A blog on Computer Science, Security, Programming, and more...

HeapSpray Blog » Category: General


Some Updates

Written by Matt

Recently switched to a new hosting provider and purged most of the stuff from the database.

Blog now runs under OpenBSD 5.2, and I've increased security a bit. I've detailed all my steps for building the chroot and I'll post them in parts later on, from Packet Filter rules to chroots and daemon configurations. I see very little on OpenBSD on the 'net in general, especially on this, so it would probably be a worthwhile contribution.

I'll add some more functionality to the blog later this week.

Topic: General tags: OpenBSD, meta, hosting

Written From Scratch

Written by Matt

The backend

This system runs OpenBSD, web server is a chrooted, statically compiled nginx installation, using FastCGI for PHP, which is also chrooted and compiled with -fstack-protect, the two communicate through a TCP socket, neither have access to any files, they can't even see the underlying system. The database is PostgreSQL which also communicates with FastCGI PHP through a TCP socket, using the pgsql.so module loaded from within the chroot. PostgreSQL might as well be running on another system, as it is also chrooted, but outside of FastCGI and nginx's chroot. Packet Filter disallows any connections that don't go directly into the web server port, and the kernel is in Security Level 2 on boot, which means any change in the PF rules requires physical access and a reboot, as you'd have to access the system before SSH is started through the VNC which only listens locally on the host address.

Setting this up was something else. There was absolutely nothing online that described how to link together FastCGI PHP and PostgreSQL. OpenBSD is incredibly obscure search-wise when looking for problems. The stuff I did find seemed to have been written by morons as half the directions were completely off, or they'd skip over huge steps. I've got it all running now, in a VM nonetheless. I've made a copy of it for future use, just need to change the credentials for different uses.

The blog system

Beyond that, the entire blog system was written from scratch using PHP 5.3 with suhosin (hardened PHP) and PostgreSQL. I don't really like wordpress, nor trust the security of it. Every packaged blog system either feels cheap or has too many flaws. I also wrote my own BBCode parser, which is what I use to generate the markup for these posts. Much better than just submitting raw HTML as this validates the tag pairs before they are submitted. The output validates under XHTML 1.1 strict. Keeps me from making mistakes, and it's neat in general.

Since I'll probably be posting code on here a lot I also imported Google's JS library prettify, which along with the BBCode parser makes it easy to include properly formatted and syntax highlighted code:

/* Comment Sample */
#include <stdio.h>

int main(int argc, char **argv){
  fprintf(stdout, "Hello, world!\n");
  return 0;

It's a very nice library. The only thing that's left to implement in the parser is tables, which will require some nested tag checks, but I just have to generalize it a bit more, it's already pretty flexible anyway.

Topic: General tags: sysadmin, php, nginx, OpenBSD, meta