DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 21st November 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default Patch for OpenBSD 5.6 httpd(8)

From http://ftp.openbsd.org/pub/OpenBSD/p...ttpd.patch.sig

Quote:
OpenBSD 5.6 errata 9, Nov 18, 2014: httpd was developed very rapidly
in the weeks before 5.6 release, and it has a few flaws. It would be
nice to get these flaws fully remediated before the next release, and
that requires the community to want to use it. Therefore here is a
"jumbo" patch that brings in the most important fixes.
You can find the other errata at http://www.openbsd.org/errata56.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 21st November 2014
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default

OpenBSD's marketing gimmick is "Only two remote holes in the default install, in a heck of a long time!"

People expect with that a fully functional SMTP server (e.g., Sendmail) and HTTP server (e.g., Apache), but these have been removed from the base with new applications that don't have the functionality (e.g., address rewriting, SNI) the other software has.

Some will say "install them from ports if you need them," but in doing so one is possibly opening up an attack vector that wasn't there previously and one could just install the base and have what they needed without the remote holes.

Is OpenBSD's new httpd server trying to compete with NetBSD's bozotic?

The reason virtualization is huge these days is not for security, although some may use it for that, but when you have a 12 processor machine, one probably doesn't want to use all of that for Sendmail, but rather have multiple machines using various numbers of processors.

With the steadfast refusal to have any type of virtualization and replacing core software with from scratch products is probably why OpenBSD needs funding (i.e., couldn't pay the electric bill).
Reply With Quote
  #3   (View Single Post)  
Old 21st November 2014
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

gpatrick

I hope your comment concerning httpd generates a response that "clarifies" the thinking behind selecting base system software (web servers). I have been thinking the same thing myself.
Reply With Quote
  #4   (View Single Post)  
Old 21st November 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

gpatrick: The audited, privsep-enabled Apache 1.3 is available, if needed. Also, there are drivers to support OpenBSD virtual machines: vmmouse(4), vic(4), vmx, vio(4), virtio(4), vioblk(4), viomb(4), and vioscsi(4) come to mind. I'm sure I've missed a bunch of the VMWare-support drivers, because I've never used them.

Edited to add:

There was some discussion in the comments to the OpenBSD Journal article announcing the removal of nginx from base. The responses from OpenBSD developers Nick Holland and Reyk Floeter explains some of the thinking behind this switch.

Disclaimer: I'm an nginx user, even on servers that only serve static pages, and I have yet to try the new httpd(8). I'm also only a user, not a developer, and my personal opinion was that they made this switch before the paint was dry on the new httpd -- it might have been better to wait for a stable, functional platform before making the switch. I was also disconcerted by the relatively rapid transition of nginx from port to base to port. Even so, I understand the direction being taken and I can accept the decisions of the developers.

Last edited by jggimi; 21st November 2014 at 02:17 PM. Reason: added undeadly discussion link, disclaimer
Reply With Quote
  #5   (View Single Post)  
Old 21st November 2014
thirdm thirdm is offline
Spam Deminer
 
Join Date: May 2009
Posts: 248
Default

I'm confused. 5.6 still has nginx, right? Are you guys talking about it being pulled out of base in current?
Reply With Quote
  #6   (View Single Post)  
Old 21st November 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Yes. In -current, which means in the upcoming 5.7 later this year, the only web server in base is the new httpd.

Part of the confusion over this might be due to the httpd(8) executable transition. in 5.5 and earlier, this was the OpenBSD fork of Apache 1.3. In 5.6, it is the new web server being discussed in this thread.

Last edited by jggimi; 21st November 2014 at 03:24 PM. Reason: clarity
Reply With Quote
  #7   (View Single Post)  
Old 21st November 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by thirdm View Post
I'm confused. 5.6 still has nginx, right? Are you guys talking about it being pulled out of base in current?
Yes Nginx will be pulled from the base for 5.7 release (currently tagged as 5.6 current)
Most people use 5.6 release or 5.6 stable so they still have Nginx in the base.
Reply With Quote
  #8   (View Single Post)  
Old 22nd November 2014
vanGrimoire's Avatar
vanGrimoire vanGrimoire is offline
Port Guard
 
Join Date: Nov 2012
Posts: 43
Default

People expect with that a fully functional SMTP server (e.g., Sendmail) and HTTP server (e.g., Apache), but these have been removed from the base with new applications that don't have the functionality (e.g., address rewriting, SNI) the other software has.

Some will say "install them from ports if you need them," but in doing so one is possibly opening up an attack vector that wasn't there previously and one could just install the base and have what they needed without the remote holes.


This just doesn't parse well with me. Here's what I interpret from the above paragraphs.

Sendmail and Apache 1.3 were removed from base and that makes them insecure.

Um, no.

Of all the packages in base Apache 1.3 and Sendmail are star pupils, top of the class if you will. They aren't wireshark, which was booted from ports for being habitually poorly written and is now back in ports. Apache and Sendmail were reviewed and selected in accordance with certain ideals which agreed with OBSDs goals at that time. OBSD is moving in a different direction now, but that doesn't mean the end of the world.

Apache was stalled on a dormant release for licensing issues. A lot of folks at this point were wondering why an older version of Apache was being used in a "supposedly" secure system, well the truth is 1.3 was semi forked and there aren't bugs being introduced into dormant software the way bugs are introduced into bleeding edge. This really should put Apache in a very good, albeit, deprecated state. The back porting of security fixes and patches seems unlikely to stop immediately simply due to momentum within the community.

http://serverfault.com/questions/507...version-1-3-29

Sendmail has always been a pr issue. I really can't speak much to the decision as I haven't followed it as closely, but I do know OpenSMTPd has been in the pipeline for a while. And again, having been in base for a few years now I would expect sendmail to receive better treatment than other packages.

The theory is ports as a group are less secure than base. The fact is, added functionality is more difficult to secure, yet has not necessarily been proven to be less secure. Anyone can take a base system and configure it to be insecure without even touching ports - in theory, in practice there are plenty of people that give up when there isn't a gui installer. Theoretically I assume ports in OpenBSD are more secure than equivalent packages in other systems. In practice I know that the value of each port can only be evaluated on an individual basis.

Personally, I can't believe they took lynx out of the base system, how insecure can a text based browser be?

*Edited for clarity.

Last edited by vanGrimoire; 23rd November 2014 at 10:42 AM.
Reply With Quote
  #9   (View Single Post)  
Old 30th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

I transitioned from the fork of Apache 1.3 to nginx when it became built-in. I've also done some testing of the new httpd(8) and deployed it on an internal server used for software distribution.
Code:
server "files" {
    listen on * port 80
    directory auto index
}
I will be deploying it on an external facing server that serves static pages via http and https. I also have two externally facing PHP applications on a server which where I will not deploy it, I must stay with nginx. This is because these applications use client certificates (authenticated browsers) and the new httpd does not (yet) support this.

Earlier today on the misc@ mailing list
, Stuart Henderson discussed choices for OpenBSD users, comparing the current status of Apache 1.3, Apache 2, nginx, and httpd. He warned users about using httpd with PHP -- and that warning should also be heeded by users of PHP with nginx, though nginx users have options as discussed in the link he provided in his Email.
Reply With Quote
Old 2nd January 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Reyk Floeter (httpd developer) just responded to the misc@ mailing list thread, weighing in on readiness, rewrite requirements, and PHP security implications, among other comments.
Reply With Quote
Old 6th January 2015
denta denta is offline
Shell Scout
 
Join Date: Nov 2009
Location: Sweden
Posts: 95
Default

My only requirements for a webserver at the moment is something that can handle the symon/syweb thing, aka php. I'm not really sure which way to go. Played around with both httpd/nginx, but it feels quite messy compared to the old base-apache.
Reply With Quote
Old 6th January 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Then stick with Apache, denta.

I felt the opposite when I migrated from Apache to nginx some years ago -- nginx was, for me, easier to understand than Apache for provisioning, and php-fpm was (and still is) an elegant integration for PHP with a webserver.

I like the flexibility of being able to separate the PHP application server from the webserver. I recall having used sockets and loopback when the two were on the same system, and networks when they were not -- even tunneling over the Internet via IPSec between web and application server.

Last edited by jggimi; 6th January 2015 at 01:05 PM. Reason: typo
Reply With Quote
Old 7th January 2015
denta denta is offline
Shell Scout
 
Join Date: Nov 2009
Location: Sweden
Posts: 95
Default

Actually when thinking more about it, I might just be stuck in a severe case of "being used to" the old apache way. Going with httpd!
Reply With Quote
Reply

Tags
httpd, openbsd httpd(8)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
httpd in OpenBSD 5.6 jorisvh OpenBSD Packages and Ports 8 4th November 2014 12:14 AM
is nginx going to be default OpenBSD httpd? ershiba OpenBSD General 4 6th January 2013 03:55 AM
httpd problem or something else c0mrade Other BSD and UNIX/UNIX-like 6 15th January 2009 09:19 PM
httpd -DNOHTTPACCEPT starbuck FreeBSD General 9 23rd August 2008 12:14 PM
httpd.conf Snoop1990 General software and network 5 29th July 2008 04:30 AM


All times are GMT. The time now is 10:20 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick