123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 |
- version=pmwiki-2.2.130 ordered=1 urlencoded=1
- agent=w3m/0.5.3+git20210102
- author=jrmu
- charset=UTF-8
- csum=
- ctime=1614073261
- host=38.87.162.8
- name=Openhttpd.Configure
- rev=39
- targets=Acme-client.Configure,Telnet.Http,Pf.Guide,Openssl.Http
- text=(:title Basic OpenHTTPd Configuration:)%0a%0a[[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%0a!! Overview%0a%0aPros:%0a# Lean: Small, no plugins%0a# Clean code%0a# Secure: Strict validity checking, privilege separation, strong cryptography%0a# Fast%0a# Easy to configure with good manpage documentation%0a%0a!! Docs and references%0a%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a%0a!! Configuring%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aCopy the example file in [@ /etc/examples/httpd.conf @]:%0a%0a[@%0a$ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a@]%0a%0a%0aEdit [@ /etc/httpd.conf @]:%0a%0a!!! Server block #1%0a%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a@]%0a%0aserver: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%0alisten on: tells the web server to listen on all IPs on port 80.%0a%0alocation: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%0alocation: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%0a'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a%0a!!! Server block #2%0a%0a[@%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0aThis block is similar to before. Replace [@ example.com @].%0a%0aThere are only two differences.%0a%0aLines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%0aLines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%0aMake sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a%0a%0a!! Starting the server%0a%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing, testing%0aLet's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a%0a%3c!DOCTYPE html>%0a%3chtml> %0a%3chead>%0a%3cmeta charset="utf-8"> %0a%3ctitle>302 Found%3c/title>%0a%3cstyle type="text/css">%3c!--%0abody { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0ahr { border: 0; border-bottom: 1px dashed; }%0a@media (prefers-color-scheme: dark) {%0abody { background-color: #1E1F21; color: #EEEFF1; }%0aa { color: #BAD7FF; }%0a}%0a-->%3c/style>%0a%3c/head>%0a%3cbody>%0a%3ch1>302 Found%3c/h1>%0a%3chr>%0a%3caddress>OpenBSD httpd%3c/address>%0a%3c/body>%0a%3c/html>%0aConnection closed by foreign host.%0a@]%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0a!! Adding TLS%0a%0aNext, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%0aGo do that now, I'll wait...%0a%0aOnce you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%0a[@%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a@]%0a%0achange [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%0aThen, restart the web server:%0a%0a[@%0a$ doas rcctl restart httpd%0a@]%0a%0aTo test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%0a[@%0a$ openssl s_client -connect example.com:443%0a@]%0a%0aYou should see the correct SSL subject and issuer:%0a%0a[@%0a$ openssl s_client -connect example.org:443%0aCONNECTED(00000003)%0adepth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0averify return:1%0adepth=1 C = US, O = Let's Encrypt, CN = R3%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0awrite W BLOCK%0a---%0aCertificate chain%0a 0 s:/CN=example.com%0a i:/C=US/O=Let's Encrypt/CN=R3%0a 1 s:/C=US/O=Let's Encrypt/CN=R3%0a i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a---%0aServer certificate%0a-----BEGIN CERTIFICATE-----%0a...%0a-----END CERTIFICATE-----%0asubject=/CN=example.com%0aissuer=/C=US/O=Let's Encrypt/CN=R3%0a---%0aNo client certificate CA names sent%0aServer Temp Key: ECDH, X25519, 253 bits%0a---%0aSSL handshake has read 3730 bytes and written 367 bytes%0a---%0aNew, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0aServer public key is 4096 bit%0aSecure Renegotiation IS NOT supported%0aCompression: NONE%0aExpansion: NONE%0aNo ALPN negotiated%0aSSL-Session:%0a Protocol : TLSv1.3%0a Cipher : AEAD-AES256-GCM-SHA384%0a Session-ID:%0a Session-ID-ctx:%0a Master-Key:%0a Start Time: 1614233943%0a Timeout : 7200 (sec)%0a Verify return code: 0 (ok)%0a---%0a@]%0a%0aYou can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%0aAttach:ssl-cert.png%0a
- time=1639147446
- title=Basic OpenHTTPd Configuration
- author:1639147446=jrmu
- diff:1639147446:1626874065:=63c63%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a163c163%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a168c168%0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a---%0a> change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a
- host:1639147446=38.87.162.8
- author:1626874065=mistera
- diff:1626874065:1626787627:=233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a
- host:1626874065=204.111.39.57
- author:1626787627=mistera
- diff:1626787627:1626783891:=5c5%0a%3c !! Overview%0a---%0a> !! Theory%0a
- host:1626787627=204.111.39.57
- author:1626783891=mistera
- diff:1626783891:1626702588:=168,169c168,169%0a%3c change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a> %0a233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
- host:1626783891=204.111.39.57
- author:1626702588=mistera
- diff:1626702588:1626702529:=87,88c87,88%0a%3c !! Starting the server%0a%3c %0a---%0a> !!! Starting the server%0a> %0a137c137%0a%3c !!! Troubleshooting%0a---%0a> !! Troubleshooting%0a
- host:1626702588=204.111.39.57
- author:1626702529=mistera
- diff:1626702529:1626700500:=24c24%0a%3c [@%0a---%0a> %25code%25[@%0a33,44c33,42%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a---%0a> [@server "example.com" {%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a> }%0a86,88d83%0a%3c %0a%3c !!! Starting the server%0a%3c %0a94d88%0a%3c !! Testing, testing%0a155,159c149%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a
- host:1626702529=204.111.39.57
- author:1626700500=mistera
- diff:1626700500:1626700425:=0a1%0a> %0a20c21,23%0a%3c '''NOTE''': You must replace example.com with your own domain%0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a> Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a
- host:1626700500=204.111.39.57
- author:1626700425=mistera
- diff:1626700425:1626696883:=1d0%0a%3c %0a21,24c20,21%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a%3c Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain:%0a> %0a27c24%0a%3c %25code%25[@%0a---%0a> [@%0a32,36c29,34%0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c !!! Server block #1%0a%3c %0a%3c [@server "example.com" {%0a---%0a> Edit [@/etc/httpd.conf@]:%0a> %0a> !!! The first server block%0a> %0a> [@%0a> server "example.com" {%0a48,55c46,53%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on (line 2): tells the web server to listen on all IPs on port 80.%0a> %0a> location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a58,59c56,57%0a%3c !!! Server block #2%0a%3c %0a---%0a> !!! The second server block%0a> %0a77,81c75,77%0a%3c This block is similar to before. Replace [@ example.com @].%0a%3c %0a%3c There are only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a---%0a> This block is similar to before. There are only two differences.%0a> %0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a
- host:1626700425=204.111.39.57
- author:1626696883=jrmu
- diff:1626696883:1626696853:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a
- host:1626696883=198.251.81.119
- author:1626696853=jrmu
- diff:1626696853:1626696752:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a
- host:1626696853=198.251.81.119
- author:1626696752=jrmu
- diff:1626696752:1626696585:=46,52c46,52%0a%3c server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on (line 2): tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
- host:1626696752=198.251.81.119
- author:1626696585=jrmu
- diff:1626696585:1626696142:=20,21c20,21%0a%3c '''NOTE''': You must replace example.com with your own domain:%0a%3c %0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a29,30c29,30%0a%3c Edit [@/etc/httpd.conf@]:%0a%3c %0a---%0a> Edit [@ /etc/httpd.conf @]:%0a> %0a34c34%0a%3c server "example.com" {%0a---%0a> server "%3cexample.com>" {%0a
- host:1626696585=198.251.81.119
- author:1626696142=mistera
- diff:1626696142:1626695724:=31,32d30%0a%3c !!! The first server block%0a%3c %0a50,53c48,51%0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a55,56d52%0a%3c %0a%3c !!! The second server block%0a
- host:1626696142=204.111.39.57
- author:1626695724=mistera
- diff:1626695724:1626695252:=20,21d19%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a28,30c26,27%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a---%0a> Edit the contents of [@ /etc/httpd.conf @]:%0a> %0a32c29%0a%3c server "%3cexample.com>" {%0a---%0a> server "example.com" {%0a44,46c41,43%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a
- host:1626695724=204.111.39.57
- author:1626695252=mistera
- diff:1626695252:1626695067:=26c26%0a%3c Edit the contents of [@ /etc/httpd.conf @]:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
- host:1626695252=204.111.39.57
- author:1626695067=mistera
- diff:1626695067:1614236130:=5,6d4%0a%3c !! Theory%0a%3c %0a14,15d11%0a%3c !! Docs and references%0a%3c %0a20c16%0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a---%0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a
- host:1626695067=204.111.39.57
- author:1614236130=jrmu
- diff:1614236130:1614235866:=44,45d43%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
- host:1614236130=198.251.81.119
- author:1614235866=jrmu
- diff:1614235866:1614234303:=208,209d207%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
- host:1614235866=198.251.81.119
- author:1614234303=jrmu
- diff:1614234303:1614234186:=172c172%0a%3c ---%0a---%0a> --- %0a182c182%0a%3c -----END CERTIFICATE-----%0a---%0a> -----END CERTIFICATE----- %0a184,204c184,204%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=R3 %0a> --- %0a> No client certificate CA names sent %0a> Server Temp Key: ECDH, X25519, 253 bits %0a> --- %0a> SSL handshake has read 3730 bytes and written 367 bytes %0a> --- %0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a> Server public key is 4096 bit %0a> Secure Renegotiation IS NOT supported %0a> Compression: NONE %0a> Expansion: NONE %0a> No ALPN negotiated %0a> SSL-Session: %0a> Protocol : TLSv1.3 %0a> Cipher : AEAD-AES256-GCM-SHA384 %0a> Session-ID: %0a> Session-ID-ctx: %0a> Master-Key: %0a> Start Time: 1614233943 %0a> Timeout : 7200 (sec) %0a
- host:1614234303=198.251.81.119
- author:1614234186=jrmu
- diff:1614234186:1614093252:=161,182d160%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c --- %0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE----- %0a184,206c162%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3 %0a%3c --- %0a%3c No client certificate CA names sent %0a%3c Server Temp Key: ECDH, X25519, 253 bits %0a%3c --- %0a%3c SSL handshake has read 3730 bytes and written 367 bytes %0a%3c --- %0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a%3c Server public key is 4096 bit %0a%3c Secure Renegotiation IS NOT supported %0a%3c Compression: NONE %0a%3c Expansion: NONE %0a%3c No ALPN negotiated %0a%3c SSL-Session: %0a%3c Protocol : TLSv1.3 %0a%3c Cipher : AEAD-AES256-GCM-SHA384 %0a%3c Session-ID: %0a%3c Session-ID-ctx: %0a%3c Master-Key: %0a%3c Start Time: 1614233943 %0a%3c Timeout : 7200 (sec) %0a%3c Verify return code: 0 (ok)%0a%3c ---%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a
- host:1614234186=198.251.81.119
- author:1614093252=jrmu
- diff:1614093252:1614092486:=165c165%0a%3c Attach:ssl-cert.png%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a
- host:1614093252=198.251.81.119
- author:1614092486=jrmu
- diff:1614092486:1614092283:=135,136c135,136%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a> %0a138,141c138%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a---%0a> $ doas rcctl restart httpd%0a144,147c141,142%0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a---%0a> To test if your web server is working and has a correct SSL cert, run:%0a> %0a149c144%0a%3c $ doas rcctl restart httpd%0a---%0a> $ openssl s_client -connect example.com:443%0a152,157d146%0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a160c149%0a%3c [@%0a---%0a> %3ccode>%0a163c152%0a%3c @]%0a---%0a> %3c/code>%0a
- host:1614092486=198.251.81.119
- author:1614092283=jrmu
- diff:1614092283:1614091285:=135,137c135,137%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a%3c %0a%3c [@%0a---%0a> Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a> %0a> %3ccode>%0a139,140c139,140%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a143c143%0a%3c [@%0a---%0a> %3ccode>%0a145c145%0a%3c @]%0a---%0a> %3c/code>%0a
- host:1614092283=198.251.81.119
- author:1614091285=jrmu
- diff:1614091285:1614090263:=119,120c119,120%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a> %0a132,133d131%0a%3c %0a%3c !! Adding TLS%0a
- host:1614091285=198.251.81.119
- author:1614090263=jrmu
- diff:1614090263:1614090067:=117,132d116%0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a152a137,150%0a> %0a> !! Troubleshooting%0a> %0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a> [@%0a> pass in proto tcp to port {http https}%0a> @]%0a> %0a> Then, reload the pf rulesets:%0a> %0a> [@%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a\ No newline at end of file%0a
- host:1614090263=198.251.81.119
- author:1614090067=jrmu
- diff:1614090067:1614089124:=92c92%0a%3c Location: https://example.com/index.html%0a---%0a> Location: https://ircnow.org/index.html%0a
- host:1614090067=198.251.81.119
- author:1614089124=jrmu
- diff:1614089124:1614077762:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a> %0a78,80c78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a86,93d83%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://ircnow.org/index.html%0a%3c %0a95c85%0a%3c %3chtml> %0a---%0a> %3chtml>%0a97c87%0a%3c %3cmeta charset="utf-8"> %0a---%0a> %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a100c90,91%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a---%0a> body { background-color: white; color: black; font-family: 'Comic Sans%0a> MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a102,105c93%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a---%0a> %0a114d101%0a%3c Connection closed by foreign host.%0a
- host:1614089124=198.251.81.119
- author:1614077762=jrmu
- diff:1614077762:1614077710:=
- host:1614077762=198.251.81.119
- author:1614077710=jrmu
- diff:1614077710:1614077287:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a%3c %0a---%0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a78c78%0a%3c $%0a---%0a> pass in proto tcp to port {http https}%0a81,82c81,82%0a%3c You should a response similar to the one below:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a83a84,96%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a> %0a> At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a> %0a> [@%0a> $ doas pkg_add curl%0a> $ curl example.com%0a> @]%0a> %0a> You should a response similar to the one below:%0a> %0a> [@%0a104,105c117,118%0a%3c Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a%3c %0a---%0a> Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a> %0a123,137c136%0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a\ No newline at end of file%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
- host:1614077710=198.251.81.119
- author:1614077287=jrmu
- diff:1614077287:1614076897:=22,23c22,23%0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Let's break down the contents of /etc/httpd.conf:%0a> %0a66,68c66,73%0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a---%0a> Lines 7-9 indicate that%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> %0a> You must replace example.com everywhere with your domain name.%0a> %0a> Simply enable and start the web server:%0a
- host:1614077287=198.251.81.119
- author:1614076897=jrmu
- diff:1614076897:1614076621:=43,44c43,44%0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a> %0a62,69c62,64%0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 indicate that%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a---%0a> This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
- host:1614076897=198.251.81.119
- author:1614076621=jrmu
- diff:1614076621:1614076414:=37,38c37,38%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a> %0a41,43c41,43%0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a---%0a> The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a
- host:1614076621=198.251.81.119
- author:1614076414=jrmu
- diff:1614076414:1614076135:=37,45c37,42%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a%3c %0a%3c [@%0a---%0a> The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a> %0a> The second line tells the web server to listen on all IPs on port 80.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a61,64d57%0a%3c %0a%3c This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a%3c %0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
- host:1614076414=198.251.81.119
- author:1614076135=jrmu
- diff:1614076135:1614075220:=41c41%0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> The third line says that for %0a
- host:1614076135=198.251.81.119
- author:1614075220=jrmu
- diff:1614075220:1614073808:=22,23c22,23%0a%3c Let's break down the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Here is what /etc/httpd.conf contains:%0a> %0a35,41d34%0a%3c @]%0a%3c %0a%3c The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a%3c %0a%3c The second line tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The third line says that for %0a
- host:1614075220=198.251.81.119
- author:1614073808=jrmu
- diff:1614073808:1614073724:=10,12c10%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a---%0a> # Easy to configure with good documentation%0a
- host:1614073808=198.251.81.119
- author:1614073724=jrmu
- diff:1614073724:1614073670:=3,4c3,4%0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a7c7%0a%3c # Clean code%0a---%0a> # Clean: The code is beautiful%0a
- host:1614073724=198.251.81.119
- author:1614073670=jrmu
- diff:1614073670:1614073261:=2,12d1%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean: The code is beautiful%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good documentation%0a%3c %0a%3c !! Configuring%0a
- host:1614073670=198.251.81.119
- author:1614073261=jrmu
- diff:1614073261:1614073261:=1,109d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Here is what /etc/httpd.conf contains:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c You must replace example.com everywhere with your domain name.%0a%3c %0a%3c Simply enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add curl%0a%3c $ curl example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c %3c!DOCTYPE html>%0a%3c %3chtml>%0a%3c %3chead>%0a%3c %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans%0a%3c MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c %0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c @]%0a%3c %0a%3c Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl restart httpd%0a%3c %3c/code>%0a%3c %0a%3c To test if your web server is working and has a correct SSL cert, run:%0a%3c %0a%3c %3ccode>%0a%3c $ openssl s_client -connect example.com:443%0a%3c %3c/code>%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c %3ccode>%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a%3c %3c/code>%0a%3c %0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
- host:1614073261=198.251.81.119
|