The www/purritobin port

purritobin-0.6.7p4 – minimalistic command line pastebin (cvsweb github mirror)


Purrito Bin is an ultra fast, minimalistic, encrypted command
line paste-bin server written in C++ for handling large number
of requests.

It is very easy to integrate with any standard http server such as
httpd(8), apache or nginx and follows the KISS principle towards
handling pastes. It supports pledge(2) and unveil(2) in OpenBSD
to be secure to outside script attacks.
WWW: https://bsd.ac/


| Running PurritoBin on OpenBSD

Set proper daemon flags

You need to set at least the following option for PurritoBin
  -d    # e.g. https://bsd.ac/
                     # needs to include the trailing slash

  rcctl set purritobin flags -d 

To take a quick look at all the possible options and descriptions
  purrito -h

For an in-depth explanation
  man purrito

Exposing a webserver

PurritoBin saves all the pastes to a single folder.
By default it is the folder ${LOCALSTATEDIR}/www/purritobin.
So it is possible to just expose the folder via httpd(8)

sample httpd(8) configuration

# so that non suffixed paste files are recognized as
# plain text files
default type text/plain

server "bsd.ac" {
	alias "www.bsd.ac"
	listen on $ext_if port $http_port
	location "/.well-known/acme-challenge/*" {
		root { "/acme" }
		request strip 2
	location "/*" {
		block return 301 "https://$HTTP_HOST$REQUEST_URI"

server "bsd.ac" {
	alias "www.bsd.ac"
	listen on $ext_if tls port $https_port
	tls {
		certificate "/etc/ssl/bsd.ac.crt"
		key "/etc/ssl/private/bsd.ac.key"
	root "/purritobin"
	directory index "index.html"

sample nginx(8) configuration
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
	worker_connections 1024;

http {
	include	           /etc/nginx/mime.types;
	default_type       text/plain;
	charset            utf-8;
	log_format  main   '$remote_addr - $remote_user [$time_local] "$request" '
			   '$status $body_bytes_sent "$http_referer" '
			   '"$http_user_agent" "$http_x_forwarded_for"';
	access_log         /var/log/nginx/access.log  main;
	sendfile           on;
	keepalive_timeout  65;

	server {
		listen 80 default_server;
		location / {
			return 301 https://$host$request_uri;
		location /.well-known/acme-challenge/ {
			alias /var/www/acme-challenge/;

	server {
		listen 443 ssl;
		server_name bsd.ac www.bsd.ac;

		ssl_certificate     /etc/ssl/bsd.ac.crt;
		ssl_certificate_key /etc/ssl/private/bsd.ac.key;

		# to allow online paste submission
		add_header 'Access-Control-Allow-Origin' 'https://bsd.ac:42069';

		root /var/www/purritobin;
		location /.well-known/acme-challenge/ {
			alias /var/www/acme-challenge/;

Encrypted pastes

The default clients of PurritoBin are installed to

To enable server side support for these pastes
make sure that paste.html file located at
is available for viewing, typically possible by just
dumping the file into ${LOCALSTATEDIR}/www/purritobin

Online pasting through web-portal

To paste using the javascript form, the CORS header
from both the paste server and the http server need to
allow each other in the "Access-Control-Allow-Origin"
HTTP header.

An example for setting the CORS header in purrito(1)
is available in the man page. As httpd(8) does not allow
setting HTTP headers, relayd(8) can be used as a workaround,
or the above nginx(8) example can be used.

PF bruteforce blocking

PurritoBin exposes ports using -p  (by default: 42069) for
clients to post their pastes.
PurritoBin does not enforce any rate limiting for number of pastes
at a time as this can be done much better using pf(4)

sample pf.conf for rate limiting
table  persist

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

block quick from 

# no more than 1 connection every 3 seconds
pass in on egress proto tcp from any to any port $purritobin_port \
		flags S/SA keep state \
		(max-src-conn-rate 1/3, \
		overload  flush global)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild


Aisha Tammy

Only for arches

aarch64 alpha amd64 arm hppa i386 mips64 mips64el powerpc powerpc64 riscv64 sparc64


net www

Library dependencies

Build dependencies