Home Explore Help
Register Sign In
EPuters_Mirrors
/
almanack_mirror
Watch 2
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
almanack_mir...
/
wiki.d
/
Openhttpd.Configure

Openhttpd.Configure 48 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 
  1. version=pmwiki-2.2.130 ordered=1 urlencoded=1
    2. 

  2. agent=w3m/0.5.3+git20210102
    3. 

  3. author=jrmu
    4. 

  4. charset=UTF-8
    5. 

  5. csum=
    6. 

  6. ctime=1614073261
    7. 

  7. host=38.87.162.8
    8. 

  8. name=Openhttpd.Configure
    9. 

  9. rev=39
    10. 

  10. targets=Acme-client.Configure,Telnet.Http,Pf.Guide,Openssl.Http
    11. 

  11. text=(:title Basic OpenHTTPd Configuration:)%0a%0a[[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%0a!! Overview%0a%0aPros:%0a# Lean: Small, no plugins%0a# Clean code%0a# Secure: Strict validity checking, privilege separation, strong cryptography%0a# Fast%0a# Easy to configure with good manpage documentation%0a%0a!! Docs and references%0a%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a%0a!! Configuring%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aCopy the example file in [@ /etc/examples/httpd.conf @]:%0a%0a[@%0a$ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a@]%0a%0a%0aEdit [@ /etc/httpd.conf @]:%0a%0a!!! Server block #1%0a%0a%0a[@%0aserver "example.com" {%0a       listen on * port 80%0a       location "/.well-known/acme-challenge/*" {%0a               root "/acme"%0a               request strip 2%0a       }%0a       location * {%0a                 block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a       }%0a }%0a@]%0a%0aserver:  this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%0alisten on: tells the web server to listen on all IPs on port 80.%0a%0alocation: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%0alocation: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%0a'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a%0a!!! Server block #2%0a%0a[@%0aserver "example.com" {%0a        listen on * tls port 443%0a        tls {%0a                certificate "/etc/ssl/example.com.crt"%0a                key "/etc/ssl/private/example.com.key"%0a        }%0a        location "/pub/*" {%0a                directory auto index%0a        }%0a        location "/.well-known/acme-challenge/*" {%0a                root "/acme"%0a                request strip 2%0a        }%0a}%0a@]%0a%0aThis block is similar to before. Replace [@ example.com @].%0a%0aThere are only two differences.%0a%0aLines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%0aLines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%0aMake sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a%0a%0a!! Starting the server%0a%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing, testing%0aLet's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a%0a%3c!DOCTYPE html>%0a%3chtml> %0a%3chead>%0a%3cmeta charset="utf-8"> %0a%3ctitle>302 Found%3c/title>%0a%3cstyle type="text/css">%3c!--%0abody { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0ahr { border: 0; border-bottom: 1px dashed; }%0a@media (prefers-color-scheme: dark) {%0abody { background-color: #1E1F21; color: #EEEFF1; }%0aa { color: #BAD7FF; }%0a}%0a-->%3c/style>%0a%3c/head>%0a%3cbody>%0a%3ch1>302 Found%3c/h1>%0a%3chr>%0a%3caddress>OpenBSD httpd%3c/address>%0a%3c/body>%0a%3c/html>%0aConnection closed by foreign host.%0a@]%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0a!! Adding TLS%0a%0aNext, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%0aGo do that now, I'll wait...%0a%0aOnce you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%0a[@%0a        tls {%0a                certificate "/etc/ssl/example.com.crt"%0a                key "/etc/ssl/private/example.com.key"%0a        }%0a@]%0a%0achange [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%0aThen, restart the web server:%0a%0a[@%0a$ doas rcctl restart httpd%0a@]%0a%0aTo test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%0a[@%0a$ openssl s_client -connect example.com:443%0a@]%0a%0aYou should see the correct SSL subject and issuer:%0a%0a[@%0a$ openssl s_client -connect example.org:443%0aCONNECTED(00000003)%0adepth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0averify return:1%0adepth=1 C = US, O = Let's Encrypt, CN = R3%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0awrite W BLOCK%0a---%0aCertificate chain%0a 0 s:/CN=example.com%0a   i:/C=US/O=Let's Encrypt/CN=R3%0a 1 s:/C=US/O=Let's Encrypt/CN=R3%0a   i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a---%0aServer certificate%0a-----BEGIN CERTIFICATE-----%0a...%0a-----END CERTIFICATE-----%0asubject=/CN=example.com%0aissuer=/C=US/O=Let's Encrypt/CN=R3%0a---%0aNo client certificate CA names sent%0aServer Temp Key: ECDH, X25519, 253 bits%0a---%0aSSL handshake has read 3730 bytes and written 367 bytes%0a---%0aNew, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0aServer public key is 4096 bit%0aSecure Renegotiation IS NOT supported%0aCompression: NONE%0aExpansion: NONE%0aNo ALPN negotiated%0aSSL-Session:%0a    Protocol  : TLSv1.3%0a    Cipher    : AEAD-AES256-GCM-SHA384%0a    Session-ID:%0a    Session-ID-ctx:%0a    Master-Key:%0a    Start Time: 1614233943%0a    Timeout   : 7200 (sec)%0a    Verify return code: 0 (ok)%0a---%0a@]%0a%0aYou can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%0aAttach:ssl-cert.png%0a
    12. 

  12. time=1639147446
    13. 

  13. title=Basic OpenHTTPd Configuration
    14. 

  14. author:1639147446=jrmu
    15. 

  15. diff:1639147446:1626874065:=63c63%0a%3c                 certificate "/etc/ssl/example.com.crt"%0a---%0a>                 certificate "/etc/ssl/example.com.fullchain.pem"%0a163c163%0a%3c                 certificate "/etc/ssl/example.com.crt"%0a---%0a>                 certificate "/etc/ssl/example.com.fullchain.pem"%0a168c168%0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a---%0a> change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a
    16. 

  16. host:1639147446=38.87.162.8
    17. 

  17. author:1626874065=mistera
    18. 

  18. diff:1626874065:1626787627:=233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a
    19. 

  19. host:1626874065=204.111.39.57
    20. 

  20. author:1626787627=mistera
    21. 

  21. diff:1626787627:1626783891:=5c5%0a%3c !! Overview%0a---%0a> !! Theory%0a
    22. 

  22. host:1626787627=204.111.39.57
    23. 

  23. author:1626783891=mistera
    24. 

  24. diff:1626783891:1626702588:=168,169c168,169%0a%3c change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a> %0a233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
    25. 

  25. host:1626783891=204.111.39.57
    26. 

  26. author:1626702588=mistera
    27. 

  27. diff:1626702588:1626702529:=87,88c87,88%0a%3c !! Starting the server%0a%3c %0a---%0a> !!! Starting the server%0a> %0a137c137%0a%3c !!! Troubleshooting%0a---%0a> !! Troubleshooting%0a
    28. 

  28. host:1626702588=204.111.39.57
    29. 

  29. author:1626702529=mistera
    30. 

  30. diff:1626702529:1626700500:=24c24%0a%3c [@%0a---%0a> %25code%25[@%0a33,44c33,42%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c        listen on * port 80%0a%3c        location "/.well-known/acme-challenge/*" {%0a%3c                root "/acme"%0a%3c                request strip 2%0a%3c        }%0a%3c        location * {%0a%3c                  block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c        }%0a%3c  }%0a---%0a> [@server "example.com" {%0a>         listen on * port 80%0a>         location "/.well-known/acme-challenge/*" {%0a>                 root "/acme"%0a>                 request strip 2%0a>         }%0a>         location * {%0a>                 block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a>         }%0a> }%0a86,88d83%0a%3c %0a%3c !!! Starting the server%0a%3c %0a94d88%0a%3c !! Testing, testing%0a155,159c149%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a
    31. 

  31. host:1626702529=204.111.39.57
    32. 

  32. author:1626700500=mistera
    33. 

  33. diff:1626700500:1626700425:=0a1%0a> %0a20c21,23%0a%3c '''NOTE''': You must replace example.com with your own domain%0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a> Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a
    34. 

  34. host:1626700500=204.111.39.57
    35. 

  35. author:1626700425=mistera
    36. 

  36. diff:1626700425:1626696883:=1d0%0a%3c %0a21,24c20,21%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a%3c Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain:%0a> %0a27c24%0a%3c %25code%25[@%0a---%0a> [@%0a32,36c29,34%0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c !!! Server block #1%0a%3c %0a%3c [@server "example.com" {%0a---%0a> Edit [@/etc/httpd.conf@]:%0a> %0a> !!! The first server block%0a> %0a> [@%0a> server "example.com" {%0a48,55c46,53%0a%3c server:  this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on (line 2): tells the web server to listen on all IPs on port 80.%0a> %0a> location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a58,59c56,57%0a%3c !!! Server block #2%0a%3c %0a---%0a> !!! The second server block%0a> %0a77,81c75,77%0a%3c This block is similar to before. Replace [@ example.com @].%0a%3c %0a%3c There are only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a---%0a> This block is similar to before. There are only two differences.%0a> %0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a
    37. 

  37. host:1626700425=204.111.39.57
    38. 

  38. author:1626696883=jrmu
    39. 

  39. diff:1626696883:1626696853:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a
    40. 

  40. host:1626696883=198.251.81.119
    41. 

  41. author:1626696853=jrmu
    42. 

  42. diff:1626696853:1626696752:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a
    43. 

  43. host:1626696853=198.251.81.119
    44. 

  44. author:1626696752=jrmu
    45. 

  45. diff:1626696752:1626696585:=46,52c46,52%0a%3c server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on (line 2): tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> server:  this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
    46. 

  46. host:1626696752=198.251.81.119
    47. 

  47. author:1626696585=jrmu
    48. 

  48. diff:1626696585:1626696142:=20,21c20,21%0a%3c '''NOTE''': You must replace example.com with your own domain:%0a%3c %0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a29,30c29,30%0a%3c Edit [@/etc/httpd.conf@]:%0a%3c %0a---%0a> Edit [@ /etc/httpd.conf @]:%0a> %0a34c34%0a%3c server "example.com" {%0a---%0a> server "%3cexample.com>" {%0a
    49. 

  49. host:1626696585=198.251.81.119
    50. 

  50. author:1626696142=mistera
    51. 

  51. diff:1626696142:1626695724:=31,32d30%0a%3c !!! The first server block%0a%3c %0a50,53c48,51%0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a55,56d52%0a%3c %0a%3c !!! The second server block%0a
    52. 

  52. host:1626696142=204.111.39.57
    53. 

  53. author:1626695724=mistera
    54. 

  54. diff:1626695724:1626695252:=20,21d19%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a28,30c26,27%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a---%0a> Edit the contents of [@ /etc/httpd.conf @]:%0a> %0a32c29%0a%3c server "%3cexample.com>" {%0a---%0a> server "example.com" {%0a44,46c41,43%0a%3c server:  this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a
    55. 

  55. host:1626695724=204.111.39.57
    56. 

  56. author:1626695252=mistera
    57. 

  57. diff:1626695252:1626695067:=26c26%0a%3c Edit the contents of [@ /etc/httpd.conf @]:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
    58. 

  58. host:1626695252=204.111.39.57
    59. 

  59. author:1626695067=mistera
    60. 

  60. diff:1626695067:1614236130:=5,6d4%0a%3c !! Theory%0a%3c %0a14,15d11%0a%3c !! Docs and references%0a%3c %0a20c16%0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a---%0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a
    61. 

  61. host:1626695067=204.111.39.57
    62. 

  62. author:1614236130=jrmu
    63. 

  63. diff:1614236130:1614235866:=44,45d43%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
    64. 

  64. host:1614236130=198.251.81.119
    65. 

  65. author:1614235866=jrmu
    66. 

  66. diff:1614235866:1614234303:=208,209d207%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
    67. 

  67. host:1614235866=198.251.81.119
    68. 

  68. author:1614234303=jrmu
    69. 

  69. diff:1614234303:1614234186:=172c172%0a%3c ---%0a---%0a> ---                                             %0a182c182%0a%3c -----END CERTIFICATE-----%0a---%0a> -----END CERTIFICATE-----                                                               %0a184,204c184,204%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c     Protocol  : TLSv1.3%0a%3c     Cipher    : AEAD-AES256-GCM-SHA384%0a%3c     Session-ID:%0a%3c     Session-ID-ctx:%0a%3c     Master-Key:%0a%3c     Start Time: 1614233943%0a%3c     Timeout   : 7200 (sec)%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=R3                                                      %0a> ---                                                                                     %0a> No client certificate CA names sent                                                     %0a> Server Temp Key: ECDH, X25519, 253 bits                                                 %0a> ---                                                                                     %0a> SSL handshake has read 3730 bytes and written 367 bytes         %0a> ---                                                                                     %0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384              %0a> Server public key is 4096 bit                                                           %0a> Secure Renegotiation IS NOT supported                                                   %0a> Compression: NONE                                                                       %0a> Expansion: NONE                                                                         %0a> No ALPN negotiated                                                                      %0a> SSL-Session:                                                                            %0a>     Protocol  : TLSv1.3                                                                 %0a>     Cipher    : AEAD-AES256-GCM-SHA384                                                  %0a>     Session-ID:                                                                         %0a>     Session-ID-ctx:                                                                     %0a>     Master-Key:                                                                         %0a>     Start Time: 1614233943                                                              %0a>     Timeout   : 7200 (sec)                                                              %0a
    70. 

  70. host:1614234303=198.251.81.119
    71. 

  71. author:1614234186=jrmu
    72. 

  72. diff:1614234186:1614093252:=161,182d160%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c ---                                             %0a%3c Certificate chain%0a%3c  0 s:/CN=example.com%0a%3c    i:/C=US/O=Let's Encrypt/CN=R3%0a%3c  1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c    i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE-----                                                               %0a184,206c162%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3                                                      %0a%3c ---                                                                                     %0a%3c No client certificate CA names sent                                                     %0a%3c Server Temp Key: ECDH, X25519, 253 bits                                                 %0a%3c ---                                                                                     %0a%3c SSL handshake has read 3730 bytes and written 367 bytes         %0a%3c ---                                                                                     %0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384              %0a%3c Server public key is 4096 bit                                                           %0a%3c Secure Renegotiation IS NOT supported                                                   %0a%3c Compression: NONE                                                                       %0a%3c Expansion: NONE                                                                         %0a%3c No ALPN negotiated                                                                      %0a%3c SSL-Session:                                                                            %0a%3c     Protocol  : TLSv1.3                                                                 %0a%3c     Cipher    : AEAD-AES256-GCM-SHA384                                                  %0a%3c     Session-ID:                                                                         %0a%3c     Session-ID-ctx:                                                                     %0a%3c     Master-Key:                                                                         %0a%3c     Start Time: 1614233943                                                              %0a%3c     Timeout   : 7200 (sec)                                                              %0a%3c     Verify return code: 0 (ok)%0a%3c ---%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a
    73. 

  73. host:1614234186=198.251.81.119
    74. 

  74. author:1614093252=jrmu
    75. 

  75. diff:1614093252:1614092486:=165c165%0a%3c Attach:ssl-cert.png%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a
    76. 

  76. host:1614093252=198.251.81.119
    77. 

  77. author:1614092486=jrmu
    78. 

  78. diff:1614092486:1614092283:=135,136c135,136%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a> %0a138,141c138%0a%3c         tls {%0a%3c                 certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c                 key "/etc/ssl/private/example.com.key"%0a%3c         }%0a---%0a> $ doas rcctl restart httpd%0a144,147c141,142%0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a---%0a> To test if your web server is working and has a correct SSL cert, run:%0a> %0a149c144%0a%3c $ doas rcctl restart httpd%0a---%0a> $ openssl s_client -connect example.com:443%0a152,157d146%0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a160c149%0a%3c [@%0a---%0a> %3ccode>%0a163c152%0a%3c @]%0a---%0a> %3c/code>%0a
    79. 

  79. host:1614092486=198.251.81.119
    80. 

  80. author:1614092283=jrmu
    81. 

  81. diff:1614092283:1614091285:=135,137c135,137%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a%3c %0a%3c [@%0a---%0a> Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a> %0a> %3ccode>%0a139,140c139,140%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a143c143%0a%3c [@%0a---%0a> %3ccode>%0a145c145%0a%3c @]%0a---%0a> %3c/code>%0a
    82. 

  82. host:1614092283=198.251.81.119
    83. 

  83. author:1614091285=jrmu
    84. 

  84. diff:1614091285:1614090263:=119,120c119,120%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a> %0a132,133d131%0a%3c %0a%3c !! Adding TLS%0a
    85. 

  85. host:1614091285=198.251.81.119
    86. 

  86. author:1614090263=jrmu
    87. 

  87. diff:1614090263:1614090067:=117,132d116%0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a152a137,150%0a> %0a> !! Troubleshooting%0a> %0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a> [@%0a> pass in proto tcp to port {http https}%0a> @]%0a> %0a> Then, reload the pf rulesets:%0a> %0a> [@%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a\ No newline at end of file%0a
    88. 

  88. host:1614090263=198.251.81.119
    89. 

  89. author:1614090067=jrmu
    90. 

  90. diff:1614090067:1614089124:=92c92%0a%3c Location: https://example.com/index.html%0a---%0a> Location: https://ircnow.org/index.html%0a
    91. 

  91. host:1614090067=198.251.81.119
    92. 

  92. author:1614089124=jrmu
    93. 

  93. diff:1614089124:1614077762:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a> %0a78,80c78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a86,93d83%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://ircnow.org/index.html%0a%3c %0a95c85%0a%3c %3chtml> %0a---%0a> %3chtml>%0a97c87%0a%3c %3cmeta charset="utf-8"> %0a---%0a> %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a100c90,91%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a---%0a> body { background-color: white; color: black; font-family: 'Comic Sans%0a>  MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a102,105c93%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a---%0a> %0a114d101%0a%3c Connection closed by foreign host.%0a
    94. 

  94. host:1614089124=198.251.81.119
    95. 

  95. author:1614077762=jrmu
    96. 

  96. diff:1614077762:1614077710:=
    97. 

  97. host:1614077762=198.251.81.119
    98. 

  98. author:1614077710=jrmu
    99. 

  99. diff:1614077710:1614077287:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a%3c %0a---%0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a78c78%0a%3c $%0a---%0a> pass in proto tcp to port {http https}%0a81,82c81,82%0a%3c You should a response similar to the one below:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a83a84,96%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a> %0a> At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a> %0a> [@%0a> $ doas pkg_add curl%0a> $ curl example.com%0a> @]%0a> %0a> You should a response similar to the one below:%0a> %0a> [@%0a104,105c117,118%0a%3c Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a%3c %0a---%0a> Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a> %0a123,137c136%0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a\ No newline at end of file%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
    100. 

  100. host:1614077710=198.251.81.119
    101. 

  101. author:1614077287=jrmu
    102. 

  102. diff:1614077287:1614076897:=22,23c22,23%0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Let's break down the contents of /etc/httpd.conf:%0a> %0a66,68c66,73%0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a---%0a> Lines 7-9 indicate that%0a>         location "/pub/*" {%0a>                 directory auto index%0a>         }%0a> %0a> You must replace example.com everywhere with your domain name.%0a> %0a> Simply enable and start the web server:%0a
    103. 

  103. host:1614077287=198.251.81.119
    104. 

  104. author:1614076897=jrmu
    105. 

  105. diff:1614076897:1614076621:=43,44c43,44%0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a> %0a62,69c62,64%0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 indicate that%0a%3c         location "/pub/*" {%0a%3c                 directory auto index%0a%3c         }%0a---%0a> This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
    106. 

  106. host:1614076897=198.251.81.119
    107. 

  107. author:1614076621=jrmu
    108. 

  108. diff:1614076621:1614076414:=37,38c37,38%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a> %0a41,43c41,43%0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a---%0a> The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a
    109. 

  109. host:1614076621=198.251.81.119
    110. 

  110. author:1614076414=jrmu
    111. 

  111. diff:1614076414:1614076135:=37,45c37,42%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a%3c %0a%3c [@%0a---%0a> The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a> %0a> The second line tells the web server to listen on all IPs on port 80.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a61,64d57%0a%3c %0a%3c This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a%3c %0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
    112. 

  112. host:1614076414=198.251.81.119
    113. 

  113. author:1614076135=jrmu
    114. 

  114. diff:1614076135:1614075220:=41c41%0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> The third line says that for %0a
    115. 

  115. host:1614076135=198.251.81.119
    116. 

  116. author:1614075220=jrmu
    117. 

  117. diff:1614075220:1614073808:=22,23c22,23%0a%3c Let's break down the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Here is what /etc/httpd.conf contains:%0a> %0a35,41d34%0a%3c @]%0a%3c %0a%3c The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a%3c %0a%3c The second line tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The third line says that for %0a
    118. 

  118. host:1614075220=198.251.81.119
    119. 

  119. author:1614073808=jrmu
    120. 

  120. diff:1614073808:1614073724:=10,12c10%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a---%0a> # Easy to configure with good documentation%0a
    121. 

  121. host:1614073808=198.251.81.119
    122. 

  122. author:1614073724=jrmu
    123. 

  123. diff:1614073724:1614073670:=3,4c3,4%0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a7c7%0a%3c # Clean code%0a---%0a> # Clean: The code is beautiful%0a
    124. 

  124. host:1614073724=198.251.81.119
    125. 

  125. author:1614073670=jrmu
    126. 

  126. diff:1614073670:1614073261:=2,12d1%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean: The code is beautiful%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good documentation%0a%3c %0a%3c !! Configuring%0a
    127. 

  127. host:1614073670=198.251.81.119
    128. 

  128. author:1614073261=jrmu
    129. 

  129. diff:1614073261:1614073261:=1,109d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Here is what /etc/httpd.conf contains:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c         listen on * port 80%0a%3c         location "/.well-known/acme-challenge/*" {%0a%3c                 root "/acme"%0a%3c                 request strip 2%0a%3c         }%0a%3c         location * {%0a%3c                 block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c         }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c         listen on * tls port 443%0a%3c         tls {%0a%3c                 certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c                 key "/etc/ssl/private/example.com.key"%0a%3c         }%0a%3c         location "/pub/*" {%0a%3c                 directory auto index%0a%3c         }%0a%3c         location "/.well-known/acme-challenge/*" {%0a%3c                 root "/acme"%0a%3c                 request strip 2%0a%3c         }%0a%3c }%0a%3c @]%0a%3c %0a%3c You must replace example.com everywhere with your domain name.%0a%3c %0a%3c Simply enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add curl%0a%3c $ curl example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c %3c!DOCTYPE html>%0a%3c %3chtml>%0a%3c %3chead>%0a%3c %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans%0a%3c  MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c %0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c @]%0a%3c %0a%3c Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl restart httpd%0a%3c %3c/code>%0a%3c %0a%3c To test if your web server is working and has a correct SSL cert, run:%0a%3c %0a%3c %3ccode>%0a%3c $ openssl s_client -connect example.com:443%0a%3c %3c/code>%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c %3ccode>%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a%3c %3c/code>%0a%3c %0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
    130. 

  130. host:1614073261=198.251.81.119
    131. 

  131.