Patch for OpenBSD 5.6 httpd(8)
From http://ftp.openbsd.org/pub/OpenBSD/p...ttpd.patch.sig
Quote:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

OpenBSD's marketing gimmick is "Only two remote holes in the default install, in a heck of a long time!"
People expect with that a fully functional SMTP server (e.g., Sendmail) and HTTP server (e.g., Apache), but these have been removed from the base with new applications that don't have the functionality (e.g., address rewriting, SNI) the other software has. Some will say "install them from ports if you need them," but in doing so one is possibly opening up an attack vector that wasn't there previously, and one could just install the base and have what they needed without the remote holes. Is OpenBSD's new httpd server trying to compete with NetBSD's bozotic? The reason virtualization is huge these days is not for security, although some may use it for that, but when you have a 12-processor machine, one probably doesn't want to use all of that for Sendmail, but rather have multiple machines using various numbers of processors. The steadfast refusal to have any type of virtualization, and the replacing of core software with from-scratch products, is probably why OpenBSD needs funding (i.e., couldn't pay the electric bill).

gpatrick
I hope your comment concerning httpd generates a response that "clarifies" the thinking behind selecting base system software (web servers). I have been thinking the same thing myself.

gpatrick: The audited, privsep-enabled Apache 1.3 is available, if needed. Also, there are drivers to support OpenBSD virtual machines: vmmouse(4), vic(4), vmx, vio(4), virtio(4), vioblk(4), viomb(4), and vioscsi(4) come to mind. I'm sure I've missed a bunch of the VMware-support drivers, because I've never used them.
Edited to add: There was some discussion in the comments to the OpenBSD Journal article announcing the removal of nginx from base. The responses from OpenBSD developers Nick Holland and Reyk Floeter explain some of the thinking behind this switch. Disclaimer: I'm an nginx user, even on servers that only serve static pages, and I have yet to try the new httpd(8). I'm also only a user, not a developer, and my personal opinion was that they made this switch before the paint was dry on the new httpd -- it might have been better to wait for a stable, functional platform before making the switch. I was also disconcerted by the relatively rapid transition of nginx from port to base to port. Even so, I understand the direction being taken and I can accept the decisions of the developers. Last edited by jggimi; 21st November 2014 at 02:17 PM. Reason: added undeadly discussion link, disclaimer

I'm confused. 5.6 still has nginx, right? Are you guys talking about it being pulled out of base in current?
Quote:
Most people use 5.6 release or 5.6 stable so they still have Nginx in the base.

Quote:
People expect with that a fully functional SMTP server (e.g., Sendmail) and HTTP server (e.g., Apache), but these have been removed from the base with new applications that don't have the functionality (e.g., address rewriting, SNI) the other software has.
Some will say "install them from ports if you need them," but in doing so one is possibly opening up an attack vector that wasn't there previously and one could just install the base and have what they needed without the remote holes.

This just doesn't parse well with me. Here's what I interpret from the above paragraphs: Sendmail and Apache 1.3 were removed from base and that makes them insecure. Um, no. Of all the packages in base, Apache 1.3 and Sendmail are star pupils, top of the class if you will. They aren't Wireshark, which was booted from ports for being habitually poorly written and is now back in ports. Apache and Sendmail were reviewed and selected in accordance with certain ideals which agreed with OBSD's goals at that time. OBSD is moving in a different direction now, but that doesn't mean the end of the world.

Apache was stalled on a dormant release for licensing issues. A lot of folks at this point were wondering why an older version of Apache was being used in a "supposedly" secure system; well, the truth is 1.3 was semi-forked, and there aren't bugs being introduced into dormant software the way bugs are introduced into bleeding edge. This really should put Apache in a very good, albeit deprecated, state. The backporting of security fixes and patches seems unlikely to stop immediately, simply due to momentum within the community. http://serverfault.com/questions/507...version-1-3-29

Sendmail has always been a PR issue. I really can't speak much to the decision as I haven't followed it as closely, but I do know OpenSMTPD has been in the pipeline for a while. And again, having been in base for a few years now, I would expect Sendmail to receive better treatment than other packages.

The theory is ports as a group are less secure than base. The fact is, added functionality is more difficult to secure, yet has not necessarily been proven to be less secure. Anyone can take a base system and configure it to be insecure without even touching ports - in theory; in practice there are plenty of people that give up when there isn't a GUI installer. Theoretically I assume ports in OpenBSD are more secure than equivalent packages in other systems. In practice I know that the value of each port can only be evaluated on an individual basis. Personally, I can't believe they took lynx out of the base system; how insecure can a text-based browser be?

*Edited for clarity. Last edited by vanGrimoire; 23rd November 2014 at 10:42 AM.

I transitioned from the fork of Apache 1.3 to nginx when it became built-in. I've also done some testing of the new httpd(8) and deployed it on an internal server used for software distribution.
Code:
server "files" {
	listen on * port 80
	directory auto index
}
Earlier today on the misc@ mailing list, Stuart Henderson discussed choices for OpenBSD users, comparing the current status of Apache 1.3, Apache 2, nginx, and httpd. He warned users about using httpd with PHP -- and that warning should also be heeded by users of PHP with nginx, though nginx users have options, as discussed in the link he provided in his email.

Reyk Floeter (httpd developer) just responded to the misc@ mailing list thread, weighing in on readiness, rewrite requirements, and PHP security implications, among other comments.
My only requirement for a webserver at the moment is something that can handle the symon/syweb thing, aka PHP. I'm not really sure which way to go. I played around with both httpd/nginx, but it feels quite messy compared to the old base Apache.

Then stick with Apache, denta.
I felt the opposite when I migrated from Apache to nginx some years ago -- nginx was, for me, easier to understand than Apache for provisioning, and php-fpm was (and still is) an elegant integration for PHP with a webserver. I like the flexibility of being able to separate the PHP application server from the webserver. I recall having used sockets and loopback when the two were on the same system, and networks when they were not -- even tunneling over the Internet via IPSec between web and application server. Last edited by jggimi; 6th January 2015 at 01:05 PM. Reason: typo

Actually when thinking more about it, I might just be stuck in a severe case of "being used to" the old apache way. Going with httpd!