DaemonForums  
#1, 23rd November 2020
openletter (Real Name: Paul), New OpenBSD User, Join Date: Feb 2020, Posts: 14
Can I use httpd to only allow IP addresses?

I am wondering if there is a way with httpd.conf to allow only the listed IP addresses? I can see there is a from option in relayd.conf:

Quote (relayd.conf(5)):
    from address[/prefix]
        This rule only matches for connections from the specified source.
Is there something similar for httpd.conf?

#2, 24th November 2020
jggimi, More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,138

Not to my knowledge. I perceive 3 choices:
  1. Use relayd(8).
  2. Use client certificates. This is what I do to authenticate clients from any address.
  3. Use pf(4).

#3, 24th November 2020
openletter (Real Name: Paul), New OpenBSD User, Join Date: Feb 2020, Posts: 14

At this point, I feel relayd is a more new-user-friendly option.

Can relayd and httpd work side-by-side? Or would I need to configure other sites served by httpd to use relayd?

#4, 24th November 2020
jggimi, More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,138

The use of relayd(8) would be as a front-end to your webserver, acting as a transparent proxy.

I think pf(4) would be far more "new user friendly" than relayd.

#5, 24th November 2020
openletter (Real Name: Paul), New OpenBSD User, Join Date: Feb 2020, Posts: 14

Well, mostly I'm new to OpenBSD as I've been using nginx on Ubuntu for the past 8 years. I don't normally use the reverse proxy features, but I'm familiar with its configuration in nginx. However, I've generally shied away from directly managing firewall rulesets (e.g., in Ubuntu I just run UFW).

#6, 24th November 2020
jggimi, More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,138

If I understand your use-case, a two-line pf(4) rule set on the webserver would address it. Perhaps something on the order of:
Code:
# the table the pass rule references must be declared; these addresses are placeholders
table <table.of.addresses> persist { 192.0.2.10, 203.0.113.0/24 }
block
pass in proto tcp from <table.of.addresses> to self port { 80 443 }
You're certainly welcome to provision a redirection chain between relayd(8) and httpd(8), but I think you'll find the provisioning effort will be more complex than the example I've provided here.

You could also install the nginx package as you're already comfortable with it.

#7, 24th November 2020
johnR, Fdisk Soldier, Join Date: Nov 2017, Posts: 56

Quote (openletter):
    I've generally shied away from directly managing firewall rulesets
I've just switched my web and mail server from Linux to OpenBSD. After many years of wrestling with ipchains and iptables rules, pf is a positive delight. It's well worth learning how to configure it.

I recommend "The Book of PF" by Peter N M Hansteen as an easy-to-read (and fairly in-depth) tutorial.

#8, 25th November 2020
openletter (Real Name: Paul), New OpenBSD User, Join Date: Feb 2020, Posts: 14

Thanks, guys.

I also found iptables very difficult and on more than one occasion broke a server, so I basically gave up on managing firewalls at the rule level.

I'm wanting to convert everything over to OpenBSD. I like it better, it's just new and I'm not the best at figuring out where to start, but I do try to read the man pages carefully, including the "see also" section at the end of each one.

I'll give that pf rule a try and pick up that book.

#9, 26th November 2020
jggimi, More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,138

Just to note that the example above is a "default block" ruleset. Only packets from your table of pre-approved CIDRs or individual addresses are allowed to reach processes. If your webserver needs other network services, including DNS, they would need to be passed also.

The ruleset can be converted to a "default pass" if preferred.
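The default-block ruleset from post #6 and the caveat from post #9, carried through to a complete /etc/pf.conf. This is an added example, not code from the thread or from any of its posters. The interface name (vio0), the DNS server addresses and the contents of the client table are placeholders drawn from the RFC 5737 documentation ranges; substitute your own.

```pf
# /etc/pf.conf - added example, not from the thread. Interface name, DNS
# server addresses and the table contents are placeholders (RFC 5737 ranges).
ext_if = "vio0"
dns_servers = "{ 192.0.2.53, 198.51.100.53 }"

# Pre-approved clients: individual addresses and/or CIDR blocks.
# "persist" keeps the table loaded even if no rule currently references it,
# so entries can be added and removed at runtime with pfctl -t ... -T.
table <web_clients> persist { 203.0.113.0/24, 198.51.100.7 }

set skip on lo

# Default block: everything not explicitly passed below is dropped,
# inbound and outbound. "log" makes the drops visible on pflog0 for debugging.
block log all

# The policy from post #6: HTTP/HTTPS only from the table. pass rules are
# stateful by default, so replies to these connections are allowed automatically.
pass in on $ext_if proto tcp from <web_clients> to self port { 80, 443 }

# Post #9's caveat: with a default block, anything the host itself needs must
# be passed explicitly. DNS, NTP, and outbound HTTP(S) for pkg_add/syspatch.
pass out on $ext_if proto { tcp, udp } from self to $dns_servers port 53
pass out on $ext_if proto udp from self to any port 123
pass out on $ext_if proto tcp from self to any port { 80, 443 }

# Administrative ssh, restricted to the same table. Make sure the address you
# are logging in from is in the table BEFORE loading this ruleset.
pass in on $ext_if proto tcp from <web_clients> to self port 22

# "Default pass" variant mentioned in post #9: swap the block/pass pair above for
#   pass all
#   block in on $ext_if proto tcp to self port { 80, 443 }
#   pass in on $ext_if proto tcp from <web_clients> to self port { 80, 443 }
# pf evaluates rules last-match-wins (unless "quick" is used), so the pass for
# the table must come after the block that covers everyone else.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a syntax error is reported without touching the running ruleset. Entries can then be managed live with `pfctl -t web_clients -T add 203.0.113.9`, `-T delete`, and `-T show`. Two things a first-time pf user tends to trip over: pf's default block policy is drop, so a browser from an address outside the table hangs until it times out rather than getting "connection refused" (add `set block-policy return` if you want it to fail fast), and a default-block ruleset loaded over ssh from an address that is not in the table will end that session, so verify the table contents first. Because pf filters before the packet reaches httpd, httpd sees the real client address and needs no proxy-header handling, which is the advantage over the relayd front-end discussed in posts #3 and #4.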
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick