Note: this question is about the built-in OpenBSD http server named httpd and its configuration. It does not apply to any other web servers.
Is it possible to make runtime conditional configurations of the new OpenBSD http server httpd? A naïve example would be
    server "myserver.com" {
        if $REMOTE_ADDR == "127.0.0.1" block drop
    }
to disallow local access.
Another, perhaps more relevant and illuminating, example would be in the case I am implementing an interface to a remote service that runs from a specific place, then I would benefit from something like
    remote_service1_ip = "192.168.0.1"
    server "myserver.com" {
        location "/remote_service1_api/" {
            if $REMOTE_ADDR != $remote_service1_ip block drop
        }
    }
If this is possible, what is the correct way of doing it?
More generally – there are a number of predefined macros specified in the man-page of OpenBSD-httpd.conf as described in the block:
$DOCUMENT_URI
    The request path.
$QUERY_STRING
    The optional query string of the request.
$REMOTE_ADDR
    The IP address of the connected client.
$REMOTE_PORT
    The TCP source port of the connected client.
$REMOTE_USER
    The remote user for HTTP authentication.
$REQUEST_URI
    The request path and optional query string.
$SERVER_ADDR
    The configured IP address of the server.
$SERVER_PORT
    The configured TCP server port of the server.
$SERVER_NAME
    The name of the server.
%n
    The capture index n of a string that was captured by the enclosing location match option.
and I would like to know how to use them. Using $REMOTE_ADDR in a redirection context seems rather silly to me, and I guess there should be something else to use them for, but I can't find or understand any such use case in the documentation.
Best Answer
while httpd supports using patterns in the context of some keywords (alias match, location match, server match) the functionality you are looking for is not implemented in httpd.
i see two ways to realize your intentions:
openbsd-misc mailing list - one of the authors of httpd might pick you up there
pf to firewall. i do strongly recommend this way for various reasons including
httpd) does not have to take any load
IP) wide level - i.e. a flooding client may not connect to the ssh port
in my opinion, pf can be a very satisfying thing to learn.
besides, i suspect a possible answer to an according post on openbsd-misc to be similar to my recommendation :)
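
The pf route recommended in the answer, sketched as an added example that is not part of the original question or answer. pf filters on addresses and ports, not URL paths, so the sketch assumes the API is moved to its own httpd listener; port 8080 and the two-server layout are assumptions, while the server name, path and address come from the question.

```conf
# ---- /etc/httpd.conf (fragment) ----
# Public server: the API path is never answered on port 80.
server "myserver.com" {
	listen on * port 80
	location "/remote_service1_api/*" {
		block drop
	}
}

# Assumed layout: the API gets its own listener on port 8080 so that pf,
# which sees addresses and ports but not URL paths, can guard it.
server "myserver.com" {
	listen on * port 8080
	location "/remote_service1_api/*" {
		pass
	}
	location "*" {
		block drop
	}
}

# ---- /etc/pf.conf (fragment) ----
remote_service1_ip = "192.168.0.1"   # address taken from the question
api_port = "8080"                    # assumed port, must match httpd.conf

# Without "quick" the last matching rule wins: drop all traffic to the
# API port, then re-admit the single trusted client.
block drop in proto tcp to port $api_port
pass in proto tcp from $remote_service1_ip to port $api_port
```

Both files can be syntax-checked before reloading with `httpd -n` and `pfctl -nf /etc/pf.conf`.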