relayd to match http request according to path and change headers
Good day.
I have a setup in OpenBSD 6.8, relayd / httpd and wish to see if I can
have specific http options or headers depending on paths in the requests.
Can I do "match path ..." and set headers ? Until now, all doc I read
say you can set headers globally but not on specific paths.
I can set tags, but trying to match on them and set headers after
triggers syntax error.
Here is an extract of the relayd.conf, where I wish to match on the
static path. I got syntax error when I test this conf (currently
commented) :
http protocol https {
# Various TCP options
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
...
#match path "/static/*" {
#response header set "Access-Control-Allow-Methods" value
"GET,OPTIONS"
#response header set "Access-Control-Allow-Headers" value
"Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-
Modified-Since,Cache-Control,Content-Type"
# }
pass request path "/static/*" forward to
pass request path "/tracker/socket" forward to
pass request path "/socket.io" forward to
pass request path "/*" forward to
}
Thanks for answers.
Re: relayd to match http request according to path and change headers
Just a idea, have you tried the keyword request ?
Something like
match request path "/static/*" forward to
Regards,
Christoph
Am 04.04.2021 10:13, schrieb Stephane Guedon:
Good day.
I have a setup in OpenBSD 6.8, relayd / httpd and wish to see if I can
have specific http options or headers depending on paths in the
requests.
Can I do "match path ..." and set headers ? Until now, all doc I read
say you can set headers globally but not on specific paths.
I can set tags, but trying to match on them and set headers after
triggers syntax error.
Here is an extract of the relayd.conf, where I wish to match on the
static path. I got syntax error when I test this conf (currently
commented) :
http protocol https {
# Various TCP options
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
...
#match path "/static/*" {
#response header set "Access-Control-Allow-Methods" value
"GET,OPTIONS"
#response header set "Access-Control-Allow-Headers" value
"Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-
Modified-Since,Cache-Control,Content-Type"
# }
pass request path "/static/*" forward to
pass request path "/tracker/socket" forward to
pass request path "/socket.io" forward to
pass request path "/*" forward to
}
Thanks for answers.
Re: Suspend/resume does not work on Lenovo X1 Carbon 3rd gen laptop
Hi Theo, Thanks for reaching out and explaining the issue in more detail. It prompted me to check the disklabel for the drive. If I recall correctly, the disk was formatted using the autoformatting option supplied by the OpenBSD 6.8 installer and has the following disklabel: # /dev/rsd0c: type: SCSI disk: SCSI disk label: SAMSUNG MZHPV512 duid: e4819536ae37a0af flags: bytes/sector: 512 sectors/track: 63 tracks/cylinder: 255 sectors/cylinder: 16065 cylinders: 62260 total sectors: 1000215216 # total bytes: 476.9G boundstart: 64 boundend: 1000206900 drivedata: 0 16 partitions: # size offset fstype [fsize bsize cpg] a: 1.0G 64 4.2BSD 2048 16384 12960 # / b: 8.1G 2097216 swap # none c: 476.9G 0 unused d: 4.0G 19164928 4.2BSD 2048 16384 12960 # /tmp e: 19.8G 27553536 4.2BSD 2048 16384 12956 # /var f: 6.0G 69028992 4.2BSD 2048 16384 12960 # /usr g: 1.0G 81611904 4.2BSD 2048 16384 12960 # /usr/X11R6 h: 20.0G 83709056 4.2BSD 2048 16384 12960 # /usr/local i: 2.0G 125652096 4.2BSD 2048 16384 12960 # /usr/src j: 6.0G 129846400 4.2BSD 2048 16384 12960 # /usr/obj k: 300.0G 142429312 4.2BSD 4096 32768 26062 # /home By the looks of it, the swap partition should be sufficiently large to support hibernate. I went through the following steps to highlight the issue: 1. Reboot machine using "doas reboot" to start the test with a clean slate. 2. Switch to console; The machine starts xenodm at boot as the machine is meant to be used as a workstation by my children. 3. Login, execute "ZZZ" and wait for the machine to finish hibernating. 4. Resume machine. 5. OpenBSD boot(8) bootstrap program shows the standard boot prompt, i.e. it does not detect that the machine is being resumed after it has been hibernated. 6. Machine boots as if the hibernate request was never executed. During boot OpenBSD detects a number of uncleanly unmounted filesystems as well. The above test sequence was executed on a fresh OpenBSD 6.9 snapshot which was successfully installed using "sysupgrade -s": OpenBSD 6.9-beta (GENERIC.MP) #446: Sat Apr 3 01:48:42 MDT 2021 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8261603328 (7878MB) avail mem = 7995830272 (7625MB) random: good seed from bootblocks mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xccbfd000 (65 entries) bios0: vendor LENOVO version "N14ET54W (1.32 )" date 03/19/2020 bios0: LENOVO 20BTS0MX00 acpi0 at bios0: ACPI 5.0 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SLIC ASF! HPET ECDT APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA SSDT UEFI MSDM BATB FPDT UEFI acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpiec0 at acpi0 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz, 798.31 MHz, 06-3d-04 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz, 798.16 MHz, 06-3d-04 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins acpimcfg0 at acpi0 acpimcfg0: addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEG_) acpiprt2 at acpi0: bus 3 (EXP1) acpiprt3 at acpi0: bus 4 (EXP2) acpiprt4 at acpi0: bus -1 (EXP3) acpiprt5 at acpi0: bus 10 (EXP6) acpibtn0
Re: How I got iked in -current to work with iOS
Hello - I have added a small bit of additional information at the end. -Original Message- From: Theodore Wynnychenko [mailto:t...@uchicago.edu] Sent: Friday, April 02, 2021 1:46 PM To: misc@openbsd.org Subject: How I got iked in -current to work with iOS Hi I had some time today, and decided to send this now. This is how I got OpenBSD's iked daemon (version in current about 3/28/2021) to work with Apple's iOS (iphone/ipad's) version (about) 14.4.2. Some prelude: So, I have no real reason to do this, other than that I want to. I think of it as a learning exercise, so my knowledge is limited in many ways. I got this to work for my specific use case. Specially, I only have a few devices that I want/need to have access to my home's VPN. I do this to have a secure gateway for access to my email/calendar/files/etc when not at home (yes, I host my own services - I know that Apple and Google and other respect my privacy, etc., but ...). I have NOT tried to set this up as a VPN to route all traffic from associated devices (I don't have the a connection with the bandwidth necessary to do so). Because I am only "managing" a handful of devices, I did all of this manually. Limitations/Requirements: Apple's iOS: Recently, Apple has put several restrictions on the certificates iOS devices will accept for ikev2 connections. These are "disclosed" at https://support.apple.com/en-us/HT211025 and https://support.apple.com/en-us/HT210176. Specifically, certificates must: - CA and TLS certs using RSA must use key => 2048 - CA and TLS certs must use SHA-2 - TLS certs must have a SubjectAlternativeName with the DNS name of the server; a CommonName only is not enough For certificates issued after 7/1/2019: - ExtendedKeyUsage for TLS server and TLS client must be included - TLS certs can only be valid for 825 days or less For certificates issued by the Root CA's preinstalled in iOS, after 9/1/2020: - TLS certs can only be valid for 398 days or less OpenBSD's iked: OpenBSD ikev2 also has some specific requirements for certificate authentication. iked requires specific key/authentication combinations: - rfc7427 only supports SHA2-256 (not sure if iOS supports rfc7427) - ecdsa256 only supports P-256 with SHA2-256 - ecdsa382 only supports P-384 with SHA2-384 - ecdsa521 only supports P-521 with SHA2-512 - rsa suppors RSA but only with SHA1 Other/General: In terms of ECDSA certificates, it seems that P-256 and P-384 are the ones that are more generally accepted, and will likely continue to be generally accepted. This appears to be based on NIST's inclusion of them in their "Suite B Cryptography" information. P-521 was not included in "Suite B," and it seems some things have not included support for it. So, I concluded, to be safe (and since it seems the computational/security cost/benefit of P-384 vs P-521 is narrow), and based on the requirements above, to use P-384 with SHA2-384. My setup: Certificates: In order to do this, I used openssl commands directly. I did not use ikectl to create certs or the CA. Before I go into details, I wanted to have certs that would last longer than the Apple limit. Therefore, I needed to have a CA certificate, and TLS certs, that had a "Not Before" date before 7/1/2019. In order to do this, when I created my CA certificate, I changed the time/date on the system using "date 20190101" before creating the CA, and then reset the date when I was done. Creating back-dated TLS certs is a bit more direct, all that is necessary is to add "-startdate 2019010200Z" to the openssl ca command when signing the TLS certificate. Obviously, you need to have complete control of the CA (and not care that you are doing this) to accomplish this and get certificates with a longer time horizon for iOS. So, first I created a CA using ECDSA384: I created/edited the openssl.cnf file to have the appropriate additions/defaults I need for these certificates. I will not cover everything, but I think these are the basic requirements (I have edited out many things in the actual file I used, but I THINK what is left is all that may be really needed, but my openssl knowledge is not absolute, and I may have errors that I don't realize): (NOTE: When I was trying to get this to work, I began to believe that the current iOS has a problem with "-" [hyphens] in the CN/SAN, so I did not use them. I now am not sure if "-"'s will work or not.] General defaults for generating the signing request (csr), openssl.cnf: default_bits= 4096 default_keyfile = key.pem default_md = sha384 string_mask = utf8only distinguished_name = req_distinguished_name attributes = req_attributes The distinguished name/attributes are basically from the default cnf file. For the CA cert, openssl.cnf: basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always issuerAltName
Re: How I got iked in -current to work with iOS
Hello - I have added a small bit of additional information at the end. -Original Message- From: Theodore Wynnychenko Sent: Friday, April 02, 2021 1:46 PM To: misc@openbsd.org Subject: How I got iked in -current to work with iOS Hi I had some time today, and decided to send this now. This is how I got OpenBSD's iked daemon (version in current about 3/28/2021) to work with Apple's iOS (iphone/ipad's) version (about) 14.4.2. Some prelude: So, I have no real reason to do this, other than that I want to. I think of it as a learning exercise, so my knowledge is limited in many ways. I got this to work for my specific use case. Specially, I only have a few devices that I want/need to have access to my home's VPN. I do this to have a secure gateway for access to my email/calendar/files/etc when not at home (yes, I host my own services - I know that Apple and Google and other respect my privacy, etc., but ...). I have NOT tried to set this up as a VPN to route all traffic from associated devices (I don't have the a connection with the bandwidth necessary to do so). Because I am only "managing" a handful of devices, I did all of this manually. Limitations/Requirements: Apple's iOS: Recently, Apple has put several restrictions on the certificates iOS devices will accept for ikev2 connections. These are "disclosed" at https://support.apple.com/en-us/HT211025 and https://support.apple.com/en-us/HT210176. Specifically, certificates must: - CA and TLS certs using RSA must use key => 2048 - CA and TLS certs must use SHA-2 - TLS certs must have a SubjectAlternativeName with the DNS name of the server; a CommonName only is not enough For certificates issued after 7/1/2019: - ExtendedKeyUsage for TLS server and TLS client must be included - TLS certs can only be valid for 825 days or less For certificates issued by the Root CA's preinstalled in iOS, after 9/1/2020: - TLS certs can only be valid for 398 days or less OpenBSD's iked: OpenBSD ikev2 also has some specific requirements for certificate authentication. iked requires specific key/authentication combinations: - rfc7427 only supports SHA2-256 (not sure if iOS supports rfc7427) - ecdsa256 only supports P-256 with SHA2-256 - ecdsa382 only supports P-384 with SHA2-384 - ecdsa521 only supports P-521 with SHA2-512 - rsa suppors RSA but only with SHA1 Other/General: In terms of ECDSA certificates, it seems that P-256 and P-384 are the ones that are more generally accepted, and will likely continue to be generally accepted. This appears to be based on NIST's inclusion of them in their "Suite B Cryptography" information. P-521 was not included in "Suite B," and it seems some things have not included support for it. So, I concluded, to be safe (and since it seems the computational/security cost/benefit of P-384 vs P-521 is narrow), and based on the requirements above, to use P-384 with SHA2-384. My setup: Certificates: In order to do this, I used openssl commands directly. I did not use ikectl to create certs or the CA. Before I go into details, I wanted to have certs that would last longer than the Apple limit. Therefore, I needed to have a CA certificate, and TLS certs, that had a "Not Before" date before 7/1/2019. In order to do this, when I created my CA certificate, I changed the time/date on the system using "date 20190101" before creating the CA, and then reset the date when I was done. Creating back-dated TLS certs is a bit more direct, all that is necessary is to add "-startdate 2019010200Z" to the openssl ca command when signing the TLS certificate. Obviously, you need to have complete control of the CA (and not care that you are doing this) to accomplish this and get certificates with a longer time horizon for iOS. So, first I created a CA using ECDSA384: I created/edited the openssl.cnf file to have the appropriate additions/defaults I need for these certificates. I will not cover everything, but I think these are the basic requirements (I have edited out many things in the actual file I used, but I THINK what is left is all that may be really needed, but my openssl knowledge is not absolute, and I may have errors that I don't realize): (NOTE: When I was trying to get this to work, I began to believe that the current iOS has a problem with "-" [hyphens] in the CN/SAN, so I did not use them. I now am not sure if "-"'s will work or not.] General defaults for generating the signing request (csr), openssl.cnf: default_bits= 4096 default_keyfile = key.pem default_md = sha384 string_mask = utf8only distinguished_name = req_distinguished_name attributes = req_attributes The distinguished name/attributes are basically from the default cnf file. For the CA cert, openssl.cnf: basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always,issuer:always issuerAltName = issuer:copy For
Re: Does Minecraft + Microsoft account on OpenBSD work?
O 04/04/21 ás 16:34, Mark Hesselink escribiu: Hi, Minecraft Java Edition can be easily installed on OpenBSD using the games/minecraft port (see e.g. https://openports.se/games/minecraft). Before I buy the game, which at 17.95 GBP is reasonably priced IMHO, I wanted to ask the OpenBSD community whether anyone has been able to get the Minecraft port to work using a Microsoft account: Since 1 December 2020 one needs a Microsoft account to buy and play Minecraft Java Edition. I have attempted to start the games/minecraft port in demo mode using the instructions posted at https://minecraft.fandom.com/wiki/Demo_mode: Supposedly passing the --demo argument to minecraft.jar should launch the demo. Assuming these instructions are correct, I have not been able to log in to Minecraft using my Microsoft account despite registering the account for a free trial. Would anyone know the magic trick to play Minecraft Java Edition on OpenBSD using a Microsoft account? Cheers, Mark I have an account with the paid game. For me it runs perfectly. However there is a problem: this launcher is outdated. Now there is a new one that runs from a native executable, and the Java one is deprecated. This means that you can't run the newer versions (haven't tried it, but after a bit of searching I can find complains from version 1.14.4). And I can't find what are you saying about that «Demo mode page». It clearly says that for launching the demo you only need to login as an account without the game bought. The «--demo» option is for servers.
Does Minecraft + Microsoft account on OpenBSD work?
Hi, Minecraft Java Edition can be easily installed on OpenBSD using the games/minecraft port (see e.g. https://openports.se/games/minecraft). Before I buy the game, which at 17.95 GBP is reasonably priced IMHO, I wanted to ask the OpenBSD community whether anyone has been able to get the Minecraft port to work using a Microsoft account: Since 1 December 2020 one needs a Microsoft account to buy and play Minecraft Java Edition. I have attempted to start the games/minecraft port in demo mode using the instructions posted at https://minecraft.fandom.com/wiki/Demo_mode: Supposedly passing the --demo argument to minecraft.jar should launch the demo. Assuming these instructions are correct, I have not been able to log in to Minecraft using my Microsoft account despite registering the account for a free trial. Would anyone know the magic trick to play Minecraft Java Edition on OpenBSD using a Microsoft account? Cheers, Mark
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
> From: Darren Tucker > Date: Sun, 4 Apr 2021 09:18:30 +1000 > > On Sun, 4 Apr 2021 at 01:32, Patrick Wildt wrote: > > [...] > Maybe you both can try my revert and make sure it doesn't introduce any > other regressions? > > That also seems to work on the Brume in question: Works for the Turris MOX as well. Do you want to commit the revert Darren? > >> OpenBSD/arm64 BOOTAA64 1.2 > boot> boot /bsd.test > booting sd0a:/bsd.test: 8808452+1793560+567784+830080 > [634134+109+1073400+630260]=0xf904a0 > type 0x2 pa 0x0 va 0x0 pages 0x4000 attr 0x8 > [lots snipped] > type 0x2 pa 0x3ffa6000 va 0x3e715000 pages 0x5a attr 0x8 > [ using 2338872 bytes of bsd ELF symbol table ] > Copyright (c) 1982, 1986, 1989, 1991, 1993 > The Regents of the University of California. All rights reserved. > Copyright (c) 1995-2021 OpenBSD. All rights reserved. > https://www.OpenBSD.org > > OpenBSD 6.9-beta (GENERIC.MP) #1: Thu Apr 1 19:48:05 AEDT 2021 > dtuc...@brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP > real mem = 1032523776 (984MB) > avail mem = 968355840 (923MB) > random: good seed from bootblocks > mainbus0 at root: GL.inet GL-MV1000 (Marvell) > psci0 at mainbus0: PSCI 1.0 > cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4 > cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache > cpu0: 256KB 64b/line 16-way L2 cache > cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16 > cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4 > cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache > cpu1: 256KB 64b/line 16-way L2 cache > cpu1: CRC32,SHA2,SHA1,AES+PMULL,ASID16 > efi0 at mainbus0: UEFI 2.0.5 > efi0: Das U-boot rev 0x0 > apm0 at mainbus0 > agtimer0 at mainbus0: 12500 kHz > "pmu" at mainbus0 not configured > simplebus0 at mainbus0: "soc" > simplebus1 at simplebus0: "internal-regs" > mvclock0 at simplebus1 > mvclock1 at simplebus1 > mvclock2 at simplebus1 > mvpinctrl0 at simplebus1 > syscon0 at simplebus1: "syscon" > mvpinctrl1 at simplebus1 > agintc0 at simplebus1 shift 4:3 nirq 224 nredist 2 ipi: 0, 1: > "interrupt-controller" > mvspi0 at simplebus1 > mvuart0 at simplebus1 > mvneta0 at simplebus1 > mvneta0: Ethernet address 94:83:c4:03:b0:d9 > mvmdio0 at simplebus1: "mdio" > mvsw0 at mvmdio0 phy 1: 88E6141 rev 0 > xhci0 at simplebus1, xHCI 1.0 > usb0 at xhci0: USB revision 3.0 > uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev > 3.00/1.00 addr 1 > "usb" at simplebus1 not configured > "u3d" at simplebus1 not configured > "udc" at simplebus1 not configured > "xor" at simplebus1 not configured > sdhc0 at simplebus1 > sdhc0: SDHC 3.0, 400 MHz base clock > sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma > sdhc1 at simplebus1 > sdhc1: SDHC 3.0, 400 MHz base clock > sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma > "sata" at simplebus1 not configured > mvkpcie0 at simplebus0 > mvkpcie0: timeout > "regulator" at mainbus0 not configured > scsibus0 at sdmmc1: 2 targets, initiator 0 > sd0 at scsibus0 targ 1 lun 0: removable > sd0: 7456MB, 512 bytes/sector, 15269888 sectors > scsibus1 at sdmmc0: 2 targets, initiator 0 > sd1 at scsibus1 targ 1 lun 0: removable > sd1: 30436MB, 512 bytes/sector, 62333952 sectors > vscsi0 at root > scsibus2 at vscsi0: 256 targets > softraid0 at root > scsibus3 at softraid0: 256 targets > root on sd1a (9e51f250b602291d.a) swap on sd1b dump on sd1b > WARNING: CHECK AND RESET THE DATE! > Automatic boot in progress: starting file system checks. > /dev/sd1a (9e51f250b602291d.a): file system is clean; not checking > 9e51f250b602291d.i: 6 files, 16034 free (8017 clusters) > pf enabled > starting network > starting early daemons: syslogd pflogd ntpd. > starting RPC daemons:. > savecore: can't find device 255/16777088 > checking quotas: done. > clearing /tmp > kern.securelevel: 0 -> 1 > creating runtime link editor directory cache. > preserving editor files. > starting network daemons: sshd smtpd sndiod. > starting local daemons: cron. > Thu Apr 1 19:50:48 AEDT 2021 > > OpenBSD/arm64 (brume.dtucker.net) (console) > > > > That BRUME thingy looks cute, but has a bit of an issue. It doesn't > > > really have three Ethernet ports. Instead those ports are part of a > > > switch that also connects to an Ethernet interface on the SoC. > > > > Yeah I noticed that. Single ethernet plus programmable switch seems > to > > be pretty common in this class of device. > > And if someone wants to program it, feel free to, mvsw(4) exists for a > reason, might just need some code. :) > > and maybe docs :-) > > # man 4 mvsw > man: No entry for mvsw in section 4 of the manual. You must be doing that on an OpenBSD 6.8 system. Man page is there on -current.
Re: relayd to match http request according to path and change headers
Le dimanche 4 avril 2021 11:31:27 CEST, vous avez écrit : > Just a idea, have you tried the keyword request ? > > Something like > > match request path "/static/*" forward to > > Regards, > > Christoph > Actually, it's not at the forward stage that I have a problem, sorry if I explained wrongly. That part works perfect : "match request path "/static/*" forward to " I am trying to match a request based on the "static" path and set its reponse headers. This is the part where I want to improve things: match request path "/static/*" response header set "Access-Control- Allow-Headers" value "Range" And those, I always get syntax errors. Thanks Kind regards.
Re: Does Minecraft + Microsoft account on OpenBSD work?
On 4/4/21 12:06 PM, Parodper wrote: O 04/04/21 ás 16:34, Mark Hesselink escribiu: Hi, Minecraft Java Edition can be easily installed on OpenBSD using the games/minecraft port (see e.g. https://openports.se/games/minecraft). Before I buy the game, which at 17.95 GBP is reasonably priced IMHO, I wanted to ask the OpenBSD community whether anyone has been able to get the Minecraft port to work using a Microsoft account: Since 1 December 2020 one needs a Microsoft account to buy and play Minecraft Java Edition. I have attempted to start the games/minecraft port in demo mode using the instructions posted at https://minecraft.fandom.com/wiki/Demo_mode: Supposedly passing the --demo argument to minecraft.jar should launch the demo. Assuming these instructions are correct, I have not been able to log in to Minecraft using my Microsoft account despite registering the account for a free trial. Would anyone know the magic trick to play Minecraft Java Edition on OpenBSD using a Microsoft account? Cheers, Mark I have an account with the paid game. For me it runs perfectly. However there is a problem: this launcher is outdated. Now there is a new one that runs from a native executable, and the Java one is deprecated. This means that you can't run the newer versions (haven't tried it, but after a bit of searching I can find complains from version 1.14.4). And I can't find what are you saying about that «Demo mode page». It clearly says that for launching the demo you only need to login as an account without the game bought. The «--demo» option is for servers. To handle the newer versions we have games/multimc for a more feature-rich launcher or you can tinker with games/py-minecraft-launcher-lib (kmos@ has scripts for different versions here: https://github.com/kmosiejczuk/minecraft-launchers). But no, neither currently handles Microsoft accounts. I believe multimc plans that for their 0.7 release. -pamela
divert with rdr-to not working properly
Hello Misc, I think divert-packet feature with NAT/NAPT is broken. I can not reach to web server when I use divert-packet with rdr-to. Is this a known bug or a new issue? When I use divert-packet + rdr-to here is the situation: # MY PF RULES pass in log quick on pppoe0 inet proto tcp from any to (pppoe0:0) port 81 rdr-to 10.10.12.27 port 81 pass out log quick on vport12 inet proto tcp from any to 10.10.12.27 port 81 divert-packet port 700 # firewall# tcpdump -s 246 -nettti pflog0 port 81 tcpdump: listening on pflog0, link-type PFLOG Apr 05 09:27:06.862384 rule 1/(match) pass in on pppoe0: 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:06.862412 rule 2/(match) pass out on vport12: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Here my egress interface tcpdump outputs of my firewall: firewall# tcpdump -s 246 -nettti pppoe0 port 81 tcpdump: listening on pppoe0, link-type PPP_ETHER Apr 05 09:27:06.862372 PPPoE code Session, version 1, type 1, id 0x0001, length 62 IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:06.863516 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:07.861615 PPPoE code Session, version 1, type 1, id 0x0001, length 62 IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:07.862076 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:09.855052 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:09.865622 PPPoE code Session, version 1, type 1, id 0x0001, length 62 IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:09.866059 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:13.877705 PPPoE code Session, version 1, type 1, id 0x0001, length 62 IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:13.878168 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:15.844984 PPPoE code Session, version 1, type 1, id 0x0001, length 66 IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) I can only see SYN packets on outgoing interface firewall# tcpdump -s 246 -nettti vport12 port 81 tcpdump: listening on vport12, link-type EN10MB Apr 05 09:27:06.863133 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:06.863414 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:07.861706 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:07.861986 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:09.854954 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:09.865709 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:09.865987 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:13.877798 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:27:13.878085 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:15.844881 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) Apr 05 09:27:27.845083 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78: 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack 2356312962 win 16384 (DF) This is what I see on my web server: webserver# tcpdump -s 246 -nettti em0 port 81 tcpdump: listening on em0, link-type EN10MB Apr 05 09:26:51.144078 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74: 192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200 (DF) Apr 05 09:26:51.144167 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800
