1 aa513bf8 2023-01-22 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 aa513bf8 2023-01-22 jrmu agent=Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
3 aa513bf8 2023-01-22 jrmu author=tiramisu
4 aa513bf8 2023-01-22 jrmu charset=UTF-8
5 aa513bf8 2023-01-22 jrmu csum=
6 aa513bf8 2023-01-22 jrmu ctime=1614073261
7 aa513bf8 2023-01-22 jrmu host=2607:fb90:bdaa:a8fb:b247:8aa7:de83:2fe5
8 aa513bf8 2023-01-22 jrmu name=Openhttpd.Configure
9 aa513bf8 2023-01-22 jrmu rev=53
10 aa513bf8 2023-01-22 jrmu targets=Acme-client.Configure,Telnet.Http,Pf.Guide,Openhttpd.Tls
11 aa513bf8 2023-01-22 jrmu text=(:title Basic OpenHTTPd Configuration:)%0a%0a[[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%0a!! Overview%0a%0aPros:%0a# Lean: Small, no plugins%0a# Clean code%0a# Secure: Strict validity checking, privilege separation, strong cryptography%0a# Fast%0a# Easy to configure with good manpage documentation%0a%0a!! Docs and references%0a%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%0a!! Configuring%0a%0a'''NOTE''': You must replace example.com with your own domain.%0a%0aCopy the example file [@ /etc/examples/httpd.conf @]:%0a%0a[@%0a$ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a@]%0a%0aEdit [@ /etc/httpd.conf @]:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a@]%0a%0aReplace @@example.com@@ with your actual hostname. On other web servers, this might be known as the '''virtual host'''.%0a%0a@@listen on@@ tells the web server to listen on all IPs on port 80.%0a%0aThe first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%0aThe second @@location@@ block in lines 7-9 tells the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%0aThis second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing it.%0a%0aTo allow plaintext requests on port 80, your conf file should now look like this:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a }%0a@]%0a%0a'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a%0aThe block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a%0a[@%0a#server "example.com" {%0a# listen on * tls port 443%0a# tls {%0a# certificate "/etc/ssl/example.com.crt"%0a# key "/etc/ssl/private/example.com.key"%0a# }%0a# location "/pub/*" {%0a# directory auto index%0a# }%0a# location "/.well-known/acme-challenge/*" {%0a# root "/acme"%0a# request strip 2%0a# }%0a#}%0a@]%0a%0aMake sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%0a[@%0a$ doas httpd -n%0a@]%0a%0a!! Starting the server%0a%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing%0a%0aLet's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a%0a@]%0a%0aYou should see a response similar to the one below. If you removed the second @@location@@ block as recommended above, the status line will not be 302 Found; what matters for this test is that httpd answers at all:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a%0a%3c!DOCTYPE html>%0a%3chtml> %0a%3chead>%0a%3cmeta charset="utf-8"> %0a%3ctitle>302 Found%3c/title>%0a%3cstyle type="text/css">%3c!--%0abody { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0ahr { border: 0; border-bottom: 1px dashed; }%0a@media (prefers-color-scheme: dark) {%0abody { background-color: #1E1F21; color: #EEEFF1; }%0aa { color: #BAD7FF; }%0a}%0a-->%3c/style>%0a%3c/head>%0a%3cbody>%0a%3ch1>302 Found%3c/h1>%0a%3chr>%0a%3caddress>OpenBSD httpd%3c/address>%0a%3c/body>%0a%3c/html>%0aConnection closed by foreign host.%0a@]%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0a!! Adding TLS%0a%0aNext, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a
12 aa513bf8 2023-01-22 jrmu time=1659916268
13 aa513bf8 2023-01-22 jrmu title=Basic OpenHTTPd Configuration
14 aa513bf8 2023-01-22 jrmu author:1659916268=tiramisu
15 aa513bf8 2023-01-22 jrmu diff:1659916268:1655191277:minor=3c3%0a%3c [[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a
16 aa513bf8 2023-01-22 jrmu host:1659916268=2607:fb90:bdaa:a8fb:b247:8aa7:de83:2fe5
17 aa513bf8 2023-01-22 jrmu author:1655191277=jrmu
18 aa513bf8 2023-01-22 jrmu diff:1655191277:1655191244:=68c68%0a%3c The block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a---%0a> The second block below should be commented out until after you have requested TLS certs.%0a
19 aa513bf8 2023-01-22 jrmu host:1655191277=38.87.162.154
20 aa513bf8 2023-01-22 jrmu author:1655191244=jrmu
21 aa513bf8 2023-01-22 jrmu diff:1655191244:1649022837:=52,64d51%0a%3c %0a%3c To allow plaintext requests on port 80, your conf file should now look like this:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a
22 aa513bf8 2023-01-22 jrmu host:1655191244=38.87.162.154
23 aa513bf8 2023-01-22 jrmu author:1649022837=jrmu
24 aa513bf8 2023-01-22 jrmu diff:1649022837:1649021892:=55,56c55,56%0a%3c The second block below should be commented out until after you have requested TLS certs.%0a%3c %0a---%0a> !!! Server block #2%0a> %0a58,71c58,71%0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a---%0a> server "example.com" {%0a> listen on * tls port 443%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a74,75c74,83%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%3c %0a---%0a> This block is similar to before. Replace [@ example.com @].%0a> %0a> There are only two differences.%0a> %0a> Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a> %0a87,88c95,96%0a%3c !! Testing%0a%3c %0a---%0a> !! Testing, testing%0a> %0a149c157,237%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a> %0a> Go do that now, I'll wait...%0a> %0a> Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a> [@%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> @]%0a> %0a> change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a> %0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a> $ openssl s_client -connect example.org:443%0a> CONNECTED(00000003)%0a> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a> verify return:1%0a> depth=1 C = US, O = Let's Encrypt, CN = R3%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> write W BLOCK%0a> ---%0a> Certificate chain%0a> 0 s:/CN=example.com%0a> i:/C=US/O=Let's Encrypt/CN=R3%0a> 1 s:/C=US/O=Let's Encrypt/CN=R3%0a> i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a> ---%0a> Server certificate%0a> -----BEGIN CERTIFICATE-----%0a> ...%0a> -----END CERTIFICATE-----%0a> subject=/CN=example.com%0a> issuer=/C=US/O=Let's Encrypt/CN=R3%0a> ---%0a> No client certificate CA names sent%0a> Server Temp Key: ECDH, X25519, 253 bits%0a> ---%0a> SSL handshake has read 3730 bytes and written 367 bytes%0a> ---%0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a> Server public key is 4096 bit%0a> Secure Renegotiation IS NOT supported%0a> Compression: NONE%0a> Expansion: NONE%0a> No ALPN negotiated%0a> SSL-Session:%0a> Protocol : TLSv1.3%0a> Cipher : AEAD-AES256-GCM-SHA384%0a> Session-ID:%0a> Session-ID-ctx:%0a> Master-Key:%0a> Start Time: 1614233943%0a> Timeout : 7200 (sec)%0a> Verify return code: 0 (ok)%0a> ---%0a> @]%0a> %0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a> %0a> Attach:ssl-cert.png%0a
25 aa513bf8 2023-01-22 jrmu host:1649022837=38.87.162.154
26 aa513bf8 2023-01-22 jrmu author:1649021892=jrmu
27 aa513bf8 2023-01-22 jrmu diff:1649021892:1649021380:=47,53c47,51%0a%3c The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a---%0a> The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a> '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
28 aa513bf8 2023-01-22 jrmu host:1649021892=38.87.162.154
29 aa513bf8 2023-01-22 jrmu author:1649021380=jrmu
30 aa513bf8 2023-01-22 jrmu diff:1649021380:1649021123:=43,47c43,47%0a%3c Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c @@listen on@@ tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
31 aa513bf8 2023-01-22 jrmu host:1649021380=38.87.162.154
32 aa513bf8 2023-01-22 jrmu author:1649021123=jrmu
33 aa513bf8 2023-01-22 jrmu diff:1649021123:1649021090:minor=27a28%0a> %0a28a30,32%0a> %0a> !!! Server block #1%0a> %0a
34 aa513bf8 2023-01-22 jrmu host:1649021123=38.87.162.154
35 aa513bf8 2023-01-22 jrmu author:1649021090=jrmu
36 aa513bf8 2023-01-22 jrmu diff:1649021090:1640690307:=16c16%0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a---%0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a
37 aa513bf8 2023-01-22 jrmu host:1649021090=38.87.162.154
38 aa513bf8 2023-01-22 jrmu author:1640690307=Naglfar
39 aa513bf8 2023-01-22 jrmu diff:1640690307:1640530911:=68,71d67%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a
40 aa513bf8 2023-01-22 jrmu host:1640690307=92.191.225.58
41 aa513bf8 2023-01-22 jrmu author:1640530911=Naglfar
42 aa513bf8 2023-01-22 jrmu csum:1640530911=Remove duplicate: Location for acme-challenge already is in Server block 1
43 aa513bf8 2023-01-22 jrmu diff:1640530911:1640446640:=67a68,71%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a
44 aa513bf8 2023-01-22 jrmu host:1640530911=92.191.225.58
45 aa513bf8 2023-01-22 jrmu author:1640446640=jrmu
46 aa513bf8 2023-01-22 jrmu diff:1640446640:1640446480:=84,85c84,88%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a%3c %0a---%0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a> %0a> %0a> !! Starting the server%0a> %0a87c90,91%0a%3c $ doas httpd -n%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a90,96d93%0a%3c !! Starting the server%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a98d94%0a%3c %0a
47 aa513bf8 2023-01-22 jrmu host:1640446640=38.87.162.8
48 aa513bf8 2023-01-22 jrmu author:1640446480=jrmu
49 aa513bf8 2023-01-22 jrmu diff:1640446480:1640360897:=85a86,90%0a> !!! Check that your configuration is valid%0a> %0a> [@%0a> $ doas httpd -n%0a> @]%0a
50 aa513bf8 2023-01-22 jrmu host:1640446480=38.87.162.8
51 aa513bf8 2023-01-22 jrmu author:1640360897=Naglfar
52 aa513bf8 2023-01-22 jrmu csum:1640360897=Move Check to: Configuring
53 aa513bf8 2023-01-22 jrmu diff:1640360897:1640360742:=86c86%0a%3c !!! Check that your configuration is valid%0a---%0a> !! Check that your configuration is valid%0a
54 aa513bf8 2023-01-22 jrmu host:1640360897=92.191.225.58
55 aa513bf8 2023-01-22 jrmu author:1640360742=Naglfar
56 aa513bf8 2023-01-22 jrmu csum:1640360742=Add: Check that the configuration is valid
57 aa513bf8 2023-01-22 jrmu diff:1640360742:1639147446:=86,90d85%0a%3c !! Check that your configuration is valid%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a
58 aa513bf8 2023-01-22 jrmu host:1640360742=92.191.225.58
59 aa513bf8 2023-01-22 jrmu author:1639147446=jrmu
60 aa513bf8 2023-01-22 jrmu diff:1639147446:1626874065:=63c63%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a163c163%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a168c168%0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a---%0a> change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a
61 aa513bf8 2023-01-22 jrmu host:1639147446=38.87.162.8
62 aa513bf8 2023-01-22 jrmu author:1626874065=mistera
63 aa513bf8 2023-01-22 jrmu diff:1626874065:1626787627:=233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a
64 aa513bf8 2023-01-22 jrmu host:1626874065=204.111.39.57
65 aa513bf8 2023-01-22 jrmu author:1626787627=mistera
66 aa513bf8 2023-01-22 jrmu diff:1626787627:1626783891:=5c5%0a%3c !! Overview%0a---%0a> !! Theory%0a
67 aa513bf8 2023-01-22 jrmu host:1626787627=204.111.39.57
68 aa513bf8 2023-01-22 jrmu author:1626783891=mistera
69 aa513bf8 2023-01-22 jrmu diff:1626783891:1626702588:=168,169c168,169%0a%3c change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a> %0a233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
70 aa513bf8 2023-01-22 jrmu host:1626783891=204.111.39.57
71 aa513bf8 2023-01-22 jrmu author:1626702588=mistera
72 aa513bf8 2023-01-22 jrmu diff:1626702588:1626702529:=87,88c87,88%0a%3c !! Starting the server%0a%3c %0a---%0a> !!! Starting the server%0a> %0a137c137%0a%3c !!! Troubleshooting%0a---%0a> !! Troubleshooting%0a
73 aa513bf8 2023-01-22 jrmu host:1626702588=204.111.39.57
74 aa513bf8 2023-01-22 jrmu author:1626702529=mistera
75 aa513bf8 2023-01-22 jrmu diff:1626702529:1626700500:=24c24%0a%3c [@%0a---%0a> %25code%25[@%0a33,44c33,42%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a---%0a> [@server "example.com" {%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a> }%0a86,88d83%0a%3c %0a%3c !!! Starting the server%0a%3c %0a94d88%0a%3c !! Testing, testing%0a155,159c149%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a
76 aa513bf8 2023-01-22 jrmu host:1626702529=204.111.39.57
77 aa513bf8 2023-01-22 jrmu author:1626700500=mistera
78 aa513bf8 2023-01-22 jrmu diff:1626700500:1626700425:=0a1%0a> %0a20c21,23%0a%3c '''NOTE''': You must replace example.com with your own domain%0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a> Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a
79 aa513bf8 2023-01-22 jrmu host:1626700500=204.111.39.57
80 aa513bf8 2023-01-22 jrmu author:1626700425=mistera
81 aa513bf8 2023-01-22 jrmu diff:1626700425:1626696883:=1d0%0a%3c %0a21,24c20,21%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a%3c Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain:%0a> %0a27c24%0a%3c %25code%25[@%0a---%0a> [@%0a32,36c29,34%0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c !!! Server block #1%0a%3c %0a%3c [@server "example.com" {%0a---%0a> Edit [@/etc/httpd.conf@]:%0a> %0a> !!! The first server block%0a> %0a> [@%0a> server "example.com" {%0a48,55c46,53%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on (line 2): tells the web server to listen on all IPs on port 80.%0a> %0a> location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a58,59c56,57%0a%3c !!! Server block #2%0a%3c %0a---%0a> !!! The second server block%0a> %0a77,81c75,77%0a%3c This block is similar to before. Replace [@ example.com @].%0a%3c %0a%3c There are only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a---%0a> This block is similar to before. There are only two differences.%0a> %0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a
82 aa513bf8 2023-01-22 jrmu host:1626700425=204.111.39.57
83 aa513bf8 2023-01-22 jrmu author:1626696883=jrmu
84 aa513bf8 2023-01-22 jrmu diff:1626696883:1626696853:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a
85 aa513bf8 2023-01-22 jrmu host:1626696883=198.251.81.119
86 aa513bf8 2023-01-22 jrmu author:1626696853=jrmu
87 aa513bf8 2023-01-22 jrmu diff:1626696853:1626696752:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a
88 aa513bf8 2023-01-22 jrmu host:1626696853=198.251.81.119
89 aa513bf8 2023-01-22 jrmu author:1626696752=jrmu
90 aa513bf8 2023-01-22 jrmu diff:1626696752:1626696585:=46,52c46,52%0a%3c server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on (line 2): tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
91 aa513bf8 2023-01-22 jrmu host:1626696752=198.251.81.119
92 aa513bf8 2023-01-22 jrmu author:1626696585=jrmu
93 aa513bf8 2023-01-22 jrmu diff:1626696585:1626696142:=20,21c20,21%0a%3c '''NOTE''': You must replace example.com with your own domain:%0a%3c %0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a29,30c29,30%0a%3c Edit [@/etc/httpd.conf@]:%0a%3c %0a---%0a> Edit [@ /etc/httpd.conf @]:%0a> %0a34c34%0a%3c server "example.com" {%0a---%0a> server "%3cexample.com>" {%0a
94 aa513bf8 2023-01-22 jrmu host:1626696585=198.251.81.119
95 aa513bf8 2023-01-22 jrmu author:1626696142=mistera
96 aa513bf8 2023-01-22 jrmu diff:1626696142:1626695724:=31,32d30%0a%3c !!! The first server block%0a%3c %0a50,53c48,51%0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a55,56d52%0a%3c %0a%3c !!! The second server block%0a
97 aa513bf8 2023-01-22 jrmu host:1626696142=204.111.39.57
98 aa513bf8 2023-01-22 jrmu author:1626695724=mistera
99 aa513bf8 2023-01-22 jrmu diff:1626695724:1626695252:=20,21d19%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a28,30c26,27%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a---%0a> Edit the contents of [@ /etc/httpd.conf @]:%0a> %0a32c29%0a%3c server "%3cexample.com>" {%0a---%0a> server "example.com" {%0a44,46c41,43%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a
100 aa513bf8 2023-01-22 jrmu host:1626695724=204.111.39.57
101 aa513bf8 2023-01-22 jrmu author:1626695252=mistera
102 aa513bf8 2023-01-22 jrmu diff:1626695252:1626695067:=26c26%0a%3c Edit the contents of [@ /etc/httpd.conf @]:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
103 aa513bf8 2023-01-22 jrmu host:1626695252=204.111.39.57
104 aa513bf8 2023-01-22 jrmu author:1626695067=mistera
105 aa513bf8 2023-01-22 jrmu diff:1626695067:1614236130:=5,6d4%0a%3c !! Theory%0a%3c %0a14,15d11%0a%3c !! Docs and references%0a%3c %0a20c16%0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a---%0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a
106 aa513bf8 2023-01-22 jrmu host:1626695067=204.111.39.57
107 aa513bf8 2023-01-22 jrmu author:1614236130=jrmu
108 aa513bf8 2023-01-22 jrmu diff:1614236130:1614235866:=44,45d43%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
109 aa513bf8 2023-01-22 jrmu host:1614236130=198.251.81.119
110 aa513bf8 2023-01-22 jrmu author:1614235866=jrmu
111 aa513bf8 2023-01-22 jrmu diff:1614235866:1614234303:=208,209d207%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
112 aa513bf8 2023-01-22 jrmu host:1614235866=198.251.81.119
113 aa513bf8 2023-01-22 jrmu author:1614234303=jrmu
114 aa513bf8 2023-01-22 jrmu diff:1614234303:1614234186:=172c172%0a%3c ---%0a---%0a> --- %0a182c182%0a%3c -----END CERTIFICATE-----%0a---%0a> -----END CERTIFICATE----- %0a184,204c184,204%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=R3 %0a> --- %0a> No client certificate CA names sent %0a> Server Temp Key: ECDH, X25519, 253 bits %0a> --- %0a> SSL handshake has read 3730 bytes and written 367 bytes %0a> --- %0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a> Server public key is 4096 bit %0a> Secure Renegotiation IS NOT supported %0a> Compression: NONE %0a> Expansion: NONE %0a> No ALPN negotiated %0a> SSL-Session: %0a> Protocol : TLSv1.3 %0a> Cipher : AEAD-AES256-GCM-SHA384 %0a> Session-ID: %0a> Session-ID-ctx: %0a> Master-Key: %0a> Start Time: 1614233943 %0a> Timeout : 7200 (sec) %0a
115 aa513bf8 2023-01-22 jrmu host:1614234303=198.251.81.119
116 aa513bf8 2023-01-22 jrmu author:1614234186=jrmu
117 aa513bf8 2023-01-22 jrmu diff:1614234186:1614093252:=161,182d160%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c --- %0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE----- %0a184,206c162%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3 %0a%3c --- %0a%3c No client certificate CA names sent %0a%3c Server Temp Key: ECDH, X25519, 253 bits %0a%3c --- %0a%3c SSL handshake has read 3730 bytes and written 367 bytes %0a%3c --- %0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a%3c Server public key is 4096 bit %0a%3c Secure Renegotiation IS NOT supported %0a%3c Compression: NONE %0a%3c Expansion: NONE %0a%3c No ALPN negotiated %0a%3c SSL-Session: %0a%3c Protocol : TLSv1.3 %0a%3c Cipher : AEAD-AES256-GCM-SHA384 %0a%3c Session-ID: %0a%3c Session-ID-ctx: %0a%3c Master-Key: %0a%3c Start Time: 1614233943 %0a%3c Timeout : 7200 (sec) %0a%3c Verify return code: 0 (ok)%0a%3c ---%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a
118 aa513bf8 2023-01-22 jrmu host:1614234186=198.251.81.119
119 aa513bf8 2023-01-22 jrmu author:1614093252=jrmu
120 aa513bf8 2023-01-22 jrmu diff:1614093252:1614092486:=165c165%0a%3c Attach:ssl-cert.png%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a
121 aa513bf8 2023-01-22 jrmu host:1614093252=198.251.81.119
122 aa513bf8 2023-01-22 jrmu author:1614092486=jrmu
123 aa513bf8 2023-01-22 jrmu diff:1614092486:1614092283:=135,136c135,136%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a> %0a138,141c138%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a---%0a> $ doas rcctl restart httpd%0a144,147c141,142%0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a---%0a> To test if your web server is working and has a correct SSL cert, run:%0a> %0a149c144%0a%3c $ doas rcctl restart httpd%0a---%0a> $ openssl s_client -connect example.com:443%0a152,157d146%0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a160c149%0a%3c [@%0a---%0a> %3ccode>%0a163c152%0a%3c @]%0a---%0a> %3c/code>%0a
124 aa513bf8 2023-01-22 jrmu host:1614092486=198.251.81.119
125 aa513bf8 2023-01-22 jrmu author:1614092283=jrmu
126 aa513bf8 2023-01-22 jrmu diff:1614092283:1614091285:=135,137c135,137%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a%3c %0a%3c [@%0a---%0a> Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a> %0a> %3ccode>%0a139,140c139,140%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a143c143%0a%3c [@%0a---%0a> %3ccode>%0a145c145%0a%3c @]%0a---%0a> %3c/code>%0a
127 aa513bf8 2023-01-22 jrmu host:1614092283=198.251.81.119
128 aa513bf8 2023-01-22 jrmu author:1614091285=jrmu
129 aa513bf8 2023-01-22 jrmu diff:1614091285:1614090263:=119,120c119,120%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a> %0a132,133d131%0a%3c %0a%3c !! Adding TLS%0a
130 aa513bf8 2023-01-22 jrmu host:1614091285=198.251.81.119
131 aa513bf8 2023-01-22 jrmu author:1614090263=jrmu
132 aa513bf8 2023-01-22 jrmu diff:1614090263:1614090067:=117,132d116%0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a152a137,150%0a> %0a> !! Troubleshooting%0a> %0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a> [@%0a> pass in proto tcp to port {http https}%0a> @]%0a> %0a> Then, reload the pf rulesets:%0a> %0a> [@%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a\ No newline at end of file%0a
133 aa513bf8 2023-01-22 jrmu host:1614090263=198.251.81.119
134 aa513bf8 2023-01-22 jrmu author:1614090067=jrmu
135 aa513bf8 2023-01-22 jrmu diff:1614090067:1614089124:=92c92%0a%3c Location: https://example.com/index.html%0a---%0a> Location: https://ircnow.org/index.html%0a
136 aa513bf8 2023-01-22 jrmu host:1614090067=198.251.81.119
137 aa513bf8 2023-01-22 jrmu author:1614089124=jrmu
138 aa513bf8 2023-01-22 jrmu diff:1614089124:1614077762:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a> %0a78,80c78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a86,93d83%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://ircnow.org/index.html%0a%3c %0a95c85%0a%3c %3chtml> %0a---%0a> %3chtml>%0a97c87%0a%3c %3cmeta charset="utf-8"> %0a---%0a> %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a100c90,91%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a---%0a> body { background-color: white; color: black; font-family: 'Comic Sans%0a> MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a102,105c93%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a---%0a> %0a114d101%0a%3c Connection closed by foreign host.%0a
139 aa513bf8 2023-01-22 jrmu host:1614089124=198.251.81.119
140 aa513bf8 2023-01-22 jrmu author:1614077762=jrmu
141 aa513bf8 2023-01-22 jrmu diff:1614077762:1614077710:=
142 aa513bf8 2023-01-22 jrmu host:1614077762=198.251.81.119
143 aa513bf8 2023-01-22 jrmu author:1614077710=jrmu
144 aa513bf8 2023-01-22 jrmu diff:1614077710:1614077287:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a%3c %0a---%0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a78c78%0a%3c $%0a---%0a> pass in proto tcp to port {http https}%0a81,82c81,82%0a%3c You should a response similar to the one below:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a83a84,96%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a> %0a> At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a> %0a> [@%0a> $ doas pkg_add curl%0a> $ curl example.com%0a> @]%0a> %0a> You should a response similar to the one below:%0a> %0a> [@%0a104,105c117,118%0a%3c Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a%3c %0a---%0a> Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a> %0a123,137c136%0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a\ No newline at end of file%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
145 aa513bf8 2023-01-22 jrmu host:1614077710=198.251.81.119
146 aa513bf8 2023-01-22 jrmu author:1614077287=jrmu
147 aa513bf8 2023-01-22 jrmu diff:1614077287:1614076897:=22,23c22,23%0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Let's break down the contents of /etc/httpd.conf:%0a> %0a66,68c66,73%0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a---%0a> Lines 7-9 indicate that%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> %0a> You must replace example.com everywhere with your domain name.%0a> %0a> Simply enable and start the web server:%0a
148 aa513bf8 2023-01-22 jrmu host:1614077287=198.251.81.119
149 aa513bf8 2023-01-22 jrmu author:1614076897=jrmu
150 aa513bf8 2023-01-22 jrmu diff:1614076897:1614076621:=43,44c43,44%0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a> %0a62,69c62,64%0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 indicate that%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a---%0a> This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
151 aa513bf8 2023-01-22 jrmu host:1614076897=198.251.81.119
152 aa513bf8 2023-01-22 jrmu author:1614076621=jrmu
153 aa513bf8 2023-01-22 jrmu diff:1614076621:1614076414:=37,38c37,38%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a> %0a41,43c41,43%0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a---%0a> The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a
154 aa513bf8 2023-01-22 jrmu host:1614076621=198.251.81.119
155 aa513bf8 2023-01-22 jrmu author:1614076414=jrmu
156 aa513bf8 2023-01-22 jrmu diff:1614076414:1614076135:=37,45c37,42%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a%3c %0a%3c [@%0a---%0a> The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a> %0a> The second line tells the web server to listen on all IPs on port 80.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a61,64d57%0a%3c %0a%3c This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a%3c %0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
157 aa513bf8 2023-01-22 jrmu host:1614076414=198.251.81.119
158 aa513bf8 2023-01-22 jrmu author:1614076135=jrmu
159 aa513bf8 2023-01-22 jrmu diff:1614076135:1614075220:=41c41%0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> The third line says that for %0a
160 aa513bf8 2023-01-22 jrmu host:1614076135=198.251.81.119
161 aa513bf8 2023-01-22 jrmu author:1614075220=jrmu
162 aa513bf8 2023-01-22 jrmu diff:1614075220:1614073808:=22,23c22,23%0a%3c Let's break down the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Here is what /etc/httpd.conf contains:%0a> %0a35,41d34%0a%3c @]%0a%3c %0a%3c The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a%3c %0a%3c The second line tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The third line says that for %0a
163 aa513bf8 2023-01-22 jrmu host:1614075220=198.251.81.119
164 aa513bf8 2023-01-22 jrmu author:1614073808=jrmu
165 aa513bf8 2023-01-22 jrmu diff:1614073808:1614073724:=10,12c10%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a---%0a> # Easy to configure with good documentation%0a
166 aa513bf8 2023-01-22 jrmu host:1614073808=198.251.81.119
167 aa513bf8 2023-01-22 jrmu author:1614073724=jrmu
168 aa513bf8 2023-01-22 jrmu diff:1614073724:1614073670:=3,4c3,4%0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a7c7%0a%3c # Clean code%0a---%0a> # Clean: The code is beautiful%0a
169 aa513bf8 2023-01-22 jrmu host:1614073724=198.251.81.119
170 aa513bf8 2023-01-22 jrmu author:1614073670=jrmu
171 aa513bf8 2023-01-22 jrmu diff:1614073670:1614073261:=2,12d1%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean: The code is beautiful%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good documentation%0a%3c %0a%3c !! Configuring%0a
172 aa513bf8 2023-01-22 jrmu host:1614073670=198.251.81.119
173 aa513bf8 2023-01-22 jrmu author:1614073261=jrmu
174 aa513bf8 2023-01-22 jrmu diff:1614073261:1614073261:=1,109d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Here is what /etc/httpd.conf contains:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c You must replace example.com everywhere with your domain name.%0a%3c %0a%3c Simply enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add curl%0a%3c $ curl example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c %3c!DOCTYPE html>%0a%3c %3chtml>%0a%3c %3chead>%0a%3c %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans%0a%3c MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c %0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c @]%0a%3c %0a%3c Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl restart httpd%0a%3c %3c/code>%0a%3c %0a%3c To test if your web server is working and has a correct SSL cert, run:%0a%3c %0a%3c %3ccode>%0a%3c $ openssl s_client -connect example.com:443%0a%3c %3c/code>%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c %3ccode>%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a%3c %3c/code>%0a%3c %0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
175 aa513bf8 2023-01-22 jrmu host:1614073261=198.251.81.119