Re: bozohttpd: user.domain URL (instead of ~user)

2022-05-01 Thread Mayuresh
On Sun, May 01, 2022 at 12:22:36PM +, RVP wrote:
> $ ln -sf "http://x202e.localdomain/~rvp" .bzabsredirect

Thanks for the hint.

I tried the following:

In /var/www/virtual (passed as -v to httpd)

ln -s ~user/public_html user.domain

This seemed to work for URL http://user.domain

I did not need .bzabsredirect

Also moved the main site under /var/www/virtual/domain

Hope this is workable.

-- 
Mayuresh


Re: bozohttpd: user.domain URL (instead of ~user)

2022-05-01 Thread RVP

> Is there any way in bozohttpd to redirect a URL of "user.domain" form to
> a user specific directory - (just like how domain/~user is).



Will this do: virtual hosting + .bzabsredirect ?

$ tail -n2 /etc/hosts
192.168.68.171  x202e.localdomain   x202e
192.168.68.171  rvp.localdomain rvp

$ mkdir ~/public_html
$ mkdir /tmp/www /tmp/vroot
$ cd /tmp/vroot
$ mkdir rvp.localdomain; cd rvp.localdomain
$ ln -sf "http://x202e.localdomain/~rvp" .bzabsredirect

# bozohttpd -f -H -s -u -X -v /tmp/vroot /tmp/www

$ curl -s http://rvp.localdomain/
Document Moved
Document Moved
This document had moved http://x202e.localdomain/~rvp;>here

$

-RVP



bozohttpd: user.domain URL (instead of ~user)

2022-05-01 Thread Mayuresh
Is there any way in bozohttpd to redirect a URL of "user.domain" form to a
user specific directory - (just like how domain/~user is).

Best if it generically works for all users, but even if a per user setting
is required it would work for me for now.

-- 
Mayuresh


Re: How to bind bozohttpd / inetd to port 8080?

2021-12-18 Thread Matthias Petermann

Hi,

On 18.12.2021 at 11:47, Ignatios Souvatzis wrote:

> On Sat, Dec 18, 2021 at 11:34:12AM +0100, Matthias Petermann wrote:
>
> > I am currently trying to have bozohttpd listen on port 8080 instead of port
> > 80 via inetd.
> >
> > In /etc/services there is an entry "http-alt" for this.
>
> yes, but in the distributed version there are two others (591 and
> 8008), both for TCP and UDP.  I guess you'll have to edit your
> /etc/services and put comment signs before the two you don't want.
>
> Regards,
> -is


You are right:

```
extranet$ getent services http-alt
http-alt   591/tcp
```

I had not counted on that - thanks for the tip :-)
There were two more (8008) and after commenting them out it looks good:

```
extranet$ doas vi /etc/services
extranet$ doas services_mkdb
extranet$ getent services http-alt
http-alt   8080/tcp
```

Many greetings
Matthias
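
Added example, not part of the original thread: a check for the situation described in this message, where one service name maps to several ports in a services(5)-format file. The sample entries are constructed from the ports named in the thread, the function names are illustrative, and "first entry wins" is an assumption based on the getent output shown above.

```shell
#!/bin/sh
# Added example: find service names that map to more than one port.

# Constructed sample in services(5) format, using the ports named in the thread.
sample_services() {
cat <<'EOF'
http            80/tcp          www www-http    # WorldWideWeb HTTP
http-alt        591/tcp                         # constructed comment
http-alt        591/udp
http-alt        8008/tcp
http-alt        8008/udp
http-alt        8080/tcp
http-alt        8080/udp
EOF
}

# service_ports NAME PROTO < services-file
# Prints, in file order, every port whose official name or alias is NAME
# and whose protocol is PROTO.
service_ports() {
    awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # skip blank or malformed lines
        {
            split($2, pp, "/")              # pp[1] = port, pp[2] = protocol
            if (pp[2] != proto) next
            hit = ($1 == name)
            for (i = 3; i <= NF && !hit; i++) if ($i == name) hit = 1
            if (hit) print pp[1]
        }'
}

# effective_port NAME PROTO < services-file
# Assumption: a lookup by name returns the first matching entry.
effective_port() {
    service_ports "$1" "$2" | head -n 1
}

# ambiguous_services PROTO < services-file
# Prints "name port1 port2 ..." for every name or alias bound to more than
# one distinct port for PROTO.
ambiguous_services() {
    awk -v proto="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            split($2, pp, "/")
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++) {
                if (i == 2) continue        # field 2 is port/proto, not a name
                key = $i
                if ((key, pp[1]) in seen) continue
                seen[key, pp[1]] = 1
                c = ++count[key]
                if (c == 1) { names[++n] = key; ports[key] = pp[1] }
                else ports[key] = ports[key] " " pp[1]
            }
        }
        END {
            for (j = 1; j <= n; j++)
                if (count[names[j]] > 1) print names[j], ports[names[j]]
        }'
}

# Stand-alone demo on the constructed sample.
sample_services | ambiguous_services tcp
```

To audit a real host, feed the system file instead of the sample: `ambiguous_services tcp < /etc/services`.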


Re: How to bind bozohttpd / inetd to port 8080?

2021-12-18 Thread Ignatios Souvatzis
Hi,

On Sat, Dec 18, 2021 at 11:34:12AM +0100, Matthias Petermann wrote:
> 
> I am currently trying to have bozohttpd listen on port 8080 instead of port
> 80 via inetd.
> 
> In /etc/services there is an entry "http-alt" for this.

yes, but in the distributed version there are two others (591 and
8008), both for TCP and UDP.  I guess you'll have to edit your
/etc/services and put comment signs before the two you don't want.

Regards,
-is


How to bind bozohttpd / inetd to port 8080?

2021-12-18 Thread Matthias Petermann



Hello all,

I am currently trying to have bozohttpd listen on port 8080 instead of 
port 80 via inetd.


In /etc/services there is an entry "http-alt" for this.

However, when I set in the /etc/inetd.conf:

```
http-alt  stream  tcp  nowait:600  _httpd  /usr/libexec/httpd  httpd -L wol /var/www/wol.lua /var/www
```

...I still cannot access port 8080.

Starting inetd in Debug mode shows:

```
extranet$ doas inetd -d /etc/inetd.conf
ADD : http-alt proto=tcp, wait.max=0.600, user:group=_httpd:(null) 
builtin=0 server=/usr/libexec/httpd policy=

registered /usr/libexec/httpd on 6
```

Did I miss something? If it matters, it is NetBSD 9.2_STABLE.

Many greetings
Matthias


Re: Python flask app behind bozohttpd vs separate webserver for app

2020-05-17 Thread Mayuresh
On Sun, May 17, 2020 at 04:34:46PM +0530, Mayuresh wrote:
> gunicorn has an option to drop privileges to normal user, but it does so
> `too soon', i.e. it can't then read the certificate and key files. If
> that's the case why would one ever need to start it as root anyway and
> what's the use of the option to drop privileges is unclear.

For records, I finally gave read permissions to the app user to read the
cert/key files - didn't want to do that as far as possible, but couldn't
find any other way. Adopted gunicorn server running on a different port
along side bozohttpd instead of attempting to reverse proxy.

Mayuresh



Re: Python flask app behind bozohttpd vs separate webserver for app

2020-05-17 Thread Mayuresh
On Sat, May 16, 2020 at 10:54:03PM +0530, Mayuresh wrote:
> I have to start gunicorn as root so that it can get access to certificate
> files, but run the worker process as a non root user which is an option
> provided by gunicorn.

gunicorn has an option to drop privileges to normal user, but it does so
`too soon', i.e. it can't then read the certificate and key files. If
that's the case why would one ever need to start it as root anyway and
what's the use of the option to drop privileges is unclear.

Seems a known issue already:
https://github.com/benoitc/gunicorn/issues/1404

Mayuresh


Re: Python flask app behind bozohttpd vs separate webserver for app

2020-05-16 Thread matthew sporleder
On Sat, May 16, 2020 at 11:30 PM Mayuresh  wrote:
>
> On Sat, May 16, 2020 at 03:56:47PM -0400, matthew sporleder wrote:
> > Just use apache :)  bozo has no proxy capabilities.
>
> I can invoke a Flask service from a cgi script using wget/curl - no?
> (Haven't yet tried.)
>
> Apache looks a monster to me and I don't need majority of what it offers.
>
> Mayuresh

FWIW I wrote the initial version of this:
https://cwiki.apache.org/confluence/display/HTTPD/Minimal+Config  and
at my job will run zero config apache on docker with just appending
-c's to the CMD..

With mpm_event, the minimal config, and whatever you need
(mod_proxy_uwsgi etc) you can live, easily, inside of a few MB and run
high performance.


Re: Python flask app behind bozohttpd vs separate webserver for app

2020-05-16 Thread Mayuresh
On Sat, May 16, 2020 at 03:56:47PM -0400, matthew sporleder wrote:
> Just use apache :)  bozo has no proxy capabilities.

I can invoke a Flask service from a cgi script using wget/curl - no?
(Haven't yet tried.)

Apache looks a monster to me and I don't need majority of what it offers.

Mayuresh


Python flask app behind bozohttpd vs separate webserver for app

2020-05-16 Thread Mayuresh
I have a setup where NetBSD's native bozohttpd serves certain static
contents. It uses https and basic auth and the setup is pretty stable.

There are some small pieces of requirements to add some python web apps
developed using Flask. The app needs to use the same authentication data
used by the basic setup above. Fortunately that turns out to be easy.

Now I have two options:

Option 1: Run a separate instance of a python based web server such as
gunicorn on a separate port for the apps and use bozohttpd for static
contents.

I have to start gunicorn as root so that it can get access to certificate
files, but run the worker process as a non root user which is an option
provided by gunicorn.

One problem with this is, I don't get the environment variables right this
way. There are ways to feed those into gunicorn, but that would amount to
replicating my rc scripts that elaborately define the environment.

Option 2: Run python web server on localhost and via bozohttpd cgi route
the requests/responses to/from it. There may be slight overhead of this,
but it's not a performance critical application.

I can also use a simple http and Flask's simple builtin server internally
as it is not exposed to the internet.

Would appreciate any comments / pros and cons etc.

Mayuresh


Re: authentication scheme to share password between bozohttpd and asterisk

2020-04-28 Thread Mayuresh
On Tue, Apr 28, 2020 at 06:20:44PM +0300, Pierre-Philipp Braun wrote:
> How is authentication handled on Asterisk's side?  And if that's WebRTC,
> could a reverse proxy take care of it in the middle?

Not sure, does it mean modifying with asterisk's webrtc server?

> An original way to approach the problem would be to go for something even
> better -- I think -- than SSO, namely plain and simple PKI.  You setup a
> private CA, sign a few client certificates, deliver those to your users'
> workstations, and they won't have to bother with passwords anymore,
> while being authenticated by that client certificate.

Yes, quite convenient, not sure if bozohttpd supports.

Also, I am doing this for largely non-tech users, though. Have to see
whether it will be easy enough to administer installation of certificates
at their end.

> Bozohttpd seems to support SSL but probably only for the server side.  I
> hope you did enable SSL by the way, since Basic HTTP auth sends the
> password in clear, no matter what hash function you're using to store
> the passwords.  Digest would be preferred, if supported.

Yes, taken care of using SSL when using basic auth.

> Besides, I've had good experiences with Jitsi Meet which is essentially
> providing video conferencing facilities, I don't know however how hard
> it would be to package it for NetBSD.

Yes, my server runs NetBSD, so it may have to start with a wip project...

But I am curious about the following line in the documentation. Asterisk
works pretty well with NAT with the client using STUN. Is that not the
case with Jitsi?

https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
  "Jitsi Videobridge can run behind a NAT, provided that both required
  ports are routed (forwarded) to the machine that it runs on. By default
  these ports are TCP/4443 and UDP/1"

Besides, dialplan etc in asterisk are quite flexible. Not sure whether
jitsi has.

Mayuresh


Re: authentication scheme to share password between bozohttpd and asterisk

2020-04-28 Thread Pierre-Philipp Braun

> Whenever I open up use of sip/webrtc to users, as far as possible I don't
> want them to be bothered with yet another password and preferably not even
> ask to enter the same password when using the webrtc app.


How is authentication handled on Asterisk's side?  And if that's WebRTC, could 
a reverse proxy take care of it in the middle?

An original way to approach the problem would be to go for something even better 
-- I think -- than SSO, namely plain and simple PKI.  You setup a private CA, 
sign a few client certificates, deliver those to your users' workstations, and 
they won't have to bother with passwords anymore, while being authenticated by 
that client certificate.

Bozohttpd seems to support SSL but probably only for the server side.  I hope 
you did enable SSL by the way, since Basic HTTP auth sends the password in 
clear, no matter what hash function you're using to store the passwords.  
Digest would be preferred, if supported.

In any case, one could consider using the same SSL engine + PKI authentication 
end-point + reverse-proxy for both Asterisk and HTTP.  You will need hardware 
accelerated SSL to handle 15+ users at once, esp. for video streams.

Besides, I've had good experiences with Jitsi Meet which is essentially 
providing video conferencing facilities, I don't know however how hard it would 
be to package it for NetBSD.

--
Pierre-Philipp


authentication scheme to share password between bozohttpd and asterisk

2020-04-27 Thread Mayuresh
I have a separate thread going on to setup webrtc with asterisk on
NetBSD8.

I have an existing website that uses stock bozohttpd on NetBSD. It uses
.htpasswd aka basic authentication. The passwords are stored using
blowfish encryption.

Whenever I open up use of sip/webrtc to users, as far as possible I don't
want them to be bothered with yet another password and preferably not even
ask to enter the same password when using the webrtc app.

Firstly asterisk doesn't seem to support blowfish. It supports md5, which
bozohttpd also does (I guess). So I may have to have all passwords reset
once - which is not so good, but acceptable. That may solve the `no 2
passwords' requirement.

But I'd prefer not to prompt for a password for asterisk if the user has
reached the landing page of webrtc app with basic auth. That seems
difficult, as browser will have to send the credentials to asterisk
directly. [I can possibly have a separate asterisk password which I can
return to the browser to let it send it to asterisk, but that may be
somewhat insecure.]

Mayuresh


Re: bozohttpd letsencrypt not working with firefox/chrome

2019-06-09 Thread Mayuresh
On Sun, Jun 09, 2019 at 08:38:39PM +0530, Mayuresh wrote:
> It's a bit strange, but with https enabled, "index.html" is returned by
> default only for the home page, when the URL doesn't specify it. For all
> other pages, different browsers give different errors. Some versions of
> firefox actually work (may be by trying to suffix index.html themselves).

Giving -x index.html option (which I think should not be required) the
problem is solved.

Bug?

Mayuresh


Re: bozohttpd letsencrypt not working with firefox/chrome

2019-06-09 Thread Mayuresh
On Sun, Jun 09, 2019 at 08:09:21PM +0530, Mayuresh wrote:
> Ok, I need -z. Thanks[1].

It's a bit strange, but with https enabled, "index.html" is returned by
default only for the home page, when the URL doesn't specify it. For all
other pages, different browsers give different errors. Some versions of
firefox actually work (may be by trying to suffix index.html themselves).

With explicit index.html all pages work in all browsers.

Is that having some reasoning or is it a bug?

Mayuresh


Re: bozohttpd letsencrypt not working with firefox/chrome

2019-06-09 Thread Mayuresh
On Sun, Jun 09, 2019 at 08:01:23PM +0530, Mayuresh wrote:
> I have started httpd with  -Z   option.

Ok, I need -z. Thanks[1].

[1] https://atomicules.co.uk/2017/07/21/Now-serving-https-as-well.html

Mayuresh


bozohttpd letsencrypt not working with firefox/chrome

2019-06-09 Thread Mayuresh
I am trying to httpsize a NetBSD 8.1 based website.

Got the certificate from letsencrypt using security/py-certbot

I have started httpd with  -Z   option.

When accessing this site firefox says:

An error occurred during a connection to flowervalleywanawadi.in. Cannot
communicate securely with peer: no common encryption algorithm(s). Error
code: SSL_ERROR_NO_CYPHER_OVERLAP 

Tried chrome on android, it says:

server sent an invalid response
ERR_INVALID_REDIRECT

On the other hand, a stock browser on mobile phone is able to connect with
the site with no error!

What could be the way out?

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 08:53:56AM +0200, Martin Husemann wrote:
> I am using a .bzremap file to map the externally visible url to that
> /some/internal/dir/my-cgi.pl url.

In this case the -c option should point to externally visible url or
/some/internal/dir? And is cgi-bin directory required under
/some/internal/dir?

I tried a few things though haven't got it to work. (Normal file remap
worked, not cgi as yet.)

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mark Carroll
On 01 Jun 2019, mayur...@acm.org wrote:

> On Sat, Jun 01, 2019 at 08:33:42AM +0100, Mark Carroll wrote:
>> I'm running lighttpd on NetBSD, also hosting DokuWiki. Seems great so
>> far,
>
> Thanks for sharing first hand experience. My requirement is also like
> yours - simple hardware, not too many concurrent users (may be in single
> digit max).
>
> What sort of auth did you use?

(This will make more sense once you've glanced over lighttpd's config
file structure but,) I start out the configuration with having
url.access-allow permit nothing then I protect subdirectories based on
users and passwords. I have some HTTPS setup setting ssl.pemfile,
ssl.cipher-list, etc. then within a $HTTP["scheme"] == "https" block I
set auth.backend and auth.backend.htdigest.userfile and have stuff like,

auth.require = (
  "/some/subdirectory/" =>
    ("method"  => "digest",
     "realm"   => "some-realm",
     "require" => "valid-user",
    ),
)

then still in that "https" block I write some inner $HTTP["url"] =~
"^/some/URL/regex" blocks that set url.access-allow for whatever file
extensions I want to permit in them.

For that htdigest userfile I set it was just a case of putting the
hashes of the users, passwords, realms line-by-line.

I didn't attempt to integrate with DokuWiki's authentication so for the
more sensitive areas of the wiki people have to go through two layers
but they haven't complained, I suppose their browsers just remember it
all anyway for them. (I don't want to get my wiki access substructure
mixed into my web server access stuff!)

It's highly likely that I just tweaked existing official examples
because porting my whole configuration took no more than a few hours
then I spent a bit of time another day getting the HTTPS all green in
the usual online server checking sites. The lighttpd official docs are
quite reasonable, I don't remember having to dig up secret knowledge or
being long frustrated by mysterious behaviors or having to read over the
whole manual three times.

The main thing for me is just remembering to include enough of /var/
among critical_filesystems_local so I get to see logs at all. (-: (I
tend to put things that might grow plenty onto separate partitions.)

-- Mark


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Martin Husemann
On Sat, Jun 01, 2019 at 01:11:53PM +0530, Mayuresh wrote:
> On Sat, Jun 01, 2019 at 09:35:34AM +0200, Martin Husemann wrote:
> > It is in 8.1 but not in 8.0.
> 
> Ok, I'll try out the pkg version which shows 20181215 (8 shows 20170201).
> Hope I'll get the feature.

You should update to 8.1 ;-)

Martin


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 09:35:34AM +0200, Martin Husemann wrote:
> It is in 8.1 but not in 8.0.

Ok, I'll try out the pkg version which shows 20181215 (8 shows 20170201).
Hope I'll get the feature.

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 08:33:42AM +0100, Mark Carroll wrote:
> I'm running lighttpd on NetBSD, also hosting DokuWiki. Seems great so
> far,

Thanks for sharing first hand experience. My requirement is also like
yours - simple hardware, not too many concurrent users (may be in single
digit max).

What sort of auth did you use?

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Martin Husemann
On Sat, Jun 01, 2019 at 01:04:00PM +0530, Mayuresh wrote:
> In the man page there are  .bzdirect, .bzredirect, .bzabsredirect
> (added by you!). Didn't notice .bzremap. Is it something newer or
> undocumented or just an alias to one of these? The version I am using is
> of 8.0 base.

It is in 8.1 but not in 8.0.

Martin 


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 08:53:56AM +0200, Martin Husemann wrote:
> It does, but not for /cgi-bin/ ones.

Thanks. It may solve the problem I am facing quite amicably.

> I run a service that I implemented in a perl cgi script and that is .htpasswd
> protected. The .pl file just lives in the same directory as the .htpasswd
> file, and I am using a .bzremap file to map the externally visible url
> to that /some/internal/dir/my-cgi.pl url.

In the man page there are  .bzdirect, .bzredirect, .bzabsredirect
(added by you!). Didn't notice .bzremap. Is it something newer or
undocumented or just an alias to one of these? The version I am using is
of 8.0 base.

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mark Carroll
On 01 Jun 2019, mayur...@acm.org wrote:

> Any takers for lighttpd, is it light as its name suggests? Of course,
> whether .htpasswd applies recursively or not is to be checked.

I'm running lighttpd on NetBSD, also hosting DokuWiki. Seems great so
far, also appears still actively developed. Configuring it as a newbie
wasn't too bad, the configuration file feels as clean as OpenHTTPD's. My
choice of server software was more gut feeling after reading around than
it was a careful comparison though. The hardware it's running on isn't
powerful but also it's not having to serve many users so if it's /not/
really very light I could easily have not noticed, sorry.

-- Mark


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 07:12:29AM +, Christopher Pinon wrote:
> > > apache? ;-)
> > 
> You did notice the smiley, right? :-)

Ah, I did miss!

> Just wondering: did you take a glance at thttpd? (Given that you're keen
> on minimalistic.)

Sounds good from its description, but the bad news is, basic auth is not
recursive.

man page: "The protection does not carry over to subdirectories."

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Christopher Pinon
Mayuresh  wrote:

> On Fri, May 31, 2019 at 07:52:25PM +, Christopher Pinon wrote:
> > > I meant, if we can't solve this in bozohttpd, please suggest some other
> > > httpd which is nearest match to its minimalistic approach.
> > 
> > apache? ;-)
> 
> Well... minimalistic?

You did notice the smiley, right? :-)

Just wondering: did you take a glance at thttpd? (Given that you're keen
on minimalistic.)

C.


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Martin Husemann
On Sat, Jun 01, 2019 at 12:09:34PM +0530, Mayuresh wrote:
> On Sat, Jun 01, 2019 at 08:59:45AM +0530, Mayuresh wrote:
> 
> I wish bozohttpd supported .htpasswd for cgi scripts!
> 
> I just checked, that it doesn't.

It does, but not for /cgi-bin/ ones.

I run a service that I implemented in a perl cgi script and that is .htpasswd
protected. The .pl file just lives in the same directory as the .htpasswd
file, and I am using a .bzremap file to map the externally visible url
to that /some/internal/dir/my-cgi.pl url.

Martin


Re: bozohttpd .htpasswd basic auth being non recursive

2019-06-01 Thread Mayuresh
On Sat, Jun 01, 2019 at 08:59:45AM +0530, Mayuresh wrote:

I wish bozohttpd supported .htpasswd for cgi scripts!

I just checked, that it doesn't.

I could have wrapped static contents under a cgi script to meet the auth
requirement for all contents with one .htpasswd file.

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Matt Sporleder


> On May 31, 2019, at 10:01 PM, Mayuresh  wrote:
> 
> On Fri, May 31, 2019 at 07:52:25PM +, Christopher Pinon wrote:
>>> I meant, if we can't solve this in bozohttpd, please suggest some other
>>> httpd which is nearest match to its minimalistic approach.
>> 
>> apache? ;-)
> 
> Well... minimalistic?
> 
> Any takers for lighttpd, is it light as its name suggests? Of course,
> whether .htpasswd applies recursively or not is to be checked.
> 
> Mayuresh

Apache runs in well under 1MB and does all of this stuff and more. 

I wrote the original version of this if the default config freaks you out 

https://cwiki.apache.org/confluence/display/HTTPD/Minimal+Config

Don’t use .htaccess



Re: bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Mayuresh
On Fri, May 31, 2019 at 10:45:08PM -0400, Matt Sporleder wrote:
>Apache runs in well under 1MB and does all of this stuff and more.
>I wrote the original version of this if the default config freaks you out
>https://cwiki.apache.org/confluence/display/HTTPD/Minimal+Config
>Don’t use .htaccess

I'd also prefer a minimal configuration. The benchmark is bozo has no conf
file at all. Alternatives that have conf file, should have it at least
very small.

Wondering choosing 1 of the 2 ways:

- Use .htpasswd (basic auth) with some other webserver (apache/lighttpd/?)
  that allows recursive .htpasswd or other means to avoid password
  dialogue popping up on subdirectories.

- Continue with lighttpd but drop .htpasswd auth. Use some lightweight
  framework (py-flask/others?). [Unfortunately that will bloat my htmls
  that are otherwise very simple.]

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Mayuresh
On Fri, May 31, 2019 at 07:52:25PM +, Christopher Pinon wrote:
> > I meant, if we can't solve this in bozohttpd, please suggest some other
> > httpd which is nearest match to its minimalistic approach.
> 
> apache? ;-)

Well... minimalistic?

Any takers for lighttpd, is it light as its name suggests? Of course,
whether .htpasswd applies recursively or not is to be checked.

Mayuresh


Re: bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Christopher Pinon
Mayuresh  wrote:

> On Fri, May 31, 2019 at 11:18:40PM +0530, Mayuresh wrote:
> > Has anyone come across this situation and how do you deal with it. I like
> > bozohttpd's minimalistic approach and would switch away from it only as a
> > last resort.
> 
> I meant, if we can't solve this in bozohttpd, please suggest some other
> httpd which is nearest match to its minimalistic approach.

apache? ;-)

I can't say for sure but perhaps http://pkgsrc.se/www/thttpd is an
option.

I don't see how to work around this issue in bozohttpd.

C.


Re: bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Mayuresh
On Fri, May 31, 2019 at 11:18:40PM +0530, Mayuresh wrote:
> Has anyone come across this situation and how do you deal with it. I like
> bozohttpd's minimalistic approach and would switch away from it only as a
> last resort.

I meant, if we can't solve this in bozohttpd, please suggest some other
httpd which is nearest match to its minimalistic approach.

Mayuresh


bozohttpd .htpasswd basic auth being non recursive

2019-05-31 Thread Mayuresh
man httpd makes it clear that the .htpasswd authentication does not apply
to subdirectories.

 .htpasswd exists in the directory of the current request, bozohttpd will
 restrict access to documents in that directory using the RFC 2617 HTTP
 “Basic” authentication scheme.

 Note: This does not recursively protect any sub-directories.

Now, if one writes a script to replicate .htpasswd down the subdirs, that
could have solved it. However now, most annoyingly, the browser would
popup the password dialogue when you try to go to subdirectory.

Has anyone come across this situation and how do you deal with it. I like
bozohttpd's minimalistic approach and would switch away from it only as a
last resort.

Mayuresh
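
Added example, not part of the original thread: because the man page excerpt above says a .htpasswd only covers its own directory, this audit lists every subdirectory that sits below a protected directory but has no .htpasswd itself, and includes the replication script the message mentions. The sample tree, user names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a document root for directories that an ancestor's
# .htpasswd does NOT cover, given that the check is per-directory only.

# Build a constructed sample tree (names and credentials are made up).
make_sample_tree() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/public" "$_t/private/reports/2019" "$_t/private/wiki"
    printf 'alice:CONSTRUCTED-PLACEHOLDER-HASH\n' > "$_t/private/.htpasswd"
    printf 'bob:CONSTRUCTED-PLACEHOLDER-HASH\n'   > "$_t/private/wiki/.htpasswd"
    printf '%s\n' "$_t"
}

# nearest_htpasswd DIR ROOT
# Prints the closest .htpasswd strictly above DIR (never above ROOT).
# Returns 1 if no ancestor inside ROOT has one.
nearest_htpasswd() {
    _d=$1 _root=$2
    while :; do
        # Stop once we are at ROOT or outside it.
        case $_d in "$_root"/*) ;; *) return 1 ;; esac
        _d=$(dirname "$_d")
        if [ -f "$_d/.htpasswd" ]; then
            printf '%s\n' "$_d/.htpasswd"
            return 0
        fi
    done
}

# unprotected_dirs ROOT
# Prints (relative to ROOT) each directory that has no .htpasswd of its own
# although an ancestor does: content that looks protected but is not.
unprotected_dirs() {
    root=${1%/}
    find "$root" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        [ -f "$dir/.htpasswd" ] && continue
        if nearest_htpasswd "$dir" "$root" >/dev/null; then
            printf '%s\n' "${dir#"$root"/}"
        fi
    done
}

# replicate_htpasswd ROOT
# Copies the nearest ancestor .htpasswd into every uncovered subdirectory.
# Directories with no protected ancestor (public content) are left alone.
replicate_htpasswd() {
    root=${1%/}
    find "$root" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        [ -f "$dir/.htpasswd" ] && continue
        src=$(nearest_htpasswd "$dir" "$root") || continue
        cp -p "$src" "$dir/.htpasswd"   # -p keeps mode and ownership
    done
}

# Stand-alone demo on the constructed tree.
demo=$(make_sample_tree)
echo "uncovered before replication:"; unprotected_dirs "$demo"
replicate_htpasswd "$demo"
echo "uncovered after replication:";  unprotected_dirs "$demo"
rm -rf "$demo"
```

The copies are independent files, so a later password change in the parent has to be pushed down again by removing and re-creating them.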


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Mayuresh
On Tue, May 28, 2019 at 12:02:04PM +0200, Andreas Krey wrote:
> I wouldn't expect browsers to have markup processors.

Ok. I was expecting that, but it's the servers that are doing the tricks.

BTW I have used latex as a markup language to produce some simple
websites, meant for documentation / information dissemination. I know
htlatex has limitations, but for my purpose it's good enough. I thought
md would be fit for that purpose as well, just with a simpler notation.
But looks like I will need an md2html converter anyway. I might as well
stick to latex in that case.

Any other thoughts?

Mayuresh


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Andreas Krey
On Tue, 28 May 2019 14:28:26 +, Mayuresh wrote:
...
> Clicking on a .md file in, for example, a git repository renders it
> instead of asking to save.

I assume that is not the rendering of just the plain file
but also includes navigation elements around it? Like
https://gitweb.torproject.org/tor.git/tree/doc/HACKING/Maintaining.md does?
There the entire page is delivered as one html document.

> Or may be my expectation is wrong and is a web server supposed to convert
> it to html on the fly?

That depends on your expectation of what the server does in turn.
I wouldn't expect browsers to have markup processors.

- Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Martin Husemann
On Tue, May 28, 2019 at 02:28:26PM +0530, Mayuresh wrote:
> Or may be my expectation is wrong and is a web server supposed to convert
> it to html on the fly?

Github renders it as html (AFAICT).
You can check details in the debugger (F12), in network view.

Martin


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Martin Husemann
On Tue, May 28, 2019 at 01:27:56PM +0530, Mayuresh wrote:
> On Tue, May 28, 2019 at 09:33:12AM +0200, Martin Husemann wrote:
> > So your example should be correct, assuming you put the single quotes only
> > in the mail and not on the command line (or into inetd.conf). This needs
> > to be 5 args to the server.
> 
> I am using /etc/rc.conf
> 
> httpd_flags="-M md text/markdown - -"
> 
> (and many trials there after -M as mentioned).
> 
> I do not know how much role the browser is playing. Tried only firefox
> till now. It just offers to save the file and says it's a markdown file.

Sounds like it is working?

Martin


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Mayuresh
On Tue, May 28, 2019 at 09:33:12AM +0200, Martin Husemann wrote:
> So your example should be correct, assuming you put the single quotes only
> in the mail and not on the command line (or into inetd.conf). This needs
> to be 5 args to the server.

I am using /etc/rc.conf

httpd_flags="-M md text/markdown - -"

(and many trials there after -M as mentioned).

I do not know how much role the browser is playing. Tried only firefox
till now. It just offers to save the file and says it's a markdown file.

Mayuresh


Re: bozohttpd mime type setting for markdown files

2019-05-28 Thread Martin Husemann
On Tue, May 28, 2019 at 12:27:00PM +0530, Mayuresh wrote:
> The man page says:
>  -M suffix type encoding encoding11
> Adds a new entry to the table that converts file suffixes to
> content type and encoding.  This option takes four additional
> arguments containing the file prefix, its “Content-Type”,
> “Content-Encoding”, and “Content-Encoding” for HTTP/1.1
> connections, respectively.  If any of these are a single dash
> (“-”), the empty string is used instead.
> 
> Tried '-M md text/markdown - -' and variations like .md instead of md,
> utf-8 instead of - etc.
> 
> What is a proper way to specify this?

I didn't try markdown but I have:

-M .js "script/javascript" - -

(plus a few other -M options) and it seemed to work for me last I tested.

So your example should be correct, assuming you put the single quotes only
in the mail and not on the command line (or into inetd.conf). This needs
to be 5 args to the server.

Martin


bozohttpd mime type setting for markdown files

2019-05-28 Thread Mayuresh
The man page says:
 -M suffix type encoding encoding11
Adds a new entry to the table that converts file suffixes to
content type and encoding.  This option takes four additional
arguments containing the file prefix, its “Content-Type”,
“Content-Encoding”, and “Content-Encoding” for HTTP/1.1
connections, respectively.  If any of these are a single dash
(“-”), the empty string is used instead.

Tried '-M md text/markdown - -' and variations like .md instead of md,
utf-8 instead of - etc.

What is a proper way to specify this?

Mayuresh


bozohttpd, ~user + cgi

2019-04-30 Thread Mayuresh
On NetBSD 8.0_RC1 the man page of httpd says:

 -c cgibin  Enables the CGI/1.1 interface.  The cgibin directory is
expected to contain the CGI programs to be used.
bozohttpd looks for URL's in the form of
/cgi-bin/ where  is a valid CGI
program in the cgibin directory.  In other words, all CGI
URL's must begin with /cgi-bin/.  Note
that the CGI/1.1 interface is available with ~user
translation using -E switch.


I am able to get cgi work without ~user, e.g. with -c /var/cgi

But when I want to use ~user/cgi-bin URL, what should be the argument to
"-c" above? (It is clear that -u and -E should be specified, I have those
in my httpd_flags.)

Can someone share example of command line options to enable ~user/cgi-bin?

Mayuresh


Re: bozohttpd : how to enable TLS

2019-04-11 Thread Brad Spencer
Mayuresh writes:

> The man page of bozohttpd in the base (NetBSD 8.0) says TLS 1.1 and 1.2 is
> supported.
>
> But I couldn't find much documentation about how to enable it.
>
> Are there any tutorials on how to use TLS with bozohttpd?
>
> Mayuresh

In my inetd.conf I invoke it like this:

https   httpd -Z /usr/pkg/etc/httpd/server.crt /usr/pkg/etc/httpd/server.key /var/www


man httpd


 -Z certificate_path privatekey_path
Sets the path to the server certificate file and the private
key file in pem format.  It also causes bozohttpd to start SSL
mode.


Use -z to set ciphers


-- 
Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org


Re: bozohttpd : how to enable TLS

2019-04-11 Thread Jan Schaumann
Mayuresh wrote:
> The man page of bozohttpd in the base (NetBSD 8.0) says TLS 1.1 and 1.2 is
> supported.
> 
> But I couldn't find much documentation about how to enable it.

Adding the "-Z" flag with its required arguments automatically enables
TLS support:

-Z certificate_path privatekey_path
Sets the path to the server certificate file and the
private key file in pem format.  It also causes bozohttpd to
start SSL mode.

-Jan


bozohttpd : how to enable TLS

2019-04-11 Thread Mayuresh
The man page of bozohttpd in the base (NetBSD 8.0) says TLS 1.1 and 1.2 is
supported.

But I couldn't find much documentation about how to enable it.

Are there any tutorials on how to use TLS with bozohttpd?

Mayuresh


bozohttpd(8) mentions '-r' option, but not in synopsis

2018-12-11 Thread J. Lewis Muir
I noticed that the bozohttpd(8) man page

  http://netbsd.gw.com/cgi-bin/man-cgi?bozohttpd++NetBSD-current

references the '-r' option in the FILES section, but there is no '-r'
option listed in the SYNOPSIS section.

Looking at main.c

  http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/main.c?rev=1.22=text/x-cvsweb-markup_with_tag=MAIN

I see a comment that says

  -r option was removed, do not reuse it for a while

So, I think the reference in the man page should be removed.

Lewis


Re: bozohttpd

2018-03-01 Thread Jeremy C. Reed
On Thu, 1 Mar 2018, Jeremy C. Reed wrote:

> The -s works when not using -b
> 
> With -s and -b the debugging is lost.
> 
> I see it uses daemon(3)
> to redirect standard error to /dev/null

-f -b -s  combination works for me


Re: bozohttpd

2018-03-01 Thread Jeremy C. Reed
The -s works when not using -b

With -s and -b the debugging is lost.

I see it uses daemon(3)
to redirect standard error to /dev/null
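
The effect described in this message, as an added C example that is not part of the original post or of bozohttpd's source: daemon(3) called with a zero noclose argument repoints stderr at /dev/null, so log lines written there are discarded. The helper names and the pipe standing in for the original stderr are assumptions made for the demonstration.

```c
#define _DEFAULT_SOURCE   /* exposes daemon(3) on glibc; harmless elsewhere */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if fd is open on the same character device as /dev/null. */
static int fd_is_devnull(int fd)
{
    struct stat a, b;

    if (fstat(fd, &a) != 0 || stat("/dev/null", &b) != 0)
        return 0;
    return S_ISCHR(a.st_mode) && a.st_rdev == b.st_rdev;
}

/* Hypothetical helper: returns 1 if stderr is /dev/null after
 * daemon(1, noclose), 0 if it survived, -1 on error. */
int stderr_is_devnull_after_daemon(int noclose)
{
    int report[2];
    char answer = 0;
    pid_t pid;

    if (pipe(report) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(report[0]);
        dup2(report[1], STDERR_FILENO);   /* stand-in for the real stderr */
        if (daemon(1, noclose) != 0)      /* forks; only the daemon returns */
            _exit(1);
        answer = fd_is_devnull(STDERR_FILENO) ? '1' : '0';
        _exit(write(report[1], &answer, 1) == 1 ? 0 : 1);
    }
    close(report[1]);
    waitpid(pid, NULL, 0);                /* reaps the short-lived parent */
    if (read(report[0], &answer, 1) != 1) /* waits for the daemon's report */
        answer = 0;
    close(report[0]);
    return answer == '1' ? 1 : answer == '0' ? 0 : -1;
}

int main(void)
{
    printf("noclose=0: stderr is /dev/null? %d\n", stderr_is_devnull_after_daemon(0));
    printf("noclose=1: stderr is /dev/null? %d\n", stderr_is_devnull_after_daemon(1));
    return 0;
}
```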


Re: bozohttpd

2018-03-01 Thread Patrick Welche
On Wed, Feb 28, 2018 at 07:11:56PM +, m...@netbsd.org wrote:
> On Wed, Feb 28, 2018 at 04:41:57PM +, Patrick Welche wrote:
> > /usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -s /var/www
> 
> works for me.

What do you see?

quark$ uname -srp
NetBSD 8.99.12 x86_64
quark# /usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -s /var/www
quark# ftp http://127.0.0.1/index.html
Requesting http://127.0.0.1/index.html
100% |***|781.14 MiB/s00:00 ETA
78 bytes retrieved in 00:00 (482.09 KiB/s)
quark# 

All the output there is from ftp - I don't see anything from httpd?
(I was hoping that "EXPLOSIVE" would be quite a lot of debug output.)

> easier to debug:
>  /usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -f /var/www

(I'm trying to debug the attached script, so not very interactive - the
puzzle is that /usr/tests/net/net do something very similar and pass.)


Cheers,

Patrick


web.sh
Description: Bourne shell script


Re: bozohttpd

2018-02-28 Thread maya
On Wed, Feb 28, 2018 at 04:41:57PM +, Patrick Welche wrote:
> /usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -s /var/www

works for me.

easier to debug:
 /usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -f /var/www



bozohttpd

2018-02-28 Thread Patrick Welche
Running

/usr/libexec/httpd -d -d -d -d -P /tmp/foo.pid -i 127.0.0.1 -b -s /var/www

and fetching index.html, I see no output whatsoever. Where is it going?

 -s Forces logging to be set to stderr always.


Cheers,

Patrick


re: bozohttpd minor fixes to man page

2016-10-04 Thread matthew green
Swift Griggs writes:
> 
> I like NetBSD's httpd. I noticed a couple of minor inconsistencies in the 
> bozohttpd(8) manual page. Where should I report these?

thanks.  directly to me is fine, as is send-pr from netbsd or from
the send-pr form on gnats.netbsd.org.

> * The -v option appears twice in the options summary. It's shown as both a 
>   flag and a switch that takes options. They can't be both right. 

this got fixed late last year by shm@.

> * The -V option is documented in the manual page, but does not appear in 
>   the options summary block at the top of the manual page. It's also 
>   unclear if "slashdir" is an option for -V or if the text refers to the 
>   "slashdir" given as the document root.

OK, i've cleared this one some.

> * -V is also not documented in the usage when you get help directly from 
>   the binary (i.e. just run /usr/libexec/httpd to see what I mean).

i also fixed this.

thanks!


.mrg.


bozohttpd minor fixes to man page

2016-10-03 Thread Swift Griggs

I like NetBSD's httpd. I noticed a couple of minor inconsistencies in the 
bozohttpd(8) manual page. Where should I report these?

* The -v option appears twice in the options summary. It's shown as both a 
  flag and a switch that takes options. They can't be both right. 

* The -V option is documented in the manual page, but does not appear in 
  the options summary block at the top of the manual page. It's also 
  unclear if "slashdir" is an option for -V or if the text refers to the 
  "slashdir" given as the document root.

* -V is also not documented in the usage when you get help directly from 
  the binary (i.e. just run /usr/libexec/httpd to see what I mean).


-Swift


Re: bozohttpd support for SNI

2016-09-30 Thread Thor Lancelot Simon
On Fri, Sep 30, 2016 at 04:45:10PM -0400, matthew sporleder wrote:
> 
> bozo is growing features pretty quickly as netbsd keeps trying to use it to
> do actual stuff(tm).  :)

I'd prefer to see a lot of the complex functionality in bozo split out into
helper programs.

This feature, in particular, along with the rest of bozo's SSL handling, could
go in something like pound -- except that pound is GPL.  The helper could
communicate with bozo on an AF_UNIX socket.

Experience from a past life tells me such a program would take about two days
to write, would leave me owing dyoung about six dinners for debugging, and
would be about 1500 lines long.

-- 
  Thor Lancelot Simon    t...@panix.com

"The dirtiest word in art is the C-word.  I can't even say 'craft'
 without feeling dirty."    -Chuck Close


Re: bozohttpd support for SNI

2016-09-30 Thread matthew sporleder
On Fri, Sep 30, 2016 at 4:43 PM, Alistair Crooks <a...@pkgsrc.org> wrote:

> Personally, I'd love to have support for SNI (and multiple -Z paths
> per site too) - I'd use it daily.
>
> In fact, I was just bemoaning that fact yesterday, but am not
> best-placed to do anything about it right now (yes, I suck :()
>
> Best,
> Alistair
>
> On 30 September 2016 at 13:37, J. Lewis Muir <jlm...@imca-cat.org> wrote:
> > Hello!
> >
> > Does bozohttpd in NetBSD (7 or current) support SNI (Server Name
> > Identification) such that multiple SSL sites can be served from one
> > HTTPS server?  If not, what is NetBSD's position on the feature: is it
> > "we're open to accepting a quality patch," or is it more "we'd rather
> > not add the feature; it's better to just use separate server instances
> > on separate IP addresses; we're trying to keep with bozohttpd's main
> > feature as stated on its website which is 'the lack of features,
> > reducing the code size and improving verifiability'"?
> >
> > Thanks!
> >
> > Lewis
> >
>

bozo is growing features pretty quickly as netbsd keeps trying to use it to
do actual stuff(tm).  :)


Re: bozohttpd support for SNI

2016-09-30 Thread Alistair Crooks
Personally, I'd love to have support for SNI (and multiple -Z paths
per site too) - I'd use it daily.

In fact, I was just bemoaning that fact yesterday, but am not
best-placed to do anything about it right now (yes, I suck :()

Best,
Alistair

On 30 September 2016 at 13:37, J. Lewis Muir <jlm...@imca-cat.org> wrote:
> Hello!
>
> Does bozohttpd in NetBSD (7 or current) support SNI (Server Name
> Identification) such that multiple SSL sites can be served from one
> HTTPS server?  If not, what is NetBSD's position on the feature: is it
> "we're open to accepting a quality patch," or is it more "we'd rather
> not add the feature; it's better to just use separate server instances
> on separate IP addresses; we're trying to keep with bozohttpd's main
> feature as stated on its website which is 'the lack of features,
> reducing the code size and improving verifiability'"?
>
> Thanks!
>
> Lewis
>


bozohttpd support for SNI

2016-09-30 Thread J. Lewis Muir
Hello!

Does bozohttpd in NetBSD (7 or current) support SNI (Server Name
Identification) such that multiple SSL sites can be served from one
HTTPS server?  If not, what is NetBSD's position on the feature: is it
"we're open to accepting a quality patch," or is it more "we'd rather
not add the feature; it's better to just use separate server instances
on separate IP addresses; we're trying to keep with bozohttpd's main
feature as stated on its website which is 'the lack of features,
reducing the code size and improving verifiability'"?

Thanks!

Lewis


Re: bozohttpd and lua, getting input from user

2016-06-15 Thread coypu
On Wed, Jun 15, 2016 at 06:26:28PM +1000, Travis Paul wrote:
> 
> > On Jun 15, 2016, at 5:03 PM, co...@sdf.org wrote:
> > 
> > Trying to get GET/POST info.
> > 
> > I feel like I've tried all the examples I could find, and they all fail
> > with an error like:
> > failed to execute script /var/www/hello.lua: /var/www/hello.lua:70:attempt 
> > to index a nil value (global 'httpd')
> > 
> > Where that is httpd.register_handler(...)
> > 
> > What would be a valid way to get any input from a user using bozo?
> > 
> > Thanks.
> > 
> 
> 
> Have you tried the example here: src/libexec/httpd/printenv.lua
> 
> Last time I tried, that example worked.  I’m traveling and not near a NetBSD 
> box at the moment :(
> 
> If that fails can you share the command line args you are using with httpd?
> 
> Best,
> Travis P

Seems good now that I am following it word to word.
I'm not sure what I was doing wrong before.

Thanks!



Re: bozohttpd and lua, getting input from user

2016-06-15 Thread Travis Paul

> On Jun 15, 2016, at 5:03 PM, co...@sdf.org wrote:
> 
> Trying to get GET/POST info.
> 
> I feel like I've tried all the examples I could find, and they all fail
> with an error like:
> failed to execute script /var/www/hello.lua: /var/www/hello.lua:70:attempt to 
> index a nil value (global 'httpd')
> 
> Where that is httpd.register_handler(...)
> 
> What would be a valid way to get any input from a user using bozo?
> 
> Thanks.
> 


Have you tried the example here: src/libexec/httpd/printenv.lua

Last time I tried, that example worked.  I’m traveling and not near a NetBSD 
box at the moment :(

If that fails can you share the command line args you are using with httpd?

Best,
Travis P


bozohttpd and lua, getting input from user

2016-06-15 Thread coypu
Trying to get GET/POST info.

I feel like I've tried all the examples I could find, and they all fail
with an error like:
failed to execute script /var/www/hello.lua: /var/www/hello.lua:70:attempt to index a nil value (global 'httpd')

Where that is httpd.register_handler(...)

What would be a valid way to get any input from a user using bozo?

Thanks.



Re: segfault in bozohttpd

2015-11-03 Thread Matt Sporleder




> On Nov 3, 2015, at 4:19 PM, Jan Danielsson <jan.m.daniels...@gmail.com> wrote:
> 
> Hello,
> 
>   Environment: Running netbsd-7, but using bozohttp from -current
> 
>   I built bozohttpd and started it using my regular script, but it
> segfaulted immediately.  The corefile said:
> 
> [---]
> Reading symbols from /home/jan/checkout/fsys/bozohttpd/bozohttpd...(no
> debugging symbols found)...done.
> [New process 1]
> Core was generated by `bozohttpd'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0040ab33 in bozo_add_lua_map ()
> (gdb) bt
> #0  0x0040ab33 in bozo_add_lua_map ()
> #1  0x0040b94f in main ()
> 
>   I rebuilt it with -g and the segfault didn't occur.  I then cleaned
> up again and rebuilt without -g again, and this time it didn't segfault.
> 
>   Non-deterministic segfaults..  :/
> 
> -- 
> Kind Regards,
> Jan

I was seeing similar and marked it down to a bad build env from old builds
hanging around.


segfault in bozohttpd

2015-11-03 Thread Jan Danielsson
Hello,

   Environment: Running netbsd-7, but using bozohttp from -current

   I built bozohttpd and started it using my regular script, but it
segfaulted immediately.  The corefile said:

[---]
Reading symbols from /home/jan/checkout/fsys/bozohttpd/bozohttpd...(no
debugging symbols found)...done.
[New process 1]
Core was generated by `bozohttpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0040ab33 in bozo_add_lua_map ()
(gdb) bt
#0  0x0040ab33 in bozo_add_lua_map ()
#1  0x0040b94f in main ()

   I rebuilt it with -g and the segfault didn't occur.  I then cleaned
up again and rebuilt without -g again, and this time it didn't segfault.

   Non-deterministic segfaults..  :/

-- 
Kind Regards,
Jan