commit ca950cf596d408fbc3efbcf1af55c9dd3c99cd6f from: jrmu date: Wed Apr 06 17:22:51 2022 UTC Daily Backup commit - 3735aa826de7406b32b4733a6f4beea65b6dec83 commit + ca950cf596d408fbc3efbcf1af55c9dd3c99cd6f blob - /dev/null blob + cc2c629c8f8b2256ead40c25a7ed9389a56a4119 (mode 644) --- /dev/null +++ wiki.d/Debate.Debiandanger,del-1649046638 @@ -0,0 +1,21 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=w3m/0.5.3+git20210102 +author=jrmu +charset=UTF-8 +csum= +ctime=1609037843 +host=38.87.162.154 +name=Debate.Debiandanger +rev=3 +targets= +text=(:delete:)%0a +time=1649046625 +author:1649046625=jrmu +diff:1649046625:1629737305:=1c1,4%0a%3c (:delete:)%0a---%0a> [@%0a> [03:36:18] %3cjrmu> https://itsfoss.com/goobuntu-glinux-google/%0a> [03:36:28] %3cjrmu> ``No More Ubuntu! Debian is the New Choice For Google’s In-house Linux Distribution''%0a> @]%0a\ No newline at end of file%0a +host:1649046625=38.87.162.154 +author:1629737305=mkf +diff:1629737305:1609037843:=1d0%0a%3c [@%0a4d2%0a%3c @]%0a\ No newline at end of file%0a +host:1629737305=198.251.81.133 +author:1609037843=jrmu +diff:1609037843:1609037843:=1,2d0%0a%3c [03:36:18] %3cjrmu> https://itsfoss.com/goobuntu-glinux-google/%0a%3c [03:36:28] %3cjrmu> ``No More Ubuntu! Debian is the New Choice For Google’s In-house Linux Distribution''%0a +host:1609037843=198.251.81.119 blob - /dev/null blob + 8d4b4e35bb20299ee98979fd8342e375d1704fac (mode 644) --- /dev/null +++ wiki.d/Openbsd.Censord,del-1649139411 @@ -0,0 +1,15 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:76.0) Gecko/20100101 Firefox/76.0 +author=jrmu +charset=UTF-8 +csum= +ctime=1597744024 +host=38.81.163.143 +name=Openbsd.Censord +rev=1 +targets= +text=banned words list:%0a%0aEnglish%0a%0aSwedish: Fitta, Kuk, Hora, Knulla, Slampa, Slyna, Bög, Jävel, Kuksugare, Mammaknullare, Idiot, %0a%0aChinese:%0a%0aSpanish:%0a%0aGerman:%0a%0aGreek:%0a%0aDutch:%0a%0aJapanese:%0a%0aRussian:%0a%0aArabic:%0a%0aUrdu:%0a%0aHindi:%0a%0aTamil:%0a%0aTurkish: sikerim, piç, orospu çocuğu.%0a%0ahttps://github.com/first20hours/google-10000-english +time=1597744024 +author:1597744024=jrmu +diff:1597744024:1597744024:=1,31d0%0a%3c banned words list:%0a%3c %0a%3c English%0a%3c %0a%3c Swedish: Fitta, Kuk, Hora, Knulla, Slampa, Slyna, Bög, Jävel, Kuksugare, Mammaknullare, Idiot, %0a%3c %0a%3c Chinese:%0a%3c %0a%3c Spanish:%0a%3c %0a%3c German:%0a%3c %0a%3c Greek:%0a%3c %0a%3c Dutch:%0a%3c %0a%3c Japanese:%0a%3c %0a%3c Russian:%0a%3c %0a%3c Arabic:%0a%3c %0a%3c Urdu:%0a%3c %0a%3c Hindi:%0a%3c %0a%3c Tamil:%0a%3c %0a%3c Turkish: sikerim, piç, orospu çocuğu.%0a%3c %0a%3c https://github.com/first20hours/google-10000-english%0a\ No newline at end of file%0a +host:1597744024=38.81.163.143 blob - /dev/null blob + 56cc49254739e36674a748ac6b58b3c9cdb8b4ee (mode 644) --- /dev/null +++ wiki.d/Openhttpd.CGI @@ -0,0 +1,36 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36 +author=gtlsgamr +charset=UTF-8 +csum= +ctime=1649171332 +host=103.247.6.189 +name=Openhttpd.CGI +rev=8 +targets= +text=CGI (Common Gateway Interface). It is a way to communicate between browser and server. Simple scripts used to do simple tasks.%0a%0a%0a!! Docs and References%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages to know about httpd config blocks.%0a!! Writing the script%0aWe will use C language to create the script.%0aCreate the script at your home directory @@/home/username/hello.c@@%0a%0a%0a[@%0a#include %3cstdio.h>%0a %0aint main(void)%0a{%0a puts("Status: 200 OK\r");%0a puts("Content-Type: text/html\r");%0a puts("\r");%0a puts("Hello, world!\n");%0a return 0;%0a}%0a@]%0a%0aYour script is ready, but you still need to compile it.%0a%0a[@%0a$ cd /home/username%0a$ cc hello.c -o hello.cgi%0a$ doas mv hello.cgi /var/www/htdocs/yoursite/cgi-bin/%0a@]%0a%0aMake the script executable%0a[@%0a$ doas chmod +x /var/www/htdocs/yoursite/cgi-bin/hello.cgi%0a@]%0a%0a!! Configuring httpd.conf%0aAdd the cgi block to your /etc/httpd.conf block for your website. It should look like this:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a root "/htdocs/yoursite"%0a connection max request body 104857600%0a location "/cgi-bin/*"{%0a root "/htdocs/yoursite/"%0a fastcgi%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aNow any scripts that you add in [@ /var/www/htdocs/yoursite/cgi-bin @] directory will be accessible by [@ http://example.com/cgi-bin/scriptname @]%0a%0aMake sure you edit the block accordingly if you are using [[https://wiki.ircnow.org/index.php?n=Openhttpd.Tls |TLS]].%0a%0aenable the server to run the script, we will use [[https://man.openbsd.org/slowcgi.8| Slowcgi ]].%0a%0aEnable and start slowcgi%0a[@%0a$ doas rcctl enable slowcgi%0a$ doas rcctl start slowcgi%0a@] %0a%0aEnable and start httpd if you haven't already%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0aGo to @@http://example.com/cgi-bin/hello.cgi@@ and you will see "Hello world" printed on your screen!%0a%0a +time=1649175728 +author:1649175728=gtlsgamr +diff:1649175728:1649175673:=0a1,2%0a> '''NOTE: THIS GUIDE IS A WORK IN PROGRESS. DO NOT FOLLOW IT FOR NOW'''%0a> %0a +host:1649175728=103.247.6.189 +author:1649175673=gtlsgamr +diff:1649175673:1649175649:minor=63c63%0a%3c Make sure you edit the block accordingly if you are using [[https://wiki.ircnow.org/index.php?n=Openhttpd.Tls |TLS]].%0a---%0a> Make sure you edit the block accordingly if you are using [[https://wiki.ircnow.org/index.php?n=Openhttpd.Tls | TLS]].%0a +host:1649175673=103.247.6.189 +author:1649175649=gtlsgamr +diff:1649175649:1649175542:=63c63%0a%3c Make sure you edit the block accordingly if you are using [[https://wiki.ircnow.org/index.php?n=Openhttpd.Tls | TLS]].%0a---%0a> Make sure you edit the block accordingly if you are using TLS.%0a +host:1649175649=103.247.6.189 +author:1649175542=gtlsgamr +diff:1649175542:1649171556:=10,12c10,12%0a%3c Create the script at your home directory @@/home/username/hello.c@@%0a%3c %0a%3c %0a---%0a> Create the script at @@/var/www/htdocs/yoursite/cgi-bin/hello.c@@%0a> %0a> %0a14c14%0a%3c #include %3cstdio.h>%0a---%0a> #include %3cstdio.h>%0a16,23c16,23%0a%3c int main(void)%0a%3c {%0a%3c puts("Status: 200 OK\r");%0a%3c puts("Content-Type: text/html\r");%0a%3c puts("\r");%0a%3c puts("Hello, world!\n");%0a%3c return 0;%0a%3c }%0a---%0a> int main(void)%0a> {%0a> puts("Status: 200 OK\r");%0a> puts("Content-Type: text/html\r");%0a> puts("\r");%0a> puts("Hello, world!\n");%0a> return 0;%0a> }%0a29,31c29,30%0a%3c $ cd /home/username%0a%3c $ cc hello.c -o hello.cgi%0a%3c $ doas mv hello.cgi /var/www/htdocs/yoursite/cgi-bin/%0a---%0a> $ cd /var/www/htdocs/yoursite/cgi-bin%0a> $ doas cc hello.c -o hello.cgi%0a36c35%0a%3c $ doas chmod +x /var/www/htdocs/yoursite/cgi-bin/hello.cgi%0a---%0a> $ doas chmod +x hello.cgi%0a +host:1649175542=103.247.6.189 +author:1649171556=gtlsgamr +diff:1649171556:1649171525:minor=35c35%0a%3c $ doas chmod +x hello.cgi%0a---%0a> doas chmod +x hello.cgi%0a68,69c68,69%0a%3c $ doas rcctl enable slowcgi%0a%3c $ doas rcctl start slowcgi%0a---%0a> doas rcctl enable slowcgi%0a> doas rcctl start slowcgi%0a74,75c74,75%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a---%0a> doas rcctl enable httpd%0a> doas rcctl start httpd%0a +host:1649171556=103.247.6.189 +author:1649171525=gtlsgamr +diff:1649171525:1649171492:minor=29d28%0a%3c $ cd /var/www/htdocs/yoursite/cgi-bin%0a +host:1649171525=103.247.6.189 +author:1649171492=gtlsgamr +diff:1649171492:1649171332:=14c14%0a%3c #include %3cstdio.h>%0a---%0a> #include %3cstdio.h> /* puts(3) */%0a +host:1649171492=103.247.6.189 +author:1649171332=gtlsgamr +diff:1649171332:1649171332:=1,79d0%0a%3c '''NOTE: THIS GUIDE IS A WORK IN PROGRESS. DO NOT FOLLOW IT FOR NOW'''%0a%3c %0a%3c CGI (Common Gateway Interface). It is a way to communicate between browser and server. Simple scripts used to do simple tasks.%0a%3c %0a%3c %0a%3c !! Docs and References%0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages to know about httpd config blocks.%0a%3c !! Writing the script%0a%3c We will use C language to create the script.%0a%3c Create the script at @@/var/www/htdocs/yoursite/cgi-bin/hello.c@@%0a%3c %0a%3c %0a%3c [@%0a%3c #include %3cstdio.h> /* puts(3) */%0a%3c %0a%3c int main(void)%0a%3c {%0a%3c puts("Status: 200 OK\r");%0a%3c puts("Content-Type: text/html\r");%0a%3c puts("\r");%0a%3c puts("Hello, world!\n");%0a%3c return 0;%0a%3c }%0a%3c @]%0a%3c %0a%3c Your script is ready, but you still need to compile it.%0a%3c %0a%3c [@%0a%3c $ doas cc hello.c -o hello.cgi%0a%3c @]%0a%3c %0a%3c Make the script executable%0a%3c [@%0a%3c doas chmod +x hello.cgi%0a%3c @]%0a%3c %0a%3c !! Configuring httpd.conf%0a%3c Add the cgi block to your /etc/httpd.conf block for your website. It should look like this:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c root "/htdocs/yoursite"%0a%3c connection max request body 104857600%0a%3c location "/cgi-bin/*"{%0a%3c root "/htdocs/yoursite/"%0a%3c fastcgi%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c %0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c Now any scripts that you add in [@ /var/www/htdocs/yoursite/cgi-bin @] directory will be accessible by [@ http://example.com/cgi-bin/scriptname @]%0a%3c %0a%3c Make sure you edit the block accordingly if you are using TLS.%0a%3c %0a%3c enable the server to run the script, we will use [[https://man.openbsd.org/slowcgi.8| Slowcgi ]].%0a%3c %0a%3c Enable and start slowcgi%0a%3c [@%0a%3c doas rcctl enable slowcgi%0a%3c doas rcctl start slowcgi%0a%3c @] %0a%3c %0a%3c Enable and start httpd if you haven't already%0a%3c [@%0a%3c doas rcctl enable httpd%0a%3c doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Go to @@http://example.com/cgi-bin/hello.cgi@@ and you will see "Hello world" printed on your screen!%0a%3c %0a%3c %0a\ No newline at end of file%0a +host:1649171332=103.247.6.189 blob - /dev/null blob + ffabc5caae4744bf2d75a2b9709d68b87f1a026b (mode 644) --- /dev/null +++ wiki.d/Openhttpd.Tls @@ -0,0 +1,52 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=w3m/0.5.3+git20210102 +author=jrmu +charset=UTF-8 +csum= +ctime=1649022849 +host=38.87.162.154 +name=Openhttpd.Tls +rev=13 +targets=Tls.Overview,Openhttpd.Configure,Acme-client.Configure,Rcctl.Usage,Openssl.Http,Openhttpd.Website,Crontab.Edit,Pf.Guide +text=(:title TLS for OpenHTTPd:)%0a%0aThis guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80, and you have successfully requested TLS certs using [[acme-client/configure|acme-client]].%0a%0a!! Docs and references%0a%0aConsult [[https://man.openbsd.org/httpd|httpd]], [[https://man.openbsd.org/httpd.conf|httpd.conf]], [[https://man.openbsd.org/acme-client|acme-client]], and [[https://man.openbsd.org/acme-client|acme-client.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%0a!! Configuring%0a%0aIn the previous guide, we used /etc/examples/httpd.conf as a template for /etc/httpd.conf:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aWe commented out the second block in the [[openhttpd/configure|basic OpenHTTPd guide]] because we did not yet request TLS certs yet. Now that we have certs from [[acme-client/configure|acme-client]], we uncomment the second block.%0a%0a!! TLS Block Explained%0a%0aHere is a line-by-line description of the TLS block:%0a%0a[@%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.crt"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0aLines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Again, it is necessary to replace @@example.com@@ with your actual hostname.%0a%0aLines 7-9 say that, for any request beginning with https://example.com/pub/, the web server should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder, it should be fine.%0a%0aIn a normal production server, if OpenHTTPd is already running, reloading is best to avoid downtime:%0a%0a[@%0a$ doas rcctl reload httpd%0a@]%0a%0aFor your first test however, you will want to [[rcctl/usage|stop OpenHTTPd]]:%0a%0a[@%0a$ doas rcctl stop httpd%0a@]%0a%0aThen, check that your configuration is valid:%0a%0a[@%0a$ doas httpd -n%0a@]%0a%0aOnce you are certain it has been configured properly, you can start the server:%0a%0a[@%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing%0a%0aTo test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%0a[@%0a$ openssl s_client -connect example.com:443%0a@]%0a%0a'''NOTE''': You must replace @@example.com@@ with your actual hostname.%0a%0aYou should see the correct SSL subject and issuer:%0a%0a[@%0a$ openssl s_client -connect example.org:443%0aCONNECTED(00000003)%0adepth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0averify return:1%0adepth=1 C = US, O = Let's Encrypt, CN = R3%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0adepth=0 CN = example.com%0averify return:1%0awrite W BLOCK%0a---%0aCertificate chain%0a 0 s:/CN=example.com%0a i:/C=US/O=Let's Encrypt/CN=R3%0a 1 s:/C=US/O=Let's Encrypt/CN=R3%0a i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a---%0aServer certificate%0a-----BEGIN CERTIFICATE-----%0a...%0a-----END CERTIFICATE-----%0asubject=/CN=example.com%0aissuer=/C=US/O=Let's Encrypt/CN=R3%0a---%0aNo client certificate CA names sent%0aServer Temp Key: ECDH, X25519, 253 bits%0a---%0aSSL handshake has read 3730 bytes and written 367 bytes%0a---%0aNew, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0aServer public key is 4096 bit%0aSecure Renegotiation IS NOT supported%0aCompression: NONE%0aExpansion: NONE%0aNo ALPN negotiated%0aSSL-Session:%0a Protocol : TLSv1.3%0a Cipher : AEAD-AES256-GCM-SHA384%0a Session-ID:%0a Session-ID-ctx:%0a Master-Key:%0a Start Time: 1614233943%0a Timeout : 7200 (sec)%0a Verify return code: 0 (ok)%0a---%0a@]%0a%0aYou can also visit the website using your web browser. Open your web browser to @@https://example.com@@. If you see an error such as 403 Forbidden, it may mean you have not [[openhttpd/website|set up a website]].%0a%0aLook for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%0aAttach:ssl-cert.png%0a%0a!! Automation%0a%0aLet's Encrypt TLS certs expire after 90 days. As a result, you are highly encouraged to automate the renewal of TLS certs. Otherwise, once a cert expires, your users may no longer be able to visit your site.%0a%0aWe can automate the request process using [[crontab/edit|crontab]].%0a%0a[@%0a$ doas crontab -e%0a@]%0a%0aAdd this line at the bottom:%0a%0a[@%0a~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 300 && rcctl reload httpd%0a@]%0a%0aThis cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 300 seconds, then reload openhttpd to use it.%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 443.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a +time=1649046317 +title=TLS for OpenHTTPd +author:1649046317=jrmu +diff:1649046317:1649045629:=174c174%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 300 && rcctl reload httpd%0a---%0a> ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 60 && rcctl reload httpd%0a177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 300 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 60 seconds, then reload openhttpd to use it.%0a +host:1649046317=38.87.162.154 +author:1649045629=jrmu +diff:1649045629:1649045618:=177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, wait 60 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, sleep for 60 seconds, then reload openhttpd to use it.%0a +host:1649045629=38.87.162.154 +author:1649045618=jrmu +diff:1649045618:1649045583:=177c177%0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, sleep for 60 seconds, then reload openhttpd to use it.%0a---%0a> This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a +host:1649045618=38.87.162.154 +author:1649045583=jrmu +diff:1649045583:1649045148:=174c174%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && sleep 60 && rcctl reload httpd%0a---%0a> ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a +host:1649045583=38.87.162.154 +author:1649045148=jrmu +diff:1649045148:1649043968:=160,177d159%0a%3c %0a%3c !! Automation%0a%3c %0a%3c Let's Encrypt TLS certs expire after 90 days. As a result, you are highly encouraged to automate the renewal of TLS certs. Otherwise, once a cert expires, your users may no longer be able to visit your site.%0a%3c %0a%3c We can automate the request process using [[crontab/edit|crontab]].%0a%3c %0a%3c [@%0a%3c $ doas crontab -e%0a%3c @]%0a%3c %0a%3c Add this line at the bottom:%0a%3c %0a%3c [@%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a%3c @]%0a%3c %0a%3c This cronjob will check the certificate once each day at a random time to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a +host:1649045148=38.87.162.154 +author:1649043968=jrmu +diff:1649043968:1649027060:= +host:1649043968=38.87.162.154 +author:1649027060=jrmu +diff:1649027060:1649027007:=160d159%0a%3c %0a163,164c162,163%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 443.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a> %0a175a175,176%0a> %0a> %0a +host:1649027060=38.87.162.154 +author:1649027007=jrmu +diff:1649027007:1649025532:= +host:1649027007=38.87.162.154 +author:1649025532=jrmu +diff:1649025532:1649023324:=24a25,46%0a> #server "example.com" {%0a> # listen on * tls port 443%0a> # tls {%0a> # certificate "/etc/ssl/example.com.crt"%0a> # key "/etc/ssl/private/example.com.key"%0a> # }%0a> # location "/pub/*" {%0a> # directory auto index%0a> # }%0a> # location "/.well-known/acme-challenge/*" {%0a> # root "/acme"%0a> # request strip 2%0a> # }%0a> #}%0a> @]%0a> %0a> '''NOTE''': You must replace example.com with your own domain%0a> %0a> We commented out the second block because we did not yet request TLS certs yet. Now%0a> %0a> %0a> [@%0a41,48c63,70%0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c We commented out the second block in the [[openhttpd/configure|basic OpenHTTPd guide]] because we did not yet request TLS certs yet. Now that we have certs from [[acme-client/configure|acme-client]], we uncomment the second block.%0a%3c %0a%3c !! TLS Block Explained%0a%3c %0a%3c Here is a line-by-line description of the TLS block:%0a%3c %0a---%0a> This block is similar to the previous one, with only two differences.%0a> %0a> Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a> %0a50,63c72%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a---%0a> $ doas httpd -n%0a66,71c75,76%0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Again, it is necessary to replace @@example.com@@ with your actual hostname.%0a%3c %0a%3c Lines 7-9 say that, for any request beginning with https://example.com/pub/, the web server should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder, it should be fine.%0a%3c %0a%3c In a normal production server, if OpenHTTPd is already running, reloading is best to avoid downtime:%0a%3c %0a---%0a> !! Starting the server%0a> %0a73c78,79%0a%3c $ doas rcctl reload httpd%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a76,77c82,85%0a%3c For your first test however, you will want to [[rcctl/usage|stop OpenHTTPd]]:%0a%3c %0a---%0a> !! Testing, testing%0a> %0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a> %0a79c87,89%0a%3c $ doas rcctl stop httpd%0a---%0a> $ telnet example.com 80%0a> GET /index.html HTTP/1.1%0a> Host: example.com%0a82,83c92,93%0a%3c Then, check that your configuration is valid:%0a%3c %0a---%0a> You should a response similar to the one below:%0a> %0a85c95,123%0a%3c $ doas httpd -n%0a---%0a> HTTP/1.0 302 Found%0a> Date: Tue, 23 Feb 2021 14:01:28 GMT%0a> OpenBSD httpd%0a> Connection: close%0a> Content-Type: text/html%0a> Content-Length: 486%0a> Location: https://example.com/index.html%0a> %0a> %3c!DOCTYPE html>%0a> %3chtml> %0a> %3chead>%0a> %3cmeta charset="utf-8"> %0a> %3ctitle>302 Found%3c/title>%0a> %3cstyle type="text/css">%3c!--%0a> body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a> hr { border: 0; border-bottom: 1px dashed; }%0a> @media (prefers-color-scheme: dark) {%0a> body { background-color: #1E1F21; color: #EEEFF1; }%0a> a { color: #BAD7FF; }%0a> }%0a> -->%3c/style>%0a> %3c/head>%0a> %3cbody>%0a> %3ch1>302 Found%3c/h1>%0a> %3chr>%0a> %3caddress>OpenBSD httpd%3c/address>%0a> %3c/body>%0a> %3c/html>%0a> Connection closed by foreign host.%0a88,89c126,131%0a%3c Once you are certain it has been configured properly, you can start the server:%0a%3c %0a---%0a> !!! Troubleshooting%0a> %0a> If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a> %0a> You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a91c133%0a%3c $ doas rcctl start httpd%0a---%0a> pass in quick proto tcp to port {http https}%0a94,97c136,137%0a%3c !! Testing%0a%3c %0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a99c139%0a%3c $ openssl s_client -connect example.com:443%0a---%0a> $ doas pfctl -f /etc/pf.conf%0a102,105c142,149%0a%3c '''NOTE''': You must replace @@example.com@@ with your actual hostname.%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a---%0a> !! Adding TLS%0a> %0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a> %0a> Go do that now, I'll wait...%0a> %0a> Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a106a151,173%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> @]%0a> %0a> change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a> %0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a155,158c222,223%0a%3c You can also visit the website using your web browser. Open your web browser to @@https://example.com@@. If you see an error such as 403 Forbidden, it may mean you have not [[openhttpd/website|set up a website]].%0a%3c %0a%3c Look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%3c %0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a> %0a160,176d224%0a%3c !!! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c %0a +host:1649025532=38.87.162.154 +author:1649023324=jrmu +diff:1649023324:1649023176:=3,4c3,4%0a%3c This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80, and you have successfully requested TLS certs using [[acme-client/configure|acme-client]].%0a%3c %0a---%0a> This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80.%0a> %0a11,12c11,14%0a%3c In the previous guide, we used /etc/examples/httpd.conf as a template for /etc/httpd.conf:%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain%0a> %0a> Copy the example file in [@ /etc/examples/httpd.conf @]:%0a> %0a13a16,21%0a> $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a> @]%0a> %0a> Edit [@ /etc/httpd.conf @]:%0a> %0a> [@%0a24,38d31%0a%3c %0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a41,45c34,63%0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c We commented out the second block because we did not yet request TLS certs yet. Now%0a%3c %0a%3c %0a---%0a> Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> @@listen on@@ tells the web server to listen on all IPs on port 80.%0a> %0a> The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a> This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a> %0a> '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a> %0a> The second block below should be commented out until after you have requested TLS certs.%0a> %0a> [@%0a> #server "example.com" {%0a> # listen on * tls port 443%0a> # tls {%0a> # certificate "/etc/ssl/example.com.crt"%0a> # key "/etc/ssl/private/example.com.key"%0a> # }%0a> # location "/pub/*" {%0a> # directory auto index%0a> # }%0a> # location "/.well-known/acme-challenge/*" {%0a> # root "/acme"%0a> # request strip 2%0a> # }%0a> #}%0a> @]%0a +host:1649023324=38.87.162.154 +author:1649023176=jrmu +diff:1649023176:1649023033:=1,2c1,2%0a%3c (:title TLS for OpenHTTPd:)%0a%3c %0a---%0a> (:title Basic OpenHTTPd Configuration:)%0a> %0a4a5,13%0a> !! Overview%0a> %0a> Pros:%0a> # Lean: Small, no plugins%0a> # Clean code%0a> # Secure: Strict validity checking, privilege separation, strong cryptography%0a> # Fast%0a> # Easy to configure with good manpage documentation%0a> %0a7c16%0a%3c Consult [[https://man.openbsd.org/httpd|httpd]], [[https://man.openbsd.org/httpd.conf|httpd.conf]], [[https://man.openbsd.org/acme-client|acme-client]], and [[https://man.openbsd.org/acme-client|acme-client.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a---%0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a +host:1649023176=38.87.162.154 +author:1649023033=jrmu +diff:1649023033:1649022849:=3c3%0a%3c This guide shows you how to enable [[tls/overview|TLS]] for [[https://bsd.plumbing/about.html|OpenHTTPd]]. It assumes you have already set up [[openhttpd/configure|plaintext OpenHTTPd]] listening on port 80.%0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a +host:1649023033=38.87.162.154 +author:1649022849=jrmu +diff:1649022849:1649022849:=1,253d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c !! Overview%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean code%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c !! Docs and references%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%3c %0a%3c !! Configuring%0a%3c %0a%3c '''NOTE''': You must replace example.com with your own domain%0a%3c %0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c @@listen on@@ tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a%3c %0a%3c The second block below should be commented out until after you have requested TLS certs.%0a%3c %0a%3c [@%0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a%3c @]%0a%3c %0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c This block is similar to the previous one, with only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a%3c %0a%3c !! Starting the server%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c !! Testing, testing%0a%3c %0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a%3c [@%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://example.com/index.html%0a%3c %0a%3c %3c!DOCTYPE html>%0a%3c %3chtml> %0a%3c %3chead>%0a%3c %3cmeta charset="utf-8"> %0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c Connection closed by foreign host.%0a%3c @]%0a%3c %0a%3c !!! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c !! Adding TLS%0a%3c %0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a%3c [@%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.crt"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c @]%0a%3c %0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c @]%0a%3c %0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c ---%0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE-----%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a%3c Verify return code: 0 (ok)%0a%3c ---%0a%3c @]%0a%3c %0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a%3c %0a%3c Attach:ssl-cert.png%0a +host:1649022849=38.87.162.154 blob - /dev/null blob + 451a801f3788dd832c51032a0440635d1cd39a71 (mode 644) --- /dev/null +++ wiki.d/Openhttpd.Website @@ -0,0 +1,34 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=w3m/0.5.3+git20210102 +author=jrmu +charset=UTF-8 +csum= +ctime=1649025763 +host=38.87.162.154 +name=Openhttpd.Website +rev=7 +targets=Openhttpd.Configure,Openhttpd.Tls,Chroot.Intro,Pmwiki.Install,Dokuwiki.Install,Cvs.Cvsweb,Cgit.Install,Gotweb.Install,Paster.Install,Squirrelmail.Install,Wordpress.Install +text=(:title Setting Up a Website:)%0a%0a!! Before You Begin%0a%0aThis guide assumes you have already correctly [[openhttpd/configure|configured OpenHTTPd]] and set up [[openhttpd/tls|TLS]].%0a%0a!! Finding the Document Root%0a%0aTo set up a website, put files in your document root. You'll want to check @@/etc/httpd.conf@@. Here is a sample server block:%0a%0a[@%0aserver "example.com" {%0a listen on * tls port 443%0a tls {%0a certificate "/etc/ssl/example.com.fullchain.pem"%0a key "/etc/ssl/private/example.com.key"%0a }%0a location "/pub/*" {%0a directory auto index%0a }%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a}%0a@]%0a%0aIn this example, the only document root in the configuration is for ACME verification, not for your website. Since the document root is not specified, OpenHTTPd defaults to @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a%0a!! Creating a Webpage%0a%0aCreate your own webpage by editing @@/var/www/htdocs/index.html@@.%0a%0aSave this page, then load https://example.com/index.html in your web browser to view.%0a%0a'''NOTE''': Make sure to replace @@example.com@@ with your actual hostname.%0a%0aAs practice, you can try setting up the following web sites:%0a%0a|| border=1 width=100%25 class="sortable simpletable"%0a||! Name ||! Type ||%0a|| [[pmwiki/install|pmwiki]] || wiki ||%0a|| [[Dokuwiki/install|Dokuwiki]] || wiki ||%0a|| [[Cvs.Cvsweb|CVSWeb]] || CVS Code Hosting ||%0a|| [[Cgit/Install|Cgit]] || Git code hosting ||%0a|| [[Gotweb/Install|Gotweb]] || Got code hosting ||%0a|| [[Paster.Install|Paster]] || Pastebin ||%0a|| [[Squirrelmail/Install|Squirrelmail]] || Webmail ||%0a|| [[Wordpress/Install|Wordpress]] || Blog ||%0a +time=1649026992 +title=Setting Up a Website +author:1649026992=jrmu +diff:1649026992:1649026853:=32c32%0a%3c Create your own webpage by editing @@/var/www/htdocs/index.html@@.%0a---%0a> Create your own webpage by editing @@/var/www/htdocs/index.html@@. Here is a sample page:%0a +host:1649026992=38.87.162.154 +author:1649026853=jrmu +diff:1649026853:1649026719:=40,49c40,47%0a%3c || border=1 width=100%25 class="sortable simpletable"%0a%3c ||! Name ||! Type ||%0a%3c || [[pmwiki/install|pmwiki]] || wiki ||%0a%3c || [[Dokuwiki/install|Dokuwiki]] || wiki ||%0a%3c || [[Cvs.Cvsweb|CVSWeb]] || CVS Code Hosting ||%0a%3c || [[Cgit/Install|Cgit]] || Git code hosting ||%0a%3c || [[Gotweb/Install|Gotweb]] || Got code hosting ||%0a%3c || [[Paster.Install|Paster]] || Pastebin ||%0a%3c || [[Squirrelmail/Install|Squirrelmail]] || Webmail ||%0a%3c || [[Wordpress/Install|Wordpress]] || Blog ||%0a---%0a> [[pmwiki/install|wiki]]%0a> [[Cvs.Cvsweb|CVSWeb]]%0a> [[Paster.Install|Paster]]%0a> [[Dokuwiki/install|Dokuwiki]]%0a> [[Squirrelmail/Install|Squirrelmail]]%0a> [[Wordpress/Install|Wordpress]]%0a> [[Cgit/Install|Cgit]]%0a> [[Gotweb/Install|Gotweb]]%0a +host:1649026853=38.87.162.154 +author:1649026719=jrmu +diff:1649026719:1649026407:=9,10c9,10%0a%3c To set up a website, put files in your document root. You'll want to check @@/etc/httpd.conf@@. Here is a sample server block:%0a%3c %0a---%0a> To set up a website, put files in your document root. You'll want to check @@/etc/httpd.conf@@:%0a> %0a13,16c13,16%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a---%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a18,19c18,19%0a%3c location "/pub/*" {%0a%3c directory auto index%0a---%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a21,24d20%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a25a22,36%0a> %0a> server "example.com" {%0a> listen on * tls port 443%0a> tls {%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a28c39%0a%3c In this example, the only document root in the configuration is for ACME verification, not for your website. Since the document root is not specified, OpenHTTPd defaults to @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a---%0a> In this case, the only document root in the configuration is for ACME verification, not for your website. So, since the document root is not specified, OpenHTTPd defaults to @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a +host:1649026719=38.87.162.154 +author:1649026407=jrmu +diff:1649026407:1649026324:=44,47d43%0a%3c %0a%3c Save this page, then load https://example.com/index.html in your web browser to view.%0a%3c %0a%3c '''NOTE''': Make sure to replace @@example.com@@ with your actual hostname.%0a +host:1649026407=38.87.162.154 +author:1649026324=jrmu +diff:1649026324:1649026096:=1,10c1,2%0a%3c (:title Setting Up a Website:)%0a%3c %0a%3c !! Before You Begin%0a%3c %0a%3c This guide assumes you have already correctly [[openhttpd/configure|configured OpenHTTPd]] and set up [[openhttpd/tls|TLS]].%0a%3c %0a%3c !! Finding the Document Root%0a%3c %0a%3c To set up a website, put files in your document root. You'll want to check @@/etc/httpd.conf@@:%0a%3c %0a---%0a> To set up a website, put files in your document root.%0a> %0a39,43c31%0a%3c In this case, the only document root in the configuration is for ACME verification, not for your website. So, since the document root is not specified, OpenHTTPd defaults to @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a%3c %0a%3c !! Creating a Webpage%0a%3c %0a%3c Create your own webpage by editing @@/var/www/htdocs/index.html@@. Here is a sample page:%0a---%0a> In this example, the document root is not specified, so the default is @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a +host:1649026324=38.87.162.154 +author:1649026096=jrmu +diff:1649026096:1649025763:=32,42d31%0a%3c %0a%3c As practice, you can try setting up the following web sites:%0a%3c %0a%3c [[pmwiki/install|wiki]]%0a%3c [[Cvs.Cvsweb|CVSWeb]]%0a%3c [[Paster.Install|Paster]]%0a%3c [[Dokuwiki/install|Dokuwiki]]%0a%3c [[Squirrelmail/Install|Squirrelmail]]%0a%3c [[Wordpress/Install|Wordpress]]%0a%3c [[Cgit/Install|Cgit]]%0a%3c [[Gotweb/Install|Gotweb]]%0a +host:1649026096=38.87.162.154 +author:1649025763=jrmu +diff:1649025763:1649025763:=1,31d0%0a%3c To set up a website, put files in your document root.%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c In this example, the document root is not specified, so the default is @@/htdocs@@. Since OpenHTTPd runs in a [[chroot/intro|chroot]] by default, this means your files should go in @@/var/www/htdocs/@@.%0a +host:1649025763=38.87.162.154 blob - /dev/null blob + 729ecef7efbb72764623fe8e82409d0bfba26298 (mode 644) --- /dev/null +++ wiki.d/Soju.Guide @@ -0,0 +1,15 @@ +version=pmwiki-2.2.130 ordered=1 urlencoded=1 +agent=Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.0.0 Mobile Safari/537.36 +author=Yonle +charset=UTF-8 +csum= +ctime=1648914367 +host=182.1.47.69 +name=Soju.Guide +rev=1 +targets= +text=## Soju%0a[Soju](https://soju.im) is A user-friendly IRC bouncer. Just like [ZNC](http://wiki.ircnow.org/index.php?n=Znc.Install), It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer DDoS protection to keep you online.%0a%0a## Getting started%0aStarting by compiling from source. You need `go` or `golang` installed for compiling soju, and `scdoc` for the documentation (optional).%0a%0a### Getting source code from git repository%0aClone the repository with `git clone` command.%0a%0a```%0acd ~%0agit clone --depth=1 https://git.sr.ht/~emersion/soju%0a```%0a%0a### Getting source code from release%0aWe're gonna fetch a tarball from upstream then extract them%0a%0a```%0aftp https://git.sr.ht/~emersion/soju/refs/download/v0.4.0/soju-0.4.0.tar.gz%0atar -xvzf soju-0.4.0.tar.gz%0acd soju-0.4.0%0a```%0a%0a### Compiling Soju%0aWhen you've been fetch the source code, start compiling by typing `make`. Before begin compiling, make sure that `go` or `golang` is installed in your VPS.%0a%0a```%0amake%0a```%0a%0aWhen building is done, Run `doas make install` to install soju into your system.%0a%0a## Configuration%0aSoju has a small server configuration which is easy to configure.%0a%0aSee [soju.1 - Config File](https://soju.im/doc/soju.1.html#CONFIG_FILE) for more information about configuration file.%0a%0aAfter configuring soju config file, Start by creating a bouncer user. You may specify `-admin` at the end for making the user as admin %0a%0a```%0a$ sojuctl create-user yourname -admin%0aPassword:%0a```%0a%0aIn case if you want to change password, do `sojuctl change-password yourname`.%0a%0a## Setting up & Connecting into network%0aStart the server by executing `soju -config soju.conf`. Modify `soju.conf` into your config filename to use your config. %0a%0aConnect into your bouncer with these credential:%0a%0aSASL Username: yourname%0aSASL Password: [your bouncer user password]%0aSASL Mechanism: PLAIN%0a%0aThen, Add a network into your bouncer by messaging to `BouncerServ`%0a%0a```%0a/msg BouncerServ network create -addr irc.ircnow.org:6697 -name IRCNow%0a```%0a%0aAfter executing this command, You will be connected into your network. %0a%0aOptionally, You may also set SASL plain / external (certfp) authentication. %0a %0aFor SASL Plain, You may do%0a```%0a/msg BouncerServ sasl set-plain -network NetworkName yourname password%0a```%0a %0aThen, reconnect the network by doing `/msg BouncerServ network update -network NetworkName`. %0a%0a## Client Compatibility%0aSoju require atleast IRCv3 supported client with `cap-3.2` support. See the [IRCv3 support tables](https://ircv3.net/software/clients) for a more general list of clients.%0a%0a## Also Read%0a- [soju(1)](https://soju.im/doc/soju.1.html)%0a- [soju - Getting started](https://git.sr.ht/~emersion/soju/tree/HEAD/item/doc/getting-started.md)%0a- [soju - Clients](https://git.sr.ht/~emersion/soju/tree/HEAD/item/contrib/clients.md)%0a- [catsit - process supervisor](https://git.causal.agency/catsit)%0a +time=1648914367 +author:1648914367=Yonle +diff:1648914367:1648914367:minor=1,80d0%0a%3c ## Soju%0a%3c [Soju](https://soju.im) is A user-friendly IRC bouncer. Just like [ZNC](http://wiki.ircnow.org/index.php?n=Znc.Install), It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer DDoS protection to keep you online.%0a%3c %0a%3c ## Getting started%0a%3c Starting by compiling from source. You need `go` or `golang` installed for compiling soju, and `scdoc` for the documentation (optional).%0a%3c %0a%3c ### Getting source code from git repository%0a%3c Clone the repository with `git clone` command.%0a%3c %0a%3c ```%0a%3c cd ~%0a%3c git clone --depth=1 https://git.sr.ht/~emersion/soju%0a%3c ```%0a%3c %0a%3c ### Getting source code from release%0a%3c We're gonna fetch a tarball from upstream then extract them%0a%3c %0a%3c ```%0a%3c ftp https://git.sr.ht/~emersion/soju/refs/download/v0.4.0/soju-0.4.0.tar.gz%0a%3c tar -xvzf soju-0.4.0.tar.gz%0a%3c cd soju-0.4.0%0a%3c ```%0a%3c %0a%3c ### Compiling Soju%0a%3c When you've been fetch the source code, start compiling by typing `make`. Before begin compiling, make sure that `go` or `golang` is installed in your VPS.%0a%3c %0a%3c ```%0a%3c make%0a%3c ```%0a%3c %0a%3c When building is done, Run `doas make install` to install soju into your system.%0a%3c %0a%3c ## Configuration%0a%3c Soju has a small server configuration which is easy to configure.%0a%3c %0a%3c See [soju.1 - Config File](https://soju.im/doc/soju.1.html#CONFIG_FILE) for more information about configuration file.%0a%3c %0a%3c After configuring soju config file, Start by creating a bouncer user. You may specify `-admin` at the end for making the user as admin %0a%3c %0a%3c ```%0a%3c $ sojuctl create-user yourname -admin%0a%3c Password:%0a%3c ```%0a%3c %0a%3c In case if you want to change password, do `sojuctl change-password yourname`.%0a%3c %0a%3c ## Setting up & Connecting into network%0a%3c Start the server by executing `soju -config soju.conf`. Modify `soju.conf` into your config filename to use your config. %0a%3c %0a%3c Connect into your bouncer with these credential:%0a%3c %0a%3c SASL Username: yourname%0a%3c SASL Password: [your bouncer user password]%0a%3c SASL Mechanism: PLAIN%0a%3c %0a%3c Then, Add a network into your bouncer by messaging to `BouncerServ`%0a%3c %0a%3c ```%0a%3c /msg BouncerServ network create -addr irc.ircnow.org:6697 -name IRCNow%0a%3c ```%0a%3c %0a%3c After executing this command, You will be connected into your network. %0a%3c %0a%3c Optionally, You may also set SASL plain / external (certfp) authentication. %0a%3c %0a%3c For SASL Plain, You may do%0a%3c ```%0a%3c /msg BouncerServ sasl set-plain -network NetworkName yourname password%0a%3c ```%0a%3c %0a%3c Then, reconnect the network by doing `/msg BouncerServ network update -network NetworkName`. %0a%3c %0a%3c ## Client Compatibility%0a%3c Soju require atleast IRCv3 supported client with `cap-3.2` support. See the [IRCv3 support tables](https://ircv3.net/software/clients) for a more general list of clients.%0a%3c %0a%3c ## Also Read%0a%3c - [soju(1)](https://soju.im/doc/soju.1.html)%0a%3c - [soju - Getting started](https://git.sr.ht/~emersion/soju/tree/HEAD/item/doc/getting-started.md)%0a%3c - [soju - Clients](https://git.sr.ht/~emersion/soju/tree/HEAD/item/contrib/clients.md)%0a%3c - [catsit - process supervisor](https://git.causal.agency/catsit)%0a +host:1648914367=182.1.47.69