Re: httpd & pixelfed

2024-05-27 Thread Stuart Henderson
On 2024-05-27, Am Jam wrote:
>
> Most of what makes pixelfed work is located in /var/www/pixelfed/public,
> and hence pixelfed requires that the root directory be
> /var/www/pixelfed/public.
> So in /etc/httpd.conf I have the following lines:
> -   root "/pixelfed/public"
> -   directory index "index.php"
>
> However, for some bizarre reason, all the images are stored in
> /var/www/pixelfed/storage (note: *not* /var/www/pixelfed/public/storage).

Probably not bizarre. I expect they arrange things so that everything
under /var/www/pixelfed/public can be read-only (or at least not writable
by the user running the web server).

> And part of the pixelfed installation process includes creating the
> following symlink in /var/www/pixelfed:
> -   lrwxr-xr-x  1 root  www  37B May 27 12:15 storage@ ->
> /var/www/pixelfed/storage/app/public/
>
> That, unfortunately, is "outside" of the root directory specified in
> /etc/httpd.conf.

httpd is in a chroot jail so the absolute symlink won't work.

Either use a relative symlink for the above link, or set things up so
that /var/www still works inside the chroot -

mkdir /var/www/var; ln -s .. /var/www/var/www
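The chroot resolution Stuart describes, as an added example that is not part of the thread: a small POSIX sh resolver that follows a path the way a process jailed in /var/www would, run against a constructed copy of the pixelfed layout. It assumes the installer's link sits at pixelfed/public/storage, which is where a /storage/* request under root "/pixelfed/public" lands.

```shell
#!/bin/sh
# Added example, not from the thread.  Emulates how the kernel resolves a path
# for a process chrooted to JAIL (httpd lives in /var/www), to show why the
# installer's absolute symlink dangles inside the jail while a relative link,
# or the "mkdir /var/www/var; ln -s .. /var/www/var/www" trick, resolves.
# The tree built below is constructed test data; the link location
# pixelfed/public/storage is an assumption.

# chroot_resolve JAIL PATH [DEPTH]
# Prints the host path PATH leads to for a process whose root is JAIL.
# Symlinks are followed component by component; an absolute link target is
# re-rooted at JAIL, and ".." can never climb above JAIL.
chroot_resolve() {
    _root=${1%/}; _depth=${3:-0}; _cur=$_root
    if [ "$_depth" -gt 32 ]; then
        echo "chroot_resolve: too many levels of symbolic links" >&2
        return 1
    fi
    _oldifs=$IFS; IFS=/; set -f; set -- $2; set +f; IFS=$_oldifs
    for _comp in "$@"; do
        case $_comp in
        ""|.) continue ;;
        ..) [ "$_cur" = "$_root" ] || _cur=${_cur%/*}; continue ;;
        esac
        _cur=$_cur/$_comp
        if [ -L "$_cur" ]; then
            _target=$(readlink "$_cur") || return 1
            _dir=${_cur%/*}
            case $_target in
            # absolute target: "/" means the jail root, not the host root
            /*) _cur=$(chroot_resolve "$_root" "$_target" $((_depth + 1))) || return 1 ;;
            # relative target: resolved against the link's directory, inside the jail
            *)  _cur=$(chroot_resolve "$_root" "${_dir#"$_root"}/$_target" $((_depth + 1))) || return 1 ;;
            esac
        fi
    done
    printf '%s\n' "$_cur"
}

# chroot_check JAIL PATH
# Prints "ok <host path>" and returns 0 when PATH is reachable from inside the
# jail, "BROKEN <host path>" and returns 1 when it dangles.
chroot_check() {
    _host=$(chroot_resolve "$1" "$2") || return 2
    if [ -e "$_host" ]; then
        echo "ok $_host"
    else
        echo "BROKEN $_host"
        return 1
    fi
}

# Build a throw-away tree standing in for /var/www (the httpd chroot) with the
# layout from the thread; prints the jail path.  Constructed data, not a real install.
make_demo_jail() {
    _j=$(mktemp -d) || return 1
    mkdir -p "$_j/pixelfed/public" "$_j/pixelfed/storage/app/public"
    echo "jpeg bytes" > "$_j/pixelfed/storage/app/public/pic.jpg"
    # the installer's absolute link, exactly as the original post shows it
    ln -s /var/www/pixelfed/storage/app/public/ "$_j/pixelfed/public/storage"
    printf '%s\n' "$_j"
}

# Walk the three layouts from the thread on the constructed jail.
demo() {
    _j=$(make_demo_jail) || return 1
    echo "1. installer's absolute link, seen from inside the jail:"
    chroot_check "$_j" /pixelfed/public/storage/pic.jpg || :
    echo "2. make /var/www resolve inside the jail (mkdir var; ln -s .. var/www):"
    mkdir "$_j/var" && ln -s .. "$_j/var/www"
    chroot_check "$_j" /pixelfed/public/storage/pic.jpg
    echo "3. alternative: make the link itself relative:"
    rm -r "$_j/var"; rm "$_j/pixelfed/public/storage"
    ln -s ../storage/app/public "$_j/pixelfed/public/storage"
    chroot_check "$_j" /pixelfed/public/storage/pic.jpg
    rm -r "$_j"
}
demo || echo "demo failed" >&2
```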




Re: disk encryption for remote server

2024-05-27 Thread Abel Abraham Camarillo Ojeda
I keep a /crypt noauto partition that I mount manually by passphrase via
ssh after the server is booted.
And don't keep 'sensitive' info in other partitions...

On Mon, May 27, 2024 at 11:57 AM <04-psyche.tot...@icloud.com> wrote:

> Thanks all for your thoughts.
>
> Regarding the remote serial console access, unfortunately, it is not
> possible in my case.
> I do not have IPMI or something similar :(
>
> On Mon, 27 May 2024 at 08:17, Manuel Giraud <
> manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote:
>
>> Stefan Kreutz  writes:
>>
>> > Can you access the machine's serial console, maybe redirected over IP?
>>
>> I concur that a remote serial console access (maybe via a web interface
>> serviced by your provider) is your best option here.
>>
>> I used to do (almost) FDE without console access but here is a list of
>> drawbacks/requirements:
>>
>> - It is not really FDE because / was not encrypted
>>
>> - It required patching /etc/rc with the patch at the end of this
>>   message
>>
>> - The "/root/sshd" from this patch is a self-contained sshd
>>   without the need of any external library.  It is *not* a copy
>>   of /usr/sbin/sshd and you have to compile it yourself (and I
>>   don't remember how)
>>
>>
>> Best regards,
>> --
>> Manuel Giraud
>>
>


Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread deich...@placebonol.com
What did the packet capture look like during the DHCP request/response?

On May 27, 2024 10:56:19 AM MDT, Chris Narkiewicz  wrote:
>On Mon, May 27, 2024 at 03:06:04PM +0100, Zé Loff wrote:
>> On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
>> dhcpleased now handles this.  You can run it with -d and with one or
>> more "-v"s.  You can also use dhcpleasectl to request a new lease.
>
>I run dhcpleased -d -vvv and here is the output:
>
>state_transition[vio0] Down -> Rebooting, timo: 1
>DHCPREQUEST on vio0
>iface_timeout[1]: Rebooting
>state_transition[vio0] Rebooting -> Rebooting, timo: 2
>DHCPREQUEST on vio0
>iface_timeout[1]: Rebooting
>deleting AAA.BBB.CCC.DDD from vio0 (lease from 0.0.0.0)
>state_transition[vio0] Rebooting -> Init, timo: 1
>DHCPDISCOVER on vio0
>deconfigure_interface vio0
>iface_timeout[1]: Init
>state_transition[vio0] Init -> Init, timo: 2
>DHCPDISCOVER on vio0
>iface_timeout[1]: Init
>state_transition[vio0] Init -> Init, timo: 4
>
>and so on, so on, so on, timo: 8, 16, 32, 64...
>
>The weird thing is that AAA.BBB.CCC.DDD is the IP address
>I'm expecting to receive, but it's not listed in ifconfig vio0 output.
>
>Best regards,
>Chris Narkiewicz
>


Re: 7.5 install crashes on "entry point at 0x1001000" HP Elitebook 840 G10

2024-05-27 Thread Comète
Hi Aaron,

thanks for the idea. Booting the regular kernel as suggested has the same
result: it freezes on "entry point at 0x1001000" too.

Thanks a lot.

Comete

27 May 2024 04:48 "Aaron Mason" wrote:

> Hi
> 
> Can you try booting the regular kernel? You should be able to do it this way:
> 
> boot> /7.5/amd64/bsd
> 
> If it makes it past the stage where the install kernel fails, it'll
> panic at the lack of root, which is expected.
> 
> Might be a pointless move but it might help eliminate the install
> kernel as a variable.
> 
> On Fri, May 24, 2024 at 10:30 PM Comète  wrote:
> 
>> Thanks Sven,
>> 
>> I can't install OpenBSD because I get the error when trying to boot the
>> install image.
>> 
>> Comete
>> 
>> 24 May 2024 07:48 "Sven Wolf" wrote:
>> 
>> Hi,
>> 
>> I had a similar issue on a Lenovo V130.
>> For this machine I needed to remove the amdgpu driver in the kernel.
>> 
>> See also:
>> https://marc.info/?l=openbsd-misc&m=160232897421774&w=2
>> https://marc.info/?l=openbsd-tech&m=160383074317608&w=2
>> 
>> Do you get the error "entry point at 0x1001000" also with the bsd.rd kernel 
>> or only after you
>> installed the system with the bsd.mp/bsd.sp kernel?
>> 
>> Best regards,
>> Sven
>> 
>> On 5/23/24 22:40, Comète wrote:
>> 
>> Hello,
>> I tried to install OpenBSD 7.5 on a new HP Elitebook 840 G10 (UEFI capable 
>> only) without success.
>> It is stuck at boot on "entry point at 0x1001000".
>> Even retried after a BIOS upgrade but no luck either.
>> I tried with a snapshot install too with the same result.
>> I post here what lspci returns from a debian bookworm:
>> 00:00.0 Host bridge: Intel Corporation Device a706
>> 00:02.0 VGA compatible controller: Intel Corporation Raptor Lake-P [Iris Xe 
>> Graphics] (rev 04)
>> 00:04.0 Signal processing controller: Intel Corporation Raptor Lake Dynamic 
>> Platform and Thermal
>> Framework Processor Participant
>> 00:06.0 PCI bridge: Intel Corporation Raptor Lake PCIe 4.0 Graphics Port
>> 00:06.2 PCI bridge: Intel Corporation Device a73d
>> 00:07.0 PCI bridge: Intel Corporation Raptor Lake-P Thunderbolt 4 PCI 
>> Express Root Port
>> 00:07.2 PCI bridge: Intel Corporation Raptor Lake-P Thunderbolt 4 PCI 
>> Express Root Port
>> 00:08.0 System peripheral: Intel Corporation GNA Scoring Accelerator module
>> 00:0a.0 Signal processing controller: Intel Corporation Raptor Lake Crashlog 
>> and Telemetry (rev 01)
>> 00:0d.0 USB controller: Intel Corporation Raptor Lake-P Thunderbolt 4 USB 
>> Controller
>> 00:0d.2 USB controller: Intel Corporation Raptor Lake-P Thunderbolt 4 NHI
>> 00:0d.3 USB controller: Intel Corporation Raptor Lake-P Thunderbolt 4 NHI
>> 00:14.0 USB controller: Intel Corporation Alder Lake PCH USB 3.2 xHCI Host 
>> Controller (rev 01)
>> 00:14.2 RAM memory: Intel Corporation Alder Lake PCH Shared SRAM (rev 01)
>> 00:14.3 Network controller: Intel Corporation Raptor Lake PCH CNVi WiFi (rev 
>> 01)
>> 00:15.0 Serial bus controller: Intel Corporation Alder Lake PCH Serial IO 
>> I2C Controller #0 (rev
>> 01)
>> 00:16.0 Communication controller: Intel Corporation Alder Lake PCH HECI 
>> Controller (rev 01)
>> 00:16.3 Serial controller: Intel Corporation Alder Lake AMT SOL Redirection 
>> (rev 01)
>> 00:1c.0 PCI bridge: Intel Corporation Alder Lake PCH-P PCI Express Root Port 
>> #9 (rev 01)
>> 00:1e.0 Communication controller: Intel Corporation Alder Lake PCH UART #0 
>> (rev 01)
>> 00:1e.2 Serial bus controller: Intel Corporation Alder Lake SPI Controller 
>> (rev 01)
>> 00:1f.0 ISA bridge: Intel Corporation Raptor Lake LPC/eSPI Controller (rev 
>> 01)
>> 00:1f.3 Multimedia audio controller: Intel Corporation Raptor Lake-P/U/H 
>> cAVS (rev 01)
>> 00:1f.4 SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 
>> 01)
>> 00:1f.5 Serial bus controller: Intel Corporation Alder Lake-P PCH SPI 
>> Controller (rev 01)
>> 02:00.0 Non-Volatile memory controller: SK hynix BC901 NVMe Solid State 
>> Drive (DRAM-less) (rev 03)
>> 57:00.0 Wireless controller [0d40]: Intel Corporation XMM7560 LTE Advanced 
>> Pro Modem (rev 01)
>> Thanks for your help.
>> Comete
> 
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse



Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-27 Thread Vitaliy Makkoveev
npppd does not support replication

> On 27 May 2024, at 19:58, Radek  wrote:
> 
> Hello,
> I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm 
> trying to set up redundant IPSEC VPN on it.
> 
> - CARP + pfsync is working as expected - ca 1-2 pings lost at switchover.
> - sasyncd seems to work as expected  - flows and SADs are replicated between 
> nodes
> - isakmpd is running with "-S -K" on both nodes
> - IPSEC/npppd is working as expected on [krz75-MAS] - client can connect to 
> VPN node
> - IPSEC/npppd is working as expected on [krz75-SLA] (when running as master) 
> - client can connect to VPN node
> 
> Problem to solve:
> When I perform the switchover between nodes the "new master" doesn't pick up 
> the VPN sessions. Client needs to disconnect, to wait several dozen seconds 
> and then to reconnect to VPN at new master.
> 
> Can anybody help me out with making it work?
> Thanks!
> 
> Configs on both nodes are the same.
> 
> 
> May 27 17:37:22 krz75-SLA reorder_kernel: kernel relinking done
> May 27 17:37:28 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:38:00 krz75-SLA last message repeated 8 times
> May 27 17:40:03 krz75-SLA last message repeated 31 times
> May 27 17:42:46 krz75-SLA last message repeated 41 times
> May 27 17:42:49 krz75-SLA /bsd: carp100: state transition: BACKUP -> MASTER
> May 27 17:42:49 krz75-SLA /bsd: carp2: state transition: BACKUP -> MASTER
> May 27 17:42:50 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:42:52 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:42:52 krz75-SLA /bsd: carp0: state transition: BACKUP -> MASTER
> May 27 17:42:52 krz75-SLA isakmpd[98426]: conf_set_now: duplicate tag 
> [peer-10.0.15.11]:Refcount, ignoring...
> May 27 17:42:52 krz75-SLA isakmpd[98426]: message_recv: cleartext phase 2 
> message
> May 27 17:42:52 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11 
> port 500 due to notification type INVALID_FLAGS
> May 27 17:42:56 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:42:58 krz75-SLA /bsd: carp100: state transition: MASTER -> BACKUP
> May 27 17:42:58 krz75-SLA /bsd: carp2: state transition: MASTER -> BACKUP
> May 27 17:42:59 krz75-SLA isakmpd[98426]: message_recv: invalid cookie(s) 
> e0f66ed709fcf140 16c20619d6f11bf4
> May 27 17:42:59 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11 
> port 500 due to notification type INVALID_COOKIE
> May 27 17:42:59 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:42:59 krz75-SLA /bsd: carp0: state transition: MASTER -> BACKUP
> May 27 17:43:03 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:43:07 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:43:08 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0): 
> Network is unreachable
> May 27 17:43:11 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:43:15 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> May 27 17:43:19 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0): 
> Network is unreachable
> May 27 17:43:19 krz75-SLA isakmpd[98426]: transport_send_messages: giving up 
> on exchange peer-10.0.15.11, no response from peer 10.0.15.11:500
> May 27 17:43:19 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
> file or directory
> 
> [root@@krz75-MAS~:]ipsecctl -sa
> FLOWS:
> flow esp in proto udp from 10.0.15.11 port l2tp to 10.0.15.216 port l2tp peer 
> 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> flow esp out proto udp from 10.0.15.216 port l2tp to 10.0.15.11 port l2tp 
> peer 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> 
> SAD:
> esp transport from 10.0.15.11 to 10.0.15.216 spi 0x6df78c14 auth hmac-sha1 
> enc aes
> esp transport from 10.0.15.216 to 10.0.15.11 spi 0xabdcff29 auth hmac-sha1 
> enc aes
> 
> [root@@krz75-SLA~:]ipsecctl -sa
> FLOWS:
> flow esp in proto udp from 10.0.15.11 port l2tp to 10.0.15.216 port l2tp peer 
> 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> flow esp out proto udp from 10.0.15.216 port l2tp to 10.0.15.11 port l2tp 
> peer 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> 
> SAD:
> esp transport from 10.0.15.11 to 10.0.15.216 spi 0x6df78c14 auth hmac-sha1 
> enc aes
> esp transport from 10.0.15.216 to 10.0.15.11 spi 0xabdcff29 auth hmac-sha1 
> enc aes
> 
> 
> [root@@krz75-MAS~:]cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> # CARP
> net.inet.carp.allow=1 
> net.inet.carp.preempt=1  
> 
> [root@@krz75-SLA~:]cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> # CARP
> net.inet.carp.allow=1

Re: disk encryption for remote server

2024-05-27 Thread 04-psyche . totter
Thanks all for your thoughts.

Regarding the remote serial console access, unfortunately, it is not
possible in my case.
I do not have IPMI or something similar :(

On Mon, 27 May 2024 at 08:17, Manuel Giraud <
manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote:

> Stefan Kreutz  writes:
>
> > Can you access the machine's serial console, maybe redirected over IP?
>
> I concur that a remote serial console access (maybe via a web interface
> serviced by your provider) is your best option here.
>
> I used to do (almost) FDE without console access but here is a list of
> drawbacks/requirements:
>
> - It is not really FDE because / was not encrypted
>
> - It required patching /etc/rc with the patch at the end of this
>   message
>
> - The "/root/sshd" from this patch is a self-contained sshd
>   without the need of any external library.  It is *not* a copy
>   of /usr/sbin/sshd and you have to compile it yourself (and I
>   don't remember how)
>
>
> Best regards,
> --
> Manuel Giraud
>


Re: httpd & pixelfed

2024-05-27 Thread Rubén Llorente

Wild guess:

When a request is made against a picture in /storage/, it triggers the 
location not found * rule.


The rewritten request does never hit the location "/storage/*" rule 
because it now requests /index.php$something instead of any object 
within /storage.


Try placing a matching /storage rule before the location not found * 
rule and see what happens. This is where the rule belongs anyway, 
because specific rules ought to be placed before more generic rules.




Am Jam wrote:

Hi Everyone,

I am trying to install and run pixelfed (think of it as a self-hosted 
instagram alternative) on OpenBSD 7.5, but I am having a problem with my 
/etc/httpd.conf. Unfortunately, pixelfed's installation instructions 
only provide an nginx example. For those of you familiar with nextcloud, 
pixelfed is similar -- it's essentially a large php application that one 
can unpack under /var/www/.


I have chosen to "install" (i.e. unpack) pixelfed into 
/var/www/pixelfed. After chown -R www:www'ing the entire directory, 
everything "works" except for one critical part -- none of the images 
load, which, for an instagram alternative, is an issue :)


What works is everything else -- I can browse around, create a user, 
login, adjust my settings, and post images (which ultimately don't show 
up). Everything works except displaying images. This expands to more 
than just uploaded photos -- for example, the main page's header image 
won't load.


I believe I have pinpointed the issue, but I struggle to translate that 
into my /etc/httpd.conf.


Most of what makes pixelfed work is located in /var/www/pixelfed/public, 
and hence pixelfed requires that the root directory be 
/var/www/pixelfed/public.

So in /etc/httpd.conf I have the following lines:
-   root "/pixelfed/public"
-   directory index "index.php"

However, for some bizarre reason, all the images are stored in 
/var/www/pixelfed/storage (note: *not* /var/www/pixelfed/public/storage).
And part of the pixelfed installation process includes creating the 
following symlink in /var/www/pixelfed:
-   lrwxr-xr-x  1 root  www    37B May 27 12:15 storage@ -> 
/var/www/pixelfed/storage/app/public/


That, unfortunately, is "outside" of the root directory specified in 
/etc/httpd.conf.


My /etc/httpd.conf is below, and you can see that I have tried to re-set 
the root directory whenever someone navigates to "/storage/*", but it 
doesn't work. Does anyone know what I'm doing wrong?


P.S. -
Running the following makes all images work, but I hesitate to use this 
as a long-term solution:

-   cd /var/www/pixlfed/public
-   cp -a /var/www/pixelfed/storage /var/www/pixelfed/public/storage_blah
-   ln -s /var/www/pixelfed/public/storage_blah/app/public storage


Many Thanks.

/etc/httpd.conf:

server "www.domain.com" {
         listen on * tls port 443

         # acme-challenge TLS location
         location "/.well-known/acme-challenge/*" {
                 root "/acme"
                 request strip 2
         }

         # enable HTTP Strict Transport Security
         hsts {
                 preload
                 subdomains
                 max-age 15768000
         }

         tls {
                 certificate "/etc/ssl/domain.com.fullchain.pem"
                 key "/etc/ssl/private/domain.com.key"
         }

         # set logs
         log {
                 access "pixelfed-access.log"
                 error "pixelfed-error.log"
         }

         # set max upload size to 1G (in bytes)
         connection max request body 1048576000
         connection max requests 1000
         connection request timeout 3600
         connection timeout 3600

         root "/pixelfed/public"
         directory index "index.php"

         # works roughly like the `try_files` line of an nginx config
         location not found "*" {
                 request rewrite "/index.php?$QUERY_STRING"
                 fastcgi socket "/run/php-fpm.sock"
         }

         location "/storage/*" {
                 root "/pixelfed/storage/app/public"
                 fastcgi socket "/run/php-fpm.sock"
         }

         location "/*.php" {
                 fastcgi socket "/run/php-fpm.sock"
         }
  }





[7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-27 Thread Radek
Hello,
I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm trying 
to set up redundant IPSEC VPN on it.

- CARP + pfsync is working as expected - ca 1-2 pings lost at switchover.
- sasyncd seems to work as expected  - flows and SADs are replicated between 
nodes
- isakmpd is running with "-S -K" on both nodes
- IPSEC/npppd is working as expected on [krz75-MAS] - client can connect to VPN 
node
- IPSEC/npppd is working as expected on [krz75-SLA] (when running as master) - 
client can connect to VPN node

Problem to solve:
When I perform the switchover between nodes the "new master" doesn't pick up 
the VPN sessions. Client needs to disconnect, to wait several dozen seconds and 
then to reconnect to VPN at new master.

Can anybody help me out with making it work?
Thanks!

Configs on both nodes are the same.


May 27 17:37:22 krz75-SLA reorder_kernel: kernel relinking done
May 27 17:37:28 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:38:00 krz75-SLA last message repeated 8 times
May 27 17:40:03 krz75-SLA last message repeated 31 times
May 27 17:42:46 krz75-SLA last message repeated 41 times
May 27 17:42:49 krz75-SLA /bsd: carp100: state transition: BACKUP -> MASTER
May 27 17:42:49 krz75-SLA /bsd: carp2: state transition: BACKUP -> MASTER
May 27 17:42:50 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:42:52 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:42:52 krz75-SLA /bsd: carp0: state transition: BACKUP -> MASTER
May 27 17:42:52 krz75-SLA isakmpd[98426]: conf_set_now: duplicate tag 
[peer-10.0.15.11]:Refcount, ignoring...
May 27 17:42:52 krz75-SLA isakmpd[98426]: message_recv: cleartext phase 2 
message
May 27 17:42:52 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11 port 
500 due to notification type INVALID_FLAGS
May 27 17:42:56 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:42:58 krz75-SLA /bsd: carp100: state transition: MASTER -> BACKUP
May 27 17:42:58 krz75-SLA /bsd: carp2: state transition: MASTER -> BACKUP
May 27 17:42:59 krz75-SLA isakmpd[98426]: message_recv: invalid cookie(s) 
e0f66ed709fcf140 16c20619d6f11bf4
May 27 17:42:59 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11 port 
500 due to notification type INVALID_COOKIE
May 27 17:42:59 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:42:59 krz75-SLA /bsd: carp0: state transition: MASTER -> BACKUP
May 27 17:43:03 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:43:07 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:43:08 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0): 
Network is unreachable
May 27 17:43:11 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:43:15 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory
May 27 17:43:19 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0): 
Network is unreachable
May 27 17:43:19 krz75-SLA isakmpd[98426]: transport_send_messages: giving up on 
exchange peer-10.0.15.11, no response from peer 10.0.15.11:500
May 27 17:43:19 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No such 
file or directory

[root@@krz75-MAS~:]ipsecctl -sa
FLOWS:
flow esp in proto udp from 10.0.15.11 port l2tp to 10.0.15.216 port l2tp peer 
10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
flow esp out proto udp from 10.0.15.216 port l2tp to 10.0.15.11 port l2tp peer 
10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require

SAD:
esp transport from 10.0.15.11 to 10.0.15.216 spi 0x6df78c14 auth hmac-sha1 enc 
aes
esp transport from 10.0.15.216 to 10.0.15.11 spi 0xabdcff29 auth hmac-sha1 enc 
aes

[root@@krz75-SLA~:]ipsecctl -sa
FLOWS:
flow esp in proto udp from 10.0.15.11 port l2tp to 10.0.15.216 port l2tp peer 
10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
flow esp out proto udp from 10.0.15.216 port l2tp to 10.0.15.11 port l2tp peer 
10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require

SAD:
esp transport from 10.0.15.11 to 10.0.15.216 spi 0x6df78c14 auth hmac-sha1 enc 
aes
esp transport from 10.0.15.216 to 10.0.15.11 spi 0xabdcff29 auth hmac-sha1 enc 
aes


[root@@krz75-MAS~:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
# CARP
net.inet.carp.allow=1 
net.inet.carp.preempt=1  

[root@@krz75-SLA~:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
# CARP
net.inet.carp.allow=1  
net.inet.carp.preempt=1 

[root@@krz75-SLA~:]egrep -e ips -e sas -e isa /etc/rc.conf.local
ipsec=YES
ipsec_rules=/etc/ipsec.conf
isakmpd_flags="-S -K"
sasyncd_flags=

[root@@krz75-MAS~:]egrep -e ips -e sas -e isa /etc/rc.conf.local
ipsec=YES
ipsec_rules=/etc/ipsec.conf
isakmpd_flags="-S -K"
sasyncd_fl

Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Chris Narkiewicz
On Mon, May 27, 2024 at 03:06:04PM +0100, Zé Loff wrote:
> On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
> dhcpleased now handles this.  You can run it with -d and with one or
> more "-v"s.  You can also use dhcpleasectl to request a new lease.

I run dhcpleased -d -vvv and here is the output:

state_transition[vio0] Down -> Rebooting, timo: 1
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
state_transition[vio0] Rebooting -> Rebooting, timo: 2
DHCPREQUEST on vio0
iface_timeout[1]: Rebooting
deleting AAA.BBB.CCC.DDD from vio0 (lease from 0.0.0.0)
state_transition[vio0] Rebooting -> Init, timo: 1
DHCPDISCOVER on vio0
deconfigure_interface vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 2
DHCPDISCOVER on vio0
iface_timeout[1]: Init
state_transition[vio0] Init -> Init, timo: 4

and so on, so on, so on, timo: 8, 16, 32, 64...

The weird thing is that AAA.BBB.CCC.DDD is the IP address
I'm expecting to receive, but it's not listed in ifconfig vio0 output.

Best regards,
Chris Narkiewicz



httpd & pixelfed

2024-05-27 Thread Am Jam
Hi Everyone,

I am trying to install and run pixelfed (think of it as a self-hosted
instagram alternative) on OpenBSD 7.5, but I am having a problem with my
/etc/httpd.conf. Unfortunately, pixelfed's installation instructions only
provide an nginx example. For those of you familiar with nextcloud,
pixelfed is similar -- it's essentially a large php application that one
can unpack under /var/www/.

I have chosen to "install" (i.e. unpack) pixelfed into /var/www/pixelfed.
After chown -R www:www'ing the entire directory, everything "works" except
for one critical part -- none of the images load, which, for an instagram
alternative, is an issue :)

What works is everything else -- I can browse around, create a user, login,
adjust my settings, and post images (which ultimately don't show up).
Everything works except displaying images. This expands to more than just
uploaded photos -- for example, the main page's header image won't load.

I believe I have pinpointed the issue, but I struggle to translate that
into my /etc/httpd.conf.

Most of what makes pixelfed work is located in /var/www/pixelfed/public,
and hence pixelfed requires that the root directory be
/var/www/pixelfed/public.
So in /etc/httpd.conf I have the following lines:
-   root "/pixelfed/public"
-   directory index "index.php"

However, for some bizarre reason, all the images are stored in
/var/www/pixelfed/storage (note: *not* /var/www/pixelfed/public/storage).
And part of the pixelfed installation process includes creating the
following symlink in /var/www/pixelfed:
-   lrwxr-xr-x  1 root  www  37B May 27 12:15 storage@ ->
/var/www/pixelfed/storage/app/public/

That, unfortunately, is "outside" of the root directory specified in
/etc/httpd.conf.

My /etc/httpd.conf is below, and you can see that I have tried to re-set
the root directory whenever someone navigates to "/storage/*", but it
doesn't work. Does anyone know what I'm doing wrong?

P.S. -
Running the following makes all images work, but I hesitate to use this as
a long-term solution:
-   cd /var/www/pixlfed/public
-   cp -a /var/www/pixelfed/storage /var/www/pixelfed/public/storage_blah
-   ln -s /var/www/pixelfed/public/storage_blah/app/public storage


Many Thanks.

/etc/httpd.conf:

server "www.domain.com" {
        listen on * tls port 443

        # acme-challenge TLS location
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }

        # enable HTTP Strict Transport Security
        hsts {
                preload
                subdomains
                max-age 15768000
        }

        tls {
                certificate "/etc/ssl/domain.com.fullchain.pem"
                key "/etc/ssl/private/domain.com.key"
        }

        # set logs
        log {
                access "pixelfed-access.log"
                error "pixelfed-error.log"
        }

        # set max upload size to 1G (in bytes)
        connection max request body 1048576000
        connection max requests 1000
        connection request timeout 3600
        connection timeout 3600

        root "/pixelfed/public"
        directory index "index.php"

        # works roughly like the `try_files` line of an nginx config
        location not found "*" {
                request rewrite "/index.php?$QUERY_STRING"
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/storage/*" {
                root "/pixelfed/storage/app/public"
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
}


Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread deich...@placebonol.com
Besides the other comments I'd use tcpdump to see if there was any response 
from the DHCP server.

In addition, configuring the interface using the IP address assigned by DHCP is 
a really bad idea.  Someday that address could get assigned to a different 
system, and this will most likely occur when you least expect it.

Fixing a problem is always better than a bandaid solution.  

diana

On May 27, 2024 8:38:42 AM MDT, Souji Thenria  wrote:
>On Mon May 27, 2024 at 1:51 PM BST, Chris Narkiewicz wrote:
>> I have a netcup VPS and it crashed recently. After service restoration
>> and fsck, the system cannot obtain IPv4 using autoconf.
>> 
>> I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
>> doesn't show anything, as the functionality has been moved to
>> ifconfig.
>> 
>> ifconfig vio0 debug doesn't print anything.
>> 
>> Best regards,
>> Chris Narkiewicz
>
>Hi Chris,
>
>I had the same issue with one of my VPSs hosted at netcup after I
>rebooted it some weeks ago. It looked like the DHCP server did not
>respond.
>
>In the end, I assigned my IP address statically and removed the DHCP
>configuration.
>
>Regards,
>Souji
>


Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Souji Thenria

On Mon May 27, 2024 at 1:51 PM BST, Chris Narkiewicz wrote:

I have a netcup VPS and it crashed recently. After service restoration
and fsck, the system cannot obtain IPv4 using autoconf.

I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
doesn't show anything, as the functionality has been moved to
ifconfig.

ifconfig vio0 debug doesn't print anything.

Best regards,
Chris Narkiewicz


Hi Chris,

I had the same issue with one of my VPSs hosted at netcup after I
rebooted it some weeks ago. It looked like the DHCP server did not
respond.

In the end, I assigned my IP address statically and removed the DHCP
configuration.

Regards,
Souji



Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Zé Loff
On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
> I have a netcup VPS and it crashed recently. After service restoration
> and fsck, the system cannot obtain IPv4 using autoconf.
> 
> I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
> doesn't show anything, as the functionality has been moved to
> ifconfig.

dhcpleased now handles this.  You can run it with -d and with one or
more "-v"s.  You can also use dhcpleasectl to request a new lease.

> 
> ifconfig vio0 debug doesn't print anything.
> 
> Best regards,
> Chris Narkiewicz
> 




ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Chris Narkiewicz
I have a netcup VPS and it crashed recently. After service restoration
and fsck, the system cannot obtain IPv4 using autoconf.

I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
doesn't show anything, as the functionality has been moved to
ifconfig.

ifconfig vio0 debug doesn't print anything.

Best regards,
Chris Narkiewicz



Re: disk encryption for remote server

2024-05-27 Thread Manuel Giraud
Stefan Kreutz  writes:

> Can you access the machine's serial console, maybe redirected over IP?

I concur that a remote serial console access (maybe via a web interface
serviced by your provider) is your best option here.

I used to do (almost) FDE without console access but here is a list of
drawbacks/requirements:

- It is not really FDE because / was not encrypted

- It required patching /etc/rc with the patch at the end of this
  message
  
- The "/root/sshd" from this patch is a self-contained sshd
  without the need of any external library.  It is *not* a copy
  of /usr/sbin/sshd and you have to compile it yourself (and I
  don't remember how)

--- rc.orig	Wed Jul 27 15:23:24 2011
+++ /etc/rc	Thu Jul 28 15:28:28 2011
@@ -294,8 +294,18 @@
 		exit 1
 		;;
 	8)
-		echo "Automatic file system check failed; help!"
-		exit 1
+		echo "Automatic file system check failed; help (from outterspace)!"
+		ifconfig em0 a.b.c.d netmask 255.255.255.0
+		route -qn add default a.b.c.1
+		mount -uw /
+		/root/sshd -De \
+			-o PasswordAuthentication=no \
+			-o ChallengeResponseAuthentication=no \
+			-o UsePrivilegeSeparation=no \
+			-o UseDNS=no
+		mount -ur /
+		route -qn flush
+		ifconfig em0 down delete
 		;;
 	12)
 		echo "Boot interrupted."
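Review bot: the hunk drops the `exit 1` of the fsck-failed branch without adding any check on the emergency sshd, so if `/root/sshd -De` cannot start (the `a.b.c.d` / `a.b.c.1` placeholders not filled in, no `em0` on the box, the binary unavailable) the script simply runs `mount -ur /` and falls out of the case, and the boot continues as though the file system check had passed. Test the exit status of the sshd command and `exit 1` when it is non-zero, and consider leaving `-o UsePrivilegeSeparation` at its default: this listener runs as root on a machine that has just failed fsck, and privilege separation is the one layer limiting a pre-authentication bug in that self-built sshd.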

Best regards,
-- 
Manuel Giraud


Re: disk encryption for remote server

2024-05-27 Thread Ampie Niemand

On Sun, May 26, 2024 at 08:33:59PM +0100, 04-psyche.tot...@icloud.com wrote:

> Hi everyone,
> 
> Is there any way to use disk encryption without having physical access to the 
> device?

You could use a USB keydisk (make sure you, and your assistant on the 
remote server, have copious backup(s) of 
this!) as an encryption device, as per this document:

https://www.openbsd.org/faq/faq14.html#softraidFDE

Cheers
Ampie


> A few potential ideas:
> - is there a way to enter the encryption passphrase via ssh?
> - is there a way to create a non-encrypted partition on the same hard drive, 
> where the keydisk would be stored, and automatically used? (For various 
> reasons, an external usb key is not feasible). And yes, I realize this would 
> weaken the security significantly, but I'd still like to know if it's feasible?
> 
> My guess is that it's not possible, but I wanted to ask to make sure.
> 
> Cheers,
> Jake