+-------------------------------------------------------------------------------
| Running PurritoBin on OpenBSD
+-------------------------------------------------------------------------------

Set proper daemon flags
=======================

You need to set at least the following option for PurritoBin
  -d <domain-name>   # e.g. https://bsd.ac/
                     # needs to include the trailing slash

  rcctl set purritobin flags -d <domain-name>

To take a quick look at all the possible options and descriptions
  purrito -h

For an in-depth explanation
  man purrito


Exposing a webserver
====================

PurritoBin saves all the pastes to a single folder.
By default it is the folder /var/www/purritobin.
So it is possible to just expose the folder via httpd(8)

sample httpd(8) configuration
-----------------------------
http_port=80
https_port=443
ext_if=egress

# so that non suffixed paste files are recognized as
# plain text files
default type text/plain

server "bsd.ac" {
	alias "www.bsd.ac"
	listen on $ext_if port $http_port
	location "/.well-known/acme-challenge/*" {
		root { "/acme" }
		request strip 2
	}
	location "/*" {
		block return 301 "https://$HTTP_HOST$REQUEST_URI"
	}
}

server "bsd.ac" {
	alias "www.bsd.ac"
	listen on $ext_if tls port $https_port
	tls {
		certificate "/etc/ssl/bsd.ac.crt"
		key "/etc/ssl/private/bsd.ac.key"
	}
	root "/purritobin"
	directory index "index.html"
}


sample nginx(8) configuration
-----------------------------
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
	worker_connections 1024;
}

http {
	include	           /etc/nginx/mime.types;
	default_type       text/plain;
	charset            utf-8;
	log_format  main   '$remote_addr - $remote_user [$time_local] "$request" '
			   '$status $body_bytes_sent "$http_referer" '
			   '"$http_user_agent" "$http_x_forwarded_for"';
	access_log         /var/log/nginx/access.log  main;
	sendfile           on;
	keepalive_timeout  65;

	server {
		listen 80 default_server;
		location / {
			return 301 https://$host$request_uri;
		}
		location /.well-known/acme-challenge/ {
			alias /var/www/acme-challenge/;
		}
	}

	server {
		listen 443 ssl;
		server_name bsd.ac www.bsd.ac;

		ssl_certificate     /etc/ssl/bsd.ac.crt;
		ssl_certificate_key /etc/ssl/private/bsd.ac.key;

		# to allow online paste submission
		add_header 'Access-Control-Allow-Origin' 'https://bsd.ac:42069';

		root /var/www/purritobin;
		location /.well-known/acme-challenge/ {
			alias /var/www/acme-challenge/;
		}
	}
}


Encrypted pastes
================

The default clients of PurritoBin are installed to
/usr/local/share/PurritoBin/POSIX_shell_client.sh

To enable server side support for these pastes
make sure that paste.html file located at
/usr/local/share/PurritoBin/paste.html
is available for viewing, typically possible by just
dumping the file into /var/www/purritobin


Online pasting through web-portal
=================================

To paste using the javascript form, the CORS header
from both the paste server and the http server need to
allow each other in the "Access-Control-Allow-Origin"
HTTP header.

An example for setting the CORS header in purrito(1)
is available in the man page. As httpd(8) does not allow
setting HTTP headers, relayd(8) can be used as a workaround,
or the above nginx(8) example can be used.


PF bruteforce blocking
======================

PurritoBin exposes ports using -p <port> (by default: 42069) for
clients to post their pastes.
PurritoBin does not enforce any rate limiting for number of pastes
at a time as this can be done much better using pf(4)

sample pf.conf for rate limiting
--------------------------------
table <bruteforce> persist
purritobin_port=42069

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

block quick from <bruteforce>

# no more than 1 connection every 3 seconds
pass in on egress proto tcp from any to any port $purritobin_port \
		flags S/SA keep state \
		(max-src-conn-rate 1/3, \
		overload <bruteforce> flush global)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
