1. 32
  1.  

  2. 7

    I frown at putting all of Perl into a chroot, but there isn’t really a good alternative. You could use FastCGI, run the Perl process outside of the chroot and leave its socket in /var/www, so that httpd/nginx only has access to the socket and there are no Perl guts inside the chroot to use, but the Perl script should really then be chrooted separately.

    This gets much uglier with big things like Ruby on Rails.

    1. 3

      The purpose of the perl-in-chroot portion of the article was more like ‘hey, this is how you would do it if you wanted to’. As I mentioned in the article itself, I only host static content.

      1. 1

        Hopefully it'll eventually support something like proxying to a second http daemon, so for Perl you could chroot perl + Starman, and have httpd proxy to it.

      2. 2

        I tried out httpd, and wanted to love it. While I enjoyed the simplicity of the config, the inability to set custom headers (in my case I wanted to add HSTS) for some static content was a complete blocker. I ended up just sticking with nginx.

        1. 1

          The config sample given reminds me of nginx. Presumably this is only the beginning and more stuff will be added? That said, how much demand is there on OpenBSD to provide great support for more complicated web sites?

          1. 6

            I agree that simpler functionality is great. relayd supports adding headers though, so hopefully it is just a matter of time before the httpd server gets that feature. I do consider the ability to add headers to responses an important feature of an http server though. It lets the user set cache headers, hsts, content security policy, etc.

            I didn’t find the lack of deflate/gzip compression a big deal, but that could be a sticking point for some people too.

            As far as how much demand? I guess it depends. Do the OpenBSD devs want httpd to be used? If you target too small a feature set, then very few people will use it. If you target too large, then you waste effort, increase maintenance costs (more code to manage), and increase the bug surface – when you could simply have exotic users use something more featureful from ports.

            I approached the new httpd as a means to serve static content in a secure manner. My needs were quite basic: https, hsts header, cache headers. The current incarnation failed to meet those needs, so I was unable to use it.

            Instead I have a very simple nginx config:

            ```nginx
            server {
                listen 443 ssl;
                server_name servername.tld;
                root /the/path;

                add_header Strict-Transport-Security max-age=31536000;
                add_header Cache-Control public;

                location ^~ /static/ {
                    expires 1w;
                }

                location / {
                    index index.html index.htm;
                    expires 2h;
                }
            }
            ```
            
            1. 4

              Fair enough. I agree with everything you’ve said. I wasn’t trying to dismiss the ability to add headers as not necessary, just that it seems likely that httpd is very young and has a small target “customer” base. I imagine the number of largish websites running OpenBSD is small, but again I’m speculating, and don't know for sure.

              I look forward to developments here though, and I’d really like to give OpenBSD a try, so maybe I’ll try it out, get frustrated with it and submit patches. :)

        2. 1

          When was Perl included in the standard OpenBSD distro? I’m really happy to see that Perl is becoming an OS standard, because it should be. I checked http://www.openbsd.org/cgi-bin/man.cgi and saw that it ships with Perl 5. I’m new to the BSD community, but how long would it take for it to update to Perl 6, if ever?

          1. 3

            It’s been included with the base OS since at least 2.3, so 16 years or so? Our package tools are written in Perl.

            It does see occasional updates when new 5.x releases come out, so I would assume when Perl 6 is formally released and considered the standard over 5, it will be updated in the tree.