version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1649022849 host=38.87.162.154 name=Openhttpd.Tls rev=13 targets=Tls.Overview,Openhttpd.Configure,Acme-client.Configure,Rcctl.Usage,Openssl.Http,Openhttpd.Website,Crontab.Edit,Pf.Guide text=(:title TLS for OpenHTTPd:)%0a%0aThis guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80, and you have successfully requested TLS certs using [[acme-client/configure|acme-client]].%0a%0a!! Docs and references%0a%0aConsult [[https://man.openbsd.org/httpd|httpd]], [[https://man.openbsd.org/httpd.conf|httpd.conf]], [[https://man.openbsd.org/acme-client|acme-client]], and [[https://man.openbsd.org/acme-client|acme-client.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%0a!! Configuring%0a%0aIn the previous guide, we used /etc/examples/httpd.conf as a template for /etc/httpd.conf:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aWe commented out the second block in the [[openhttpd/configure|basic OpenHTTPd guide]] because we did not yet request TLS certs yet. Now that we have certs from [[acme-client/configure|acme-client]], we uncomment the second block.%0a%0a!! TLS Block Explained%0a%0aHere is a line-by-line description of the TLS block:%0a%0a[@%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0aLines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Again, it is necessary to replace @@example.com@@ with your actual hostname.%0a%0aLines 7-9 say that, for any request beginning with https://example.com/pub/, the web server should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder, it should be fine.%0a%0aIn a normal production server, if OpenHTTPd is already running, reloading is best to avoid downtime:%0a%0a[@%0a$ doas rcctl reload httpd%0a@]%0a%0aFor your first test however, you will want to [[rcctl/usage|stop OpenHTTPd]]:%0a%0a[@%0a$ doas rcctl stop httpd%0a@]%0a%0aThen, check that your configuration is valid:%0a%0a[@%0a$ doas httpd -n%0a@]%0a%0aOnce you are certain it has been configured properly, you can start the server:%0a%0a[@%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing%0a%0aTo test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%0a[@%0a$ openssl s_client -connect example.com:443%0a@]%0a%0a'''NOTE''': You must replace @@example.com@@ with your actual hostname.%0a%0aYou should see the correct SSL subject and issuer:%0a%0a[@%0a$ openssl s_client -connect example.org:443%0aCONNECTED(00000003)%0adepth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0averify return:1%0adepth=1 C = US, O = Let's Encrypt, CN = R3%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0awrite W BLOCK%0a---%0aCertificate chain%0a 0 s:/CN=example.com%0a i:/C=US/O=Let's Encrypt/CN=R3%0a 1 s:/C=US/O=Let's Encrypt/CN=R3%0a i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a---%0aServer certificate%0a-----BEGIN CERTIFICATE-----%0a...%0a-----END CERTIFICATE-----%0asubject=/CN=example.com%0aissuer=/C=US/O=Let's Encrypt/CN=R3%0a---%0aNo client certificate CA names sent%0aServer Temp Key: ECDH, X25519, 253 bits%0a---%0aSSL handshake has read 3730 bytes and written 367 bytes%0a---%0aNew, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0aServer public key is 4096 bit%0aSecure Renegotiation IS NOT supported%0aCompression: NONE%0aExpansion: NONE%0aNo ALPN negotiated%0aSSL-Session:%0a Protocol : TLSv1.3%0a Cipher : AEAD-AES256-GCM-SHA384%0a Session-ID:%0a Session-ID-ctx:%0a Master-Key:%0a Start Time: 1614233943%0a Timeout : 7200 (sec)%0a Verify return code: 0 (ok)%0a---%0a@]%0a%0aYou can also visit the website using your web browser. Open your web browser to @@https://example.com@@. If you see an error such as 403 Forbidden, it may mean you have not [[openhttpd/website|set up a website]].%0a%0aLook for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%0aAttach:ssl-cert.png%0a%0a!! Automation%0a%0aLet's Encrypt TLS certs expire after 90 days. As a result, you are highly encouraged to automate the renewal of TLS certs. Otherwise, once a cert expires, your users may no longer be able to visit your site.%0a%0aWe can automate the request process using [[crontab/edit|crontab]].%0a%0a[@%0a$ doas crontab -e%0a@]%0a%0aAdd this line at the bottom:%0a%0a[@%0a~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 300 && rcctl reload httpd%0a@]%0a%0aThis cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 300 seconds, then reload openhttpd to use it.%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 443.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a time=1649046317 title=TLS for OpenHTTPd author:1649046317=jrmu diff:1649046317:1649045629:=174c174%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 300 && rcctl reload httpd%0a---%0a> ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 60 && rcctl reload httpd%0a177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 300 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 60 seconds, then reload openhttpd to use it.%0a host:1649046317=38.87.162.154 author:1649045629=jrmu diff:1649045629:1649045618:=177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 60 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, sleep for 60 seconds, then reload openhttpd to use it.%0a host:1649045629=38.87.162.154 author:1649045618=jrmu diff:1649045618:1649045583:=177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, sleep for 60 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a host:1649045618=38.87.162.154 author:1649045583=jrmu diff:1649045583:1649045148:=174c174%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 60 && rcctl reload httpd%0a---%0a> ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a host:1649045583=38.87.162.154 author:1649045148=jrmu diff:1649045148:1649043968:=160,177d159%0a%3c %0a%3c !! Automation%0a%3c %0a%3c Let's Encrypt TLS certs expire after 90 days. As a result, you are highly encouraged to automate the renewal of TLS certs. Otherwise, once a cert expires, your users may no longer be able to visit your site.%0a%3c %0a%3c We can automate the request process using [[crontab/edit|crontab]].%0a%3c %0a%3c [@%0a%3c $ doas crontab -e%0a%3c @]%0a%3c %0a%3c Add this line at the bottom:%0a%3c %0a%3c [@%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a%3c @]%0a%3c %0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a host:1649045148=38.87.162.154 author:1649043968=jrmu diff:1649043968:1649027060:= host:1649043968=38.87.162.154 author:1649027060=jrmu diff:1649027060:1649027007:=160d159%0a%3c %0a163,164c162,163%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 443.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a> %0a175a175,176%0a> %0a> %0a host:1649027060=38.87.162.154 author:1649027007=jrmu diff:1649027007:1649025532:= host:1649027007=38.87.162.154 author:1649025532=jrmu diff:1649025532:1649023324:=24a25,46%0a> #server "example.com" {%0a> # listen on * tls port 443%0a> # tls {%0a> # certificate "/etc/ssl/example.com.crt"%0a> # key "/etc/ssl/private/example.com.key"%0a> # }%0a> # location "/pub/*" {%0a> # directory auto index%0a> # }%0a> # location "/.well-known/acme-challenge/*" {%0a> # root "/acme"%0a> # request strip 2%0a> # }%0a> #}%0a> @]%0a> %0a> '''NOTE''': You must replace example.com with your own domain%0a> %0a> We commented out the second block because we did not yet request TLS certs yet. Now%0a> %0a> %0a> [@%0a41,48c63,70%0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c We commented out the second block in the [[openhttpd/configure|basic OpenHTTPd guide]] because we did not yet request TLS certs yet. Now that we have certs from [[acme-client/configure|acme-client]], we uncomment the second block.%0a%3c %0a%3c !! TLS Block Explained%0a%3c %0a%3c Here is a line-by-line description of the TLS block:%0a%3c %0a---%0a> This block is similar to the previous one, with only two differences.%0a> %0a> Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a> %0a50,63c72%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a---%0a> $ doas httpd -n%0a66,71c75,76%0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Again, it is necessary to replace @@example.com@@ with your actual hostname.%0a%3c %0a%3c Lines 7-9 say that, for any request beginning with https://example.com/pub/, the web server should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder, it should be fine.%0a%3c %0a%3c In a normal production server, if OpenHTTPd is already running, reloading is best to avoid downtime:%0a%3c %0a---%0a> !! Starting the server%0a> %0a73c78,79%0a%3c $ doas rcctl reload httpd%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a76,77c82,85%0a%3c For your first test however, you will want to [[rcctl/usage|stop OpenHTTPd]]:%0a%3c %0a---%0a> !! Testing, testing%0a> %0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a> %0a79c87,89%0a%3c $ doas rcctl stop httpd%0a---%0a> $ telnet example.com 80%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a82,83c92,93%0a%3c Then, check that your configuration is valid:%0a%3c %0a---%0a> You should a response similar to the one below:%0a> %0a85c95,123%0a%3c $ doas httpd -n%0a---%0a> HTTP/1.0 302 Found%0a> Date: Tue, 23 Feb 2021 14:01:28 GMT%0a> OpenBSD httpd%0a> Connection: close%0a> Content-Type: text/html%0a> Content-Length: 486%0a> Location: https://example.com/index.html%0a> %0a> %3c!DOCTYPE html>%0a> %3chtml> %0a> %3chead>%0a> %3cmeta charset="utf-8"> %0a> %3ctitle>302 Found%3c/title>%0a> %3cstyle type="text/css">%3c!--%0a> body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a> hr { border: 0; border-bottom: 1px dashed; }%0a> @media (prefers-color-scheme: dark) {%0a> body { background-color: #1E1F21; color: #EEEFF1; }%0a> a { color: #BAD7FF; }%0a> }%0a> -->%3c/style>%0a> %3c/head>%0a> %3cbody>%0a> %3ch1>302 Found%3c/h1>%0a> %3chr>%0a> %3caddress>OpenBSD httpd%3c/address>%0a> %3c/body>%0a> %3c/html>%0a> Connection closed by foreign host.%0a88,89c126,131%0a%3c Once you are certain it has been configured properly, you can start the server:%0a%3c %0a---%0a> !!! Troubleshooting%0a> %0a> If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a> %0a> You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a91c133%0a%3c $ doas rcctl start httpd%0a---%0a> pass in quick proto tcp to port {http https}%0a94,97c136,137%0a%3c !! Testing%0a%3c %0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a99c139%0a%3c $ openssl s_client -connect example.com:443%0a---%0a> $ doas pfctl -f /etc/pf.conf%0a102,105c142,149%0a%3c '''NOTE''': You must replace @@example.com@@ with your actual hostname.%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a---%0a> !! Adding TLS%0a> %0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a> %0a> Go do that now, I'll wait...%0a> %0a> Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a106a151,173%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> @]%0a> %0a> change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a> %0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a155,158c222,223%0a%3c You can also visit the website using your web browser. Open your web browser to @@https://example.com@@. If you see an error such as 403 Forbidden, it may mean you have not [[openhttpd/website|set up a website]].%0a%3c %0a%3c Look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%3c %0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a> %0a160,176d224%0a%3c !!! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c %0a host:1649025532=38.87.162.154 author:1649023324=jrmu diff:1649023324:1649023176:=3,4c3,4%0a%3c This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80, and you have successfully requested TLS certs using [[acme-client/configure|acme-client]].%0a%3c %0a---%0a> This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80.%0a> %0a11,12c11,14%0a%3c In the previous guide, we used /etc/examples/httpd.conf as a template for /etc/httpd.conf:%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain%0a> %0a> Copy the example file in [@ /etc/examples/httpd.conf @]:%0a> %0a13a16,21%0a> $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a> @]%0a> %0a> Edit [@ /etc/httpd.conf @]:%0a> %0a> [@%0a24,38d31%0a%3c %0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a41,45c34,63%0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c We commented out the second block because we did not yet request TLS certs yet. Now%0a%3c %0a%3c %0a---%0a> Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> @@listen on@@ tells the web server to listen on all IPs on port 80.%0a> %0a> The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a> This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a> %0a> '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a> %0a> The second block below should be commented out until after you have requested TLS certs.%0a> %0a> [@%0a> #server "example.com" {%0a> # listen on * tls port 443%0a> # tls {%0a> # certificate "/etc/ssl/example.com.crt"%0a> # key "/etc/ssl/private/example.com.key"%0a> # }%0a> # location "/pub/*" {%0a> # directory auto index%0a> # }%0a> # location "/.well-known/acme-challenge/*" {%0a> # root "/acme"%0a> # request strip 2%0a> # }%0a> #}%0a> @]%0a host:1649023324=38.87.162.154 author:1649023176=jrmu diff:1649023176:1649023033:=1,2c1,2%0a%3c (:title TLS for OpenHTTPd:)%0a%3c %0a---%0a> (:title Basic OpenHTTPd Configuration:)%0a> %0a4a5,13%0a> !! Overview%0a> %0a> Pros:%0a> # Lean: Small, no plugins%0a> # Clean code%0a> # Secure: Strict validity checking, privilege separation, strong cryptography%0a> # Fast%0a> # Easy to configure with good manpage documentation%0a> %0a7c16%0a%3c Consult [[https://man.openbsd.org/httpd|httpd]], [[https://man.openbsd.org/httpd.conf|httpd.conf]], [[https://man.openbsd.org/acme-client|acme-client]], and [[https://man.openbsd.org/acme-client|acme-client.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a---%0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a host:1649023176=38.87.162.154 author:1649023033=jrmu diff:1649023033:1649022849:=3c3%0a%3c This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80.%0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a host:1649023033=38.87.162.154 author:1649022849=jrmu diff:1649022849:1649022849:=1,253d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c !! Overview%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean code%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c !! Docs and references%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%3c %0a%3c !! Configuring%0a%3c %0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c @@listen on@@ tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a%3c %0a%3c The second block below should be commented out until after you have requested TLS certs.%0a%3c %0a%3c [@%0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a%3c @]%0a%3c %0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c This block is similar to the previous one, with only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a%3c %0a%3c !! Starting the server%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c !! Testing, testing%0a%3c %0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a%3c [@%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://example.com/index.html%0a%3c %0a%3c %3c!DOCTYPE html>%0a%3c %3chtml> %0a%3c %3chead>%0a%3c %3cmeta charset="utf-8"> %0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c Connection closed by foreign host.%0a%3c @]%0a%3c %0a%3c !!! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c !! Adding TLS%0a%3c %0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a%3c [@%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c @]%0a%3c %0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c @]%0a%3c %0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c ---%0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE-----%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a%3c Verify return code: 0 (ok)%0a%3c ---%0a%3c @]%0a%3c %0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%3c %0a%3c Attach:ssl-cert.png%0a host:1649022849=38.87.162.154