From: Chris Narkiewicz <hello@ezaquarii.com>
Subject: Support for basic auth in HTTP Server answer
To: tech@openbsd.org
Cc: kn@openbsd.org
Date: Wed, 17 Sep 2025 02:57:16 +0100

I'm currently experimenting with autoinstall over HTTP
in not-so-secure environment. The installer allows me to
fetch auto_install.conf using basic auth, but

    HTTP Server?

question does not accept servers with basic auth credentials,
preventing me from putting any sensitve data in siteXY.tgz archives.
This limitation doesn't affect autoinstall config and disklable
URLs, only sets.

This patch allowed me to download file sets from basic-auth
protected server:

--- distrib/miniroot/install.sub.orig	Wed Sep 17 02:22:11 2025
+++ distrib/miniroot/install.sub	Wed Sep 17 02:23:23 2025
@@ -1925,7 +1925,7 @@
 			HTTP_SERVER=${1%%/*}
 			# Repeat loop to get user to confirm server address.
 			;;
-		?(http?(s)://)+([A-Za-z0-9:.\[\]%_-]))
+               ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))
 			case $resp in
 			https://*)	_tls=force _http_proto=https;;
 			http://*)	_tls=no    _http_proto=http;;


Breaking it down:

orig:   ?(http?(s)://)........................+([A-Za-z0-9:.\[\]%_-]))
auth:                 ?(+(+([A-Za-z0-9:-_])@))
final:  ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))

Although my basic auth pattern is not completely strict, current host pattern
is not bullet-proof either.

In order to test this, I followed these steps:

0. create install.example.com mirror

    mkdir -p /var/www/install.example.com/sets
    cd /var/www/install.example.com/sets
    openrsync -rv rsync://mirror.planetunix.net/OpenBSD/7.7/amd64/ /var/www/example.com/sets/
    echo user:pass | htpasswd -I > /var/www/install.example.com/htpasswd

1. run httpd with the following config:
    
    server "install.example.com" {
        listen on 0.0.0.0 port 8080
        
        root "/install.example.com"
        directory index "index.html"
        
        location "/sets/*" {
            directory auto index
            root "/install.example.com/sets/"
            request strip 1
            authenticate with "/install.example.com/htpasswd"
        }
    }
    
2. Boot vmd with bsd.rd:

    vmctl create -s 40G disk.qcow2
    vmctl start -m 2G -L -d disk.qcow2 -b bsd.rd -c test

3. Use ed(1) to flip the pattern without rebuilding image:
    
    # ed /install.sub
    /\?(http/
    p
                   ?(http?(s)://)+([A-Za-z0-9:.\[\]%_-]))
    c
                   ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))
    .
    wq
    
4. Then Ctrl-D and choose (I)nstall when prompted
5. When prompted for HTTP Server? I provided http://user:pass@100.64.1.2:8080/sets
6. Happy outcome


Best regards,
Chris Narkiewicz