XMPP Service Operators - 2026-05-23


  1. jaj

    httpd + relayd openbsd gets you more or less everything you need. But it's not as comfortable as nginx

  2. jaj

    relayd handles things like redirecting http to https and reverse proxying

  3. icebound.dev

    > it seems they reported it and nginx either will shortly or has patched it but I haven't seen anything concrete yet :(

    moparisthebest, no patch from nginx 3 days later

  4. icebound.dev

    27 days left on the disclosure period before the POC is published

  5. icebound.dev

    I assume it will be until next weekend until all major distros have updated their repos, I assume the patch will be available on Sunday

  6. icebound.dev

    tom, that's because nginx does a lot more than just a webserver these days, this is why OpenBSD dropped it from base and wrote httpd and relayd. As jaj explained, they both do different things, you can run relayd for proxying and redirects without needing to run a full blown http server, allowing you to strip down the attack surface massively. Note: OpenBSD httpd is portable and available on Linux-based platforms

  7. icebound.dev

    it is considerably slower though, as with all OpenBSD software, security comes before performance

  8. icebound.dev

    ~OpenBSD by default disables SMT~

  9. jonas’

    icebound.dev, "OpenBSD httpd is portable and available on Linux-based platforms" do you have a source for that? I tried to find it just now and all I can find is a fork on github which hasn't been updated in 6 years.

  10. icebound.dev

    > icebound.dev, "OpenBSD httpd is portable and available on Linux-based platforms" do you have a source for that? I tried to find it just now and all I can find is a fork on github which hasn't been updated in 6 years.

    Oh maybe they abandoned it

  11. icebound.dev

    nevermind ignore me, I think it was abandoned

  12. jonas’

    sad, I had my hopes up for a second there :)

  13. icebound.dev

    sorry :/

  14. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/019e5619-54ca-7845-88fc-d04033243bce/caddy%20my%20beloved.gif

  15. icebound.dev

    lol, wait until there is an RCE in caddy :p

  16. singpolyma

    s/is/is discovered

  17. jaj

    jonas’: you can run it in an openbsd VM 😜

  18. icebound.dev

    ^^^

  19. icebound.dev

    it will also piss off mopar if you did, so win win!

  20. jjj333_p [pain.agency]

    > lol, wait until there is an RCE in caddy :p

    i mean caddy is in go which is supposedly memory safe by way of garbage collector, so any rce would have to be some really bad logic flaw. worst i'm anticipating realistically happening is a dos (go makes most memory errors a "safe panic") which i can live with

  21. jjj333_p [pain.agency]

    might should take this to xmpp:operators-offtopic@group.pain.agency?join