
OpenBSD HTTP(S) Server

source link: https://jagtalon.com/openbsd-https-server/


Updated 2021-03-18. (Tested on OpenBSD 6.8)

I’m learning about OpenBSD, and my first goal is to set up a dedicated page for my generative art on my server.

I’m glad that OpenBSD comes with a built-in web server called httpd so I don’t have to install any additional software. To configure it, I wrote the following in /etc/httpd.conf:

server "art.jagtalon.com" {
    listen on * port 80
    root "/htdocs/art.jagtalon.com"
}

This listens for HTTP requests and serves the files in /var/www/htdocs/art.jagtalon.com: httpd runs chrooted to /var/www, so the root path in the config is relative to that directory. This means I also have to create that directory:

$ mkdir -p /var/www/htdocs/art.jagtalon.com

I then checked that my configuration is valid:

$ httpd -n

Since everything is good, I enabled and started httpd using rcctl:

$ rcctl enable httpd
$ rcctl start httpd

Then I added a test file at htdocs/art.jagtalon.com/index.html to check that everything is working:

<html>
    <body>Hello, world</body>
</html>

Finally, I added an A record to my DNS provider using the IP address of my instance. And that’s it!

Enabling HTTPS

Even though HTTP is good enough for this website, it’s important to also add HTTPS support because browsers are starting to move to HTTPS-only content. First, I set up acme-client by adding this to /etc/acme-client.conf:

authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

domain art.jagtalon.com {
    domain key "/etc/ssl/private/art.jagtalon.com.key"
    domain certificate "/etc/ssl/art.jagtalon.com.crt"
    domain full chain certificate "/etc/ssl/art.jagtalon.com.fullchain.pem"
    sign with letsencrypt
}

Then I created the necessary directories (on OpenBSD.Amsterdam, this was the only one I had to make):

$ mkdir -p -m 700 /etc/ssl/acme/private

Let’s Encrypt validates that I own the domain by sending a verification request to httpd, so /etc/httpd.conf has to be updated as well:

server "art.jagtalon.com" {
    listen on * port 80
    root "/htdocs/art.jagtalon.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

As always, check the configuration and restart httpd:

$ httpd -n
$ rcctl restart httpd

Let’s get a certificate from Let’s Encrypt:

$ acme-client -v art.jagtalon.com

The certificate we got lasts 90 days, so we use cron to attempt a renewal every day. I ran crontab -e and added an entry that runs at 3am (acme-client exits 0 only when it actually changed the certificate, so httpd is reloaded only after a renewal):

0 3 * * * acme-client art.jagtalon.com && rcctl reload httpd

Finally, we enable HTTPS! Phew. I modified /etc/httpd.conf to listen for HTTPS requests and redirect all HTTP to HTTPS:

server "art.jagtalon.com" {
    listen on * port 80
    block return 301 "https://art.jagtalon.com$REQUEST_URI"
}

server "art.jagtalon.com" {
    listen on * tls port 443
    root "/htdocs/art.jagtalon.com"

    tls {
        certificate "/etc/ssl/art.jagtalon.com.fullchain.pem"
        key "/etc/ssl/private/art.jagtalon.com.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

Don’t forget to check the configuration and restart httpd:

$ httpd -n
$ rcctl restart httpd
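httpd -n only checks that the file parses; it will not notice a mistyped acme-challenge path, a tls listener that lacks its certificate or key, or a port-80 redirect that strands the HTTP-01 challenge. The following checker for the one-directive-per-line httpd.conf style used above is an added example, not code from the post or from OpenBSD's httpd; the sample config is constructed from the post's final configuration, with the challenge path deliberately mistyped, and the checks are my own.

```python
import re

# Constructed sample: the post's final httpd.conf, acme path mistyped as "./well-known".
SAMPLE_CONF = '''server "art.jagtalon.com" {
    listen on * port 80
    block return 301 "https://art.jagtalon.com$REQUEST_URI"
}
server "art.jagtalon.com" {
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/art.jagtalon.com.fullchain.pem"
        key "/etc/ssl/private/art.jagtalon.com.key"
    }
    location "./well-known/acme-challenge/*" {
        request strip 2
    }
}'''
ACME_PATH = "/.well-known/acme-challenge/*"

def parse_servers(text):  # line-oriented: one directive per line, as in the post
    servers, cur = [], dict(locations=[])  # directives before any server block land here and are dropped
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        q = re.findall(r'"([^"]*)"', line)  # quoted arguments on this line
        if line.startswith("server "):
            cur = dict(name=q[0], port=None, tls=False, certificate=None,
                       key=None, block=None, locations=[])
            servers.append(cur)
        elif line.startswith("listen on"):
            m = re.search(r"port (\d+)", line)
            cur["tls"], cur["port"] = " tls " in f" {line} ", int(m.group(1)) if m else None
        elif line.startswith("location "):
            cur["locations"].append(q[0])
        elif line.startswith(("certificate ", "key ", "block return")):
            cur[line.split()[0]] = q[0] if q else ""  # keys: certificate, key, block
    return servers

def check_conf(text):  # returns findings; an empty list means the checks passed
    servers, findings = parse_servers(text), []
    serves_acme = {s["name"] for s in servers if ACME_PATH in s["locations"]}
    for s in servers:
        where = f'server "{s["name"]}" port {s["port"]}'
        if s["tls"] and not (s["certificate"] and s["key"]):
            findings.append(f"{where}: tls listener without certificate and key")
        for loc in s["locations"]:
            if "acme-challenge" in loc and loc != ACME_PATH:
                findings.append(f"{where}: acme location {loc!r}, expected {ACME_PATH!r}")
        # HTTP-01 arrives on port 80: serve the challenge there, or redirect to an
        # https server of the same name that serves it (Let's Encrypt follows it).
        if s["port"] == 80 and ACME_PATH not in s["locations"] and not (
                (s["block"] or "").startswith("https://") and s["name"] in serves_acme):
            findings.append(f"{where}: acme challenge neither served nor redirected")
    return findings
```

Run check_conf on the contents of /etc/httpd.conf before restarting httpd; with the sample above it reports the mistyped location and, as a consequence, that the port-80 redirect no longer leads anywhere that serves the challenge.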

Change Permissions

I’d like to be able to write into the directory easily, so I changed its ownership to my own user:

$ doas chown -R jag:jag /var/www/htdocs/art.jagtalon.com
