OpenBSD httpd.conf conditionals

Tags: http, openbsd, openbsd-httpd, webserver

Note: this question is about the built-in OpenBSD http server named httpd and its configuration. It does not apply to any other web servers.

Is it possible to make runtime conditional configurations of the new OpenBSD http server httpd? A naïve example would be

server "myserver.com" {
  if $REMOTE_ADDR == "127.0.0.1" block drop
}

to disallow local access.

Another, perhaps more relevant and illuminating, example: in the case where I am implementing an interface to a remote service that runs from a specific place, I would benefit from something like

remote_service1_ip = "192.168.0.1"
server "myserver.com" {
  location "/remote_service1_api/" {
    if $REMOTE_ADDR != $remote_service1_ip block drop
  }
}

If this is possible, what is the correct way of doing it?

More generally – there are a number of predefined macros specified in the man page of OpenBSD's httpd.conf, as described in the block:

$DOCUMENT_URI
    The request path.
$QUERY_STRING
    The optional query string of the request.
$REMOTE_ADDR
    The IP address of the connected client.
$REMOTE_PORT
    The TCP source port of the connected client.
$REMOTE_USER
    The remote user for HTTP authentication.
$REQUEST_URI
    The request path and optional query string.
$SERVER_ADDR
    The configured IP address of the server.
$SERVER_PORT
    The configured TCP server port of the server.
$SERVER_NAME
    The name of the server.
%n
    The capture index n of a string that was captured by the enclosing location match option.

and I would like to know how to use them. Using $REMOTE_ADDR in a redirection context seems rather silly to me, and I guess there should be something else to use them for, but I can't find or understand any such use case in the documentation.

Best Answer

while httpd supports using patterns in the context of some keywords (alias match, location match, server match) the functionality you are looking for is not implemented in httpd.

i see two ways to realize your intentions:

  1. crosspost on the openbsd-misc mailing list - one of the authors of httpd might pick you up there
  2. use pf to firewall. i do strongly recommend this way for various reasons including
    • higher grade of protection against denial-of-service types of attacks as the application (httpd) does not have to take any load
    • packets from clients can be inspected and blocked on a global (IP) wide level - i.e. a flooding client may not connect to the ssh port

in my opinion, pf can be a very satisfying thing to learn.

besides, i suspect a possible answer to an according post on openbsd-misc to be similar to my recommendation :)
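As an added example (not part of the answer above), this pf.conf fragment shows what the answer's recommendation looks like for the two cases in the question; the interface name em0 and the separate port 8080 for the API listener are assumptions, since pf filters whole connections and cannot see URL paths the way a httpd location block can.

```pf
# Added example, not from the question or the answer.
# Assumptions: external interface "em0", httpd serves the site on port 80 and
# the /remote_service1_api/ content on a second listener on port 8080.
ext_if = "em0"
remote_service1_ip = "192.168.0.1"
api_port = "8080"

# pf does not filter loopback by default, so packets from 127.0.0.1 to httpd
# are never seen here. To block local access at this layer, drop the skip
# line and filter lo0 explicitly, e.g.:
#   pass on lo0
#   block return in quick on lo0 proto tcp to port 80
set skip on lo

# Default deny for both httpd listeners; the packets are rejected before
# httpd has to spend any work on them.
block return in on $ext_if proto tcp to port { 80, $api_port }

# Public site: anyone may connect.
pass in on $ext_if proto tcp to port 80

# API listener: only the remote service's address may connect.
pass in on $ext_if proto tcp from $remote_service1_ip to port $api_port
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the API restriction only holds if httpd really serves that location on its own port, because a rule cannot distinguish one path from another on port 80.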
