Introducing OpenBSD's new httpd [pdf]

Apache was removed from base in 2014, but nginx was added to base in 2011.

Sysadmins had ~2 years to migrate from Apache to nginx (and if they didn't want to migrate, they could continue to use Apache from ports).

For nginx, they only had 6 months to migrate (though again, they can still use nginx from ports).

So no, they didn't have to migrate the http configuration twice a year, more like twice in 4 years, although, considering that OpenBSD only ever included into base 3 web servers, more like twice in 16 years.

That's correct. They are still available in the ports. If were operating a complex setup, you probably already used nginx from ports before.

Not being in the base means that it doesn't get the same security attention as its not officially part of OpenBSD anymore.

Those sysadmins could still use nginx from ports. That's what I did, and will continue to do until httpd gets SNI support. Nothing broke for anyone during this time.

Don't forget yet another hand-written HTTP parser, and the complete lack of a test suite.

On a more flamebaity note, I don't know why you'd even want to write something like this in C. Writing a server for one of the most prevalent network protocols on the Internet in C, in 2015, just seems like masochism. This code reinvents so many wheels for the 1000th time in C code history, it's just tiresome to read. C++ would've reduced and simplified the code substantially and there are a growing number of other fine choices these days.

I don't see anything wrong with that code.

There is nothing wrong with using the stack for what it was designed for.

The function names are self-explanatory.

The "style" might not be yours, but it doesn't make it bad.

And as described in the slides, it was derived from relayd.

Can you link to specific examples? I'm currently not taking your word for it. The file has comments. Maybe too few and too terse for you, but that isn't what you've said. Yes, some buffers are stack-allocated, but what's wrong with that? No unsafe functions are used to write to them. Discussing style, unless it's really terrible which is also not the case and moreover it is well documented (as OpenBSD KNF), is a waste of time.

This certainly is not how I would have written this code, but I will say it is very consistent in its implementation. That alone is extremely important and underrated, so kudos for that.

The code is based on their relayd, so that's why it has the 2006-2015 copyright

What's wrong with stack allocated buffers? They are faster (no malloc/free) and the stack is large enough to hold couple of KiB of data.

> The "new" is a bit off too, the copyright runs 2006-2015.

As the presentation says, it's based on relayd, so the code is not all new, a lot of it is reused.

OpenBSD has added support into libressl for privilege separated processes that hold SSL keys, any operation requiring the use of private keys such as the creation of session keys, and signing things are shuttled off via a small api to a separate process. This is somewhat analogous to what ssh-agent does for openssh clients.

OpenBSD's TLS private key consuming daemons have moved to this model or are in the process of doing so. This helps to mitigate the problem of access to process memory results in disclosed private keys, also the requirement of the daemon's user facing bits to have access to the keyfiles.

http://article.gmane.org/gmane.os.openbsd.cvs/139527/

At work, we run stud in a freebsd jail to handle SSL termination. It uses the haproxy proxy protocol (v1) to send the client IP to the http daemon.

Downsides include: Three sockets per client connection (this gets problematic around 1M client connections). Lack of information about the SSL negotiation in the http context. Stud doesn't have the typical graceful restart options that are typical with web servers.

On the plus side, stud is a lot less code than an http server, so its easier to modify things if you need to. I added sha-1/sha-2 cert switching for example. Would have been doable in an https server too, but a lot more to avoid.

I'm not into the specifics of https but i've been writing a lot of gateways for other protocols and it's never as easy as "just forward the message". Protocols some times have state that the proxy must be aware of and sometimes the forwarding is conditional which means that the proxy must understand both types of protocol and be able to act based on information in it. Say for example you want to block all requests to a specific resource, if your https server knows about this you might be able to reject the request before you decrypt everything of it.

Proxying typically loses a lot of information, like client address, client certificate info and so on. If you take care to make carry over everything transparently, it would more accurately be called privilege separation (ala sshd).

SNI, for example. If you're running multiple virtual hosts, the proxy would have to be aware of all of them. But yes, SSL termination is not uncommon, especially if you have a frontend/backend architecture.

We run exactly that setup. Apache on the front end proxying and doing SSL for a mish-mash of Java EE, .Net and native apache modules.

There's very little latency added, it allows centralised logging and TBH apache is a ton more reliable than anything else out there. Does about 2-3 million requests a day.

That's how plan9 does it. Ssl is a wrapper around whatever connection.

At least they added Comic Neue. I'm a bit disappointed that a project like OpenBSD that is so vocal about free software is promoting a proprietary font like Comic Sans MS.

I love these tiny easter eggs that the OpenBSD proyect leaves around and only Windows users will come across.

So much passive agressiveness in such a fun way!

In one of the comments on the "featuritis" tagged issues:

> I add the label "featuritis" to remind us of extra features (eg. ldap) that we reject now but might want to reinspect later.

So it's not that httpd will never be extended beyond the basics, but these issues are simply out of scope right now. I like that approach.

What is wrong with compressing static files?

More information: http://bsd.plumbing/about.html

In cases like this, turn to Qualys' SSL tester: https://www.ssllabs.com/ssltest/analyze.html?d=ezequiel-garz...

It shows your server as sending only one certificate, the one with "CN=ns.ezequiel-garzon.net". It's missing the next one in the chain, "CN=StartCom Class 1 Primary Intermediate Server CA". I don't know the configuration details for the server you're using, but many servers use a separate "chain" file for the intermediates; if that's the case, you should put the main certificate in one file and the "StartCom Class 1 Primary Intermediate Server CA" in the other file.

And why it works in some browsers? Notice that Qualys listed the intermediate as "Extra download"; some browsers can download the intermediate certificate directly from the CA's web server. Some browsers cache the intermediate certificates they've seen, so if you've visited a properly-configured server with the same intermediate before, the browser will use the copy from its cache. But it's not recommended to depend on this; you should always include all intermediates.

Works fine here. Where are you getting an error? Maybe that client doesn't have StartCom's root cert in its trust store.

According to man 5 httpd.conf[1] (via man 8 httpd), it's a PEM-encoded private key. The TLS section has further configuration options.

[1] - http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/...

Why bother with FastCGI? Why not just use reverse proxy HTTP instead? Why introduce yet another protocol when HTTP works fine?

I didn't write this, but I agree with it - https://ef.gy/fastcgi-is-pointless

relayd does reverse proxying in OpenBSD:

https://calomel.org/relayd.html

So there's no need for httpd to do it as well.

This is needed at least for PHP. Granted, PHP has a built-in web server, but it's really just for testing and not meant to be a replacement for fpm.

Maybe reverse proxying is coming up next, as well as HTTP2. But once again, the goal is not to have a full-featured server that can replace Nginx. Rather something small, simple and secure.

Why is it a bad choice? Why does it need reverse proxy functionality? Why not use some reverse proxy software (e.g. HAProxy) in order to follow the UNIX modular principle? I'm not trying to argue here, but rather trying to understand.

I believe relayd is mean to serve that purpose.