Re: odd bc -l output

2021-11-29 Thread Łukasz Moskała



On 30 November 2021 08:38:27 CET, "Peter J. Philipp"  
wrote:
>In fact it's not just bc -l, but also when I calculate the following in C
>(linked with -lm)
>
>C = (180.0 - A) - B;
>a = (double)(c / sin(C)) * sin(A);
>b = (double)(c / sin(C)) * sin(B);
>
>Some may recognize this as parts of the Law of Sines.
>
>pjp@neptune$ bc -l
>(9 / s(70)) * s(76)
>6.58357679385302895866
>
>When I do it with xcalc I get the correct 9.2931043.
>
>What am I doing wrong?  How must I massage my system the correct way?
>The wrong number was observed on arm64 (bc -l) and amd64 (CGI).
>
>Best Regards,
>-peter
>

From what I know, in C, sin takes input in radians.

Most likely bc does the same, and then xcalc probably automatically converts 
input to radians before passing it to sin().

Kind regards
--
Łukasz Moskała



Re: odd bc -l output

2021-11-29 Thread Otto Moerbeek
On Tue, Nov 30, 2021 at 08:38:27AM +0100, Peter J. Philipp wrote:

> In fact it's not just bc -l, but also when I calculate the following in C
> (linked with -lm)
> 
> C = (180.0 - A) - B;
> a = (double)(c / sin(C)) * sin(A);
> b = (double)(c / sin(C)) * sin(B);
> 
> Some may recognize this as parts of the Law of Sines.
> 
> pjp@neptune$ bc -l
> (9 / s(70)) * s(76)
> 6.58357679385302895866
> 
> When I do it with xcalc I get the correct 9.2931043.
> 
> What am I doing wrong?  How must I massage my system the correct way?
> The wrong number was observed on arm64 (bc -l) and amd64 (CGI).
> 
> Best Regards,
> -peter
> 

You are using degrees instead of radians.

-Otto



Re: odd bc -l output

2021-11-29 Thread Peter J. Philipp
Sorry about this, I forget sin() takes radians not degrees!

On Tue, Nov 30, 2021 at 08:38:27AM +0100, Peter J. Philipp wrote:
> In fact it's not just bc -l, but also when I calculate the following in C
> (linked with -lm)
> 
> C = (180.0 - A) - B;
> a = (double)(c / sin(C)) * sin(A);
> b = (double)(c / sin(C)) * sin(B);
> 
> Some may recognize this as parts of the Law of Sines.
> 
> pjp@neptune$ bc -l
> (9 / s(70)) * s(76)
> 6.58357679385302895866
> 
> When I do it with xcalc I get the correct 9.2931043.
> 
> What am I doing wrong?  How must I massage my system the correct way?
> The wrong number was observed on arm64 (bc -l) and amd64 (CGI).
> 
> Best Regards,
> -peter
> 



odd bc -l output

2021-11-29 Thread Peter J. Philipp
In fact it's not just bc -l, but also when I calculate the following in C
(linked with -lm)

C = (180.0 - A) - B;
a = (double)(c / sin(C)) * sin(A);
b = (double)(c / sin(C)) * sin(B);

Some may recognize this as parts of the Law of Sines.

pjp@neptune$ bc -l
(9 / s(70)) * s(76)
6.58357679385302895866

When I do it with xcalc I get the correct 9.2931043.

What am I doing wrong?  How must I massage my system the correct way?
The wrong number was observed on arm64 (bc -l) and amd64 (CGI).

Best Regards,
-peter
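The figures from this thread reproduced in Python as an added example (not code from the thread): math.sin, like C's sin() and bc's s(), takes radians, so passing 70 and 76 straight in gives the 6.5835... bc printed, while converting first gives the 9.2931043 xcalc showed. The triangle values (c = 9, C = 70, A = 76, hence B = 34) are the thread's; the consistency check is an addition.

```python
"""Law of Sines with degrees vs radians (added example, not code from the thread)."""
import math


def law_of_sines(c: float, a_deg: float, b_deg: float, convert: bool = True) -> tuple:
    """Return (a, b, C_deg) for a triangle with side c and angles A, B in degrees.

    C = 180 - A - B, a = c/sin(C) * sin(A) and b = c/sin(C) * sin(B).
    With convert=False the degree values go into sin() unchanged, which
    reproduces the wrong number from the thread.
    """
    c_deg = (180.0 - a_deg) - b_deg
    to_arg = math.radians if convert else (lambda x: x)
    ratio = c / math.sin(to_arg(c_deg))
    return ratio * math.sin(to_arg(a_deg)), ratio * math.sin(to_arg(b_deg)), c_deg


def ratios_consistent(a: float, b: float, c: float,
                      a_deg: float, b_deg: float, c_deg: float, tol: float = 1e-9) -> bool:
    """Check a/sin A == b/sin B == c/sin C (angles in radians).

    This identity holds for any real triangle, so a test built on it catches
    the degree/radian mix-up immediately.
    """
    ratios = [a / math.sin(math.radians(a_deg)),
              b / math.sin(math.radians(b_deg)),
              c / math.sin(math.radians(c_deg))]
    return max(ratios) - min(ratios) < tol


if __name__ == "__main__":
    # The thread's case: c = 9, C = 70 degrees, A = 76 degrees (so B = 34).
    for convert in (True, False):
        a, b, c_deg = law_of_sines(9.0, 76.0, 34.0, convert=convert)
        ok = ratios_consistent(a, b, 9.0, 76.0, 34.0, c_deg)
        print(f"convert={convert}: a={a:.7f} b={b:.7f} law of sines holds={ok}")
```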



Raspberry Pi 4B performance compared to APU / wireless networking?

2021-11-29 Thread Steve Williams

Hi,

I have an APU 2C4 running OpenBSD 7.

I see that the Raspberry Pi 4B is supported by OpenBSD now and I was 
thinking of getting one to play with as my APU is my main server and I 
don't want to take it down to experiment.


I can't seem to find any reviews/comparisons of an APU vs. a Raspberry 
Pi 4B.


Does anyone have a "gut" feeling on the relative performance?

Does the wireless networking work well on the Raspberry as the APU's 
wireless is less than optimal :) ?


Thanks for any feedback.

Cheers,
Steve Williams



Re: bgpd, announce to ibgp from 2 routers, prefixes only show up from 1

2021-11-29 Thread Adam Thompson
[apologies in advance for top-posting]

bgpd(8) is excellent in many ways, and I am SO very grateful it exists.  (Thank 
you Henning, Claudio, Peter and everyone else who has contributed to it over 
the years!  It has straight-up saved my bacon a couple of times.)

But one feature it does not yet AFAIK have is Additional Paths 
("additional-path", or just "add-path") [1].  This is where a BGP speaker 
advertises not only its "best" routes, but *all* its routes, to its peers.  The 
FIB remains unchanged, but the RIB can grow very large in a well-connected AS.  
Since each router now knows all the available paths through every other router, 
convergence is - at least in theory - sped up quite dramatically, and you 
mostly avoid the "hole" described.  It's not a perfect solution but it works 
very well.

If you're brave enough, at least some versions/forks of Bird/Quagga/Zebra have 
support for add-path.  I wouldn't recommend running these on OpenBSD, generally 
speaking - bgpd(8) is more appropriate 99.999% of the time - but you might find 
it worthwhile, depending on your needs.  Be particularly careful of any routing 
software that lacks the ability to affect kernel routes - unless you're just 
running a route reflector, that will change your design *significantly*.

Or, as Stuart said, running a "proper" IGP like OSPF could bridge some of the 
gaps you might see.  YMMV.
 
-Adam 

P.S. From what I heard a few years ago, OpenBSD isn't completely ignoring 
add-path, it's just 
complex/difficult/time-consuming/unfunded/low-priority/pick-your-favourite-reason.

[1] https://datatracker.ietf.org/doc/html/rfc7911


-Original Message-
From: owner-m...@openbsd.org  On Behalf Of Sebastian 
Benoit
Sent: Monday, November 29, 2021 3:38 PM
To: misc@openbsd.org
Subject: Re: bgpd, announce to ibgp from 2 routers, prefixes only show up from 1

Stuart Henderson(s...@spacehopper.org) on 2021.11.13 00:11:08 +:
> I have a pair of -current routers running bgpd (let's call them rtr-a 
> and rtr-b) on a subnet which also has some vpn gateways and firewalls.
> 
> These routers provide a carp address which the vpn gateways are using 
> as default route. There are some networks behind the vpn gateways (a
> /32 to accept incoming vpn connections and some other prefixes that 
> vpn clients are numbered from).
> 
> rtr-a and rtr-b have static routes to those networks, and they have 
> network statements in bgpd.conf to announce them to their ibgp peers 
> ("network 172.24.232.0/21 set nexthop XXX" etc) so the paths are 
> reachable from the rest of the network. (This is replacing an existing 
> setup using ospf, trying to remove routing protocols from machines 
> that don't really need them).
> 
> It is working but something seems a little odd - the paths are 
> announced from both routers briefly and show up on the rest of the 
> network from both rtr-a and rtr-b. But after a few seconds, rtr-b 
> receives these paths from rtr-a, and then rtr-b stops announcing them 
> itself. (they stop showing in "bgpctl sh rib out" on rtr-b; "bgpctl sh 
> nex" does correctly identify the associated nexthops as connected/UP).
> 
> Is this expected/correct behaviour?

It is expected: once rtr-b receives the route from rtr-a, it will run the route 
decision process on it. IF both routers are configured identically except for 
the router-id, one of the routes will be preferred at either the "oldest path" 
or the "lowest bgp id" criteria.

As only one route is a best route, that one will be announced to the neighbors. 
However this is IBGP. In a set of IBGP connected routers, a router will not 
announce a route to other IBGP peers that it received on an IBGP session. 
Thus, rtr-b will stop announcing that route.

When rtr-a goes down, the session is shut down or the prefix is filtered, bgpd 
won't see the "better" route anymore and announce its own instead.

> I'd prefer to have them announced from both rtr-a and rtr-b, so 
> there's no blackhole period if rtr-a is restarted while rtr-b figures 
> out that it should start announcing them, etc. (No need for tracking 
> carp state in this case, I'm not using stateful pf rules on the traffic 
> involved).

This is a place where ospf might give you faster failover, especially with the 
redistribute ... depend on ... syntax.
 
> If rtr-b stops seeing the prefixes from rtr-a (either by taking down 
> the ibgp session, or by filtering) I see the announcements from both 
> rtr-a and rtr-b again. So the obvious workaround is to filter, but I 
> thought I'd ask first in case it's something that is better handled by 
> code changes rather than config.



Re: bgpd, announce to ibgp from 2 routers, prefixes only show up from 1

2021-11-29 Thread Sebastian Benoit
Stuart Henderson(s...@spacehopper.org) on 2021.11.13 00:11:08 +:
> I have a pair of -current routers running bgpd (let's call them rtr-a
> and rtr-b) on a subnet which also has some vpn gateways and firewalls.
> 
> These routers provide a carp address which the vpn gateways are using
> as default route. There are some networks behind the vpn gateways (a
> /32 to accept incoming vpn connections and some other prefixes that vpn
> clients are numbered from).
> 
> rtr-a and rtr-b have static routes to those networks, and they have
> network statements in bgpd.conf to announce them to their ibgp peers
> ("network 172.24.232.0/21 set nexthop XXX" etc) so the paths are reachable
> from the rest of the network. (This is replacing an existing setup using
> ospf, trying to remove routing protocols from machines that don't really
> need them).
> 
> It is working but something seems a little odd - the paths are announced
> from both routers briefly and show up on the rest of the network from
> both rtr-a and rtr-b. But after a few seconds, rtr-b receives these
> paths from rtr-a, and then rtr-b stops announcing them itself. (they
> stop showing in "bgpctl sh rib out" on rtr-b; "bgpctl sh nex" does
> correctly identify the associated nexthops as connected/UP).
> 
> Is this expected/correct behaviour?

It is expected: once rtr-b receives the route from rtr-a, it will run the
route decision process on it. IF both routers are configured identically
except for the router-id, one of the routes will be preferred at either the
"oldest path" or the "lowest bgp id" criteria.

As only one route is a best route, that one will be announced to the
neighbors. However this is IBGP. In a set of IBGP connected routers, a
router will not announce a route to other IBGP peers that it received
on an IBGP session. Thus, rtr-b will stop announcing that route.

When rtr-a goes down, the session is shut down or the prefix is filtered,
bgpd won't see the "better" route anymore and announce its own instead.

> I'd prefer to have them announced from both rtr-a and rtr-b, so there's
> no blackhole period if rtr-a is restarted while rtr-b figures out that
> it should start announcing them, etc. (No need for tracking carp state
> in this case, I'm not using stateful pf rules on the traffic involved).

This is a place where ospf might give you faster failover, especially with
the redistribute ... depend on ... syntax.
 
> If rtr-b stops seeing the prefixes from rtr-a (either by taking down
> the ibgp session, or by filtering) I see the announcements from both
> rtr-a and rtr-b again. So the obvious workaround is to filter, but
> I thought I'd ask first in case it's something that is better handled
> by code changes rather than config.
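A small model of the behaviour Sebastian describes, added here as an example and not bgpd code: two routers originate the same prefix, each runs a decision process over identical attributes so only the lowest BGP id tie-breaker is applied (the "oldest path" criterion is not modelled), and a path learned over IBGP is never re-advertised to IBGP peers. The prefix is the one from the thread; the router-ids 10.0.0.1 and 10.0.0.2 are constructed, with rtr-a's deliberately the lower one.

```python
"""IBGP announcement model for the rtr-a / rtr-b case (added example, not bgpd code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Path:
    prefix: str
    from_router_id: str      # BGP id of the peer it was learned from, or our own
    learned_from_ibgp: bool  # True when received over an IBGP session


class Router:
    def __init__(self, name: str, router_id: str) -> None:
        self.name = name
        self.router_id = router_id
        self.rib: dict[str, list[Path]] = {}

    def network(self, prefix: str) -> None:
        """Locally originated route, as with a 'network ... set nexthop' statement."""
        self._install(Path(prefix, self.router_id, False))

    def receive_ibgp(self, peer: "Router", prefix: str) -> None:
        """Learn the prefix over the IBGP session from peer."""
        self._install(Path(prefix, peer.router_id, True))

    def _install(self, path: Path) -> None:
        paths = self.rib.setdefault(path.prefix, [])
        if path not in paths:
            paths.append(path)

    def drop_peer(self, peer: "Router") -> None:
        """Session down or prefix filtered: forget every path learned from peer."""
        for prefix, paths in self.rib.items():
            self.rib[prefix] = [p for p in paths
                                if not (p.learned_from_ibgp and p.from_router_id == peer.router_id)]

    def best(self, prefix: str) -> Optional[Path]:
        paths = self.rib.get(prefix)
        if not paths:
            return None
        # All other attributes are identical here, so the tie is broken on lowest BGP id.
        return min(paths, key=lambda p: IPv4Address(p.from_router_id))

    def rib_out_ibgp(self, prefix: str) -> Optional[Path]:
        """What this router advertises to its IBGP peers ('bgpctl sh rib out')."""
        best = self.best(prefix)
        if best is None or best.learned_from_ibgp:
            return None  # a path learned over IBGP is not re-advertised to IBGP peers
        return best


def exchange(a: Router, b: Router, prefix: str) -> None:
    """One round of IBGP updates in both directions, computed before delivery."""
    out_a, out_b = a.rib_out_ibgp(prefix), b.rib_out_ibgp(prefix)
    if out_a:
        b.receive_ibgp(a, prefix)
    if out_b:
        a.receive_ibgp(b, prefix)


def announcers(routers: list, prefix: str) -> list:
    """Names of the routers whose IBGP peers currently see the prefix from them."""
    return sorted(r.name for r in routers if r.rib_out_ibgp(prefix))


def scenario(prefix: str = "172.24.232.0/21") -> dict:
    """Replay the thread: both announce briefly, rtr-b goes quiet, rtr-b stops seeing rtr-a."""
    rtr_a = Router("rtr-a", "10.0.0.1")  # constructed router-ids; rtr-a's is the lower one
    rtr_b = Router("rtr-b", "10.0.0.2")
    rtr_a.network(prefix)
    rtr_b.network(prefix)
    steps = {"startup": announcers([rtr_a, rtr_b], prefix)}
    exchange(rtr_a, rtr_b, prefix)
    steps["after ibgp exchange"] = announcers([rtr_a, rtr_b], prefix)
    rtr_b.drop_peer(rtr_a)  # rtr-a restarted, session taken down, or prefix filtered on rtr-b
    steps["rtr-b stops seeing rtr-a"] = announcers([rtr_a, rtr_b], prefix)
    return steps
```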



/etc/bsd.re-config - change a device?

2021-11-29 Thread Paul B. Henson
I'm upgrading to OpenBSD 7 and I was happy to see the new support for
/etc/bsd.re-config to allow modified kernels to be automatically
rebuilt. However, one of the changes I need to make is updating the IRQ
on com2, as my bios assigns it a non-standard value 8-/.

I can't figure out how to do that? Is it supported? When I put "change
com2" in /etc/bsd.re-config, config interactively asks me:

change [n]

I tried "change com2 y" and "change com2", then "y" on the next line,
but the first gave an error and the second still prompted interactively.

Are the only changes supported by /etc/bsd.re-config those that don't
need further input?

Thanks...



odd shutdown message

2021-11-29 Thread Peter J. Philipp
I have a VPS at openbsd amsterdam that shutdown with the message that _unbound
shut it down when it was my user OR root.

sky# zgrep unbound /var/log/authlog*gz
/var/log/authlog.0.gz:Nov 26 08:59:04 sky shutdown: reboot by _unbound: 

It was recorded in the logs as such.  I haven't totally figured this out yet
but the services that are open on this host are:

DNS
HTTP
SMTP
SSH

Today I tried several things to get this message again but failed.  It must
have come from an outside source that did the setlogin().  At first I thought
it came from unbound like the message says but now I'm leaning more toward
ssh.

sky# grep -v ^# sshd_config | grep -v ^$
Port 1022
PermitRootLogin no
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem   sftp/usr/libexec/sftp-server

I read a bit in the ssh source and it indeed does some libc calls that 
eventually end up in a setlogin() but I haven't got a clue on this program
how it is structured.

All I can ask, has anyone seen this before?  I'm reinstalling the host 
tomorrow.  Interesting to note I have password authentication turned off.

Best Regards,
-peter



pkg_add python errors ...

2021-11-29 Thread Why 42? The lists account.


Well, errors related to the python package ...

After updating to the latest snapshot and rebooting I ran "pkg_add -vu"
to update all my packages, which I think is the right thing to do.

I noticed some strange errors related to python scroll past i.e.
> ...
> Update candidates: p7zip-16.02p6 -> p7zip-16.02p6
> Update candidates: partial-python-3.9.7p3 -> python-3.9.9
> Unexpected symlink: /usr/local/bin/2to3
> Unexpected symlink: /usr/local/bin/pydoc3
> Unexpected symlink: /usr/local/bin/python3
> Unexpected symlink: /usr/local/bin/python3-config
> Unexpected symlink: /usr/local/lib/pkgconfig/python3-embed.pc
> Unexpected symlink: /usr/local/lib/pkgconfig/python3.pc
> Unexpected symlink: /usr/local/man/man1/python3.1
> Bad rename /usr/local/bin/2to3 to /usr/local/bin/2to3.X77AFtJWEq: No such 
> file or directory
> Bad rename /usr/local/bin/pydoc3 to /usr/local/bin/pydoc3.FLyJqqVBCV: No such 
> file or directory
> Bad rename /usr/local/bin/python3 to /usr/local/bin/python3.mct9eU2JKh: No 
> such file or directory
> Bad rename /usr/local/bin/python3-config to 
> /usr/local/bin/python3-config.LVZ4scwF2N: No such file or directory
> Bad rename /usr/local/lib/pkgconfig/python3-embed.pc to 
> /usr/local/lib/pkgconfig/python3-embed.pc.W3q0EmYVnC: No such file or 
> directory
> Bad rename /usr/local/lib/pkgconfig/python3.pc to 
> /usr/local/lib/pkgconfig/python3.pc.0svv4fWReb: No such file or directory
> Bad rename /usr/local/man/man1/python3.1 to 
> /usr/local/man/man1/python3.1.iWHWD3b3mt: No such file or directory
> [python-3.9.9]partial-python-3.9.7p3->: ok
> Update candidates: pcsc-tools-1.4.27p0 -> pcsc-tools-1.4.27p0
> Update candidates: picocom-3.1 -> picocom-3.1
> ...

I'm not sure why the "bad rename" would occur, indeed the rename does
seem to have taken place:
> mjoelnir:log 29.11 # ls -l /usr/local/bin/2to3*
> -rwxr-xr-x  1 root  bin101 Nov 26 12:37 /usr/local/bin/2to3-3.8
> -rwxr-xr-x  1 root  bin101 Nov 25 20:41 /usr/local/bin/2to3-3.9
> -rw---  1 root  wheel0 Nov 29 15:04 /usr/local/bin/2to3.H0cMphlKfH
> -rw---  1 root  wheel0 Nov 29 15:34 /usr/local/bin/2to3.X77AFtJWEq

(I ran the pkg_add a second time to capture the above error messages, so
I imagine that is why there are now two temp filenames.)

The pkg_add operation ended with:
> ...
> Update candidates: zsh-syntax-highlighting-0.7.1 -> 
> zsh-syntax-highlighting-0.7.1
> --- -partial-python-3.9.7p3 ---
> Files kept as partial-python-3.9.7p3.1 package

I now seem to have four different versions of the python package
installed:
partial-python-3.9.7p3.1
python-2.7.18p5
python-3.8.12p4
python-3.9.9

I'm not sure why python-3.9.7p3.1 has been kept around, according to
pkg_info nothing requires it:
> mjoelnir:/etc 29.11 # pkg_info -R partial-python-3.9.7p3.1
> mjoelnir:/etc 29.11 #

Running sysclean doesn't report anything obviously python related.

Has something gone wrong here? Do I need to to do any manual cleanup?

Cheers,
Robb.

mjoelnir:/etc 29.11 # sysctl kern.version
kern.version=OpenBSD 7.0-current (GENERIC.MP) #131: Mon Nov 29 00:32:40 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP



IKEv1 and IKEv2 coexistence

2021-11-29 Thread Grzegorz Patola

Hi All,


Could you tell me if it is possible to run ipsec in v1 and v2

ie. isakmpd and iked daemons on just one gateway ?


Thanks,

Greg.





CPU recommendation

2021-11-29 Thread Barbaros Bilek
Hello @misc,

I’m network administrator at a Hotel. We have nearly ~=1600 users
concurrently.
I’m trying to figure out which hardware covers my pc based OpenBSD firewall.
Disk : 1 TB SSD
RAM : 16 GB
Ethernet : Intel i211AT
But what about CPU. As far as I know CPU frequency is more important at
OpenBSD cause there is netlock() etc.
Right?

So which CPU is better at the moment?
Intel Core i3-6320 @ 3.90GHz
Intel Core i7-7700 @ 3.60GHz


Re: libdmx removal incomplete?

2021-11-29 Thread Nick Holland

On 11/28/21 6:17 PM, Alexander wrote:
...

Lastly: From your emails it seems to me that the use of sysclean after
upgrading is very much encouraged if not necessary. Then why is it not
included in base (especially when it's developed by OpenBSD developers)?
Or am I misunderstanding the requirements for inclusion of packages in
base?


VERY WRONG (as others have said).

I've been using OpenBSD since v2.4, I have never run a "clean up" tool of
any kind.  I reinstall only when replacing hardware, the rest of the time,
I run upgrades, I run snapshots and update frequently so I get a lot of
old files piling up at times.  And they just don't matter.

Occasionally, I have manually deleted old libraries when I have
run a system too long and an old HD starts getting tight on space, but
that is usually an indicator that I should probably be looking at swapping
out the hardware because it has done its time and I've probably got
something better.  And often not even then:

  $ ls -lt /usr/lib/|tail -4
  -r--r--r--  1 root  bin274965 Feb  9  2012 libpcap.so.6.0
  -r--r--r--  1 root  bin240930 Feb  9  2012 libkvm.so.12.0
  -r--r--r--  1 root  bin323995 Feb  9  2012 libexpat.so.9.0
  -r--r--r--  1 root  bin   2593417 Feb  9  2012 libc.so.62.0

(wow. that's an old machine.)

Using an automatic cleanup tool is far more likely to CAUSE problems
than to fix problems.  I'm not saying they /often/ cause problems,
but since old files laying around basically never cause problems other
than a small amount of space, there's some risk and almost no gain.

That machine with files left over from 2012?  It's got a 40G hard disk.
You will have trouble convincing me in 2021 that you are running out
of disk space and thus need to "clean" your system.

  $ dmesg|grep ^wd
  wd0 at pciide0 channel 0 drive 0: 
  wd0: 16-sector PIO, LBA48, 38146MB, 78125000 sectors
  wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4

(to be fair, that machine fell off the 'net for a few years, I assumed
it had died.  Then it suddenly came back on line, so I brought it up to
-current, so it skipped a lot of releases.  But its /usr partition is
well under 50% full, so it has some life left...)

Nick.



Re: Running redmine on OpenBSD

2021-11-29 Thread Łukasz Moskała

On 28.11.2021 at 18:07, Radek wrote:

Hello,
following the official guide [1] and a few other websites I finally installed my 
first Ruby on Rails/Puma web app...  and it passed the local test by curl 
(bundle exec rails server webrick -e production) - relayd wasn't configured yet.

Then, I ran my app with puma server. I can't figure out how to make it work 
with FQDN and LetsEncrypt cert.
My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].

I started with a simple httpd configuration to get certs with acme-client and 
then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
Now /etc/httpd.conf has changed but I assume my certs are still OK.

Remote firefox is giving me a "Redirect Loop" error when trying to access 
https://redmine.MY.DOMAIN.COM

Could someone please shed some light on this puzzle?

1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
2. https://github.com/basicfeatures/openbsd-rails
3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103

$ openssl s_client -connect redmine.MY.DOMAIN.COM:443
CONNECTED(0003)
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
  0 s:/CN=redmine.MY.DOMAIN.COM
i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-BEGIN CERTIFICATE-
[...]
-END CERTIFICATE-
subject=/CN=redmine.MY.DOMAIN.COM
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2403 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
 Protocol  : TLSv1.3
 Cipher: AEAD-AES256-GCM-SHA384
 Session-ID:
 Session-ID-ctx:
 Master-Key:
 Start Time: 1638116582
 Timeout   : 7200 (sec)
 Verify return code: 21 (unable to verify the first certificate)
---


[redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file 
config/puma.rb start
Puma starting in single mode...
* Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
*  Min threads: 0
*  Max threads: 5
*  Environment: production
*  PID: 85983
* Listening on 
ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt=/etc/ssl/private/redmine.MY.DOMAIN.COM.key_mode=none
* Listening on http://127.0.0.1:3001
Use Ctrl-C to stop




# /home/redminepk/redminepk/config/puma.rb
#!/usr/bin/env puma
app = "redminepk"
ssl_bind "127.0.0.1", "3000", {
   key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
   cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
}
bind "tcp://127.0.0.1:3001"
pidfile "/home/#{app}/#{app}/tmp/puma.pid"
state_path "/home/#{app}/#{app}/tmp/puma.state"
stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", 
"/home/#{app}/#{app}/log/puma_errors.log"
environment "production"


# /home/redminepk/redminepk/config/environments/production.rb
Rails.application.configure do
config.cache_classes = true
config.eager_load = true
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
config.action_mailer.raise_delivery_errors = false
config.action_mailer.logger = nil
config.active_support.deprecation = :log
config.force_ssl = true
end



# /etc/httpd.conf
ext_if="vmx0"
types { include "/usr/share/misc/mime.types" }
server "redmine.MY.DOMAIN.COM" {
 listen on $ext_if port 80
 location "/.well-known/acme-challenge/*" {
 root "/acme"
 request strip 2
 }
 location "*" {
 block return 302 "https://$HTTP_HOST$REQUEST_URI"
 }
}


# /etc/relayd.conf
egress="A.B.C.D"
table  { 127.0.0.1 }
redminepk_port="3001"
table  { 127.0.0.1 }
httpd_port="80"
http protocol "http" {
   match request header set "Connection" value "close"
   match response header remove "Server"
}
http protocol "https" {
   pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to 

   tls keypair "redmine.MY.DOMAIN.COM"
   # Preserve address headers
   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
   match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
   match request header append "X-Forwaded-By" value "$SERVER_ADDR:$SERVER_PORT"
   match request header set "Connection" value "close"
   match response header remove "Server"
}
relay "http" {
   listen on $egress port http
   protocol "http"
   forward to  port $httpd_port
}
relay "https" {
   listen on $egress port https tls
   protocol "https"
   forward to  port $httpd_port
   forward to  port $redminepk_port
}

$ grep relayd /etc/pf.conf
# Allow relayd(8) redirects
anchor "relayd/*"




On Fri, 12 Nov 2021 20:35:45 +0100
Radek  wrote:


Hello Werner,
thank you for your installation 

Re: libdmx removal incomplete?

2021-11-29 Thread Crystal Kolipe
On Mon, Nov 29, 2021 at 08:36:42AM +0100, Sebastien Marie wrote:
> On Sun, Nov 28, 2021 at 10:58:38PM -0700, Theo de Raadt wrote:
> >  (2) who don't recognize they can always reinstall and
> 
> Reinstalling means "choose the files you want to keep" vs "choose the
> files you want to remove". Both have pros and cons.

If you're in a situation where restoring configuration and user data
after a re-install, either of the same or a more recent OpenBSD version,
is a significant burden then you've already got a potential problem
looming in the background.

100% of our production machines and servers are updated to each new
OpenBSD version by re-install.  This includes compiling any and all
required ports from source.  I can't remember the last time any
particular machine required more than six hours, including time to
either image the main system disk or physically replace it with another
unit.

If you keep the OpenBSD installation separate from user data, i.e. on
a different physical disk, upgrade by re-installation becomes very
easy.  Just backup the entire installation to a partition on the user
data disk, and do a fresh install on the system disk.  Then mount the
backup that you just made, copy and manually update any custom
configuration that you had previously.

Since we build all of our packages from source, often with local
modifications to the makefiles, we tend to download the relevant source
files first and check that the custom builds complete successfully on a
scratch machine the day before we start the real updates.

This also has the advantage that we can easily downgrade back to a
clean install of a previous version if it ever became necessary for
testing or other reasons.