Blame
Date:
Fri Dec 2 05:00:19 2022
UTC
Message:
Daily backup
2021-12-17
targets=Openhttpd.Configure,Acme-client.Configure,Relayd.Acceleration,Telnet.Http,Pf.Guide
2021-12-23
text=(:title Hosting OpenHTTPd:)

!! Goal

This is a guide for providing web hosting for multiple users. This setup will support multiple custom domain names. Afterwards, we will use relayd to provide TLS encryption.

This guide assumes you have read the [[openhttpd/configure|basic openhttpd configuration]] guide. This is a slightly more advanced setup.

!! Configuration

For each user we want to support, we add one server block to [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]]:

[@
server "example.com" {
    alias "www.example.com"
    listen on * port 80
    root "/htdocs/example.com/"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
@]

Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also request a custom domain. If your user has an alternative domain name they wish to use, replace @@www.example.com@@ with that name. For each extra domain name, add a new alias line. If the user has no alternative name, delete the @@alias "www.example.com"@@ line.

Line 3 tells the web server to listen on all IPs on port 80.

Line 4 sets the root directory for this host's web documents. The path is relative to the chroot: openhttpd chroots to @@/var/www@@ by default, so @@/htdocs/example.com/@@ is really @@/var/www/htdocs/example.com/@@. A request for @@/webpage.html@@ on this host is answered with the file @@/var/www/htdocs/example.com/webpage.html@@.

Lines 5-8 (the location block) are used for requesting certificates with [[acme-client/configure|ACME]]. They say that for any request beginning with @@http://example.com/.well-known/acme-challenge/@@, look for the documents under the new root @@/acme@@, which inside the chroot is @@/var/www/acme/@@. The directive @@request strip 2@@ removes the first two path components (@@.well-known@@ and @@acme-challenge@@) from the request before the file is looked up, so that openhttpd searches in @@/var/www/acme/@@ and not in @@/var/www/acme/.well-known/acme-challenge/@@. Without it, the challenge files written by acme-client would never be found and certificate requests would fail.

'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.

'''Note''': Unlike in /etc/examples/httpd.conf, we will not automatically redirect to port 443. This is because some web browsers do not support TLS, and we do not want to break backwards compatibility. The trade-off is that anything a visitor sends to port 80 (form logins, cookies) travels in cleartext, so users should link to the @@https://@@ address for anything sensitive.

Notice that we do not add any blocks with TLS. TLS will be provided by [[relayd/acceleration|relayd]].

!! Creating Web Files

Next, we'll create a directory for each web folder, and a symbolic link in each user's home folder that points to that web folder:

[@
$ doas mkdir -p /var/www/htdocs/example.com/
$ doas ln -s /var/www/htdocs/example.com/ /home/username/htdocs
$ doas chown -R username:daemon /var/www/htdocs/example.com/
@]

Make sure to replace @@username@@ with the user's actual username, and @@example.com@@ with the user's actual domain. The symlink lives in the user's home directory but points under @@/var/www@@, and only the user's own directory is handed over by @@chown@@, so the user can edit their site without being able to write anywhere else in the web server's chroot.

From now on, users will be able to create new web files by putting them in @@~/htdocs/@@. For the test below, you may want to create the file @@/home/username/htdocs/index.html@@.

!! Start the Server and Test

Enable and restart the web server:

[@
$ doas rcctl enable httpd
$ doas rcctl restart httpd
@]

!!! Testing Port 80

Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]. Type the request line and the Host header, then press Enter on an empty line to end the request. HTTP/1.1 requires the @@Host@@ header, and it is what selects the matching server block:

[@
$ telnet example.com 80
GET /index.html HTTP/1.1
Host: example.com

@]

You should see a response similar to the one below, followed by the contents of index.html:

[@
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 34
Content-Type: text/html
Date: Sun, 28 Feb 2021 02:07:55 GMT
Last-Modified: Sat, 27 Feb 2021 10:22:27 GMT
Server: OpenBSD httpd
@]

!!! Troubleshooting

If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.

You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:

[@
pass in quick proto tcp to port {http https}
@]

Then, reload the pf rulesets:

[@
$ doas pfctl -f /etc/pf.conf
@]

!! Adding TLS

Next, you'll want to request a TLS certificate (an "SSL cert") using [[acme-client/configure|acme-client]] for each domain the user requested. The certificate must cover the name on the server line and every alias, or browsers will reject it for the names it lacks.

!! TLS Acceleration

Finally, you'll want to configure [[relayd/acceleration|relayd]] for TLS acceleration.

!! Troubleshooting

To check for any configuration errors, run:

[@
$ doas httpd -n
@]

You can also run openhttpd in the foreground in debug mode. Stop the running service first (@@doas rcctl stop httpd@@), since a second instance cannot bind port 80 while the first still holds it:

[@
$ doas httpd -dvv
@]
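The Configuration and Creating Web Files steps above are easy to get subtly wrong by hand: a stray character in the domain ends up both in httpd.conf and in a filesystem path, and it is not obvious why @@request strip 2@@ is needed. The following script is an added example, not code from the original page or from OpenBSD. It assumes the layout used on this page (chroot @@/var/www@@, docroots under @@/var/www/htdocs/<domain>@@, challenge files in @@/var/www/acme@@) and the hypothetical file name @@hostuser.sh@@. It validates the names before they reach the config or the filesystem, prints the server block, shows where a request lands on disk for a given @@request strip@@ count, and provisions the directory and symlink:

```sh
#!/bin/sh
# Added example for this guide (not code from the original page or from
# OpenBSD). It turns the "Configuration" and "Creating Web Files" steps into
# checked functions. Assumed layout, as used on the page: httpd chroots to
# /var/www, each user's docroot is /var/www/htdocs/<domain>, the user gets a
# ~/htdocs symlink, and ACME challenges live in /var/www/acme. WWW and HOMES
# can be overridden so the functions can be tried in a scratch directory
# without root.
WWW=${WWW:-/var/www}
HOMES=${HOMES:-/home}

# valid_domain NAME: allow only hostname characters. The name is pasted into
# httpd.conf as a quoted string and into the docroot path, so quotes, spaces,
# slashes, leading dots or dashes and ".." are refused before they get there.
valid_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*|*.) return 1 ;;
    esac
    return 0
}

# valid_user NAME: a local login name; it becomes part of a path and a chown
# target, so the same caution applies.
valid_user() {
    case $1 in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
    esac
    return 0
}

# gen_server_block DOMAIN [ALIAS ...]: print the per-user server block from the
# guide: port 80 only (relayd terminates TLS), docroot relative to the chroot,
# and the ACME location with root "/acme" plus "request strip 2".
gen_server_block() {
    domain=$1; shift
    for name in "$domain" "$@"; do
        valid_domain "$name" || { echo "gen_server_block: refusing name: $name" >&2; return 1; }
    done
    printf 'server "%s" {\n' "$domain"
    for name in "$@"; do
        printf '\talias "%s"\n' "$name"
    done
    printf '\tlisten on * port 80\n'
    printf '\troot "/htdocs/%s/"\n' "$domain"
    printf '\tlocation "/.well-known/acme-challenge/*" {\n'
    printf '\t\troot "/acme"\n'
    printf '\t\trequest strip 2\n'
    printf '\t}\n'
    printf '}\n'
}

# resolve_path ROOT STRIP REQUEST: the file httpd would open for REQUEST, given
# a location's root (relative to the chroot) and its "request strip" count.
# This is the page's explanation of "request strip 2" as arithmetic on the
# path: each strip drops one leading path component.
resolve_path() {
    root=$1 strip=$2 req=$3
    while [ "$strip" -gt 0 ]; do
        req=${req#/}        # drop the leading slash
        req=${req#*/}       # drop one path component
        strip=$((strip - 1))
    done
    printf '%s/%s/%s\n' "$WWW" "${root#/}" "${req#/}" | sed 's#//*#/#g'
}

# provision_user USER DOMAIN: docroot, ~/htdocs symlink and ownership, as in the
# guide. An existing ~/htdocs is left alone unless it already points at the
# docroot; chown runs only as root and only for a real login (id succeeds), so
# the function is safe to exercise on a scratch tree.
provision_user() {
    user=$1 domain=$2
    valid_user "$user" || { echo "provision_user: bad user: $user" >&2; return 1; }
    valid_domain "$domain" || { echo "provision_user: bad domain: $domain" >&2; return 1; }
    [ -d "$HOMES/$user" ] || { echo "provision_user: no home directory for $user" >&2; return 1; }
    docroot="$WWW/htdocs/$domain"
    link="$HOMES/$user/htdocs"
    mkdir -p "$docroot" || return 1
    if [ -e "$link" ] || [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$docroot" ] || { echo "provision_user: $link exists and is not $docroot" >&2; return 1; }
    else
        ln -s "$docroot" "$link" || return 1
    fi
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:daemon" "$docroot"
    else
        echo "provision_user: skipping chown $user:daemon $docroot (not root, or no such login)" >&2
    fi
}

# On the server: doas sh hostuser.sh USER DOMAIN [ALIAS ...]
# Provisions the directories and prints the block to append to /etc/httpd.conf;
# then run "doas httpd -n" and "doas rcctl restart httpd".
if [ "$#" -ge 2 ]; then
    u=$1; shift
    provision_user "$u" "$1" && gen_server_block "$@"
fi
```

Append the printed block to /etc/httpd.conf, run @@doas httpd -n@@, then restart httpd. @@resolve_path /acme 2 /.well-known/acme-challenge/TOKEN@@ prints @@/var/www/acme/TOKEN@@, while the same request with a strip count of 0 lands in @@/var/www/acme/.well-known/acme-challenge/TOKEN@@, which is exactly the lookup the guide warns against.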
2021-12-23
diff:1640228762:1640228462:=21a22,24%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a32a36,37%0a> Lines 9-11 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a120c125%0a%3c @]%0a---%0a> @]%0a\ No newline at end of file%0a
2021-12-23
diff:1640228462:1640228234:=36c36%0a%3c Lines 9-11 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> Lines 9-10 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
2021-12-23
diff:1640228234:1614478150:=22,24d21%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a36c33%0a%3c Lines 9-10 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> Lines 8-10 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
2021-12-17
diff:1614478104:1614477735:=77,79c77,80%0a%3c HTTP/1.1 200 OK%0a%3c Connection: keep-alive%0a%3c Content-Length: 34%0a---%0a> HTTP/1.0 302 Found%0a> Date: Tue, 23 Feb 2021 14:01:28 GMT%0a> OpenBSD httpd%0a> Connection: close%0a81,83c82,105%0a%3c Date: Sun, 28 Feb 2021 02:07:55 GMT%0a%3c Last-Modified: Sat, 27 Feb 2021 10:22:27 GMT%0a%3c Server: OpenBSD httpd%0a---%0a> Content-Length: 486%0a> Location: https://example.com/index.html%0a> %0a> %3c!DOCTYPE html>%0a> %3chtml> %0a> %3chead>%0a> %3cmeta charset="utf-8"> %0a> %3ctitle>302 Found%3c/title>%0a> %3cstyle type="text/css">%3c!--%0a> body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a> hr { border: 0; border-bottom: 1px dashed; }%0a> @media (prefers-color-scheme: dark) {%0a> body { background-color: #1E1F21; color: #EEEFF1; }%0a> a { color: #BAD7FF; }%0a> }%0a> -->%3c/style>%0a> %3c/head>%0a> %3cbody>%0a> %3ch1>302 Found%3c/h1>%0a> %3chr>%0a> %3caddress>OpenBSD httpd%3c/address>%0a> %3c/body>%0a> %3c/html>%0a> Connection closed by foreign host.%0a100a123,134%0a> %0a> !!! Testing Port 8001%0a> %0a> Next, on the server itself, run the test again using telnet:%0a> %0a> [@%0a> $ telnet 127.0.0.1 8001%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a> @]%0a> %0a> This test must be run on the server.%0a
2021-12-17
diff:1614477694:1614447112:=17d16%0a%3c root "/htdocs/example.com/"%0a21a21,23%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a29,32c31,32%0a%3c Line 4 tells us that the root directory for all web documents are in @@/var/www/htdocs/example.com/@@. A request to @@https://example.com/webpage.html@@ would reply with the file in @@/var/www/htdocs/example.com/webpage.html@@.%0a%3c %0a%3c Lines 5-8 (the location block) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with @@http://example.com/.well-known/acme-challenge/@@, look for the documents in the new root /acme. By default, openhttpd chroots to @@/var/www@@, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a---%0a> The location block (lines 4-7) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with @@http://example.com/.well-known/acme-challenge/@@, look for the documents in the new root /acme. By default, openhttpd chroots to @@/var/www@@, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a37,39c37,57%0a%3c '''Note''': Unlike in /etc/examples/httpd.conf, we will not automatically redirect to port 443. This is because some web browsers do not support TLS, and we do not want to break backwards compatibility.%0a%3c %0a%3c Notice that we do not add any blocks with TLS. 
TLS will be provided by [[relayd/acceleration|relayd]].%0a---%0a> We then add a second block to /etc/httpd.conf:%0a> %0a> [@%0a> server "example.com" {%0a> alias "www.example.com"%0a> listen on * port 8001%0a> root "/htdocs/example.com/"%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a> @]%0a> %0a> This block is similar to before. There are only two differences.%0a> %0a> Line 3 tells the web server to listen on port 8001. There is nothing special about port 8001; it is an arbitrary port we chose. Users will not connect directly to port 8001. Instead, relayd will accept connections on port 443, the standard HTTPS port, then forward to port 8001.%0a> %0a> Line 4 tells us that the root directory for all web documents are in @@/var/www/htdocs/example.com/@@. A request to @@https://example.com/webpage.html@@ would reply with the file in @@/var/www/htdocs/example.com/webpage.html@@.%0a> %0a> Notice that none of our blocks use TLS. TLS will be provided by relayd.%0a
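Review bot: the hunks at 21a21,23 and 37,39c37,57 together drop both the `location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }` fallback and the second server block on port 8001, so after this revision the single port-80 block serves user content in cleartext as well as answering ACME challenges. The deleted sentence "relayd will accept connections on port 443, the standard HTTPS port, then forward to port 8001" was the only text saying where relayd forwards; the replacement note should state the trade-off of not redirecting (anything a visitor sends over port 80 is unencrypted) and say that relayd now has to forward 443 to port 80, since 8001 no longer exists in the config.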
2021-12-17
diff:1614447112:1614444424:=160,174c160%0a%3c Finally, you'll want to configure [[relayd/acceleration|relayd]] for TLS acceleration.%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c To check for any configuration errors, run:%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a%3c %0a%3c At any time, you can run openhttpd in debug mode:%0a%3c %0a%3c [@%0a%3c $ doas httpd -dvv%0a%3c @]%0a\ No newline at end of file%0a---%0a> Finally, you'll want to configure [[relayd/acceleration|relayd]] for TLS acceleration.%0a\ No newline at end of file%0a
2021-12-17
diff:1614444424:1614443455:=6,7d5%0a%3c %0a%3c This guide assumes you have read the [[openhttpd/configure|basic openhttpd configuration]] guide. This is a slightly more advanced setup.%0a
2021-12-17
diff:1614443455:1614443341:=145c145%0a%3c $ telnet 127.0.0.1 8001%0a---%0a> $ telnet example.com 8001%0a150,151c150,151%0a%3c This test must be run on the server.%0a%3c %0a---%0a> This test must be run on the server because port 8001 may be blocked by a firewall.%0a> %0a155,156d154%0a%3c %0a%3c !! TLS Acceleration%0a
2021-12-17
diff:1614443341:1614443260:=69c69%0a%3c From now on, users will be able to create new web files by putting them in @@~/htdocs/@@. For your test below, you may want to create the file @@/home/username/htdocs/index.html@@.%0a---%0a> From now on, users will be able to create new web files by putting them in @@~/htdocs/@@.%0a
2021-12-17
diff:1614443260:1614441966:=63d62%0a%3c $ doas ln -s /var/www/htdocs/example.com/ /home/username/htdocs%0a64a64%0a> $ doas ln -s /var/www/htdocs/example.com/ /home/username/htdocs%0a
2021-12-17
diff:1614441966:1614441869:=25c25%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also custom request a domain. If your user has an alternative domain name he wishes to use, replace @@www.example.com@@ with that name. For each extra domain name, add a new alias line. If he does not have an alternative name, you can delete the @@alias "www.example.com"@@ line.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also custom request a domain. If your user has an alternative domain name he wishes to use, replace @@www.example.com@@ with that name. For each extra domain name, add a new alias line. If he does not, you can delete the @@alias "www.example.com"@@ line.%0a
2021-12-17
diff:1614441869:1614441425:=9c9%0a%3c For each user we want to support, we must add two blocks to [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]]. Here's the first block:%0a---%0a> We add one block to [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]]:%0a
2021-12-17
diff:1614441425:1614441345:=156c156,221%0a%3c Finally, you'll want to configure [[relayd/acceleration|relayd]] for TLS acceleration.%0a\ No newline at end of file%0a---%0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a> $ openssl s_client -connect example.org:443%0a> CONNECTED(00000003)%0a> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a> verify return:1%0a> depth=1 C = US, O = Let's Encrypt, CN = R3%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> write W BLOCK%0a> ---%0a> Certificate chain%0a> 0 s:/CN=example.com%0a> i:/C=US/O=Let's Encrypt/CN=R3%0a> 1 s:/C=US/O=Let's Encrypt/CN=R3%0a> i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a> ---%0a> Server certificate%0a> -----BEGIN CERTIFICATE-----%0a> ...%0a> -----END CERTIFICATE-----%0a> subject=/CN=example.com%0a> issuer=/C=US/O=Let's Encrypt/CN=R3%0a> ---%0a> No client certificate CA names sent%0a> Server Temp Key: ECDH, X25519, 253 bits%0a> ---%0a> SSL handshake has read 3730 bytes and written 367 bytes%0a> ---%0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a> Server public key is 4096 bit%0a> Secure Renegotiation IS NOT supported%0a> Compression: NONE%0a> Expansion: NONE%0a> No ALPN negotiated%0a> SSL-Session:%0a> Protocol : TLSv1.3%0a> Cipher : AEAD-AES256-GCM-SHA384%0a> Session-ID:%0a> Session-ID-ctx:%0a> Master-Key:%0a> Start Time: 1614233943%0a> Timeout : 7200 (sec)%0a> Verify return code: 0 (ok)%0a> ---%0a> @]%0a> %0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a> %0a> Attach:ssl-cert.png%0a
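Review bot: the hunk at 156c156,221 deletes the `openssl s_client -connect example.com:443` check and its `Verify return code: 0 (ok)` transcript in favour of the one-line pointer "Finally, you'll want to configure relayd for TLS acceleration", so the page is left with no step that confirms the certificate presented on 443 actually validates; either keep a verification step here or state that it lives on the relayd page. If the transcript is ever restored, fix the mismatch between `example.org` in the command line and `CN = example.com` in the output below it.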
2021-12-17
diff:1614441345:1614439833:=80,81d79%0a%3c !!! Testing Port 80%0a%3c %0a124,125c122,123%0a%3c !!! Troubleshooting%0a%3c %0a---%0a> !! Troubleshooting%0a> %0a140,141c138,139%0a%3c !!! Testing Port 8001%0a%3c %0a---%0a> !! Testing Port 8001%0a> %0a221c219%0a%3c Attach:ssl-cert.png%0a---%0a> Attach:ssl-cert.png%0a\ No newline at end of file%0a
2021-12-17
diff:1614439833:1614439264:=25,26c25,26%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also custom request a domain. If your user has an alternative domain name he wishes to use, replace @@www.example.com@@ with that name. For each extra domain name, add a new alias line. If he does not, you can delete the @@alias "www.example.com"@@ line.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also custom request a domain. If your user has an alternative domain name he wishes to use, replace @@www.example.com@@ with that name. If he does not, you can delete the @@alias "www.example.com"@@ line.%0a> %0a57,60c57,62%0a%3c !! Creating Web Files%0a%3c %0a%3c Next, we'll create a directory for each web folder, and a symbolic link in each user's home folder that points to that web folder:%0a%3c %0a---%0a> %0a> %0a> !! Start the Server and Test%0a> %0a> Enable and start the web server:%0a> %0a62,64c64,65%0a%3c $ doas mkdir -p /var/www/htdocs/example.com/%0a%3c $ doas chown -R username:daemon /var/www/htdocs/example.com/%0a%3c $ doas ln -s /var/www/htdocs/example.com/ /home/username/htdocs%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a67,74c68,69%0a%3c Make sure to replace @@username@@ with the user's actual username, and @@example.com@@ with his actual domain.%0a%3c %0a%3c From now on, users will be able to create new web files by putting them in @@~/htdocs/@@.%0a%3c %0a%3c !! Start the Server and Test%0a%3c %0a%3c Enable and restart the web server:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. 
This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a> %0a76,77c71,73%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl restart httpd%0a---%0a> $ telnet example.com 80%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a80,81c76,77%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> You should a response similar to the one below:%0a> %0a83,90d78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a138,141c126,129%0a%3c !! Testing Port 8001%0a%3c %0a%3c Next, on the server itself, run the test again using telnet:%0a%3c %0a---%0a> !! Adding TLS%0a> %0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a143,145c131,134%0a%3c $ telnet example.com 8001%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> tls {%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a148,152c137%0a%3c This test must be run on the server because port 8001 may be blocked by a firewall.%0a%3c %0a%3c !! Adding TLS%0a%3c %0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]] for each domain the user requested.%0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a
2021-12-17
diff:1614431977:1614428640:=39,44c39,42%0a%3c alias "www.example.com"%0a%3c listen on * port 8001%0a%3c root "/htdocs/example.com/"%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a---%0a> listen on * tls port 443%0a> tls {%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a> key "/etc/ssl/private/example.com.key"%0a45a44,50%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a51,59c56,60%0a%3c Line 3 tells the web server to listen on port 8001. There is nothing special about port 8001; it is an arbitrary port we chose. Users will not connect directly to port 8001. Instead, relayd will accept connections on port 443, the standard HTTPS port, then forward to port 8001.%0a%3c %0a%3c Line 4 tells us that the root directory for all web documents are in @@/var/www/htdocs/example.com/@@. A request to @@https://example.com/webpage.html@@ would reply with the file in @@/var/www/htdocs/example.com/webpage.html@@.%0a%3c %0a%3c Notice that none of our blocks use TLS. TLS will be provided by relayd.%0a%3c %0a%3c !! Start the Server and Test%0a%3c %0a%3c Enable and start the web server:%0a---%0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a
2021-12-17
diff:1614428640:1614428198:=9,10c9,10%0a%3c We add one block to [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]]:%0a%3c %0a---%0a> If [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]] '''already''' exists, skip this step. Otherwise, start by copying the example file in /etc/examples/httpd.conf:%0a> %0a11a12,17%0a> $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a> @]%0a> %0a> Next, edit the contents of /etc/httpd.conf:%0a> %0a> [@%0a13d18%0a%3c alias "www.example.com"%0a25,32c30,37%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. Replace this with the domain that your user signed up for, such as @@username.fruit.ircnow.org@@. Your user can also custom request a domain. If your user has an alternative domain name he wishes to use, replace @@www.example.com@@ with that name. If he does not, you can delete the @@alias "www.example.com"@@ line.%0a%3c %0a%3c Line 3 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 4-7) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with @@http://example.com/.well-known/acme-challenge/@@, look for the documents in the new root /acme. By default, openhttpd chroots to @@/var/www@@, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 8-10 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. 
You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a> %0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a34,35d38%0a%3c %0a%3c We then add a second block to /etc/httpd.conf:%0a
2021-12-17
diff:1614428198:1614427720:=1,10c1,17%0a%3c (:title Hosting OpenHTTPd:)%0a%3c %0a%3c !! Goal%0a%3c %0a%3c This is a guide for providing web hosting for multiple users. This setup will support multiple, custom domain names. Afterwards, we will use relayd to provide TLS encryption.%0a%3c %0a%3c !! Configuration%0a%3c %0a%3c If [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]] '''already''' exists, skip this step. Otherwise, start by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a---%0a> (:title Basic OpenHTTPd Configuration:)%0a> %0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a> Pros:%0a> # Lean: Small, no plugins%0a> # Clean code%0a> # Secure: Strict validity checking, privilege separation, strong cryptography%0a> # Fast%0a> # Easy to configure with good manpage documentation%0a> %0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a> %0a> !! Configuring%0a> %0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a> %0a15c22%0a%3c Next, edit the contents of /etc/httpd.conf:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
2021-12-17
diff:1614427720:1614427720:=1,213d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean code%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a%3c %0a%3c !! Configuring%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. 
The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). 
Let's use [[telnet/http|telnet]]:%0a%3c %0a%3c [@%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://example.com/index.html%0a%3c %0a%3c %3c!DOCTYPE html>%0a%3c %3chtml> %0a%3c %3chead>%0a%3c %3cmeta charset="utf-8"> %0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c Connection closed by foreign host.%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c !! Adding TLS%0a%3c %0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. 
Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a%3c [@%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c @]%0a%3c %0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c @]%0a%3c %0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c ---%0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE-----%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c 
Timeout : 7200 (sec)%0a%3c Verify return code: 0 (ok)%0a%3c ---%0a%3c @]%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a%3c %0a%3c Attach:ssl-cert.png%0a\ No newline at end of file%0a