220 lines
5.2 KiB
Groff
220 lines
5.2 KiB
Groff
|
.\" $OpenBSD: bgplg.8,v 1.16 2016/12/14 14:38:42 reyk Exp $
|
||
|
.\"
|
||
|
.\" Copyright (c) 2005, 2006, 2013 Reyk Floeter <reyk@openbsd.org>
|
||
|
.\"
|
||
|
.\" Permission to use, copy, modify, and distribute this software for any
|
||
|
.\" purpose with or without fee is hereby granted, provided that the above
|
||
|
.\" copyright notice and this permission notice appear in all copies.
|
||
|
.\"
|
||
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||
|
.\"
|
||
|
.Dd $Mdocdate: December 14 2016 $
|
||
|
.Dt BGPLG 8
|
||
|
.Os
|
||
|
.Sh NAME
|
||
|
.Nm bgplg
|
||
|
.Nd looking glass for the OpenBSD Border Gateway Protocol daemon
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm bgplg
|
||
|
.Sh DESCRIPTION
|
||
|
The
|
||
|
.Nm
|
||
|
CGI program is a looking glass for the
|
||
|
.Xr bgpd 8
|
||
|
Border Gateway Protocol daemon.
|
||
|
The looking glass will provide a simple web interface with read-only
|
||
|
access to a restricted set of
|
||
|
.Xr bgpd 8
|
||
|
and system status information, which is typically used on route
|
||
|
servers by Internet Service Providers (ISPs) and Internet eXchange
|
||
|
points (IXs).
|
||
|
It is intended to be used in a
|
||
|
.Xr chroot 2
|
||
|
environment in
|
||
|
.Pa /var/www .
|
||
|
.Pp
|
||
|
.Nm
|
||
|
is disabled by default.
|
||
|
It requires four steps to enable the looking glass:
|
||
|
.Bl -enum
|
||
|
.It
|
||
|
Update the file permission mode to allow the execution of the
|
||
|
.Nm
|
||
|
CGI program and the additional statically linked programs that have
|
||
|
been installed into the
|
||
|
.Xr chroot 2
|
||
|
environment.
|
||
|
.Pp
|
||
|
For example,
|
||
|
to allow execution of
|
||
|
.Nm
|
||
|
and the statically-linked version of
|
||
|
.Xr bgpctl 8 :
|
||
|
.Bd -literal -offset indent
|
||
|
# chmod 0555 /var/www/cgi-bin/bgplg
|
||
|
# chmod 0555 /var/www/bin/bgpctl
|
||
|
.Ed
|
||
|
.Pp
|
||
|
External commands like
|
||
|
.Xr ping 8
|
||
|
and others will be hidden from the looking glass command
|
||
|
list unless given the correct permissions.
|
||
|
See the
|
||
|
.Sx FILES
|
||
|
section below for the list of installed programs.
|
||
|
.It
|
||
|
The programs
|
||
|
.Xr ping 8 ,
|
||
|
.Xr ping6 8 ,
|
||
|
.Xr traceroute 8
|
||
|
and
|
||
|
.Xr traceroute6 8
|
||
|
will require a copy of the resolver configuration file
|
||
|
.Xr resolv.conf 5
|
||
|
in the
|
||
|
.Xr chroot 2
|
||
|
environment for optional host name lookups.
|
||
|
.Bd -literal -offset indent
|
||
|
# mkdir /var/www/etc
|
||
|
# cp /etc/resolv.conf /var/www/etc
|
||
|
.Ed
|
||
|
.It
|
||
|
Start the Border Gateway Protocol daemon with a second,
|
||
|
restricted, control socket that can be used
|
||
|
from within the
|
||
|
.Xr chroot 2
|
||
|
environment.
|
||
|
See
|
||
|
.Xr bgpd.conf 5
|
||
|
for more information.
|
||
|
.Pp
|
||
|
For example,
|
||
|
add the following to
|
||
|
.Pa /etc/bgpd.conf
|
||
|
to have
|
||
|
.Xr bgpd 8
|
||
|
open a second, restricted, control socket:
|
||
|
.Pp
|
||
|
.Dl socket \&"/var/www/run/bgpd.rsock\&" restricted
|
||
|
.It
|
||
|
Start the
|
||
|
.Xr httpd 8
|
||
|
and
|
||
|
.Xr slowcgi 8
|
||
|
servers after configuring the related
|
||
|
.Ic server
|
||
|
section in
|
||
|
.Xr httpd.conf 5 .
|
||
|
For example:
|
||
|
.Bd -literal -offset indent
|
||
|
ext_addr="0.0.0.0"
|
||
|
|
||
|
server "lg.example.net" {
|
||
|
listen on $ext_addr port 80
|
||
|
location "/cgi-bin/*" {
|
||
|
fastcgi
|
||
|
root ""
|
||
|
}
|
||
|
}
|
||
|
.Ed
|
||
|
.El
|
||
|
.Sh FILES
|
||
|
.Bl -tag -width "/var/www/conf/bgplg.headXX" -compact
|
||
|
.It Pa /var/www/conf/bgplg.css
|
||
|
Optional
|
||
|
.Nm
|
||
|
CSS style sheet.
|
||
|
.It Pa /var/www/conf/bgplg.head
|
||
|
Optional
|
||
|
.Nm
|
||
|
HTML header.
|
||
|
.It Pa /var/www/conf/bgplg.foot
|
||
|
Optional
|
||
|
.Nm
|
||
|
HTML footer.
|
||
|
.It Pa /var/www/run/bgpd.rsock
|
||
|
Position of the second, restricted, control socket of
|
||
|
.Xr bgpd 8 .
|
||
|
.El
|
||
|
.Pp
|
||
|
The following statically linked executables have been installed into
|
||
|
the
|
||
|
.Xr chroot 2
|
||
|
environment of the
|
||
|
.Xr httpd 8
|
||
|
server.
|
||
|
To enable the corresponding functionality, use the
|
||
|
.Xr chmod 1
|
||
|
utility to manually set the file permission mode to 0555 or anything
|
||
|
appropriate.
|
||
|
Some of these executables need the set-user-ID bit,
|
||
|
so they should be mounted on a filesystem
|
||
|
without the
|
||
|
.Ic nosuid
|
||
|
option.
|
||
|
.Pp
|
||
|
.Bl -tag -width "/var/www/bin/traceroute6XX" -compact
|
||
|
.It Pa /var/www/cgi-bin/bgplg
|
||
|
The
|
||
|
.Nm
|
||
|
CGI executable.
|
||
|
.It Pa /var/www/bin/bgpctl
|
||
|
The
|
||
|
.Xr bgpctl 8
|
||
|
program used to query information from
|
||
|
.Xr bgpd 8
|
||
|
.It Pa /var/www/bin/ping
|
||
|
The
|
||
|
.Xr ping 8
|
||
|
program used to send ICMP ECHO_REQUEST packets to network hosts.
|
||
|
Requires the set-user-ID bit, set the permission mode to 4555.
|
||
|
.It Pa /var/www/bin/ping6
|
||
|
The
|
||
|
.Xr ping6 8
|
||
|
program used to send ICMPv6 ICMP6_ECHO_REQUEST packets to network hosts.
|
||
|
Requires the set-user-ID bit, set the permission mode to 4555.
|
||
|
.It Pa /var/www/bin/traceroute
|
||
|
The
|
||
|
.Xr traceroute 8
|
||
|
program used to print the route packets take to network hosts.
|
||
|
Requires the set-user-ID bit, set the permission mode to 4555.
|
||
|
.It Pa /var/www/bin/traceroute6
|
||
|
The
|
||
|
.Xr traceroute6 8
|
||
|
program used to print the route packets take to
|
||
|
.Xr inet6 4
|
||
|
network hosts.
|
||
|
Requires the set-user-ID bit, set the permission mode to 4555.
|
||
|
.El
|
||
|
.Sh SEE ALSO
|
||
|
.Xr bgpctl 8 ,
|
||
|
.Xr bgpd 8 ,
|
||
|
.Xr bgplgsh 8 ,
|
||
|
.Xr httpd 8 ,
|
||
|
.Xr slowcgi 8
|
||
|
.Sh HISTORY
|
||
|
The
|
||
|
.Nm
|
||
|
program first appeared in
|
||
|
.Ox 4.1 .
|
||
|
The initial implementation was done in 2005 for DE-CIX, the German
|
||
|
commercial internet exchange point.
|
||
|
.Sh AUTHORS
|
||
|
The
|
||
|
.Nm
|
||
|
program was written by
|
||
|
.An Reyk Floeter Aq Mt reyk@openbsd.org .
|
||
|
.Sh CAVEATS
|
||
|
To prevent commands from running endlessly,
|
||
|
.Nm
|
||
|
will kill the corresponding processes after a hard limit of 60 seconds.
|
||
|
For example, this can take effect when using
|
||
|
.Xr traceroute 8
|
||
|
with blackholed or bad routes.
|