1 version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
7 host=2001:bc8:1830:1533::12
8 name=Openhttpd.Configure
10 targets=Acme-client.Configure,Telnet.Http,Pf.Guide,Openhttpd.Tls
11 text=(:title Basic OpenHTTPd Configuration:)%0a%0a[[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%0a!! Overview%0a%0aPros:%0a# Lean: Small, no plugins%0a# Clean code%0a# Secure: Strict validity checking, privilege separation, strong cryptography%0a# Fast%0a# Easy to configure with good manpage documentation%0a%0a!! Docs and references%0a%0aYou'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a%0a!! Configuring%0a%0a'''NOTE''': You must replace example.com with your own domain%0a%0aCopy the example file in [@ /etc/examples/httpd.conf @]:%0a%0a[@%0a$ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a@]%0a%0aEdit [@ /etc/httpd.conf @]:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a location * {%0a block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a }%0a }%0a@]%0a%0aReplace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%0a@@listen on@@ tells the web server to listen on all IPs on port 80.%0a%0aThe first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%0aThe second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%0aThis second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%0aTo allow plaintext requests on port 80, your conf file should now look like this:%0a%0a[@%0aserver "example.com" {%0a listen on * port 80%0a location "/.well-known/acme-challenge/*" {%0a root "/acme"%0a request strip 2%0a }%0a }%0a@]%0a%0a%0aWithin the framework of a virtual host, you can also create folders for users of your system:%0a%0a[@%0alocation match "/sites/([a-z|A-Z|-|_]+)/(.+)" {%0a request rewrite "/sites/%251/pub/%252"%0a}%0a@]%0a%0a'''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a%0aThe block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a%0a[@%0a#server "example.com" {%0a# listen on * tls port 443%0a# tls {%0a# certificate "/etc/ssl/example.com.crt"%0a# key "/etc/ssl/private/example.com.key"%0a# }%0a# location "/pub/*" {%0a# directory auto index%0a# }%0a# location "/.well-known/acme-challenge/*" {%0a# root "/acme"%0a# request strip 2%0a# }%0a#}%0a@]%0a%0aMake sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%0a[@%0a$ doas httpd -n%0a@]%0a%0a!! Starting the server%0a%0a[@%0a$ doas rcctl enable httpd%0a$ doas rcctl start httpd%0a@]%0a%0a!! Testing%0a%0aLet's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a%0a%3c!DOCTYPE html>%0a%3chtml> %0a%3chead>%0a%3cmeta charset="utf-8"> %0a%3ctitle>302 Found%3c/title>%0a%3cstyle type="text/css">%3c!--%0abody { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0ahr { border: 0; border-bottom: 1px dashed; }%0a@media (prefers-color-scheme: dark) {%0abody { background-color: #1E1F21; color: #EEEFF1; }%0aa { color: #BAD7FF; }%0a}%0a-->%3c/style>%0a%3c/head>%0a%3cbody>%0a%3ch1>302 Found%3c/h1>%0a%3chr>%0a%3caddress>OpenBSD httpd%3c/address>%0a%3c/body>%0a%3c/html>%0aConnection closed by foreign host.%0a@]%0a%0a!!! Troubleshooting%0a%0aIf you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%0aYou can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%0a[@%0apass in quick proto tcp to port {http https}%0a@]%0a%0aThen, reload the pf rulesets:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0a!! Adding TLS%0a%0aNext, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a
13 title=Basic OpenHTTPd Configuration
14 author:1676633999=baytuch
15 diff:1676633999:1659916268:=65,72d64%0a%3c %0a%3c Within the framework of a virtual host, you can also create folders for users of your system:%0a%3c %0a%3c [@%0a%3c location match "/sites/([a-z|A-Z|-|_]+)/(.+)" {%0a%3c request rewrite "/sites/%251/pub/%252"%0a%3c }%0a%3c @]%0a
16 host:1676633999=2001:bc8:1830:1533::12
17 author:1659916268=tiramisu
18 diff:1659916268:1655191277:minor=3c3%0a%3c [[https://learnbchs.org/|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a
19 host:1659916268=2607:fb90:bdaa:a8fb:b247:8aa7:de83:2fe5
20 author:1655191277=jrmu
21 diff:1655191277:1655191244:=68c68%0a%3c The block for TLS on port 443 should be commented out until after you have requested TLS certs.%0a---%0a> The second block below should be commented out until after you have requested TLS certs.%0a
22 host:1655191277=38.87.162.154
23 author:1655191244=jrmu
24 diff:1655191244:1649022837:=52,64d51%0a%3c %0a%3c To allow plaintext requests on port 80, your conf file should now look like this:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a
25 host:1655191244=38.87.162.154
26 author:1649022837=jrmu
27 diff:1649022837:1649021892:=55,56c55,56%0a%3c The second block below should be commented out until after you have requested TLS certs.%0a%3c %0a---%0a> !!! Server block #2%0a> %0a58,71c58,71%0a%3c #server "example.com" {%0a%3c # listen on * tls port 443%0a%3c # tls {%0a%3c # certificate "/etc/ssl/example.com.crt"%0a%3c # key "/etc/ssl/private/example.com.key"%0a%3c # }%0a%3c # location "/pub/*" {%0a%3c # directory auto index%0a%3c # }%0a%3c # location "/.well-known/acme-challenge/*" {%0a%3c # root "/acme"%0a%3c # request strip 2%0a%3c # }%0a%3c #}%0a---%0a> server "example.com" {%0a> listen on * tls port 443%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> }%0a74,75c74,83%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid:%0a%3c %0a---%0a> This block is similar to before. Replace [@ example.com @].%0a> %0a> There are only two differences.%0a> %0a> Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a> %0a> Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a> %0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a> %0a87,88c95,96%0a%3c !! Testing%0a%3c %0a---%0a> !! Testing, testing%0a> %0a149c157,237%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Then, you'll want to [[openhttpd/tls|add TLS to openhttpd]].%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a> %0a> Go do that now, I'll wait...%0a> %0a> Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a> %0a> [@%0a> tls {%0a> certificate "/etc/ssl/example.com.crt"%0a> key "/etc/ssl/private/example.com.key"%0a> }%0a> @]%0a> %0a> change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a> %0a> Then, restart the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a> %0a> To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a> %0a> [@%0a> $ openssl s_client -connect example.com:443%0a> @]%0a> %0a> You should see the correct SSL subject and issuer:%0a> %0a> [@%0a> $ openssl s_client -connect example.org:443%0a> CONNECTED(00000003)%0a> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a> verify return:1%0a> depth=1 C = US, O = Let's Encrypt, CN = R3%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> depth=0 CN = example.com%0a> verify return:1%0a> write W BLOCK%0a> ---%0a> Certificate chain%0a> 0 s:/CN=example.com%0a> i:/C=US/O=Let's Encrypt/CN=R3%0a> 1 s:/C=US/O=Let's Encrypt/CN=R3%0a> i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a> ---%0a> Server certificate%0a> -----BEGIN CERTIFICATE-----%0a> ...%0a> -----END CERTIFICATE-----%0a> subject=/CN=example.com%0a> issuer=/C=US/O=Let's Encrypt/CN=R3%0a> ---%0a> No client certificate CA names sent%0a> Server Temp Key: ECDH, X25519, 253 bits%0a> ---%0a> SSL handshake has read 3730 bytes and written 367 bytes%0a> ---%0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a> Server public key is 4096 bit%0a> Secure Renegotiation IS NOT supported%0a> Compression: NONE%0a> Expansion: NONE%0a> No ALPN negotiated%0a> SSL-Session:%0a> Protocol : TLSv1.3%0a> Cipher : AEAD-AES256-GCM-SHA384%0a> Session-ID:%0a> Session-ID-ctx:%0a> Master-Key:%0a> Start Time: 1614233943%0a> Timeout : 7200 (sec)%0a> Verify return code: 0 (ok)%0a> ---%0a> @]%0a> %0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a> %0a> Attach:ssl-cert.png%0a
28 host:1649022837=38.87.162.154
29 author:1649021892=jrmu
30 diff:1649021892:1649021380:=47,53c47,51%0a%3c The first @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c The second @@location@@ block in lines 7-9 tell the web server to respond with HTTP 302 for all other requests. An HTTP 302 response forwards the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a%3c This second @@location@@ block is suggested by the OpenBSD team, but for accessibility reasons, we recommend removing the second location block.%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work. The web server needs the listener block on port 80 for ACME protocol verification.%0a---%0a> The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a> '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
31 host:1649021892=38.87.162.154
32 author:1649021380=jrmu
33 diff:1649021380:1649021123:=43,47c43,47%0a%3c Replace @@example.com@@ to your actual hostname. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c @@listen on@@ tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The @@location@@ block in lines 3-6 responds to verification requests according to the [[acme-client/configure|ACME]] protocol. For any request that begins with @@http://example.com/.well-known/acme-challenge/@@, httpd will look for the documents in the new root @@/acme@@. Since openhttpd chroots to /var/www by default, the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ tells openhttpd to search in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
34 host:1649021380=38.87.162.154
35 author:1649021123=jrmu
36 diff:1649021123:1649021090:minor=27a28%0a> %0a28a30,32%0a> %0a> !!! Server block #1%0a> %0a
37 host:1649021123=38.87.162.154
38 author:1649021090=jrmu
39 diff:1649021090:1640690307:=16c16%0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages. [[https://www.tiltedwindmillpress.com/product/httpd-and-relayd-mastery/|Httpd and Relayd Mastery]] also contains many helpful examples.%0a---%0a> You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a
40 host:1649021090=38.87.162.154
41 author:1640690307=Naglfar
42 diff:1640690307:1640530911:=68,71d67%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a
43 host:1640690307=92.191.225.58
44 author:1640530911=Naglfar
45 csum:1640530911=Remove duplicate: Location for acme-challenge already is in Server block 1
46 diff:1640530911:1640446640:=67a68,71%0a> }%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a
47 host:1640530911=92.191.225.58
48 author:1640446640=jrmu
49 diff:1640446640:1640446480:=84,85c84,88%0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then check that your configuration is valid%0a%3c %0a---%0a> Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a> %0a> %0a> !! Starting the server%0a> %0a87c90,91%0a%3c $ doas httpd -n%0a---%0a> $ doas rcctl enable httpd%0a> $ doas rcctl start httpd%0a90,96d93%0a%3c !! Starting the server%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a98d94%0a%3c %0a
50 host:1640446640=38.87.162.8
51 author:1640446480=jrmu
52 diff:1640446480:1640360897:=85a86,90%0a> !!! Check that your configuration is valid%0a> %0a> [@%0a> $ doas httpd -n%0a> @]%0a
53 host:1640446480=38.87.162.8
54 author:1640360897=Naglfar
55 csum:1640360897=Move Check to: Configuring
56 diff:1640360897:1640360742:=86c86%0a%3c !!! Check that your configuration is valid%0a---%0a> !! Check that your configuration is valid%0a
57 host:1640360897=92.191.225.58
58 author:1640360742=Naglfar
59 csum:1640360742=Add: Check that the configuration is valid
60 diff:1640360742:1639147446:=86,90d85%0a%3c !! Check that your configuration is valid%0a%3c %0a%3c [@%0a%3c $ doas httpd -n%0a%3c @]%0a
61 host:1640360742=92.191.225.58
62 author:1639147446=jrmu
63 diff:1639147446:1626874065:=63c63%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a163c163%0a%3c certificate "/etc/ssl/example.com.crt"%0a---%0a> certificate "/etc/ssl/example.com.fullchain.pem"%0a168c168%0a%3c change [@ /etc/ssl/example.com.crt @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a---%0a> change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a
64 host:1639147446=38.87.162.8
65 author:1626874065=mistera
66 diff:1626874065:1626787627:=233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ). While you are likely to see an error such as 403 Forbidden if you havent set up a website, look for the SSL padlock in the address bar (which indicates your site is secure), then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a
67 host:1626874065=204.111.39.57
68 author:1626787627=mistera
69 diff:1626787627:1626783891:=5c5%0a%3c !! Overview%0a---%0a> !! Theory%0a
70 host:1626787627=204.111.39.57
71 author:1626783891=mistera
72 diff:1626783891:1626702588:=168,169c168,169%0a%3c change [@ /etc/ssl/example.com.fullchain.pem @] and [@ /etc/ssl/private/example.com.key @] so that the certificate and key match the real location of your SSL cert.%0a%3c %0a---%0a> Edit these lines so that the certificate and key match the real location of your SSL cert.%0a> %0a233c233%0a%3c You can also visit the website using your web browser. Load your domain (e.g. [@ https://example.com @] ), then look for the SSL padlock, then view more information about the certificate:%0a---%0a> You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
73 host:1626783891=204.111.39.57
74 author:1626702588=mistera
75 diff:1626702588:1626702529:=87,88c87,88%0a%3c !! Starting the server%0a%3c %0a---%0a> !!! Starting the server%0a> %0a137c137%0a%3c !!! Troubleshooting%0a---%0a> !! Troubleshooting%0a
76 host:1626702588=204.111.39.57
77 author:1626702529=mistera
78 diff:1626702529:1626700500:=24c24%0a%3c [@%0a---%0a> %25code%25[@%0a33,44c33,42%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a---%0a> [@server "example.com" {%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a> }%0a86,88d83%0a%3c %0a%3c !!! Starting the server%0a%3c %0a94d88%0a%3c !! Testing, testing%0a155,159c149%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. %0a%3c %0a%3c Go do that now, I'll wait...%0a%3c %0a%3c Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a
79 host:1626702529=204.111.39.57
80 author:1626700500=mistera
81 diff:1626700500:1626700425:=0a1%0a> %0a20c21,23%0a%3c '''NOTE''': You must replace example.com with your own domain%0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a> Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a
82 host:1626700500=204.111.39.57
83 author:1626700425=mistera
84 diff:1626700425:1626696883:=1d0%0a%3c %0a21,24c20,21%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a%3c Meaning, when you see [@ %3cexample.com> @] replace it with your web domain such as with user.host.ircnow.org. Completely remove the angle brackets! They are there to indicate that you should replace the text!%0a%3c %0a---%0a> '''NOTE''': You must replace example.com with your own domain:%0a> %0a27c24%0a%3c %25code%25[@%0a---%0a> [@%0a32,36c29,34%0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a%3c !!! Server block #1%0a%3c %0a%3c [@server "example.com" {%0a---%0a> Edit [@/etc/httpd.conf@]:%0a> %0a> !!! The first server block%0a> %0a> [@%0a> server "example.com" {%0a48,55c46,53%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on (line 2): tells the web server to listen on all IPs on port 80.%0a> %0a> location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a58,59c56,57%0a%3c !!! Server block #2%0a%3c %0a---%0a> !!! The second server block%0a> %0a77,81c75,77%0a%3c This block is similar to before. Replace [@ example.com @].%0a%3c %0a%3c There are only two differences.%0a%3c %0a%3c Lines 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a---%0a> This block is similar to before. There are only two differences.%0a> %0a> Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a
85 host:1626700425=204.111.39.57
86 author:1626696883=jrmu
87 diff:1626696883:1626696853:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@]). Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a
88 host:1626696883=198.251.81.119
89 author:1626696853=jrmu
90 diff:1626696853:1626696752:=46c46%0a%3c server (line 1): this specifies the hostname ([@example.com@])". Change [@example.com@] to your personal hostname, such as [@username.fruit.ircnow.org@]. On other web servers, this might be known as the '''virtual host'''. %0a---%0a> server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a
91 host:1626696853=198.251.81.119
92 author:1626696752=jrmu
93 diff:1626696752:1626696585:=46,52c46,52%0a%3c server (line 1): this specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on (line 2): tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c location (lines 3-6): is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location (lines 7-9): indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a---%0a> server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a> %0a> listen on: tells the web server to listen on all IPs on port 80.%0a> %0a> location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a
94 host:1626696752=198.251.81.119
95 author:1626696585=jrmu
96 diff:1626696585:1626696142:=20,21c20,21%0a%3c '''NOTE''': You must replace example.com with your own domain:%0a%3c %0a---%0a> '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a> %0a29,30c29,30%0a%3c Edit [@/etc/httpd.conf@]:%0a%3c %0a---%0a> Edit [@ /etc/httpd.conf @]:%0a> %0a34c34%0a%3c server "example.com" {%0a---%0a> server "%3cexample.com>" {%0a
97 host:1626696585=198.251.81.119
98 author:1626696142=mistera
99 diff:1626696142:1626695724:=31,32d30%0a%3c !!! The first server block%0a%3c %0a50,53c48,51%0a%3c location: (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c location: (Lines 7-9) indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a> %0a55,56d52%0a%3c %0a%3c !!! The second server block%0a
100 host:1626696142=204.111.39.57
101 author:1626695724=mistera
102 diff:1626695724:1626695252:=20,21d19%0a%3c '''When you see %3ctext> it indicates that you must replace the text with something that fits your unique situation; do not just copy it in.'''%0a%3c %0a28,30c26,27%0a%3c %0a%3c Edit [@ /etc/httpd.conf @]:%0a%3c %0a---%0a> Edit the contents of [@ /etc/httpd.conf @]:%0a> %0a32c29%0a%3c server "%3cexample.com>" {%0a---%0a> server "example.com" {%0a44,46c41,43%0a%3c server: this block specifies the hostname ([@ example.com @])". Change [@ example.com @] to your personal hostname, such as [@ username.fruit.ircnow.org @]. On other web servers, this might be known as the '''virtual host'''. %0a%3c %0a%3c listen on: tells the web server to listen on all IPs on port 80.%0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a> %0a> Line 2 tells the web server to listen on all IPs on port 80.%0a
103 host:1626695724=204.111.39.57
104 author:1626695252=mistera
105 diff:1626695252:1626695067:=26c26%0a%3c Edit the contents of [@ /etc/httpd.conf @]:%0a---%0a> Edit the contents of /etc/httpd.conf:%0a
106 host:1626695252=204.111.39.57
107 author:1626695067=mistera
108 diff:1626695067:1614236130:=5,6d4%0a%3c !! Theory%0a%3c %0a14,15d11%0a%3c !! Docs and references%0a%3c %0a20c16%0a%3c Copy the example file in [@ /etc/examples/httpd.conf @]:%0a---%0a> Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a
109 host:1626695067=204.111.39.57
110 author:1614236130=jrmu
111 diff:1614236130:1614235866:=44,45d43%0a%3c %0a%3c '''Note''': You must have a server block listening on port 80. Do not delete this block or else [[acme-client/configure|acme-client]] will not work.%0a
112 host:1614236130=198.251.81.119
113 author:1614235866=jrmu
114 diff:1614235866:1614234303:=208,209d207%0a%3c %0a%3c You can also visit the website using your web browser. Load https://example.com, then look for the SSL padlock, then view more information about the certificate:%0a
115 host:1614235866=198.251.81.119
116 author:1614234303=jrmu
117 diff:1614234303:1614234186:=172c172%0a%3c ---%0a---%0a> --- %0a182c182%0a%3c -----END CERTIFICATE-----%0a---%0a> -----END CERTIFICATE----- %0a184,204c184,204%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3%0a%3c ---%0a%3c No client certificate CA names sent%0a%3c Server Temp Key: ECDH, X25519, 253 bits%0a%3c ---%0a%3c SSL handshake has read 3730 bytes and written 367 bytes%0a%3c ---%0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384%0a%3c Server public key is 4096 bit%0a%3c Secure Renegotiation IS NOT supported%0a%3c Compression: NONE%0a%3c Expansion: NONE%0a%3c No ALPN negotiated%0a%3c SSL-Session:%0a%3c Protocol : TLSv1.3%0a%3c Cipher : AEAD-AES256-GCM-SHA384%0a%3c Session-ID:%0a%3c Session-ID-ctx:%0a%3c Master-Key:%0a%3c Start Time: 1614233943%0a%3c Timeout : 7200 (sec)%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=R3 %0a> --- %0a> No client certificate CA names sent %0a> Server Temp Key: ECDH, X25519, 253 bits %0a> --- %0a> SSL handshake has read 3730 bytes and written 367 bytes %0a> --- %0a> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a> Server public key is 4096 bit %0a> Secure Renegotiation IS NOT supported %0a> Compression: NONE %0a> Expansion: NONE %0a> No ALPN negotiated %0a> SSL-Session: %0a> Protocol : TLSv1.3 %0a> Cipher : AEAD-AES256-GCM-SHA384 %0a> Session-ID: %0a> Session-ID-ctx: %0a> Master-Key: %0a> Start Time: 1614233943 %0a> Timeout : 7200 (sec) %0a
118 host:1614234303=198.251.81.119
119 author:1614234186=jrmu
120 diff:1614234186:1614093252:=161,182d160%0a%3c $ openssl s_client -connect example.org:443%0a%3c CONNECTED(00000003)%0a%3c depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3%0a%3c verify return:1%0a%3c depth=1 C = US, O = Let's Encrypt, CN = R3%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c depth=0 CN = example.com%0a%3c verify return:1%0a%3c write W BLOCK%0a%3c --- %0a%3c Certificate chain%0a%3c 0 s:/CN=example.com%0a%3c i:/C=US/O=Let's Encrypt/CN=R3%0a%3c 1 s:/C=US/O=Let's Encrypt/CN=R3%0a%3c i:/O=Digital Signature Trust Co./CN=DST Root CA X3%0a%3c ---%0a%3c Server certificate%0a%3c -----BEGIN CERTIFICATE-----%0a%3c ...%0a%3c -----END CERTIFICATE----- %0a184,206c162%0a%3c issuer=/C=US/O=Let's Encrypt/CN=R3 %0a%3c --- %0a%3c No client certificate CA names sent %0a%3c Server Temp Key: ECDH, X25519, 253 bits %0a%3c --- %0a%3c SSL handshake has read 3730 bytes and written 367 bytes %0a%3c --- %0a%3c New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384 %0a%3c Server public key is 4096 bit %0a%3c Secure Renegotiation IS NOT supported %0a%3c Compression: NONE %0a%3c Expansion: NONE %0a%3c No ALPN negotiated %0a%3c SSL-Session: %0a%3c Protocol : TLSv1.3 %0a%3c Cipher : AEAD-AES256-GCM-SHA384 %0a%3c Session-ID: %0a%3c Session-ID-ctx: %0a%3c Master-Key: %0a%3c Start Time: 1614233943 %0a%3c Timeout : 7200 (sec) %0a%3c Verify return code: 0 (ok)%0a%3c ---%0a---%0a> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a
121 host:1614234186=198.251.81.119
122 author:1614093252=jrmu
123 diff:1614093252:1614092486:=165c165%0a%3c Attach:ssl-cert.png%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a
124 host:1614093252=198.251.81.119
125 author:1614092486=jrmu
126 diff:1614092486:1614092283:=135,136c135,136%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:%0a%3c %0a---%0a> Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a> %0a138,141c138%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a---%0a> $ doas rcctl restart httpd%0a144,147c141,142%0a%3c Edit these lines so that the certificate and key match the real location of your SSL cert.%0a%3c %0a%3c Then, restart the web server:%0a%3c %0a---%0a> To test if your web server is working and has a correct SSL cert, run:%0a> %0a149c144%0a%3c $ doas rcctl restart httpd%0a---%0a> $ openssl s_client -connect example.com:443%0a152,157d146%0a%3c To test if your web server has a working SSL cert, use [[openssl/http|openssl]]:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect example.com:443%0a%3c @]%0a%3c %0a160c149%0a%3c [@%0a---%0a> %3ccode>%0a163c152%0a%3c @]%0a---%0a> %3c/code>%0a
127 host:1614092486=198.251.81.119
128 author:1614092283=jrmu
129 diff:1614092283:1614091285:=135,137c135,137%0a%3c Next, you'll want to request an SSL cert using [[acme-client/configure|acme-client]]. Once you have a valid SSL cert, restart the web server:%0a%3c %0a%3c [@%0a---%0a> Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a> %0a> %3ccode>%0a139,140c139,140%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a143c143%0a%3c [@%0a---%0a> %3ccode>%0a145c145%0a%3c @]%0a---%0a> %3c/code>%0a
130 host:1614092283=198.251.81.119
131 author:1614091285=jrmu
132 diff:1614091285:1614090263:=119,120c119,120%0a%3c If you were unable to establish the connection above, it may be because your [[pf/guide|firewall]] is blocking port 80.%0a%3c %0a---%0a> If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a> %0a132,133d131%0a%3c %0a%3c !! Adding TLS%0a
133 host:1614091285=198.251.81.119
134 author:1614090263=jrmu
135 diff:1614090263:1614090067:=117,132d116%0a%3c !! Troubleshooting%0a%3c %0a%3c If you were unable to establish the connection above, it may be because your firewall is blocking port 80.%0a%3c %0a%3c You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in quick proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a152a137,150%0a> %0a> !! Troubleshooting%0a> %0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a> [@%0a> pass in proto tcp to port {http https}%0a> @]%0a> %0a> Then, reload the pf rulesets:%0a> %0a> [@%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a\ No newline at end of file%0a
136 host:1614090263=198.251.81.119
137 author:1614090067=jrmu
138 diff:1614090067:1614089124:=92c92%0a%3c Location: https://example.com/index.html%0a---%0a> Location: https://ircnow.org/index.html%0a
139 host:1614090067=198.251.81.119
140 author:1614089124=jrmu
141 diff:1614089124:1614077762:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use [[telnet/http|telnet]]:%0a%3c %0a---%0a> Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a> %0a78,80c78%0a%3c $ telnet example.com 80%0a%3c GET /index.html HTTP/1.1%0a%3c Host: example.com%0a---%0a> $%0a86,93d83%0a%3c HTTP/1.0 302 Found%0a%3c Date: Tue, 23 Feb 2021 14:01:28 GMT%0a%3c OpenBSD httpd%0a%3c Connection: close%0a%3c Content-Type: text/html%0a%3c Content-Length: 486%0a%3c Location: https://ircnow.org/index.html%0a%3c %0a95c85%0a%3c %3chtml> %0a---%0a> %3chtml>%0a97c87%0a%3c %3cmeta charset="utf-8"> %0a---%0a> %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a100c90,91%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a---%0a> body { background-color: white; color: black; font-family: 'Comic Sans%0a> MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a102,105c93%0a%3c @media (prefers-color-scheme: dark) {%0a%3c body { background-color: #1E1F21; color: #EEEFF1; }%0a%3c a { color: #BAD7FF; }%0a%3c }%0a---%0a> %0a114d101%0a%3c Connection closed by foreign host.%0a
142 host:1614089124=198.251.81.119
143 author:1614077762=jrmu
144 diff:1614077762:1614077710:=
145 host:1614077762=198.251.81.119
146 author:1614077710=jrmu
147 diff:1614077710:1614077287:=75,76c75,76%0a%3c Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use netcat%0a%3c %0a---%0a> Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a> %0a78c78%0a%3c $%0a---%0a> pass in proto tcp to port {http https}%0a81,82c81,82%0a%3c You should a response similar to the one below:%0a%3c %0a---%0a> Then, reload the pf rulesets:%0a> %0a83a84,96%0a> $ doas pfctl -f /etc/pf.conf%0a> @]%0a> %0a> At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a> %0a> [@%0a> $ doas pkg_add curl%0a> $ curl example.com%0a> @]%0a> %0a> You should a response similar to the one below:%0a> %0a> [@%0a104,105c117,118%0a%3c Next, let's request an SSL cert using [[acme-client/configure|acme-client]], then restart the web server:%0a%3c %0a---%0a> Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a> %0a123,137c136%0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a\ No newline at end of file%0a---%0a> {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
148 host:1614077710=198.251.81.119
149 author:1614077287=jrmu
150 diff:1614077287:1614076897:=22,23c22,23%0a%3c Edit the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Let's break down the contents of /etc/httpd.conf:%0a> %0a66,68c66,73%0a%3c Lines 7-9 say that for any request that begins with https://example.com/pub/ should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.%0a%3c %0a%3c Make sure to replace every instance of @@example.com@@ with your real hostname, then enable and start the web server:%0a---%0a> Lines 7-9 indicate that%0a> location "/pub/*" {%0a> directory auto index%0a> }%0a> %0a> You must replace example.com everywhere with your domain name.%0a> %0a> Simply enable and start the web server:%0a
151 host:1614077287=198.251.81.119
152 author:1614076897=jrmu
153 diff:1614076897:1614076621:=43,44c43,44%0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, will be forwarded to use TLS on port 443 instead.%0a%3c %0a---%0a> Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a> %0a62,69c62,64%0a%3c This block is similar to before. There are only two differences.%0a%3c %0a%3c Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run [[acme-client/configure|acme-client]], you will need to change the certificate and key to match your real files.%0a%3c %0a%3c Lines 7-9 indicate that%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a---%0a> This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
154 host:1614076897=198.251.81.119
155 author:1614076621=jrmu
156 diff:1614076621:1614076414:=37,38c37,38%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to your personal hostname, such as username.fruit.ircnow.org.%0a%3c %0a---%0a> Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a> %0a41,43c41,43%0a%3c The location block (lines 3-6) is used for requesting certificates using [[acme-client/configure|ACME]]. It says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for [[acme-client/configure|ACME]] verification, probably should be using TLS on port 443 instead.%0a---%0a> The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a> Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a
157 host:1614076621=198.251.81.119
158 author:1614076414=jrmu
159 diff:1614076414:1614076135:=37,45c37,42%0a%3c Line 1 says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''. You will want to change the domain to you%0a%3c %0a%3c Line 2 tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The location block (lines 3-6) says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually @@/var/www/acme/@@. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a%3c %0a%3c Lines 7-9 indicate that for all other requests, return a 302 forwarded%0a%3c %0a%3c [@%0a---%0a> The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a> %0a> The second line tells the web server to listen on all IPs on port 80.%0a> %0a> The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a> %0a61,64d57%0a%3c %0a%3c This block is similar to before. It is for the hostname "example.com". The difference is the second line tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use.%0a%3c %0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a
160 host:1614076414=198.251.81.119
161 author:1614076135=jrmu
162 diff:1614076135:1614075220:=41c41%0a%3c The location block on the third line says that for any request that begins with http://example.com/.well-known/acme-challenge/, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive @@request strip 2@@ is needed so that openhttpd searches in @@/var/www/acme/@@ and not @@/var/www/acme/.well-known/acme-challenge/@@.%0a---%0a> The third line says that for %0a
163 host:1614076135=198.251.81.119
164 author:1614075220=jrmu
165 diff:1614075220:1614073808:=22,23c22,23%0a%3c Let's break down the contents of /etc/httpd.conf:%0a%3c %0a---%0a> Here is what /etc/httpd.conf contains:%0a> %0a35,41d34%0a%3c @]%0a%3c %0a%3c The first line says that this block is for the hostname "example.com". On other web servers, this might be known as the '''virtual host'''.%0a%3c %0a%3c The second line tells the web server to listen on all IPs on port 80.%0a%3c %0a%3c The third line says that for %0a
166 host:1614075220=198.251.81.119
167 author:1614073808=jrmu
168 diff:1614073808:1614073724:=10,12c10%0a%3c # Easy to configure with good manpage documentation%0a%3c %0a%3c You'll want to consult the [[https://man.openbsd.org/httpd|httpd]] and [[https://man.openbsd.org/httpd.conf|httpd.conf]] man pages.%0a---%0a> # Easy to configure with good documentation%0a
169 host:1614073808=198.251.81.119
170 author:1614073724=jrmu
171 diff:1614073724:1614073670:=3,4c3,4%0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a---%0a> [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a> %0a7c7%0a%3c # Clean code%0a---%0a> # Clean: The code is beautiful%0a
172 host:1614073724=198.251.81.119
173 author:1614073670=jrmu
174 diff:1614073670:1614073261:=2,12d1%0a%3c %0a%3c [[https://bsd.plumbing/about.html|OpenHTTPd]]] is a light-weight web server developed by the OpenBSD dev team.%0a%3c %0a%3c Pros:%0a%3c # Lean: Small, no plugins%0a%3c # Clean: The code is beautiful%0a%3c # Secure: Strict validity checking, privilege separation, strong cryptography%0a%3c # Fast%0a%3c # Easy to configure with good documentation%0a%3c %0a%3c !! Configuring%0a
175 host:1614073670=198.251.81.119
176 author:1614073261=jrmu
177 diff:1614073261:1614073261:=1,109d0%0a%3c (:title Basic OpenHTTPd Configuration:)%0a%3c %0a%3c Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:%0a%3c %0a%3c [@%0a%3c $ doas cp /etc/examples/httpd.conf /etc/httpd.conf%0a%3c @]%0a%3c %0a%3c Here is what /etc/httpd.conf contains:%0a%3c %0a%3c [@%0a%3c server "example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c %0a%3c server "example.com" {%0a%3c listen on * tls port 443%0a%3c tls {%0a%3c certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c key "/etc/ssl/private/example.com.key"%0a%3c }%0a%3c location "/pub/*" {%0a%3c directory auto index%0a%3c }%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c You must replace example.com everywhere with your domain name.%0a%3c %0a%3c Simply enable and start the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable httpd%0a%3c $ doas rcctl start httpd%0a%3c @]%0a%3c %0a%3c Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in proto tcp to port {http https}%0a%3c @]%0a%3c %0a%3c Then, reload the pf rulesets:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add curl%0a%3c $ curl example.com%0a%3c @]%0a%3c %0a%3c You should a response similar to the one below:%0a%3c %0a%3c [@%0a%3c %3c!DOCTYPE html>%0a%3c %3chtml>%0a%3c %3chead>%0a%3c %3cmeta http-equiv="Content-Type" content="text/html; charset=utf-8"/>%0a%3c %3ctitle>302 Found%3c/title>%0a%3c %3cstyle type="text/css">%3c!--%0a%3c body { background-color: white; color: black; font-family: 'Comic Sans%0a%3c MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }%0a%3c hr { border: 0; border-bottom: 1px dashed; }%0a%3c %0a%3c -->%3c/style>%0a%3c %3c/head>%0a%3c %3cbody>%0a%3c %3ch1>302 Found%3c/h1>%0a%3c %3chr>%0a%3c %3caddress>OpenBSD httpd%3c/address>%0a%3c %3c/body>%0a%3c %3c/html>%0a%3c @]%0a%3c %0a%3c Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd/acme-client|acme-client]] instructions, then reset your web server:%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl restart httpd%0a%3c %3c/code>%0a%3c %0a%3c To test if your web server is working and has a correct SSL cert, run:%0a%3c %0a%3c %3ccode>%0a%3c $ openssl s_client -connect example.com:443%0a%3c %3c/code>%0a%3c %0a%3c You should see the correct SSL subject and issuer:%0a%3c %0a%3c %3ccode>%0a%3c subject=/CN=example.com%0a%3c issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3%0a%3c %3c/code>%0a%3c %0a%3c {{ :openbsd:www:ssl-cert.png?direct |}}%0a\ No newline at end of file%0a
178 host:1614073261=198.251.81.119
