sometimes, you wanna restrict access to a webserver based on ip addresses. here a little howto.

Update nginx Config for your vhost

and forward temporary/permanent to a sorry host.

--->8- snip -8<---

    location / {
      allow 192.0.2.0/24;
      allow 2001:db8::/32;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

or move the ip’s to a dedicated file and include it here …

--->8- snip -8<---

    location / {
      include incl/admin_ip.txt;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

Admin IP’s

cat ../incl/admin_ip.txt

Little Test with HTMX & Nginx

recently, i saw the Keynote - “Full-Stack Python” (Andy “Pandy” Knight) and i read an article about html & websockets. So I thought why not give it a try?

Preview

Requirements

the usual stuff:

• Virtual Machine (here: OpenBSD VM)
• FQDN Pointing to your Box
• SSL Cert

Webroot

on your webserver, create a new webroot wherever you have your pages located.

su - webmaster
mkdir -p /var/www/virtual/your.page.de
cd /var/www/virtual/your.page.de/

main.py

the main part of the python code …

Flask & JWT

getting your hands dirty with Flask and JWT

Source

• https://dev.to/grahammorby/jwt-auth-in-flask-python-18i4

with some modifications by myself …

Environment

Test under macOS & OpenBSD, Poetry installed and working

Script

build virtual env

export app="app100"
export FLASK_APP="${app}/app"
poetry new ${app}
cd ${app}

set python 3.10

poetry env use $(which python3.10)
gsed -i "s/python = \"^3.*$/python = \"^3.10\"/" pyproject.toml
poetry lock

add packages

wget -4 -O requirements.txt https://raw.githubusercontent.com/GrahamMorbyDev/jwt-flask/master/requirements.txt
echo "marshmallow-sqlalchemy" >> requirements.txt
poetry add $(awk -F '==' '!/sha256/{print $1}' requirements.txt |tr '\n' ' ')
wget -4 -O ${app}/app.py https://raw.githubusercontent.com/GrahamMorbyDev/jwt-flask/master/app.py
poetry shell

create db

How to enable Logging with Headers for Nginx

Assuming you have a running setup and you want to enable logging with headers for debug and learning purposes ?

Add Lua

doas pkg_add nginx-lua--

and you get …

doas pkg_info -L nginx-lua--
Information for inst:nginx-lua-1.20.1p0

Files:
/var/www/modules/ndk_http_module.so
/var/www/modules/ngx_http_lua_module.so

Enable Modules in /etc/nginx/nginx.conf

add two lines on Top

load_module "modules/ndk_http_module.so";
load_module "modules/ngx_http_lua_module.so";

Enhance Logging

add the following to the “http” Section

log_format log_req_resp   '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          '$request_time req_header:"$req_header" '
                          'resp_header:"$resp_header"';

Enable Logging

add the following lines to your virtual Host Section

Assuming you have a Website with some higher load, higher demand for availability, or both of them. You can do the following:

• Duplicate your Webserver (and the Content of Course) as much as you need
• Put a Loadbalancer in Front the Webserver, best in Combination with a Firewall Ruleset
• Terminate TLS on the Loadbalancer once, or on each Webserver directly. Whatever you prefer.
• You can also double the Loadbalancer with two Boxes the get redundancy on this level.

Network Diagram

                   +----------------+
                   |       www      |
                   +--------+-------+
                            |
                   +--------+--------+
                   | 136.244.113.129 | vio0
                   |  Loadbalancer   |
                   |   10.24.96.3    | vio1
                   +--------+--------+
                            |
        +---------------------------------------+
        |                   |                   |
        |                   |                   |
+-------+-------+  +--------+-------+  +--------+-------+
|     www1      |  |      www2      |  |      www3      |
|  10.24.96.4   |  |   10.24.96.5   |  |   10.24.96.6   |
+---------------+  +----------------+  +----------------+

Config Web1 - 3

You can run any Kind of Webserver you want. Apache, Nginx, Httpd, … here is the Config for Nginx on OpenBSD.

Install NGINX & PHP

pkg_add nginx php--%7.4
rcctl enable nginx php74_fpm

Edit php.ini

sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/'  /etc/php-7.4.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/'  /etc/php-7.4.ini

Stop 7.3 & Start 7.4

rcctl stop php73_fpm
rcctl restart nginx php74_fpm

Uninstall PHP 7.3

pkg_del php--%7.3
pkg_del -a

sha256: 850d0140d76843ff867fcf764ff3313d19cf8d967c611e180b6a264e7bc274c4

… and you thought that cgi is dead …

nginx.conf

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes  1;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;
    access_log  syslog:server=unix:/dev/log,severity=notice main;

    keepalive_timeout  65;

    server_tokens off;

    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        root         /var/www/htdocs;

        # FastCGI to CGI wrapper server
        #
        location /cgi-bin/ {
            #error_log     /var/log/slowcgi/errors;
            fastcgi_pass   unix:run/slowcgi.sock;
            fastcgi_split_path_info ^(/cgi-bin/[^/]+)(.*);
            fastcgi_param  PATH_INFO $fastcgi_path_info;
            include        fastcgi_params;
        }
    }
}
'EOF'

chmod 644 /etc/nginx/nginx.conf
rcctl enable nginx
rcctl start nginx

Slowcgi

rcctl enable slowcgi
rcctl start slowcgi

CGI

cat << 'EOF' > /var/www/cgi-bin/test.cgi
#!/bin/sh

echo "Content-type: text/html\n\n";
echo "<HTML>\n";
echo "<HEAD>\n";
echo "  <title>Ich bin ein Titel :)</title>\n";
echo "</HEAD>\n";
echo "Test from /bin/sh ..!\n";
echo "</HTML>\n";
EOF

chown www /var/www/cgi-bin/test.cgi
chmod 500 /var/www/cgi-bin/test.cgi

Install Interpreter (Chrooted !)

mkdir /var/www/bin/
cp /bin/sh /var/www/bin/

Test

curl http://ip-of-device/cgi-bin/test.cgi

Troubleshoot

chroot /var/www/ cgi-bin/test.cgi

sha256: cb939fe359ec8b8611392b03c702d42de819c4a51b81c120a70fe4a8d7ff6770

Install NGINX & PHP

pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm

Edit php.ini

sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/'  /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/'  /etc/php-7.3.ini

nginx.conf

mkdir /var/log/nginx

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes  1;

worker_rlimit_nofile 1024;

events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.php index.html index.htm;

    keepalive_timeout  65;

    server_tokens off;

    proxy_cache_valid any 0s;

    log_format  main  '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';

    map $ssl_client_serial $ssl_access {
      default 0;
      WFuDgzQBZXV740D3 1;   # Hans Muster
      EDugUslEX1Et90WX 0;   # Beat Breu
      2DF3C663741296F5 1;   # Ruedi Ruessel
    }
    #
    # HTTP -> Redirect to HTTPS
    #
    server {
        listen        80;
        server_name   localhost;
        access_log    logs/host.access.log  main;
        return 301    https://$host$request_uri;
    }
    #
    # HTTPS server
    #
    server {
        listen        443 ssl;
        server_name   localhost;
        access_log    /var/log/nginx/puffy205.log main;
        error_log     /var/log/nginx/puffy205-error.log;

        ssl_certificate             /etc/ssl/combo/host.crt;
        ssl_certificate_key         /etc/ssl/combo/host.crt;
        ssl_session_timeout         5m;
        ssl_session_cache           shared:SSL:1m;
        ssl_ciphers                 HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate      /etc/ssl/combo/root.crt;
        ssl_verify_client           optional;

        root                        /var/www/htdocs;

        location / {
          # Block if no Cert
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          # Block if not whitelisted
          if ($ssl_access = 0) {
            return 403;
          }
        }

        location ~ \.php$ {
          try_files      $uri $uri/ =404;
          fastcgi_pass   unix:run/php-fpm.sock;
          fastcgi_index  index.php;
          fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param  SSL_CLIENT_SERIAL $ssl_client_serial;
          include        fastcgi_params;
        }
    }
}
EOF

Root Cert, Server Cert

mkdir -p /etc/ssl/combo/
cat << 'EOF' > /etc/ssl/combo/host.crt
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIIaGXwEvomrIYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0yMDA0MDIxNTE1
MDBaFw0yMjA2MTExNTE1MDBaMGIxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxGDAW
BgNVBAMTD3B1ZmZ5MjA1LnBsYW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKiWF3qZvvXDPxuwhMHE3WDIQIJvRPKmBQQsEnnn598tD+W7aeSgvnZ3
Oel3n4WRl6syNF3CLPo3EbMy8VgZrCOul8Uvjro9WLZeL7tG5CndRFZu9Erzq2Ic
KodQGxEc3jC3UxFypr4OuUAigrlWi5dRp3dhzP4/xqQ42c1axPoI/YDzIdw5O6WZ
QWZf0YfsAIbbkw3YymLBoZQxyBmhasaU6xBnIAMLuYA6IVqz3QoGHxDr8bij34y5
TRb0575TzTdAtmWhN3GE+xGOJ/KPQ6MZjaA9oz15bMVuVg1uZgUXE5K22kx6eZLk
ejhV4nxnokftPJBZfaC9LbX661B9GTUCAwEAAaOBqzCBqDAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT9D1+1pNUT3SuAfeptzaeszgUivTALBgNVHQ8EBAMCBeAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IPcHVmZnkyMDUucGxhbmV0gghw
dWZmeTIwNTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBj
ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAKfRir/cZkKdeoDWV5qN3NNw/
AWNJZjkA6KvFwuXjvMR00/vlaqTuOOBKEU5CtxnHDKhfpkjSnX7ynoJXoAQYkNag
3reSKkFZ1TX1yz/Pf/f8YLbiA3e1hx9E0E5gAENtYB6vkZh5quhRnqsHSJpJP6H6
IYaZLh7w4+RL5qvQmN1tlyKwInrJmY6jsLPhALUDFQewDPJDla/iJ6ivlHsvCtMC
MA/slsJ2iWaHbAIzCXZyBeJHR949zJvja0jJPJHVDknsKypO9WEeMclaSoY1AfVI
dGg5W8ahwxuwX2e3ygbORoG0R1Qoeqdp8+VRvOpxM4R97NPtkEq/XPgrtWnoyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqJYXepm+9cM/G7CEwcTdYMhAgm9E8qYFBCwSeefn3y0P5btp
...
AsoXCZvnbPzWsP8M2JokEngD0201NZN8/aBuDi0+aF1b3xA1vtKumdM=
-----END RSA PRIVATE KEY-----
EOF
chmod 440 /etc/ssl/combo/host.crt

cat << 'EOF' > /etc/ssl/combo/root.crt
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIIe1F3tBzaragwDQYJKoZIhvcNAQEMBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0xOTA2MDUyMDA0
MDBaFw0yOTA2MDUyMDA0MDBaMFoxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxEDAO
BgNVBAMTB3Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
kBixlR0b3tE7Db6CuFTYeKdSGbnLx2Df8zir0ueFlv6JX5rLgbWbb5rMnWOH1O1N
AmCbuh0CrXD1evl1Glyf3hmumIvW4GVfWcQNvBsq1iUfoJn24qGnTu502xX1Gv5F
TCOxq2HqdLEwsktl2Pn76/49quj1PlBSSpYLWBsvqj1NkNIXgMzUjBURF+fEtRby
SE5RLbw+fubAw1e9K3Xu5VLgItno3g9t2B4MKTApsCZsOR288kedrAUxFhyB2pD/
6L9sbyM1h5r+EMjAzyeTeUKtXXqC+AyLthkw3eB58UY/QxpoNiggQY+5yd57yzxK
Ox1QHh+kj2+8eK5b3+pFAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8FFqfTRx/lTT0qfF/tEknHS7LSMAsGA1UdDwQEAwIBBjARBglghkgBhvhC
AQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG
9w0BAQwFAAOCAQEATzFY8H0EX+yFWEgRtGNciIp0WsQ53cjRnNxdkDsW+W2gB+cs
QdS2LBoWts5jLHXrZstJAoy1qyEhqyYvXFMf4SsfKsrXfli7fgod5figyVjhmz41
6v/Ss668kyjWOYkY3CYqPTJolxDuIpMIq/AMGurlcf6oTDdP/FPs4nvdGed16Qjp
849n7r+ugQKrbDC4VpDXcZECXlQjI3QgUeXKqly0LXcwqFXqC3+m1O6YTwyIFrLy
8ZyWjAKN4NdKd88eiczvEj3uQVXhqkbmiEyp3q5jsXcQLzblJ0aCABqppvGLgASq
Z9QeBLjqhJ3DIcgKcHqJsox+xKrDLtIvgYmaOg==
-----END CERTIFICATE-----
EOF
chmod 440 /etc/ssl/combo/root.crt

index.php

cat << 'EOF' > /var/www/htdocs/index.php
Hi <?
  $array = [
    "WFuDgzQBZXV740D3" => "Hans Muster",
    "EDugUslEX1Et90WX" => "Beat Breu",
    "2DF3C663741296F5" => "Ruedi Ruessel"
  ];
  echo $array[$_SERVER['SSL_CLIENT_SERIAL']];
?>, your Certificat Serial Number is
<?
  echo $_SERVER['SSL_CLIENT_SERIAL'];
?>
EOF

Start all stuff

rcctl restart nginx php73_fpm

Open Webpage:

puffy205

Requirement

• Webserver http
• Webserver https
• Protected Folder https://egal.com/protected with Client Certificate

/etc/httpd.conf

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "*" {
  listen on * port 8080
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

/etc/nginx/nginx.conf

# Take note of http://wiki.nginx.org/Pitfalls

#user  www;
worker_processes  1;

#load_module "modules/ngx_stream_module.so";

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  syslog:server=unix:/dev/log,severity=notice;

#pid        logs/nginx.pid;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    #access_log  logs/access.log  main;

    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server_tokens off;

    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        root         /var/www/htdocs;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /var/www/htdocs;
        }
    }


    # HTTPS server
    server {
        listen       443 ssl;
        server_name  localhost;
        root         /var/www/htdocs;

        ssl_certificate      /etc/ssl/puffy201.planet.crt;
        ssl_certificate_key  /etc/ssl/private/puffy201.planet.key;

        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;

        ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate /etc/ssl/root_ca.crt;
        ssl_verify_client optional;


    location /secure
    {
        if ($ssl_client_verify != SUCCESS) {
             return 403;
        }

        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
    }

    location /
    {
        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
      }
    }
}

sha256: 66399e64ba490e0bdaa65dac27a679891a89c1a99ae57055b73fb3839cb2ee76