Blame
Date:
Mon Jan 23 05:00:25 2023
UTC
Message:
Daily backup
011
2022-08-08
text=(:title Basic OpenHTTPd Configuration:)%0a%0a[[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%0a!! Overview%0a%0aPros:%0a# Lean: Small, no plugins%0a# Clean code%0a# Secure: Strict validity checking, privilege separation, strong cryptography%0a# Fast%0a# Easy to configure with good manpage documentation%0a%0a!! Docs and references%0a%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%0a!! Configuring%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aCopy the example file in [@ /etc/examples/httpd.conf @]:%0a%0a[@%0a$ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a@]%0a%0aEdit [@ /etc/httpd.conf @]:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a@]%0a%0aReplace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%0a@@listen on@@ tells the web server to listen on all IPs on port 80.%0a%0aThe first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%0aThe second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%0aThis second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%0aTo allow plaintext requests on port 80, your conf file should now look like this:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a }%0a@]%0a%0a%0a'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a%0aThe block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a%0a[@%0a#server "example.com" {%0a# listen on * tls port 443%0a# tls {%0a# certificate "/etc/ssl/example.com.crt"%0a# key "/etc/ssl/private/example.com.key"%0a# }%0a# location "/pub/*" {%0a# directory auto index%0a# }%0a# location "/.well-known/acme-challenge/*" {%0a# root "/acme"%0a# request strip 2%0a# }%0a#}%0a@]%0a%0aMake sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%0a[@%0a$ doas httpd -n%0a@]%0a%0a!! Starting the server%0a%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing%0a%0aLet's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a%0a%3c!DOCTYPE html>%0a%3chtml> %0a%3chead>%0a%3cmeta charset="utf-8"> %0a%3ctitle>302 Found%3c/title>%0a%3cstyle type="text/css">%3c!--%0abody { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0ahr { border: 0; border-bottom: 1px dashed; }%0a@media (prefers-color-scheme: dark) {%0abody { background-color: #1E1F21; color: #EEEFF1; }%0aa { color: #BAD7FF; }%0a}%0a-->%3c/style>%0a%3c/head>%0a%3cbody>%0a%3ch1>302 Found%3c/h1>%0a%3chr>%0a%3caddress>OpenBSD httpd%3c/address>%0a%3c/body>%0a%3c/html>%0aConnection closed by foreign host.%0a@]%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0a!! Adding TLS%0a%0aNext, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a
015
2022-08-08
diff:1659916268:1655191277:minor=3c3%0a%3c [[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a
018
2022-06-15
diff:1655191277:1655191244:=68c68%0a%3c The block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a---%0a> The second block below should be commented out until after you have requested TLS certs.%0a
021
2022-06-15
diff:1655191244:1649022837:=52,64d51%0a%3c %0a%3c To allow plaintext requests on port 80, your conf file should now look like this:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a
024
2022-04-06
diff:1649022837:1649021892:=55,56c55,56%0a%3c The second block below should be commented out until after you have requested TLS certs.%0a%3c %0a---%0a> !!! Server block #2%0a> %0a58,71c58,71%0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a---%0a> server "example.com" {%0a> listen on * tls port 443%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a74,75c74,83%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%3c %0a---%0a> This block is similar to before. Replace [@ example.com @].%0a> %0a> There are only two differences.%0a> %0a> Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a> %0a87,88c95,96%0a%3c !! Testing%0a%3c %0a---%0a> !! Testing, testing%0a> %0a149c157,237%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a> %0a> Go do that now, I'll wait...%0a> %0a> Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a> [@%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> @]%0a> %0a> change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a> %0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a> $ openssl s_client -connect example.org:443%0a> CONNECTED(00000003)%0a> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a> verify return:1%0a> depth=1 C = US, O = Let's Encrypt, CN = R3%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> write W BLOCK%0a> ---%0a> Certificate chain%0a> 0 s:/CN=example.com%0a> i:/C=US/O=Let's Encrypt/CN=R3%0a> 1 s:/C=US/O=Let's Encrypt/CN=R3%0a> i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a> ---%0a> Server certificate%0a> -----BEGIN CERTIFICATE-----%0a> ...%0a> -----END CERTIFICATE-----%0a> subject=/CN=example.com%0a> issuer=/C=US/O=Let's Encrypt/CN=R3%0a> ---%0a> No client certificate CA names sent%0a> Server Temp Key: ECDH, X25519, 253 bits%0a> ---%0a> SSL handshake has read 3730 bytes and written 367 bytes%0a> ---%0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a> Server public key is 4096 bit%0a> Secure Renegotiation IS NOT supported%0a> Compression: NONE%0a> Expansion: NONE%0a> No ALPN negotiated%0a> SSL-Session:%0a> Protocol : TLSv1.3%0a> Cipher : AEAD-AES256-GCM-SHA384%0a> Session-ID:%0a> Session-ID-ctx:%0a> Master-Key:%0a> Start Time: 1614233943%0a> Timeout : 7200 (sec)%0a> Verify return code: 0 (ok)%0a> ---%0a> @]%0a> %0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a> %0a> Attach:ssl-cert.png%0a
027
2022-04-06
diff:1649021892:1649021380:=47,53c47,51%0a%3c The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a---%0a> The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a> '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
030
2022-04-06
diff:1649021380:1649021123:=43,47c43,47%0a%3c Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c @@listen on@@ tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
033
2022-04-06
diff:1649021123:1649021090:minor=27a28%0a> %0a28a30,32%0a> %0a> !!! Server block #1%0a> %0a
036
2022-04-06
diff:1649021090:1640690307:=16c16%0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a---%0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a
039
2021-12-29
diff:1640690307:1640530911:=68,71d67%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a
042
2021-12-27
csum:1640530911=Remove duplicate: Location for acme-challenge already is in Server block 1
043
2021-12-27
diff:1640530911:1640446640:=67a68,71%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a
046
2021-12-26
diff:1640446640:1640446480:=84,85c84,88%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a%3c %0a---%0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a> %0a> %0a> !! Starting the server%0a> %0a87c90,91%0a%3c $ doas httpd -n%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a90,96d93%0a%3c !! Starting the server%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a98d94%0a%3c %0a
049
2021-12-26
diff:1640446480:1640360897:=85a86,90%0a> !!! Check that your configuration is valid%0a> %0a> [@%0a> $ doas httpd -n%0a> @]%0a
053
2021-12-25
diff:1640360897:1640360742:=86c86%0a%3c !!! Check that your configuration is valid%0a---%0a> !! Check that your configuration is valid%0a
057
2021-12-25
diff:1640360742:1639147446:=86,90d85%0a%3c !! Check that your configuration is valid%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a
060
2021-12-17
diff:1639147446:1626874065:=63c63%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a163c163%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a168c168%0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a---%0a> change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a
063
2021-12-17
diff:1626874065:1626787627:=233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a
069
2021-12-17
diff:1626783891:1626702588:=168,169c168,169%0a%3c change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a> %0a233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
072
2021-12-17
diff:1626702588:1626702529:=87,88c87,88%0a%3c !! Starting the server%0a%3c %0a---%0a> !!! Starting the server%0a> %0a137c137%0a%3c !!! Troubleshooting%0a---%0a> !! Troubleshooting%0a
075
2021-12-17
diff:1626702529:1626700500:=24c24%0a%3c [@%0a---%0a> %25code%25[@%0a33,44c33,42%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a---%0a> [@server "example.com" {%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a> }%0a86,88d83%0a%3c %0a%3c !!! Starting the server%0a%3c %0a94d88%0a%3c !! Testing, testing%0a155,159c149%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a
078
2021-12-17
diff:1626700500:1626700425:=0a1%0a> %0a20c21,23%0a%3c '''NOTE''': You must replace example.com with your own domain%0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a> Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a
081
2021-12-17
diff:1626700425:1626696883:=1d0%0a%3c %0a21,24c20,21%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a%3c Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain:%0a> %0a27c24%0a%3c %25code%25[@%0a---%0a> [@%0a32,36c29,34%0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c !!! Server block #1%0a%3c %0a%3c [@server "example.com" {%0a---%0a> Edit [@/etc/httpd.conf@]:%0a> %0a> !!! The first server block%0a> %0a> [@%0a> server "example.com" {%0a48,55c46,53%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on (line 2): tells the web server to listen on all IPs on port 80.%0a> %0a> location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a58,59c56,57%0a%3c !!! Server block #2%0a%3c %0a---%0a> !!! The second server block%0a> %0a77,81c75,77%0a%3c This block is similar to before. Replace [@ example.com @].%0a%3c %0a%3c There are only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a---%0a> This block is similar to before. There are only two differences.%0a> %0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a
084
2021-12-17
diff:1626696883:1626696853:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a
087
2021-12-17
diff:1626696853:1626696752:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a
090
2021-12-17
diff:1626696752:1626696585:=46,52c46,52%0a%3c server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on (line 2): tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
093
2021-12-17
diff:1626696585:1626696142:=20,21c20,21%0a%3c '''NOTE''': You must replace example.com with your own domain:%0a%3c %0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a29,30c29,30%0a%3c Edit [@/etc/httpd.conf@]:%0a%3c %0a---%0a> Edit [@ /etc/httpd.conf @]:%0a> %0a34c34%0a%3c server "example.com" {%0a---%0a> server "%3cexample.com>" {%0a
096
2021-12-17
diff:1626696142:1626695724:=31,32d30%0a%3c !!! The first server block%0a%3c %0a50,53c48,51%0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a55,56d52%0a%3c %0a%3c !!! The second server block%0a
099
2021-12-17
diff:1626695724:1626695252:=20,21d19%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a28,30c26,27%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a---%0a> Edit the contents of [@ /etc/httpd.conf @]:%0a> %0a32c29%0a%3c server "%3cexample.com>" {%0a---%0a> server "example.com" {%0a44,46c41,43%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a
102
2021-12-17
diff:1626695252:1626695067:=26c26%0a%3c Edit the contents of [@ /etc/httpd.conf @]:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
105
2021-12-17
diff:1626695067:1614236130:=5,6d4%0a%3c !! Theory%0a%3c %0a14,15d11%0a%3c !! Docs and references%0a%3c %0a20c16%0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a---%0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a
108
2021-12-17
diff:1614236130:1614235866:=44,45d43%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
111
2021-12-17
diff:1614235866:1614234303:=208,209d207%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
114
2021-12-17
diff:1614234303:1614234186:=172c172%0a%3c ---%0a---%0a> --- %0a182c182%0a%3c -----END CERTIFICATE-----%0a---%0a> -----END CERTIFICATE----- %0a184,204c184,204%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=R3 %0a> --- %0a> No client certificate CA names sent %0a> Server Temp Key: ECDH, X25519, 253 bits %0a> --- %0a> SSL handshake has read 3730 bytes and written 367 bytes %0a> --- %0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a> Server public key is 4096 bit %0a> Secure Renegotiation IS NOT supported %0a> Compression: NONE %0a> Expansion: NONE %0a> No ALPN negotiated %0a> SSL-Session: %0a> Protocol : TLSv1.3 %0a> Cipher : AEAD-AES256-GCM-SHA384 %0a> Session-ID: %0a> Session-ID-ctx: %0a> Master-Key: %0a> Start Time: 1614233943 %0a> Timeout : 7200 (sec) %0a
117
2021-12-17
diff:1614234186:1614093252:=161,182d160%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c --- %0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE----- %0a184,206c162%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3 %0a%3c --- %0a%3c No client certificate CA names sent %0a%3c Server Temp Key: ECDH, X25519, 253 bits %0a%3c --- %0a%3c SSL handshake has read 3730 bytes and written 367 bytes %0a%3c --- %0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a%3c Server public key is 4096 bit %0a%3c Secure Renegotiation IS NOT supported %0a%3c Compression: NONE %0a%3c Expansion: NONE %0a%3c No ALPN negotiated %0a%3c SSL-Session: %0a%3c Protocol : TLSv1.3 %0a%3c Cipher : AEAD-AES256-GCM-SHA384 %0a%3c Session-ID: %0a%3c Session-ID-ctx: %0a%3c Master-Key: %0a%3c Start Time: 1614233943 %0a%3c Timeout : 7200 (sec) %0a%3c Verify return code: 0 (ok)%0a%3c ---%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a
120
2021-12-17
diff:1614093252:1614092486:=165c165%0a%3c Attach:ssl-cert.png%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a
123
2021-12-17
diff:1614092486:1614092283:=135,136c135,136%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a> %0a138,141c138%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a---%0a> $ doas rcctl restart httpd%0a144,147c141,142%0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a---%0a> To test if your web server is working and has a correct SSL cert, run:%0a> %0a149c144%0a%3c $ doas rcctl restart httpd%0a---%0a> $ openssl s_client -connect example.com:443%0a152,157d146%0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a160c149%0a%3c [@%0a---%0a> %3ccode>%0a163c152%0a%3c @]%0a---%0a> %3c/code>%0a
126
2021-12-17
diff:1614092283:1614091285:=135,137c135,137%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a%3c %0a%3c [@%0a---%0a> Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a> %0a> %3ccode>%0a139,140c139,140%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a143c143%0a%3c [@%0a---%0a> %3ccode>%0a145c145%0a%3c @]%0a---%0a> %3c/code>%0a
129
2021-12-17
diff:1614091285:1614090263:=119,120c119,120%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a> %0a132,133d131%0a%3c %0a%3c !! Adding TLS%0a
132
2021-12-17
diff:1614090263:1614090067:=117,132d116%0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a152a137,150%0a> %0a> !! Troubleshooting%0a> %0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a> [@%0a> pass in proto tcp to port {http https}%0a> @]%0a> %0a> Then, reload the pf rulesets:%0a> %0a> [@%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a\ No newline at end of file%0a
135
2021-12-17
diff:1614090067:1614089124:=92c92%0a%3c Location: https://example.com/index.html%0a---%0a> Location: https://ircnow.org/index.html%0a
138
2021-12-17
diff:1614089124:1614077762:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a> %0a78,80c78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a86,93d83%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://ircnow.org/index.html%0a%3c %0a95c85%0a%3c %3chtml> %0a---%0a> %3chtml>%0a97c87%0a%3c %3cmeta charset="utf-8"> %0a---%0a> %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a100c90,91%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a---%0a> body { background-color: white; color: black; font-family: 'Comic Sans%0a> MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a102,105c93%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a---%0a> %0a114d101%0a%3c Connection closed by foreign host.%0a
144
2021-12-17
diff:1614077710:1614077287:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a%3c %0a---%0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a78c78%0a%3c $%0a---%0a> pass in proto tcp to port {http https}%0a81,82c81,82%0a%3c You should a response similar to the one below:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a83a84,96%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a> %0a> At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a> %0a> [@%0a> $ doas pkg_add curl%0a> $ curl example.com%0a> @]%0a> %0a> You should a response similar to the one below:%0a> %0a> [@%0a104,105c117,118%0a%3c Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a%3c %0a---%0a> Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a> %0a123,137c136%0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a\ No newline at end of file%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
147
2021-12-17
diff:1614077287:1614076897:=22,23c22,23%0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Let's break down the contents of /etc/httpd.conf:%0a> %0a66,68c66,73%0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a---%0a> Lines 7-9 indicate that%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> %0a> You must replace example.com everywhere with your domain name.%0a> %0a> Simply enable and start the web server:%0a
150
2021-12-17
diff:1614076897:1614076621:=43,44c43,44%0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a> %0a62,69c62,64%0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 indicate that%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a---%0a> This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
153
2021-12-17
diff:1614076621:1614076414:=37,38c37,38%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a> %0a41,43c41,43%0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a---%0a> The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a
156
2021-12-17
diff:1614076414:1614076135:=37,45c37,42%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a%3c %0a%3c [@%0a---%0a> The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a> %0a> The second line tells the web server to listen on all IPs on port 80.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a61,64d57%0a%3c %0a%3c This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a%3c %0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
159
2021-12-17
diff:1614076135:1614075220:=41c41%0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> The third line says that for %0a
162
2021-12-17
diff:1614075220:1614073808:=22,23c22,23%0a%3c Let's break down the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Here is what /etc/httpd.conf contains:%0a> %0a35,41d34%0a%3c @]%0a%3c %0a%3c The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a%3c %0a%3c The second line tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The third line says that for %0a
165
2021-12-17
diff:1614073808:1614073724:=10,12c10%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a---%0a> # Easy to configure with good documentation%0a
168
2021-12-17
diff:1614073724:1614073670:=3,4c3,4%0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a7c7%0a%3c # Clean code%0a---%0a> # Clean: The code is beautiful%0a
171
2021-12-17
diff:1614073670:1614073261:=2,12d1%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean: The code is beautiful%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good documentation%0a%3c %0a%3c !! Configuring%0a
174
2021-12-17
diff:1614073261:1614073261:=1,109d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Here is what /etc/httpd.conf contains:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c You must replace example.com everywhere with your domain name.%0a%3c %0a%3c Simply enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add curl%0a%3c $ curl example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c %3c!DOCTYPE html>%0a%3c %3chtml>%0a%3c %3chead>%0a%3c %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans%0a%3c MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c %0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c @]%0a%3c %0a%3c Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl restart httpd%0a%3c %3c/code>%0a%3c %0a%3c To test if your web server is working and has a correct SSL cert, run:%0a%3c %0a%3c %3ccode>%0a%3c $ openssl s_client -connect example.com:443%0a%3c %3c/code>%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c %3ccode>%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a%3c %3c/code>%0a%3c %0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a