openbsd

Thoughts about programming and other things I want to share

I wanted a shell script to analyze my access logs from httpd. I found Bash Script to Parse and Analyze Nginx Access Logs from @ruanbekker, adopted it and modified it for httpd.

You can see

You can download the script here.

#!/bin/sh

LOGFILE="/var/www/logs/access.log"
RESPONSE_CODE="200"

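# Keep only requests answered with $RESPONSE_CODE. The status code is
# field 10, so compare that field instead of grepping the whole line
# (a bare grep for "200" also matches sizes, IPs and timestamps).
filters() {
awk -v code="$RESPONSE_CODE" '$10 == code' \
| grep -v "<UNKNOWN>" \
| grep -v "favicon.ico" \
| grep -v "logfile turned over"
}

# Print the status code of every request
filter_response_codes()
{
grep -v "<UNKNOWN>" \
| grep -v "logfile turned over" \
| awk '{print $10}'
}

# Keep only requests answered with 404 (status code is field 10)
filter_404_response() {
awk '$10 == "404"'
}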

ips() {
awk '{print $2}'
}

pages() {
awk '{print $8}'
}

domain() {
awk '{print $1}'
}

methods() {
awk '{print $7}' | cut -d'"' -f2
}

sort_count() {
sort | uniq -c
}

sort_desc() {
sort -rn
}

top_ten() {
head -10
}

sep() {
echo "=================================================="
}

##
# Actions
##
action_request_ips() {
	echo ""
	echo "Top requests from IPs"
	sep
	cat $LOGFILE \
		| filters \
		| ips \
		| sort_count \
		| sort_desc \
		| top_ten
	echo ""
}

action_request_methods() {
	echo ""
	echo "Count requests methods"
	sep
	cat $LOGFILE \
		| filters \
		| methods \
		| sort_count
	echo ""
}

action_pages() {
	echo ""
	echo "Top requested pages"
	sep
	cat $LOGFILE \
		| filters \
		| pages \
		| sort_count \
		| sort_desc \
		| top_ten
	echo ""
}

action_404() {
	echo ""
	echo "Top requests 404"
	sep
	cat $LOGFILE \
		| filter_404_response \
		| pages \
		| sort_count \
		| sort_desc \
		| top_ten
	echo ""
}

action_response_codes() {
	echo ""
	echo "Response code"
	sep
	cat $LOGFILE \
		| filter_response_codes \
		| sort_count \
		| sort_desc
	echo ""
}

action_request_ips
action_request_methods
action_response_codes
action_pages
action_404

Output

$ analyze_access_log

Top requests from IPs
==================================================
13 1.2.3.4
 8 1.2.3.5
 8 1.2.3.6
 4 1.2.3.7
 4 1.2.3.8
 2 1.2.3.9
 2 1.2.3.10
 2 1.2.3.11
 2 1.2.3.12
 2 1.2.3.13


Count requests methods
==================================================
1146 GET
  10 HEAD


Response code
==================================================
1190 200
 792 304
 615 301
  80 404
   8 400
   5 403
   1 405
   1 206
   1 0


Top requested pages
==================================================
 694 /atom.xml
 136 /
  92 /xxx
  46 /yyy
  23 /zzz
  20 /aaa
  17 /eee/fff
  16 /humans.txt
  14 /foo/bar
  12 /something/else


Top requests 404
==================================================
  61 /robots.txt
   5 /css_.php
   2 /admin
   2 /.git/config
   1 /wp-login.php?action=register
   1 /login
   1 /user/register
   1 /index.php?option=com_user%2526task=register
   1 /etc/passwd
   1 /console
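
An added example, not part of the original script: the 404 list above contains probes such as /.git/config and /wp-login.php, and this function ranks clients by how many distinct paths they requested that returned 404, using the same field positions as the script. The function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the post's script. Field positions match it:
# $2 = client IP, $8 = request path, $10 = status code.

# probing_clients MIN < access.log
# Prints "COUNT IP" for each client with at least MIN distinct 404 paths.
probing_clients() {
	awk -v min="$1" '
		/<UNKNOWN>/ || /logfile turned over/ { next }  # noise lines the post also drops
		$10 == "404" {
			path = $8
			sub(/\?.*/, "", path)          # /x?a=1 and /x?a=2 count as one path
			if (!(($2, path) in seen)) {
				seen[$2, path] = 1
				distinct[$2]++
			}
		}
		END {
			for (ip in distinct)
				if (distinct[ip] >= min + 0)
					print distinct[ip], ip
		}
	' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, made-up timestamps).
sample_log() {
	cat <<'EOF'
example.com 192.0.2.10 - - [10/Jun/2018:10:00:01 +0200] "GET /.git/config HTTP/1.1" 404 0
example.com 192.0.2.10 - - [10/Jun/2018:10:00:02 +0200] "GET /wp-login.php?action=register HTTP/1.1" 404 0
example.com 192.0.2.10 - - [10/Jun/2018:10:00:03 +0200] "GET /admin HTTP/1.1" 404 0
example.com 192.0.2.10 - - [10/Jun/2018:10:00:04 +0200] "GET /admin HTTP/1.1" 404 0
example.com 198.51.100.7 - - [10/Jun/2018:10:05:00 +0200] "GET /robots.txt HTTP/1.1" 404 0
example.com 198.51.100.7 - - [10/Jun/2018:11:05:00 +0200] "GET /robots.txt HTTP/1.1" 404 0
example.com 198.51.100.7 - - [10/Jun/2018:11:05:01 +0200] "GET / HTTP/1.1" 200 512
example.com 203.0.113.5 - - [10/Jun/2018:12:00:00 +0200] "GET /404.html HTTP/1.1" 200 404
EOF
}

sample_log | probing_clients 3
```

A crawler that keeps asking for a missing /robots.txt stays at one distinct path, while a client walking a list of well-known paths stands out.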


#openbsd #httpd #sh

Populate /etc/mail/aliases

echo "root: YOUR_LOCAL_USER" >> /etc/mail/aliases

That means that all emails sent to root are going to YOUR_LOCAL_USER.

If you want you can add some other aliases, like “contact” or “hi”.

echo "contact: YOUR_LOCAL_USER" >> /etc/mail/aliases
echo "hi: YOUR_LOCAL_USER" >> /etc/mail/aliases

After we add all our aliases it’s necessary to run newaliases.

newaliases
/etc/mail/aliases: 70 aliases

Now you should create an SSL certificate, as described in /acme-client-openbsd/, or use an existing one.

Now we can populate /etc/mail/smtpd.conf; replace example.com with your domain. All we want is to receive emails from others for local users and deliver them to the user’s mbox => /var/mail/YOUR_LOCAL_USER

table aliases file:/etc/mail/aliases

pki example.com key "/path/to/your/example.com.key"
pki example.com certificate "/path/to/your/example.com.crt"

listen on egress tls pki example.com
listen on egress port 587 hostname example.com tls-require pki example.com auth mask-source

accept from any for domain "example.com" alias <aliases> deliver to mbox
accept from any for local alias <aliases> deliver to mbox
accept from local for any relay

That’s it. OpenSMTPD listens on ports 25 and 587 and accepts encrypted connections. The key and certificate locations are configured with the pki keyword, and messages are delivered to the system mbox of the user (/var/mail/YOUR_LOCAL_USER).

Populate /etc/mail/mailname with your domain.

echo "example.com">/etc/mail/mailname

Now you can check your configuration with smtpd -n and, when everything looks ok, restart OpenSMTPD with rcctl restart smtpd

Check your OpenSMTPD server with telnet: telnet example.com 25

EHLO example.com
MAIL FROM: <from@somewhere.tld>
RCPT TO: <to@example.com>
DATA
Subject: This is just a test
<- blank line ->
This is a test :)
<- blank line ->
.
QUIT

If it says something like 250 2.0.0: 574eff74 Message accepted for delivery, congratulations, OpenSMTPD works.

#openbsd

Populate /etc/acme-client.conf and replace example.com with your domain

authority letsencrypt {
  api url "https://acme-v01.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
  api url "https://acme-staging.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain example.com {
  alternative names { example.com }
  domain key "/etc/ssl/private/example.com.key"
  domain certificate "/etc/ssl/example.com.crt"
  domain full chain certificate "/etc/ssl/example.com.pem"
  sign with letsencrypt
}

Create directories

mkdir -p -m 700 /etc/acme
mkdir -p -m 700 /etc/ssl/acme/private
mkdir -p -m 755 /var/www/acme

Populate /etc/httpd.conf

server "example.com" {
  listen on * port 80
  root "/htdocs/example.com"
  location "/.well-known/acme-challenge/*" {
    root { "/acme", strip 2 }
  }
}

Check the configuration and restart httpd

httpd -n

When everything looks ok, restart httpd

rcctl restart httpd

Run the acme-client

acme-client -vAD example.com

Now enable HTTPS and restart httpd

Populate /etc/httpd.conf and add a new server section for HTTPS

server "example.com" {
  listen on * tls port 443
  root "/htdocs/example.com"
  tls {
    certificate "/etc/ssl/example.com.pem"
    key "/etc/ssl/private/example.com.key"
  }
  location "/.well-known/acme-challenge/*" {
    root { "/acme", strip 2 }
  }
}

Check the configuration with httpd -n and restart httpd with rcctl restart httpd

Now you should reach your website over HTTPS

#openbsd

OpenBSD comes with a built-in webserver called httpd, written by Reyk Flöter.

So that means in contrast to most Linux distributions, this is not a rebranded version of the Apache webserver. Instead, it’s a very basic webserver.

The idea behind this is very much in line with the larger OpenBSD philosophy that security is top priority and performance may take a hit in achieving that.

Basic configuration

Populate /etc/httpd.conf and replace example.com with your domain

server "example.com" {
  listen on * port 80
  root "/htdocs/example.com"
}

The httpd daemon is chrooted to /var/www by default. So `/htdocs/example.com` means `/var/www/htdocs/example.com` here.

That’s the whole configuration you need. Now we create our document root on the filesystem and add a simple index.html placeholder.

mkdir -p /var/www/htdocs/example.com
echo "Hello World from OpenBSD 6.3" > /var/www/htdocs/example.com/index.html

You can check your configuration with

httpd -n

When everything looks good, we can enable (start on boot) and start httpd

rcctl enable httpd
rcctl start httpd

Now you should be able to reach your website via your IP address. This is a very basic configuration for serving static content; you can read more about it in the manpage HTTPD.CONF(5). If you like, you can configure HTTPS with Let’s Encrypt now.

#openbsd

Create a new instance and select OpenBSD 6.3 as the operating system. After a minute you can log in to your new instance over ssh.

First we set the installurl and then we should patch the machine with syspatch.

The /etc/installurl file contains a single line specifying an OpenBSD mirror server URL. syspatch is a utility to fetch, verify, install and revert OpenBSD binary patches.

echo 'https://fastly.cdn.openbsd.org/pub/OpenBSD' > /etc/installurl && syspatch

Now we add a new user to the system with adduser and then add them to /etc/doas.conf.

With doas, we can execute commands as another user, for example as root.

echo "permit YOUR_NEW_USER" > /etc/doas.conf

Add an ssh key for your new user. Open a terminal on your local machine and execute

ssh-copy-id -i path/to/your/public.key YOUR_NEW_USER@server

Switch back to your OpenBSD instance and edit the ssh daemon configuration in /etc/ssh/sshd_config.

We don’t allow login over ssh as root

PermitRootLogin no

We disable login with password over ssh

PasswordAuthentication no

Now check the configuration with sshd -t and restart the ssh daemon with rcctl restart sshd. You should now be able to log in as YOUR_NEW_USER over ssh without a password. If it works, close your root connection and switch to YOUR_NEW_USER.
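
An added example, not from the original post: sshd uses the first value it reads for each keyword, so a PasswordAuthentication no line placed below an existing uncommented PasswordAuthentication yes has no effect. This check reads only the global section of a config file (before any Match block); the function names and the sample config are made up for illustration.

```sh
#!/bin/sh
# Added example: sshd keeps the FIRST value it reads for a keyword.

# sshd_global_value FILE KEYWORD
# Prints the value set for KEYWORD before the first Match block, or nothing.
sshd_global_value() {
	awk -v key="$2" '
		{
			line = $0
			sub(/^[ \t]+/, "", line)
			if (line == "" || line ~ /^#/) next      # blank line or comment
			split(line, f, /[ \t=]+/)
			k = tolower(f[1])                        # keywords are case-insensitive
			if (k == "match") exit                   # global section ends here
			if (k == tolower(key)) { print f[2]; exit }
		}
	' "$1"
}

# check_ssh_hardening FILE: returns 0 only if both settings are "no".
check_ssh_hardening() {
	rc=0
	for want in "PermitRootLogin no" "PasswordAuthentication no"; do
		key=${want% *} val=${want#* }
		got=$(sshd_global_value "$1" "$key")
		if [ "$got" = "$val" ]; then
			echo "ok   $key $got"
		else
			echo "FAIL $key is '${got:-unset}', expected '$val'"
			rc=1
		fi
	done
	return "$rc"
}

# Constructed sample: the appended "no" is shadowed by the earlier "yes".
shadowed_sample() {
	cat <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
EOF
}

tmp=$(mktemp)
shadowed_sample > "$tmp"
check_ssh_hardening "$tmp" || echo "sshd_config needs fixing"
rm -f "$tmp"
```

On the server itself, sshd -T prints the effective configuration and remains the authoritative check.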

We need to set some network information. You can find all information on my vultr

Populate the /etc/mygate file with your gateway

echo YOUR_GATEWAY > /etc/mygate

Populate /etc/hostname.vio0 with following text

inet YOUR_INSTANCE_IP 255.255.254.0 NONE
inet6 autoconf -autoconfprivacy -soii

Populate /etc/resolv.conf with following text

nameserver 108.61.10.10
lookup file bind

That’s it. Now we have a running OpenBSD 6.3 instance on vultr. Maybe you want to configure a webserver now.

#openbsd