
I am writing a static webpage on an OpenBSD VM (here called example.com). When I access the server by its domain name over HTTP I get httpd's 403 page, and when I use telnet example.com 80 I get

Date: Tue, 12 Jul 2022 01:07:01 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 498

followed by some HTML of the site, and curl -I example.com returns HTTP/1.0 403 Forbidden... Connection: close. I assume it has something to do with my pf.conf, so here it is:

#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

IP4 = "10.0.0.1"
IP6 = "2001:db8::/80"
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
Flush = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload <abuse> flush global)"
block all
set skip on lo

set block-policy drop
set loginterface vio0
set syncookies adaptive (start 25%, end 12%)
table <abuse> persist file "/etc/pf/abuse"

block in log quick from <abuse>
pass in log quick proto udp to {$IP4 $IP6} port {domain, isakmp, ntp, ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
pass in on vio0 inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets
pass in on vio0 inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (MTU)
pass in log quick on vio0 proto ipv6-icmp $FlushUDP
match in all scrub (no-df random-id max-mss 1440)
#came with the server
block return out log proto {tcp, udp} user _pbuild
block return in on ! lo0 proto tcp to port 6000:6010
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#tcp rules
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port {gopher www http https} $Flush
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697} $Flush  #consider adding more ports
pass in on vio0 log quick proto tcp to {$IP4 $IP6} port 1337 $Flush #bouncer

#my own rules
block in quick on vio0 proto tcp from any os {"Mac OS", NMAP}
#pass in on egress proto tcp from any to egress port { www, https, 6667, 6697, git} synproxy state
#block in quick on egress proto {tcp, udp, icmp} from any to any modulate state (if-bound)
antispoof for vio0 inet
antispoof for vio0 inet6
block return    # block stateless traffic
pass            # establish keep-state

The contents of /etc/pf/abuse:

127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
224.0.0.0/3
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24

And here is /etc/httpd.conf:

types { include "/usr/share/misc/mime.types" }

server "example.com" {
        alias "www.example.com"
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/htdocs/example.com"
                request strip 2
        }
}

hostname.vio0 contains inet autoconf & inet6 2a03:6000:6e64:618::221 64 on separate lines, mygate contains 2a03:6000:6e64:618::1 (so only the ipv6 address of a router), and resolv.conf contains nameserver [IP ADDRESS] # resolvd: vio0 & lookup file bind on separate lines, where [IP ADDRESS] is the ipv4 address of the server.

What I'm trying to get to is a telnet response of HTTP/1.0 302 Found or to reach index.htm, which right now is simple text.

  • What is the output of `curl -I example.com`? – Paul Jul 12 '22 at 02:11
  • Also, does `pfctl -nf /etc/pf.conf` report anything? You should have `set skip on lo` as the first configuration after macros and tables, though that won't show from `pfctl`. – Paul Jul 12 '22 at 02:22
  • I didn't notice your configuration had maxed the window size. I'm pretty sure your final `pass` means everything passes that doesn't use `quick`. From `pf.conf(5)`: "Each time a packet processed by the packet filter comes in on or goes out through an interface, the filter rules are evaluated in sequential order, from first to last. For block and pass, the last matching rule decides what action is taken..." Rules should generally get more specific as you go down the configuration. – Paul Jul 12 '22 at 02:44
  • @Paul curl returns `HTTP/1.0 403 Forbidden... Connection: close`, pfctl returns that lines 30-34 result in syntax errors (I didn't know pf would load a faulty conf), and I should omit the final `pass`. – CyberianTraveler Jul 12 '22 at 03:12
  • @Paul After removing the final pass and removing the ` on vio0` parts of lines 30-34 to prevent the syntax error, my connections are being refused. – CyberianTraveler Jul 12 '22 at 03:20
  • Please [edit](https://serverfault.com/posts/1105344/edit) your question with the output of the commands. The HTTP response must come from `httpd`. Does the `/var/www/htdocs` have permissions `755` and is `/var/www/htdocs/index.html` readable by `www`? – Paul Jul 12 '22 at 03:22
  • I think the `pf.conf` problem is a separate question. For now, just put `pass` back so you can fix `httpd`. – Paul Jul 12 '22 at 03:25
  • @Paul `ls -l` returns `drwxr-xr-x 4 root daemon 512 Jul 7 08:32 htdocs`, so `/var/www/htdocs` has `755`, and I got `-rw-r--r-- 1 user www 77 Jul 12 05:42 /var/www/htdocs/example.com/index.htm` for the other file, so it's in the `www` group. – CyberianTraveler Jul 12 '22 at 03:53
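The comment thread above turns on pf's evaluation order: the last matching rule wins unless a rule is marked quick, so a bare pass at the bottom of the question's pf.conf overrides every non-quick block above it. The following is an added example written for this page, not pf itself and not code from the question or the answer: a small shell model of that evaluation, run against a constructed ruleset that keeps the shape of the question's rules (block all first, quick passes for DNS and the web ports, a non-quick block for the X11 range) with and without the trailing pass. The function names, the ruleset layout and the sample packets are this example's own.

```shell
#!/bin/sh
# Added example for this page: a toy model of pf's rule evaluation
# ("last matching rule wins, unless it is marked quick"). It is not pf and
# only matches on protocol and destination port.

# Constructed rulesets (assumption: a cut-down copy of the question's shape).
# Fields per line: action  quick-flag  proto  port   ("-" = not set / any)
RULES_WITH_TRAILING_PASS='
block - any -
pass quick udp 53
block quick udp -
pass quick tcp 80
pass quick tcp 443
block - tcp 6000:6010
block - any -
pass - any -
'
RULES_WITHOUT_TRAILING_PASS='
block - any -
pass quick udp 53
block quick udp -
pass quick tcp 80
pass quick tcp 443
block - tcp 6000:6010
block - any -
'

# port_matches SPEC PORT: SPEC is "-" (any), a single port, or "lo:hi"
port_matches() {
    spec=$1 port=$2
    case $spec in
        -)   return 0 ;;
        *:*) lo=${spec%%:*} hi=${spec##*:}
             [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] ;;
        *)   [ "$spec" -eq "$port" ] ;;
    esac
}

# pf_decision RULESET PROTO PORT: prints "pass" or "block"
pf_decision() {
    ruleset=$1 proto=$2 port=$3
    decision=pass   # pf passes a packet no rule matches; hence "block all" first
    while read -r action quick rproto rport; do
        [ -z "$action" ] && continue
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        port_matches "$rport" "$port" || continue
        decision=$action                # the last match so far decides ...
        [ "$quick" = quick ] && break   # ... unless it is quick: stop here
    done <<EOF
$ruleset
EOF
    printf '%s\n' "$decision"
}

# Demo: the same packets against both rulesets
for pkt in "tcp 22" "tcp 80" "tcp 6005" "udp 123"; do
    set -- $pkt
    printf '%s/%-5s with trailing pass: %-5s  without: %s\n' "$1" "$2" \
        "$(pf_decision "$RULES_WITH_TRAILING_PASS" "$1" "$2")" \
        "$(pf_decision "$RULES_WITHOUT_TRAILING_PASS" "$1" "$2")"
done
```

With the trailing pass in place, tcp/22 and the X11 range end up passed because the final pass is the last match; without it, the first block all is the last match for anything a quick rule did not accept. On the real box the equivalent checks are pfctl -nf /etc/pf.conf to parse the file without loading it and pfctl -sr to print the rules pf actually loaded; the model covers only protocol and destination port, not direction, interface, addresses or state.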

1 Answer


The default index is index.html and the default index location is /var/www/htdocs, so /var/www/htdocs/index.html is the location that httpd is looking for when requests are sent to example.com or www.example.com.

The following server block should work based on your comments above:

types { include "/usr/share/misc/mime.types" }

server "example.com" {
        alias "www.example.com"
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/htdocs/example.com"
                request strip 2
        }
        root "/var/www/htdocs/example.com"
        directory index index.htm
}

Alternatively, you should find your current index.htm:

curl -I example.com/example.com/index.htm
Paul
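As an added example that is not part of the original answer or of OpenBSD httpd itself, the shell below models the path lookup the answer describes and then runs the file checks asked for in the comments against a constructed directory tree that mirrors the question (index.htm under htdocs/example.com, no htdocs/index.html). It assumes httpd's defaults: a chroot of /var/www, root taken relative to that chroot with /htdocs as the default, index.html as the default index, and request strip N removing N leading path components before the lookup. resolve_file, classify_target and build_demo_tree are names made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenBSD httpd.
# Models how httpd turns a request path into an on-disk path under its
# chroot and checks what it finds there, on a constructed directory tree.

# resolve_file CHROOT ROOT STRIP INDEX REQUEST_PATH: prints the file httpd opens
resolve_file() {
    chroot=$1 root=$2 strip=$3 index=$4 req=$5
    rest=${req#/}                      # request path without the leading "/"
    i=0
    while [ "$i" -lt "$strip" ]; do    # "request strip N": drop N components
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        i=$((i + 1))
    done
    case $req in */) rest="${rest}${index}" ;; esac   # directory -> its index
    [ -z "$rest" ] && rest=$index
    printf '%s%s/%s\n' "$chroot" "$root" "$rest"
}

# classify_target PATH: "ok" (regular, readable file), "unreadable" or "missing".
# The -r test reflects the user running this script; on the server run it as
# the user httpd serves files as (assumption: "doas -u www sh ..." on OpenBSD).
classify_target() {
    if [ -f "$1" ]; then
        if [ -r "$1" ]; then echo ok; else echo unreadable; fi
    else
        echo missing
    fi
}

# build_demo_tree: prints a fresh chroot-like tree mirroring the question:
#   $T/htdocs/example.com/index.htm exists, $T/htdocs/index.html does not
build_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/htdocs/example.com"
    printf 'hello\n' > "$t/htdocs/example.com/index.htm"   # constructed content
    chmod 755 "$t/htdocs" "$t/htdocs/example.com"
    chmod 644 "$t/htdocs/example.com/index.htm"
    printf '%s\n' "$t"
}

T=$(build_demo_tree)
# 1. the question's httpd.conf: no "root", no "directory index" -> defaults
p=$(resolve_file "$T" /htdocs 0 index.html /)
printf '%-10s %s\n' "$(classify_target "$p")" "$p"      # missing
# 2. the answer's block: root "/htdocs/example.com", directory index index.htm
p=$(resolve_file "$T" /htdocs/example.com 0 index.htm /)
printf '%-10s %s\n' "$(classify_target "$p")" "$p"      # ok
# 3. the ACME location: request strip 2 under root "/htdocs/example.com"
p=$(resolve_file "$T" /htdocs/example.com 2 index.htm /.well-known/acme-challenge/token)
printf '%-10s %s\n' "$(classify_target "$p")" "$p"      # missing (no token staged)
rm -rf "$T"
```

Case 1 is the question's situation: with the defaults httpd looks for /var/www/htdocs/index.html, which is not there, while the file that does exist is reachable only as /example.com/index.htm under the default root, which is what the curl line above probes. Case 2 is the answer's server block, under which the same request resolves to the existing index.htm.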