New video out!
Hosting a simple static website with #httpd on #OpenBSD
From here on out, everything pertaining to the videos can be found on my #GitHub page:
https://github.com/jhx0/Yet-another-SysAdmin
(Configs, Notes, etc.)
Have fun everyone!
You're on your own there.
The rest of the world, from https://owasp.org/www-community/attacks/Path_Traversal to CVE-2023-34096 through many other places along the way, calls this an attack.
You're trying to defend a bad implementation strategy based upon an erroneously perceived need for something that the world does not do. And somehow trying to make it Daniel J. Bernstein's fault for showing how to quite simply address the problem without reinventing wheels badly.
No. We're having this discussion because of the right things to learn; which is to let the filesystem do the name lookup of filesystem-like pathnames, to not reinvent that, and to prevent attacks of things like /../ and non-regular files.
/../ is not a "pattern" that can be relied upon when it reaches a server. It is an attack.
RFC 3986 explains how it is normalized away by clients, before server involvement.
Read what the SECURITY section says about dots again. M. Bernstein thought of all this. It also implements the Unix file hiding convention.
I use #publicfile which relies upon the filesystem entirely, apart from an injection prevention mechanism that disallows dots at the starts of pathname components.
Symbolic links have been doing the job of host aliases for many years for me.
```
$ ls -dg /public/file/jdebp.uk
lrwxr-xr-x 1 wheel 10 Aug 1 2018 /public/file/jdebp.uk -> jdebp.info
$
```
It's entirely backwards to think that eliminating the filesystem is the lesson to learn here.
The lesson to learn here is that if one is presenting hierarchical CIS URLs then one should parse them like filesystem pathnames are parsed. /imgsomething must not ever be matched by /img in pathname lookup.
The best way to achieve this is not to re-invent filesystem pathname parsing badly yet again, but to let the filesystem parse the pathnames.
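The two checks the post above describes, as an added example that is not publicfile's code nor anyone else's from this thread: reject any pathname component that begins with a dot (which covers `..`, `.` and the Unix hidden-file convention in one rule), then hand the remaining name to the filesystem via `openat()` relative to the document root and refuse anything `fstat()` reports as not a regular file. The function names, the sample request paths and the "document root" descriptor are this example's own assumptions.

```c
/* Added example: dot-component rejection plus filesystem-driven lookup for
 * a static-file server. Not code from publicfile or any other project. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if no '/'-separated component of path begins with '.', else 0.
 * Runs of '/' are tolerated because the filesystem treats them as one
 * separator; the filesystem itself will distinguish /img from /imgsomething. */
int path_components_ok(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')          /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        if (*p == '.')             /* ".", "..", ".htpasswd", ... */
            return 0;
        while (*p != '\0' && *p != '/')
            p++;
    }
    return 1;
}

/* Return 1 if the open descriptor refers to a regular file, else 0.
 * Checking the descriptor we actually opened avoids a stat/open race. */
int fd_is_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Open url_path relative to rootfd (an already-open document root).
 * Returns a descriptor to a regular file, or -1 with *why set to a short
 * refusal reason. Symbolic links are followed, matching the post's use of
 * symlinks as host aliases. */
int open_static_file(int rootfd, const char *url_path, const char **why)
{
    const char *rel = url_path;
    int fd;

    if (!path_components_ok(url_path)) {
        *why = "dot-prefixed component";
        return -1;
    }
    while (*rel == '/')            /* openat needs a relative name */
        rel++;
    if (*rel == '\0') {
        *why = "empty path";
        return -1;
    }
    fd = openat(rootfd, rel, O_RDONLY);   /* the filesystem does the lookup */
    if (fd < 0) {
        *why = "not found / not readable";
        return -1;
    }
    if (!fd_is_regular(fd)) {      /* directories, devices, FIFOs, ... */
        close(fd);
        *why = "not a regular file";
        return -1;
    }
    *why = "ok";
    return fd;
}

int main(void)
{
    /* Constructed request paths, purely for demonstration. */
    const char *samples[] = { "/index.html", "/img/logo.png",
                              "/../etc/passwd", "/.htpasswd", "/a/./b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               path_components_ok(samples[i]) ? "components ok" : "rejected");
    return 0;
}
```

Only the component check runs on the request string; everything else (case, trailing slashes, which directory `/img` refers to) is left to the filesystem, which is the point the post makes.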
Just installed Z-Push 2.7.0 and PHP 8.2 on OpenBSD. Tried with #FreeBSD but had some dependency issues with PHP and didn't want to push too hard. OpenBSD, on the other hand, worked like a charm! (I used acme and nginx, of course in chroot as per OpenBSD best practices). Will modify the configuration to make it work with httpd. #OpenBSD #zpush #PHP #nginx #httpd
On this day in 2008, the #Apache Software Foundation released mod_perl 2.0.4, compatible with the December 2007 release of #Perl v5.10: https://lists.apache.org/thread/shyvjnl3dww17pdv24147vbnnwpcb64b
#ModPerl embeds a #Perl runtime in the Apache #httpd web server, hooking it into all stages of the request and response process as well as configuration file logic. Before the advent of #PSGI and #Plack in the 2010s it was the recommended platform for persistent Perl web applications without the overhead of legacy #CGI.
Does anyone know apache2 and could give me some insight as to why this is happening?
It's a brand new Ubuntu 20 install with WordPress. Two domains are redirecting to another main domain and https.
Shortly after restarting apache2, there are tons of workers in the start state and eventually the site becomes unstable. It's not due to traffic.
#apache2 #httpd #linux #wordpress
Found my old blog post regarding a load balancer setup for an Oracle ERP system.
Every now and then I sneak in a comment that I think is subtle enough to include, but hilarious enough to make me laugh out loud when I find it later.
Here's one of those comments. If you know, you know. #httpd
That's a straw man, though, because it was even in the original Bernstein doco that publicfile didn't read directories for security.
Always read the manual. (-:
On the contrary: HTTP/1.1 support, including persistent connections, was even in the Bernstein original, as was checking that the pathname was not a directory.
http://jdebp.info/Softwares/djbwares/guide/commands/httpd.xml
I haven't looked at the code of Bernstein's publicfile in a while, but I don't remember offhand any obvious problems with metadata race conditions.
Trying to wrap my head around mapping #nginx configurations to #OpenBSD #relayd #httpd.
I know it can be done, it just doesn't seem terribly straight-forward (to me). Specifically, trying to tie in #LetsEncrypt via acme-client in a reverse proxy. Obviously needs to happen at the proxy level if you want to handle your certs in a single central location (the ideal), but it's escaping me at the moment on how to accomplish this with relayd/httpd.
That's cool, but can your web server do this?
.htaccess:
```
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
```
index.shtml:
```
<!--#include virtual="/header.html" -->
<!--#config timefmt="%D" -->
This page was last modified <!--#echo var="LAST_MODIFIED" -->
<!--#include virtual="/footer.html" -->
```
That's cool, but can your web server do this?
```
<Directory "/app/web/private">
AuthType Basic
AuthName "My Secret Stuff"
AuthBasicProvider file
AuthUserFile "/app/passwords"
Require valid-user
</Directory>
```
Can anyone point me to a good #tutorial about migrating #Apache #httpd from using #mod_php to #mod_suphp?