Hekeler
I would suggest analyzing the problems you have with wordpress on httpd.

Just a few thoughts (shot in the dark): 

"unable to post content" -> write permissions? 

"crop images" -> do you have all the php libraries 
installed that wordpress needs?
What is needed to crop images? gd? image-magick? check wordpress 
requirements.

A good start is to see httpd's error log.
Also see the output of phpinfo().

Installing Linux to host wordpress will not magically solve problems ;-)




On Fri, Mar 08, 2019 at 12:09:22PM +, daffodil...@protonmail.ch wrote:
> I installed OpenBSD on my home server with the intention of running 
> Wordpress and some other things (maybe a TOR relay, I don't know). 
> After installing, I used some online guides to get PHP and MySQL as 
> well as httpd (not apache) set up. But after setting up Wordpress, I 
> was getting some errors I was unable to debug (unable to post content, 
> unable to crop images, etc.)
> 
> Now I'm thinking instead to run Linux in a VM to host Wordpress but 
> keeping OpenBSD on the machine as the base operating system. What 
> settings do I need to alter in order to serve http and https from a 
> VM? And is this a normal kind of setup or should I work harder at just 
> debugging what is wrong with Wordpress on the OpenBSD setup?



Re: Puffy Security smtpd out of date

2019-03-08 Thread Michael Hekeler
Text at the bottom:
This site Copyright © 2015 Thomas Dwyer .

So maybe Thomas can do that?
...or better, look in the official documentation. 



> On 07.03.2019 at 13:17 Geir Svalland wrote:
> 
> Hello all.
> 
> Any chance to get the http://puffysecurity.com/wiki/opensmtpd.html updated ?
> 
> Actual description are out of date. Don't work anymore.
> 
> /Hasse
> 


Re: relayd smtp traffic

2018-10-27 Thread Michael Hekeler
On Fri, 19 Oct 2018 13:20:46 +0200
Markus Rosjat wrote:

> Hi all,
> 
> once again a silly question (but maybe someone is willing to answer) 
> about relayd. Is it possible to determine the domain of the
> recipient and depending on this redirect the traffic to a specific
> server behind the relayd machine? What I try to do is set up a test
> mailserver and just redirect mail traffic for a domain to this machine.
> 
> 
> regards
> 

Why not sending directly to the mailserver?
What is the job for relayd here? (Sorry I don't understand :-/)



Re: Deploy Django app - strategy?

2018-09-18 Thread Michael Hekeler
On Sun, 16 Sep 2018 16:27:32 -0400
Ken MacKenzie wrote:

> An example from one of my setups:
> 
> location /api/deploy/core {
> proxy_set_header Host $http_host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto
> $scheme; proxy_pass http://unix:/applications/deploy/core-api.sock:/;
> }

if you want to stay with base then you can do this with relayd (I
think - never did something with django).


> 
> This example is from a CentOS 7.4 box.
> 
> On Sun, Sep 16, 2018 at 2:43 PM Bogdan Kulbida 
> wrote:
> 
> > Hi Ken,
> >
> > Can you please be more specific on Nginx talking via sockets? Any
> > URLs on that topic will be appreciated. Thank you.
> >
> > On Sun, Sep 16, 2018 at 09:46 Ken M  wrote:
> >  
> >> On Sun, Sep 16, 2018 at 09:05:33AM +0300, ?? 
> >> wrote:  
> >> > I deploy my django app using uwsgi and venv in my home dir
> >> > uWSGi starts on its default port and httpd server uses this port
> >> > to handle my app requests. Everything just like in the official
> >> > manual  
> >> of  
> >> > uwsgi.
> >> >  
> >>
> >> Don't know if this is helpful for Django apps, or if httpd in
> >> openbsd can use
> >> unix sockets. Anyway with a couple of falcon api's I setup with
> >> Gunicorn I actually used unix sockets instead of creating ports.
> >> If my proxy is on the same
> >> server as the api's I found that a little easier to manage.
> >> Granted in this case
> >> it was on centos and I was using nginx. Also in the process of
> >> figuring out how
> >> to do that I found a lot of the documentation on nginx syntax
> >> talking to a unix
> >> socket was wrong. But that is another story.
> >>
> >> Ken
> >>
> >> --  
> > ---
> > Best regards,
> > Bogdan Kulbida
> > Founder and CEO, Konstankino LLC 
> > +1.802.793.8295
> >
> >
> >  



Re: NodeJS apps on Httpd?

2018-09-06 Thread Michael Hekeler
On Wed, 5 Sep 2018 18:13:29 +0100
Michael Joy wrote:

> Does anyone have any experience of getting node apps running through
> httpd? Any opinions, instructions or warnings are welcome.


Aren't node apps running their own webserver ("express server")?

I think that I've seen some handicraft projects that build fastcgi
interfaces for the express server.
But I think you should proxy the incoming http request to the
express server via relayd (reverse proxy).

httpd is an http server with fastcgi support only (not more).
httpd's job is not to act as a reverse proxy. That is relayd's
job AFAIK.

So what is the actual problem you are trying to solve? Why is it a
requirement to "get node apps running through httpd"?
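
An added example, not part of either thread: the relayd reverse-proxy setup that replaces the nginx `proxy_pass` block from the Django thread above and that the reply above suggests for an Express server. relayd forwards to a TCP listener, not to a unix socket, so the app has to listen on a local port (3000 here). Address, port and names are assumptions.

```conf
# /etc/relayd.conf: relayd in front of an app server on 127.0.0.1:3000
# (an Express app; a uWSGI or Gunicorn HTTP listener works the same way)
ext_addr="192.0.2.10"
table <app> { 127.0.0.1 }

http protocol "app_http" {
        # the same information the nginx proxy_set_header lines carry
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-Proto" value "http"
        # answer the client with an error page if the backend is down
        return error
        pass
}

relay "app_proxy" {
        listen on $ext_addr port 80
        protocol "app_http"
        forward to <app> port 3000
}
```

Two things keep this honest: the app must bind to 127.0.0.1 only (`app.listen(3000, '127.0.0.1')` in Express), otherwise clients can skip the proxy and the X-Forwarded-For header it sets; and the app should trust that header only from the loopback proxy (`app.set('trust proxy', 'loopback')`). For HTTPS, change the listener to `listen on $ext_addr port 443 tls`, add `tls keypair "www.example.org"` to the protocol (relayd then loads /etc/ssl/www.example.org.crt and /etc/ssl/private/www.example.org.key), and set X-Forwarded-Proto to "https". Check the file with `relayd -n`.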



Re: httpd index directive confusion

2018-06-03 Thread Michael Hekeler
On Wed, 30 May 2018 12:32:31 +0200
Markus Rosjat wrote:

> Hi there,
> 
>   I hope someone can sort this out for me but I don't get it. I get a 
> nice "Primary Script unknown" message when I try to reach a defined 
> location.
> 
> I try to reach https://UrlToMySite.tld/admin/ and in this location is an 
> index.php file
> 
> so I Configure my Location in httpd.conf like this
> 
> location "/admin/*" {
>  root "/path/to/my/site/admin"
>  root strip 1
>  directory index index.php
> 
>  fastcgi socket "/run/php-fpm.sock"
> 
>  authenticate with "/users/me/mysite_passwd"
>  }
> 
> in my opinion this should show me the generated index.php but instead
> I get file not found. When I call the index.php explicitly like 
> https://UrlToMySite.tld/admin/index.php it works.
> 
> so where do I go wrong here?
> 
> regards
> 


why do you strip the first path component? What do you want to achieve?

Strip 'admin'? And serve '/path/to/my/site/index.php'?
Are you sure that the file exists?
What is in the log (tail -f /var/www/logs/*.log)

maybe the 'directory index' in '/path/to/my/site' is set to
'index.html'?



Re: httpd.conf path substitution

2018-04-03 Thread Michael Hekeler
On Thu, 29 Mar 2018 17:13:10 +0200
Michael Hekeler wrote:

> On Thu, Mar 29, 2018 at 11:58:09AM +0200, Markus Rosjat wrote:
> > Hi there,
> > 
> > its not really an issue but I noticed if I want to substitute a path
> > for the tls key or cert  I get a syntax error from httpd -n
> > 
> > So is there some special syntax for this or is it simply not
> > possible to do something like
> > 
> > tls_key ="/path/to/key"
> > tls_cert ="/path/to/cert"
> > 
> > server "domain.tld" {
> > 
> >  tls {
> > key $tls_key
> > certificate $tls_cert
> >  }
> > 
> > }
> 
> On 29.03.2018 17:13 Michael Hekeler wrote:
> >
> > Why not type "/path/to/{ key,cert }" inside the tls declaration? 
> > You don't have to use these filenames multiple times in httpd.conf. 
> > Only once. So why do you want to define a macro for them? 
> >
> SNI ? Server definitions with different name / root but the same
> certificate? 


Ah - I see what you try to do...

But SNI doesn't mean one single certificate for multiple hostnames
(this you can do with multiple entries in the certificate's subject alt
name).

SNI means serving multiple hostnames on ONE IP address.

SNI is an extension by which a client (e.g. a web browser) indicates
(hence the name: server name INDICATION) which of these multiple
hostnames it wants, within the TLS handshake. Then the server can
choose the right certificate to present to the client.

So if you want to serve domain1, domain2 and domain3 each on https then
you need
cert1 for domain1 and
cert2 for domain2 and
cert3 for domain3

If every domain has its own IP then you don't need SNI.
But if all domains share the same IP, then the client and the server
must be SNI compatible.
When the client requests domain2 the server will be able to present
cert2.

Of course you can issue a single cert with domain1, domain2 and
domain3 in the certificate's subject name and configure the server to
present this cert on every request. But that's not SNI.






Re: Using stmp auth for local account with PHP scripts

2018-04-03 Thread Michael Hekeler
On Sun, 01 Apr 2018 17:28:29 +0200, Markus Rosjat wrote:

> Hi there,  
> 
> There are simple ways of relaying local mails (connection on lo0 on
> port 25) to another mailserver. This is okay for logs and stuff but
> what about mails created by PHP on the local webserver? How do I
> get smtpd to still do an auth with username and pwd on lo0? Is it
> possible or do I need to configure the "external" addr too for this
> purpose?


Hello Markus,

I am not sure if I understand your question...
But to relay emails on an internal webserver you have to set the
following 2 lines in /etc/mail/smtpd.conf:

  table passwd file:/etc/mail/secrets
  accept from any \
      for any \
      relay via tls+auth://foo@mailserver auth <passwd>


and in /etc/mail/secrets:

  foo  username:password



That's all. Simple.



Re: httpd.conf path substitution

2018-03-29 Thread Michael Hekeler
On Thu, Mar 29, 2018 at 11:58:09AM +0200, Markus Rosjat wrote:
> Hi there,
> 
> it's not really an issue but I noticed if I want to substitute a path
> for the tls key or cert I get a syntax error from httpd -n
> 
> So is there some special syntax for this or is it simply not
> possible to do something like
> 
> tls_key ="/path/to/key"
> tls_cert ="/path/to/cert"
> 
> server "domain.tld" {
> 
>  tls {
>   key $tls_key
>   certificate $tls_cert
>  }
> 
> }


Make sure that "/path/to/{ key,cert }" exists.

Why not type "/path/to/{ key,cert }" inside the tls declaration?
You don't have to use these filenames multiple times in httpd.conf.
Only once. So why do you want to define a macro for them?



Re: httpd / acme-client confusion

2018-03-16 Thread Michael Hekeler
> Hi,
> 
> thanks for the samples I will give it a try but wondering why 
> acme-client still works even httpd is not serving any kind of
> location for a challenge exchange?

acme-client(1) only works if a file can be created within a
directory accessible by a locally-run web server.


> Like I said I stopped httpd
> entirely and still got a new certificate with acme-client.

if you really stopped httpd and there is still something listening then
there is another webserver process running.
You can check locally with netstat(1) or 'ps -aux'
or you can do 'curl -i http://your_domain/.well-known/acme-challenge'
from another machine and look in the header which servername is
answering this request.


> But if it works as expected after a apply the suggested changes Im
> okay with it :)

I think it's not a good idea to say "if it works, it's okay for me...".

At the moment you have an internet-facing box that is listening on a
port but you don't know which process it is nor what it does.
This is a serious security risk and I suggest you investigate.



> 
> regards
> 
> Markus
> 
> On 16.03.2018 at 08:42, Florian Obser wrote:
> > 
> > this works for me:
> > 
> > server "tlakh.xyz" {
> >     listen on 0.0.0.0 tls port 443
> >     listen on :: tls port 443
> >     tls certificate "/etc/ssl/tlakh.xyz.crt"
> >     tls key "/etc/ssl/private/tlakh.xyz.key"
> >     hsts
> >     location "/shop.6.html" {
> >         block return 402
> >     }
> >     location "/coffee.6.html" {
> >         block return 418
> >     }
> >     location "/.well-known/acme-challenge/*" {
> >         root "/acme"
> >         root strip 2
> >     }
> > }
> > server "tlakh.xyz" {
> >     listen on 0.0.0.0 port 80
> >     listen on :: port 80
> >     hsts
> >     block return 302 "https://$HTTP_HOST$REQUEST_URI";
> > }
> > 
> > 
> > On Thu, Mar 15, 2018 at 11:01:42AM +0100, Markus Rosjat wrote:
> >> Hi there,
> >>
> >> I'm kinda confused right now about it. I have an OpenBSD 6.1 running
> >> a simple httpd.conf with a definition for a http server and a
> >> https server, so far so good. I figured I need to have a http
> >> server so acme-client can talk to Let's Encrypt and issue
> >> certificate requests, also no big problem, but now it gets confusing.
> >> I tried to automate the certificate renewal and as far as I
> >> understand the docs httpd.conf gets evaluated top to bottom with
> >> first matching rule found. So this would mean a definition like:
> >>
> >> $ext_addr ="*" # its just one nic with one external ip on that vm
> >>
> >> server "mydomain.tld" {
> >>  listen on $ext_addr port http
> >>
> >>  location "/.well-known/acme-challenge/*" {
> >>  root "/acme"
> >>  root strip 2
> >>  directory no auto index
> >>  }
> >>
> >>  block return 302 "https://$HTTP_HOST$REQUEST_URI";
> >> }
> >>
> >> should enable acme-client to renew certificates but redirect other
> >> traffic to the https server. Well it doesn't! So I need to
> >> comment out the block request to renew the certificate. That's a
> >> thing I could live with and just invent some script that loads a
> >> different conf file just for the renewal and when the certificate is
> >> obtained just load the normal httpd.conf and restart httpd. I was
> >> playing around and stumbled over the fact that acme-client
> >> suddenly can renew certificates even without running httpd in the
> >> first place o.O That's just wrong since there isn't support that
> >> does dns-01 challenges right? I stopped httpd to check the site
> >> wasn't reachable and did a
> >>
> >> acme-client -vvF mydomain.tld
> >>
> >> it gave me a new certificate from Let's Encrypt ...
> >>
> >>
> >> anyway can someone who has the insight please tell me what's going
> >> on here and maybe post a config example that works for a basic
> >> https redirect? Or is it really the case that I need to load a
> >> config that hasn't a block return statement in the http server
> >> definition?
> >>
> >> One last note, I did a syspatch today and don't know if this
> >> changed something in the behaviour of the components involved.
> >>
> >> regards
> >>
> >> -- 
> >> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >>
> >> G+H Webservice GbR Gorzolla, Herrmann
> >> Königsbrücker Str. 70, 01099 Dresden
> >>
> >> http://www.ghweb.de
> >> fon: +49 351 8107220   fax: +49 351 8107227
> >>
> >> Please check whether this mail really needs to be printed!
> >> Before you print it, think about your responsibility and
> >> commitment to the ENVIRONMENT
> >>
> > 
> 





Re: httpd / acme-client confusion

2018-03-15 Thread Michael Hekeler
On Thu, 15 Mar 2018 11:01:42 +0100, Markus Rosjat wrote:

> Hi there,
> 
> I'm kinda confused right now about it. I have an OpenBSD 6.1 running a
> simple httpd.conf with a definition for a http server and a https
> server, so far so good. I figured I need to have a http server so
> acme-client can talk to Let's Encrypt and issue certificate requests,
> also no big problem, but now it gets confusing. I tried to automate the
> certificate renewal and as far as I understand the docs httpd.conf gets
> evaluated top to bottom with first matching rule found.

Really?
I had a quick browse through httpd's manual pages but I didn't find
this.


> So this would mean a definition like:
> 
> $ext_addr ="*" # its just one nic with one external ip on that vm
> 
> server "mydomain.tld" {
>  listen on $ext_addr port http
> 
>  location "/.well-known/acme-challenge/*" {
>  root "/acme"
>  root strip 2
>  directory no auto index
>  }
> 
>  block return 302 "https://$HTTP_HOST$REQUEST_URI";
> }
> 
> should enable acme-client to renew certificates but redirect other 
> traffic to the https server.

In httpd.conf(5) it's said that the 'block' statement closes the
connection.


> Well it doesn't !

That's right


> So I need to comment out the block request to renew the
> certificate. (...)

???


> some script that loads a different conf file just for the renew and
> when the certificate is obtained just load the normal httpd.conf and
> restart httpd. I was playing arround and stumbled over the fact that
> acme-client suddenly can renew certificates (...)

Without wanting to offend you, please let me suggest that you
re-think what you want to achieve.

Why do you ask Let's Encrypt to sign a cert for a server which
listens on http?? And furthermore for a server that does nothing but
redirect?

What problem do you want to solve?




> httpd in the first place o.O That's just wrong since there isn't
> support that does dns-01 challenges right? I stopped httpd to check
> the site wasn't reachable and did a
> 
> acme-client -vvF mydomain.tld
> 
> it gave me a new certificate from let's encrypt ...
> 
> 
> anyway can someone who has the insight please tell me what's going on
> here and maybe post a config example that works for a basic https
> redirect? Or is it really the case that I need to load a config that
> hasn't a block return statement in the http server definition?
> 
> One last note, I did a syspatch today and don't know if this changed 
> something in the behaviour of the components involved.
> 
> regards
> 



Re: signify-openbsd to crypt'ly verify install62.iso in linux

2018-02-12 Thread Michael Hekeler

> To keep it neat, let's say both files are in /data/bsd-stuff, so we
> have: 
> /data/bsd-stuff/install62.iso
> /data/bsd-stuff/SHA256.sig


where did you download the public key?



Re: root autologin?

2018-02-06 Thread Michael Hekeler
> A better approach is to autologin a user in X and
> use doas(1)
> I think xenodm(1) has an "autologin" option...
> 
> 

But why would one do that? What problem do you like to solve?



Re: root autologin?

2018-02-06 Thread Michael Hekeler
Am Tue, 6 Feb 2018 16:42:03 +0330
schrieb Mohammad BadieZadegan :

> Hi everybody,
> How can I boot OpenBSD with root autologin?
> 

Maybe run a script in place of a getty.
Then redirecting stderr/stdout to /dev/ttyWhatever

A better approach is to autologin a user in X and
use doas(1)
I think xenodm(1) has an "autologin" option...




Re: gzip compression and httpd/relayd

2018-01-28 Thread Michael Hekeler
Am Sun, 28 Jan 2018 10:18:30 +0100
schrieb Thuban :

>  
> > Yes it's possible. Make sure to set the appropriate HTTP headers
> > as well with relayd: read "Accept-Encoding" and if it's acceptable
> > set "Content-Encoding".
> 
> Indeed, it works.
> 
> relayd.conf : 
> 
>   match response header "Accept-Encoding" value "gzip"
>   match response header set "Content-Encoding" value "gzip"
> 
> Then : 
> 
>   cd /var/www/htdocs/site
>   gzip style.css && mv style.css.gz style.css
> 
> Now, open URL pointing to style.css, and here you go.
> 
> However, all your files must be gzipped, or the browser is unhappy.
> 
> Thanks a lot.
> 

Interesting...
Thank you
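The rule Thuban posted stamps "Content-Encoding: gzip" on the response whenever the header matches, which is exactly why every file under htdocs then has to be pre-compressed. As an added example (not from the thread and not relayd or httpd code), here is the negotiation an origin would do to avoid that trap: serve the pre-compressed sibling only when the client's Accept-Encoding allows gzip with a non-zero q-value and the .gz file actually exists. The htdocs directory, file names and header values are constructed for the demo.

```python
import gzip
import os
import tempfile

def parse_accept_encoding(header):
    """Map each content coding in an Accept-Encoding value to its q-value (default 1.0)."""
    weights = {}
    for part in header.split(","):
        coding, _, params = part.strip().partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0          # malformed q: treat the coding as refused
        if coding:
            weights[coding.strip().lower()] = q
    return weights

def select_variant(path, accept_encoding):
    """Return (file to serve, Content-Encoding value or None).
    The pre-compressed sibling path + '.gz' goes out only when the client accepts
    gzip (or '*') with q > 0 AND that file exists; otherwise the plain file is
    served with no Content-Encoding header, so the browser never sees a mismatch."""
    weights = parse_accept_encoding(accept_encoding or "")
    q = weights.get("gzip", weights.get("*", 0.0))
    if q > 0 and os.path.isfile(path + ".gz"):
        return path + ".gz", "gzip"
    return path, None

def demo():
    """Constructed htdocs: style.css has a pre-compressed sibling, app.js does not."""
    htdocs = tempfile.mkdtemp()
    css, js = os.path.join(htdocs, "style.css"), os.path.join(htdocs, "app.js")
    with open(css, "w") as f:
        f.write("body { margin: 0 }")
    with open(js, "w") as f:
        f.write("var x = 1;")
    with gzip.open(css + ".gz", "wb") as f:
        f.write(b"body { margin: 0 }")
    return {
        "css, gzip accepted": select_variant(css, "gzip, deflate, br")[1],
        "css, gzip refused": select_variant(css, "gzip;q=0, identity")[1],
        "css, no header": select_variant(css, None)[1],
        "js, gzip accepted": select_variant(js, "gzip")[1],  # no .gz sibling: identity
    }
```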



Re: gzip compression and httpd/relayd

2018-01-27 Thread Michael Hekeler
Am Sat, 27 Jan 2018 09:56:48 +0100
schrieb Thuban :

> Thank you for all answers, very interesting.
> I'll try to compress some files on my own, we'll see.
> 
> Regards

Please give feedback here after you tried it.



Re: gzip compression and httpd/relayd

2018-01-25 Thread Michael Hekeler
Am Thu, 25 Jan 2018 19:47:09 +0100
schrieb Thuban :

> I'm very happy with relayd + httpd.
> Relayd deals with headers and httpd serve files.
> 
> I know httpd doesn't have gzip compression.
> 
> 1. Do you know if it's planned in the future?
> 2. Does anyone have a workaround to advise?
> 
> regards
> 

to 1.
https://marc.info/?l=openbsd-misc&m=142407262812306&w=2


to 2.
I never tested it myself, but maybe you can compress the files before
you place them in htdocs!?

...or use an nginx reverse proxy?



Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

2018-01-19 Thread Michael Hekeler
On Fri, 19 Jan 2018 12:55:20 -0200, Michel von Behr wrote:

> Hi - rookie question: I have ADSL internet at home, distributed to
> local hosts via a cheap modem/router provided by the ISP. And
> connected as one of the network nodes is an old laptop running
> OpenBSD. I want to use that laptop as a webserver, ftp server, etc. I
> can connect to the laptop internally, from within the local network
> (192.168.15.11) via http, ssh, ftp, etc, but I can't see it from
> external hosts. I already tried different configurations in the
> router/modem related to port forwarding, NAT, but without success, so
> I'm starting to think that it might be something I'm missing on
> OpenBSD network config (PF maybe?).
> 
> I tried enabling ip forwarding in sysctl but I still can't see it from
> outside hosts.
> 
> Specifically, my question would be this: if I can see my laptop from
> within the local network, would that be enough to guarantee that I
> should be able to detect it externally?

No.

You have:
{ WAN (Internet) } <--> { Router } <--> { LAN (192.168.15.0) }

A host in WAN can only see your Router

you have to forward ports from {router} to {lan} but I wouldn't
recommend that.
Maybe read something about networking and NAT and such things to get a
deeper understanding? ;-)


