NAME
bgplg
—
looking glass for the
OpenBSD Border Gateway Protocol daemon
SYNOPSIS
bgplg |
DESCRIPTION
The bgplg
CGI program is a looking glass
for the bgpd(8) Border Gateway Protocol daemon. The looking glass will
provide a simple web interface with read-only access to a restricted set of
bgpd(8) and system status information, which is typically used on
route servers by Internet Service Providers (ISPs) and Internet eXchange
points (IXs). It is intended to be used in a
chroot(2) environment in /var/www.
bgplg
is disabled by default. It requires
four steps to enable the looking glass:
- Update the file permission mode to allow the execution of the
bgplg
CGI program and the additional statically linked programs that have been installed into the chroot(2) environment.For example, to allow execution of
bgplg
and the statically-linked version of bgpctl(8):# chmod 0555 /var/www/cgi-bin/bgplg # chmod 0555 /var/www/bin/bgpctl
External commands like ping(8) and others will be hidden from the looking glass command list unless given the correct permissions. See the FILES section below for the list of installed programs.
- The programs ping(8),
ping6(8),
traceroute(8) and
traceroute6(8) will require a copy of the resolver
configuration file
resolv.conf(5) in the
chroot(2) environment for optional host name lookups.
# mkdir /var/www/etc # cp /etc/resolv.conf /var/www/etc
- Start the Border Gateway Protocol daemon with a second, restricted,
control socket that can be used from within the
chroot(2) environment. See
bgpd.conf(5) for more information.
For example, add the following to /etc/bgpd.conf to have bgpd(8) open a second, restricted, control socket:
socket "/var/www/run/bgpd.rsock" restricted
- Start the nginx(8) and
slowcgi(8) servers after configuring the related
server
section in /etc/nginx/nginx.conf. For example:# FastCGI to CGI wrapper server # location /cgi-bin/ { fastcgi_pass unix:run/slowcgi.sock; fastcgi_split_path_info ^(/cgi-bin/[^/]+)(.*); fastcgi_param PATH_INFO $fastcgi_path_info; include fastcgi_params; }
FILES
- /var/www/conf/bgplg.css
- Optional
bgplg
CSS style sheet. - /var/www/conf/bgplg.head
- Optional
bgplg
HTML header. - /var/www/conf/bgplg.foot
- Optional
bgplg
HTML footer. - /var/www/run/bgpd.rsock
- Position of the second, restricted, control socket of bgpd(8).
The following statically linked executables have been installed into the chroot(2) environment of the nginx(8) server. To enable the corresponding functionality, use the chmod(1) utility to manually set the file permission mode to 0555 or anything appropriate.
- /var/www/cgi-bin/bgplg
- The
bgplg
CGI executable. - /var/www/bin/bgpctl
- The bgpctl(8) program used to query information from bgpd(8)
- /var/www/bin/ping
- The ping(8) program used to send ICMP ECHO_REQUEST packets to network hosts. Requires the set-user-ID bit, set the permission mode to 4555.
- /var/www/bin/ping6
- The ping6(8) program used to send ICMPv6 ICMP6_ECHO_REQUEST packets to network hosts. Requires the set-user-ID bit, set the permission mode to 4555.
- /var/www/bin/traceroute
- The traceroute(8) program used to print the route packets take to network hosts. Requires the set-user-ID bit, set the permission mode to 4555.
- /var/www/bin/traceroute6
- The traceroute6(8) program used to print the route packets take to inet6(4) network hosts. Requires the set-user-ID bit, set the permission mode to 4555.
SEE ALSO
HISTORY
The bgplg
program first appeared in
OpenBSD 4.1. The initial implementation was done in
2005 for DE-CIX, the German commercial internet exchange point.
AUTHORS
The bgplg
program was written by
Reyk Floeter
<reyk@openbsd.org>.
CAVEATS
To prevent commands from running endlessly,
bgplg
will kill the corresponding processes after a
hard limit of 60 seconds. For example, this can take effect when using
traceroute(8) with blackholed or bad routes.