.\" $OpenBSD: bgplg.8,v 1.16 2016/12/14 14:38:42 reyk Exp $
.\"
.\" Copyright (c) 2005, 2006, 2013 Reyk Floeter
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: December 14 2016 $
.Dt BGPLG 8
.Os
.Sh NAME
.Nm bgplg
.Nd looking glass for the OpenBSD Border Gateway Protocol daemon
.Sh SYNOPSIS
.Nm bgplg
.Sh DESCRIPTION
The
.Nm
CGI program is a looking glass for the
.Xr bgpd 8
Border Gateway Protocol daemon.
The looking glass will provide a simple web interface with read-only
access to a restricted set of
.Xr bgpd 8
and system status information,
which is typically used on route servers by
Internet Service Providers (ISPs)
and
Internet eXchange points (IXs).
It is intended to be used in a
.Xr chroot 2
environment in
.Pa /var/www .
.Pp
.Nm
is disabled by default.
It requires four steps to enable the looking glass:
.Bl -enum
.It
Update the file permission mode to allow the execution of the
.Nm
CGI program and the additional statically linked programs
that have been installed into the
.Xr chroot 2
environment.
.Pp
For example, to allow execution of
.Nm
and the statically-linked version of
.Xr bgpctl 8 :
.Bd -literal -offset indent
# chmod 0555 /var/www/cgi-bin/bgplg
# chmod 0555 /var/www/bin/bgpctl
.Ed
.Pp
External commands like
.Xr ping 8
and others will be hidden from the looking glass command list
unless given the correct permissions.
See the
.Sx FILES
section below for the list of installed programs.
.It
The programs
.Xr ping 8 ,
.Xr ping6 8 ,
.Xr traceroute 8
and
.Xr traceroute6 8
will require a copy of the resolver configuration file
.Xr resolv.conf 5
in the
.Xr chroot 2
environment for optional host name lookups.
.Bd -literal -offset indent
# mkdir /var/www/etc
# cp /etc/resolv.conf /var/www/etc
.Ed
.It
Start the Border Gateway Protocol daemon with a second,
restricted, control socket that can be used from within the
.Xr chroot 2
environment.
See
.Xr bgpd.conf 5
for more information.
.Pp
For example, add the following to
.Pa /etc/bgpd.conf
to have
.Xr bgpd 8
open a second, restricted, control socket:
.Pp
.Dl socket \&"/var/www/run/bgpd.rsock\&" restricted
.It
Start the
.Xr httpd 8
and
.Xr slowcgi 8
servers after configuring the related
.Ic server
section in
.Xr httpd.conf 5 .
For example:
.Bd -literal -offset indent
ext_addr="0.0.0.0"
server "lg.example.net" {
	listen on $ext_addr port 80
	location "/cgi-bin/*" {
		fastcgi
		root ""
	}
}
.Ed
.El
.Sh FILES
.Bl -tag -width "/var/www/conf/bgplg.headXX" -compact
.It Pa /var/www/conf/bgplg.css
Optional
.Nm
CSS style sheet.
.It Pa /var/www/conf/bgplg.head
Optional
.Nm
HTML header.
.It Pa /var/www/conf/bgplg.foot
Optional
.Nm
HTML footer.
.It Pa /var/www/run/bgpd.rsock
Position of the second, restricted, control socket of
.Xr bgpd 8 .
.El
.Pp
The following statically linked executables have been installed into the
.Xr chroot 2
environment of the
.Xr httpd 8
server.
To enable the corresponding functionality, use the
.Xr chmod 1
utility to manually set the file permission mode to 0555 or
anything appropriate.
Some of these executables need the set-user-ID bit,
so they should be mounted on a filesystem without the
.Ic nosuid
option.
.Pp
.Bl -tag -width "/var/www/bin/traceroute6XX" -compact
.It Pa /var/www/cgi-bin/bgplg
The
.Nm
CGI executable.
.It Pa /var/www/bin/bgpctl
The
.Xr bgpctl 8
program used to query information from
.Xr bgpd 8
.It Pa /var/www/bin/ping
The
.Xr ping 8
program used to send ICMP ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/ping6
The
.Xr ping6 8
program used to send ICMPv6 ICMP6_ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/traceroute
The
.Xr traceroute 8
program used to print the route packets take to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/traceroute6
The
.Xr traceroute6 8
program used to print the route packets take to
.Xr inet6 4
network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.El
.Sh SEE ALSO
.Xr bgpctl 8 ,
.Xr bgpd 8 ,
.Xr bgplgsh 8 ,
.Xr httpd 8 ,
.Xr slowcgi 8
.Sh HISTORY
The
.Nm
program first appeared in
.Ox 4.1 .
The initial implementation was done in 2005 for DE-CIX,
the German commercial internet exchange point.
.Sh AUTHORS
The
.Nm
program was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
To prevent commands from running endlessly,
.Nm
will kill the corresponding processes after a hard limit of 60 seconds.
For example, this can take effect when using
.Xr traceroute 8
with blackholed or bad routes.
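
The enabling steps in DESCRIPTION and the permission modes listed in FILES can be checked together with a short audit script. This is an added example, not part of the OpenBSD manual or source tree: the function names and status labels are hypothetical, and it assumes a program counts as enabled when all 0555 bits are set and that group or other write bits on these files are unwanted.

```sh
#!/bin/sh
# Added example: audit a bgplg chroot against the modes given in FILES.
# Function names and status labels are hypothetical, not part of bgplg.
# Usage after sourcing this file: bgplg_audit /var/www

# has_perm FILE MODE: true if FILE has at least every bit of MODE set.
has_perm() {
	[ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_prog FILE WANT: WANT is the manual's mode (0555 or 4555).
# Prints one status line; returns 1 only for a misconfiguration.
check_prog() {
	f=$1 want=$2
	if [ ! -f "$f" ]; then echo "missing   $f"; return 0; fi
	if has_perm "$f" 0002 || has_perm "$f" 0020; then
		echo "WRITABLE  $f (group or other write bit set)"; return 1
	fi
	# Assumption: a program counts as enabled when all 0555 bits are set.
	if ! has_perm "$f" 0555; then echo "disabled  $f"; return 0; fi
	if [ "$want" = 4555 ] && ! has_perm "$f" 4000; then
		echo "NOSUID    $f (enabled, set-user-ID bit missing)"; return 1
	fi
	if [ "$want" = 0555 ] && has_perm "$f" 4000; then
		echo "SUID      $f (set-user-ID bit not required)"; return 1
	fi
	echo "enabled   $f"
}

# bgplg_audit [CHROOT]: walk the setup steps; returns 1 on any finding.
bgplg_audit() {
	root=${1:-/var/www} rc=0 net=0
	check_prog "$root/cgi-bin/bgplg" 0555 || rc=1
	check_prog "$root/bin/bgpctl" 0555 || rc=1
	for p in ping ping6 traceroute traceroute6; do
		check_prog "$root/bin/$p" 4555 || rc=1
		if has_perm "$root/bin/$p" 0555; then net=1; fi
	done
	# Step 2: enabled network tools want resolv.conf inside the chroot.
	if [ "$net" = 1 ] && [ ! -f "$root/etc/resolv.conf" ]; then
		echo "NORESOLV  $root/etc/resolv.conf"; rc=1
	fi
	# Step 3: the restricted control socket must exist in the chroot.
	if [ ! -S "$root/run/bgpd.rsock" ]; then
		echo "NOSOCK    $root/run/bgpd.rsock"; rc=1
	fi
	return $rc
}
```

The script only reads file metadata, so it can be run by an unprivileged user; it does not check whether the filesystem holding the chroot is mounted with nosuid.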