OpenBSD 6.6 BGP Looking Glass
I’ve written about OpenBSD and BGP Looking Glasses previously and before that. OpenBSD has since removed nginx from base, and replaced it with their own httpd. This is OK with me since I prefer having my OpenBSD systems fully self-contained and running from base.
Install your system as you choose; I did a fairly default install as per the FAQ. My hardware in this case is virtual VMware hardware: 1 vCPU, 1GB vRAM, 12GB vHDD, and 1 vNIC connected to a network shared with both BGP routers.
The applicable configuration files and changes are below.
rc.conf.local
bgpd_flags=
httpd_flags=
slowcgi_flags=
httpd.conf
Copy this from /etc/examples/httpd.conf to /etc/httpd.conf and add the following to your HTTPS section. You may want to use acme-client to set up a Let's Encrypt certificate for your looking glass and keep it current.
location "/cgi-bin/*" {
fastcgi
root ""
}
and add the following if you want to serve the CGI as the index:
location "/" {
block return 302 "https://$HTTP_HOST/cgi-bin/bgplg"
}
/etc/fstab
/var will need to be mounted without the nosuid option, which the default install puts on it; with nosuid present the kernel ignores the setuid bits on the ping and traceroute binaries in the chroot.
The following will need to be run to allow ping, ping6, traceroute, and traceroute6 to function and resolve domains in the chroot:
chmod 0555 /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc
chmod 4555 /var/www/bin/ping
chmod 4555 /var/www/bin/ping6
chmod 4555 /var/www/bin/traceroute
chmod 4555 /var/www/bin/traceroute6
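As an added check that is not part of the original post, the following script verifies the chroot prerequisites above: the file modes and setuid bits from the chmod lines, the copied resolv.conf, and whether /var is still mounted nosuid. It assumes the chroot root /var/www used in this post and fstab lines in the usual device/mountpoint/type/options layout.

```sh
#!/bin/sh
# Added check script: not from the original post. It verifies the bgplg
# chroot prerequisites listed above. The chroot root defaults to /var/www
# and the expected modes mirror the chmod lines; the fstab text is read
# from stdin so the same function can be fed the output of mount(8).

# Print the symbolic mode string (e.g. -r-sr-xr-x) of a path, or "missing".
mode_of() {
    [ -e "$1" ] || { echo missing; return 0; }
    ls -ld "$1" | cut -c1-10
}

# Exit 0 if the fstab text on stdin mounts /var with nosuid; with that option
# the kernel ignores the setuid bit on ping/traceroute inside the chroot.
var_has_nosuid() {
    awk '$2 == "/var" && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Compare one file's mode with what bgplg(8) needs; print a one-line verdict.
check_file() {
    path=$1; want=$2
    have=$(mode_of "$path")
    if [ "$have" = "$want" ]; then
        echo "ok       $path $have"
        return 0
    fi
    echo "MISMATCH $path have=$have want=$want"
    return 1
}

# Run every check against a chroot root; the return value is the failure count.
check_chroot() {
    root=${1:-/var/www}; fails=0
    check_file "$root/cgi-bin/bgplg" -r-xr-xr-x || fails=$((fails + 1))
    check_file "$root/bin/bgpctl"    -r-xr-xr-x || fails=$((fails + 1))
    for b in ping ping6 traceroute traceroute6; do
        check_file "$root/bin/$b"    -r-sr-xr-x || fails=$((fails + 1))
    done
    if [ ! -f "$root/etc/resolv.conf" ]; then
        echo "MISSING  $root/etc/resolv.conf (name resolution will fail)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Stand-alone use on the looking glass host:
#   check_chroot /var/www
#   var_has_nosuid < /etc/fstab && echo "/var is mounted nosuid"
```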
bgpd.conf
The last stage is to configure your BGP peering sessions in /etc/bgpd.conf.
# global configuration
AS 65003
router-id x.x.x.195
fib-update no
# restricted socket for bgplg(8)
socket "/var/www/run/bgpd.rsock" restricted
neighbor 192.0.2.193 {
remote-as 65003
descr BGP1
announce none
}
neighbor 192.0.2.194 {
remote-as 65003
descr BGP2
announce none
}
neighbor 2001:DB8::193 {
remote-as 65003
descr BGP1-v6
announce none
}
neighbor 2001:DB8::194 {
remote-as 65003
descr BGP2-v6
announce none
}
# see all prefixes, since we want the visibility for a looking glass
allow from any