BGPLG(8) FreeBSD System Manager's Manual BGPLG(8)
NAME
bgplg - looking glass for the OpenBSD Border Gateway Protocol daemon
SYNOPSIS
bgplg
DESCRIPTION
The bgplg CGI program is a looking glass for the bgpd(8) Border Gateway
Protocol daemon. The looking glass will provide a simple web interface
with read-only access to a restricted set of bgpd(8) and system status
information, which is typically used on route servers by Internet Service
Providers (ISPs) and Internet eXchange points (IXs). It is intended to
be used in a chroot(2) environment in /var/www.
bgplg is disabled by default. It requires four steps to enable the
looking glass:
1. Update the file permission mode to allow the execution of the bgplg
CGI program and the additional statically linked programs that have
been installed into the chroot(2) environment.
For example, to allow execution of bgplg and the statically-linked
version of bgpctl(8):
# chmod 0555 /var/www/cgi-bin/bgplg
# chmod 0555 /var/www/bin/bgpctl
External commands like ping(8) and others will be hidden from the
looking glass command list unless given the correct permissions.
See the FILES section below for the list of installed programs.
2. The programs ping(8), ping6(8), traceroute(8) and traceroute6(8)
will require a copy of the resolver configuration file
resolv.conf(5) in the chroot(2) environment for optional host name
lookups.
# mkdir /var/www/etc
# cp /etc/resolv.conf /var/www/etc
3. Start the Border Gateway Protocol daemon with a second, restricted,
control socket that can be used from within the chroot(2)
environment. See bgpd.conf(5) for more information.
For example, add the following to /etc/bgpd.conf to have bgpd(8)
open a second, restricted, control socket:
socket "/var/www/run/bgpd.rsock" restricted
4. Start the httpd(8) and slowcgi(8) servers after configuring the
related server section in httpd.conf(5). For example:
ext_addr="0.0.0.0"
server "lg.example.net" {
listen on $ext_addr port 80
location "/cgi-bin/*" {
fastcgi
root ""
}
}
FILES
/var/www/conf/bgplg.css Optional bgplg CSS style sheet.
/var/www/conf/bgplg.head Optional bgplg HTML header.
/var/www/conf/bgplg.foot Optional bgplg HTML footer.
/var/www/run/bgpd.rsock Position of the second, restricted, control
socket of bgpd(8).
The following statically linked executables have been installed into the
chroot(2) environment of the httpd(8) server. To enable the
corresponding functionality, use the chmod(1) utility to manually set the
file permission mode to 0555 or anything appropriate. Some of these
executables need the set-user-ID bit, so they should be mounted on a
filesystem without the nosuid option.
/var/www/cgi-bin/bgplg The bgplg CGI executable.
/var/www/bin/bgpctl The bgpctl(8) program used to query
information from bgpd(8)
/var/www/bin/ping The ping(8) program used to send ICMP
ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the
permission mode to 4555.
/var/www/bin/ping6 The ping6(8) program used to send ICMPv6
ICMP6_ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the
permission mode to 4555.
/var/www/bin/traceroute The traceroute(8) program used to print the
route packets take to network hosts.
Requires the set-user-ID bit, set the
permission mode to 4555.
/var/www/bin/traceroute6 The traceroute6(8) program used to print the
route packets take to inet6(4) network hosts.
Requires the set-user-ID bit, set the
permission mode to 4555.
SEE ALSO
bgpctl(8), bgpd(8), bgplgsh(8), httpd(8), slowcgi(8)
HISTORY
The bgplg program first appeared in OpenBSD 4.1. The initial
implementation was done in 2005 for DE-CIX, the German commercial
internet exchange point.
AUTHORS
The bgplg program was written by Reyk Floeter <
[email protected]>.
CAVEATS
To prevent commands from running endlessly, bgplg will kill the
corresponding processes after a hard limit of 60 seconds. For example,
this can take effect when using traceroute(8) with blackholed or bad
routes.
FreeBSD 14.1-RELEASE-p8 December 14, 2016 FreeBSD 14.1-RELEASE-p8