From: Chris Narkiewicz <hello@ezaquarii.com>
Subject: Support for basic auth in HTTP Server answer
To: kn@openbsd.org
Cc: tech@openbsd.org
Date: Thu, 23 Oct 2025 20:22:50 +0100

Hello, I'm posting this patch again, now that the 7.8 release cycle has
completed and hopefully the tolerance for riskier changes is back.

I'm currently experimenting with autoinstall over HTTP in a
not-so-secure environment. The installer allows me to fetch
auto_install.conf using basic auth, but the

    HTTP Server?

question does not accept servers with basic auth credentials,
preventing me from putting any sensitive data in siteXY.tgz archives.
This limitation doesn't affect autoinstall config and disklabel
URLs, only sets.

This patch allowed me to download file sets from basic-auth
protected server:

--- distrib/miniroot/install.sub.orig	Wed Sep 17 02:22:11 2025
+++ distrib/miniroot/install.sub	Wed Sep 17 02:23:23 2025
@@ -1925,7 +1925,7 @@
 			HTTP_SERVER=${1%%/*}
 			# Repeat loop to get user to confirm server address.
 			;;
-		?(http?(s)://)+([A-Za-z0-9:.\[\]%_-]))
+               ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))
 			case $resp in
 			https://*)	_tls=force _http_proto=https;;
 			http://*)	_tls=no    _http_proto=http;;
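
Review bot: In the added userinfo class `[A-Za-z0-9:-_]`, the sequence `:-_` is a range from `:` to `_` rather than three literals, so the class admits `;<=>?@[\]^` (including `@` itself) and rejects a literal `-`. Put the hyphen last, as the host class on the same line already does, i.e. `[A-Za-z0-9:_-]`. The outer `+( ... @)` repetition, combined with `@` being inside the class, lets several `@`-separated groups through; a single optional `+([...])@` would be tighter. The `+` line is indented with spaces where the surrounding lines use tabs. Because the `http://*)` arm just below sets `_tls=no`, credentials accepted by this pattern can be sent over plain HTTP, which deserves a sentence in the documentation.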


Breaking it down:

orig:   ?(http?(s)://)........................+([A-Za-z0-9:.\[\]%_-]))
auth:                 ?(+(+([A-Za-z0-9:-_])@))
final:  ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))

Although my basic auth pattern is not completely strict, the current host
pattern is not bullet-proof either. Including A-Za-z0-9 allows me to
pick a reasonably secure secret.

In order to test this, I followed these steps:

0. create install.example.com mirror

    mkdir -p /var/www/install.example.com/sets
    cd /var/www/install.example.com/sets
    openrsync -rv rsync://mirror.planetunix.net/OpenBSD/7.7/amd64/ /var/www/install.example.com/sets/
    echo user:pass | htpasswd -I > /var/www/install.example.com/htpasswd

1. run httpd with the following config:
    
    server "install.example.com" {
        listen on 0.0.0.0 port 8080
        
        root "/install.example.com"
        directory index "index.html"
        
        location "/sets/*" {
            directory auto index
            root "/install.example.com/sets/"
            request strip 1
            authenticate with "/install.example.com/htpasswd"
        }
    }
    
2. Boot vmd with bsd.rd:

    vmctl create -s 40G disk.qcow2
    vmctl start -m 2G -L -d disk.qcow2 -b bsd.rd -c test

3. Use ed(1) to flip the pattern without rebuilding image:
    
    # ed /install.sub
    /\?(http/
    p
                   ?(http?(s)://)+([A-Za-z0-9:.\[\]%_-]))
    c
                   ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))
    .
    wq
    
4. Then Ctrl-D and choose (I)nstall when prompted
5. When prompted for HTTP Server? I provided http://user:pass@100.64.1.2:8080/sets
6. Happy outcome


Best regards,
Chris Narkiewicz
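
The pattern breakdown in the message above, checked mechanically. This is an added example, not part of the original message or of install.sub: it translates the ksh extended globs to Python regexes (`?(X)` as optional, `+(X)` as one-or-more), and the `strict` variant and the sample answers are constructed for illustration.

```python
import re

# ksh extended globs translated to regex: ?(X) -> (?:X)?  and  +(X) -> (?:X)+
SCHEME = r"(?:https?://)?"
HOST = r"[A-Za-z0-9:.\[\]%_-]+"
# Userinfo class exactly as in the patch: ':-_' parses as a range 0x3A..0x5F.
AUTH_PATCH = r"(?:(?:[A-Za-z0-9:-_]+@)+)?"
# Hypothetical tightened class (not in the patch): '-' last, one userinfo only.
AUTH_STRICT = r"(?:[A-Za-z0-9:_-]+@)?"

PATTERNS = {
    "orig": re.compile(SCHEME + HOST),
    "patch": re.compile(SCHEME + AUTH_PATCH + HOST),
    "strict": re.compile(SCHEME + AUTH_STRICT + HOST),
}


def accepts(name, answer):
    """True if the whole answer matches the named pattern, as a case arm would."""
    return PATTERNS[name].fullmatch(answer) is not None


def range_extras():
    """Printable characters the patch's userinfo class admits besides
    letters, digits, ':' and '_'."""
    cls = re.compile(r"[A-Za-z0-9:-_]")
    return "".join(c for c in map(chr, range(0x21, 0x7F))
                   if cls.fullmatch(c) and not (c.isalnum() or c in ":_"))


# Constructed sample answers to the "HTTP Server?" question.
SAMPLES = [
    "100.64.1.2:8080",
    "http://user:pass@100.64.1.2:8080",
    "http://my-user:pass@100.64.1.2:8080",
    "http://user:p;ss@100.64.1.2:8080",
    "http://a@b@100.64.1.2:8080",
]

if __name__ == "__main__":
    print("extra characters admitted by ':-_':", range_extras())
    for s in SAMPLES:
        print({name: accepts(name, s) for name in PATTERNS}, s)
```
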