commit 6f5121b2fe9bd31eb2b4affbaca4102476941251 from: Bradley Taunt date: Thu Oct 24 18:09:48 2024 UTC Initial, WIP commit commit - /dev/null commit + 6f5121b2fe9bd31eb2b4affbaca4102476941251 blob - /dev/null blob + a2b32f9267be748758616261e325f5df82715dd3 (mode 644) --- /dev/null +++ README.md @@ -0,0 +1,3 @@ +# httpd.rocks + +Work in progress... blob - /dev/null blob + 691287b6e353f56675fffd37fe96ead589956f33 (mode 644) --- /dev/null +++ _footer.html @@ -0,0 +1,2 @@ + + \ No newline at end of file blob - /dev/null blob + de4723502052d2d2ada53fd2fe14582901ea7ed0 (mode 644) --- /dev/null +++ _header.html @@ -0,0 +1,10 @@ + + + + + + httpd.rocks + + + + \ No newline at end of file blob - /dev/null blob + 92afbdb12cba4d0017410b983bccfc3951c681e4 (mode 644) --- /dev/null +++ build.sh @@ -0,0 +1,2 @@ +# ! /bin/sh +(cat _header.html; lowdown index.md; cat _footer.html) > index.html \ No newline at end of file blob - /dev/null blob + 9479a182ccc48373cc830413a3dd6560e0087018 (mode 644) --- /dev/null +++ index.html @@ -0,0 +1,139 @@ + + + + + + httpd.rocks + + + +

OpenBSD mascot

+

httpd rocks

+

A barebones guide to setup an HTTPS-enabled web server with httpd on OpenBSD

+

Help improve this website: git.btxx.org/httpd.rocks

+
+

Before You Begin…

+

This guide assumes you have already setup OpenBSD on your desired server of choice. Most commands will need to run via doas, since you should be logged in as a created user - never root directly.

+

All the examples in this guide use httpd.rocks for the domains (how meta…). Please remember to change this to your desired URL.

+

Prep Your Domain(s)

+

Make sure your DNS records are setup and working as intended with your desired domain. You can check their status with:

+
dig httpd.rocks
+
+

pf.conf

+

Before doing anything else, you need to make sure your /etc/pf.conf is allowing traffic on ports 80 and 443. Make sure you include the following:

+
pass in on egress proto tcp from any to any port 80
+pass in on egress proto tcp from any to any port 443
+
+pass out on egress from any to any
+
+

httpd.conf

+

Make initial website folder and files:

+
doas mkdir -p /var/www/htdocs/httpd.rocks
+
+

Place your website files into this new folder and set proper permissions:

+
doas chmod -R 755 /var/www/htdocs/httpd.rocks
+doas chown -R www:www /var/www/htdocs/httpd.rocks
+
+

Create the initial /etc/httpd.conf file:

+
server "httpd.rocks" {
+    listen on * port 80
+    root "/htdocs/httpd.rocks"
+
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+}
+
+server "www.httpd.rocks" {
+    listen on * port 80
+    block return 301 "http://httpd.rocks$REQUEST_URI"
+}
+
+

We need to create proper directories for acme-client (our next steps) and set their permissions:

+
doas mkdir -p -m 750 /etc/ssl/private
+doas mkdir -p -m 755 /var/www/acme
+
+

Then get httpd up and running:

+
doas rcctl start httpd
+
+

Note: If you encounter runtime errors with httpd, you might be required to add the following to your /etc/rc.conf.local file:

+
httpd_flags=""
+
+

If everything was setup properly, you should be able to visit the HTTP-only version of your website online.

+

acme-client.conf

+

Create the /etc/acme-client.conf file and include the following:

+
authority letsencrypt {
+    api url "https://acme-v02.api.letsencrypt.org/directory"
+    account key "/etc/acme/letsencrypt-privkey.pem"
+}
+domain httpd.rocks {
+    alternative names { www.httpd.rocks }
+    domain key "/etc/ssl/private/httpd.rocks.key"
+    domain certificate "/etc/ssl/private/httpd.rocks.crt"
+    sign with letsencrypt
+}
+
+

Note: The alternative names { www.httpd.rocks } will be needed later to forward all www. requests to standard https://.

+

Now we can run the core acme-client command to generate our certificates:

+
doas acme-client -v httpd.rocks
+
+

If everything goes smoothly, your new certificates should be generated and issued. The next thing you will want to do is automatically check for expired certs. Setup the following cronjob by running crontab -e and entering in:

+
0 0 * * * acme-client httpd.rocks && rcctl reload httpd
+
+

This will check if you need to renew certificates every day at midnight (server time).

+

httpd.conf (again)

+

Now we alter our existing /etc/httpd.conf to properly setup HTTPS and forward all HTTP traffic:

+
server "httpd.rocks" {
+  listen on * tls port 443
+  root "/htdocs/httpd.rocks"
+  tls {
+    certificate "/etc/ssl/private/httpd.rocks.crt"
+    key "/etc/ssl/private/httpd.rocks.key"
+  }
+}
+
+server "www.httpd.rocks" {
+  listen on * tls port 443
+  tls {
+    certificate "/etc/ssl/private/httpd.rocks.crt"
+    key "/etc/ssl/private/httpd.rocks.key"
+  }
+  block return 301 "https://httpd.rocks$REQUEST_URI"
+}
+
+server "httpd.rocks" {
+  listen on * port 80
+  location "/.well-known/acme-challenge/*" {
+    root "/acme"
+    request strip 2
+  }
+  block return 301 "https://httpd.rocks$REQUEST_URI"
+}
+
+server "www.httpd.rocks" {
+  listen on * port 80
+  block return 301 "http://httpd.rocks$REQUEST_URI"
+}
+
+

Then test and restart httpd:

+
httpd -n
+doas rcctl restart httpd
+
+

Be sure to also have httpd start on boot (in case of accidental server restarts!):

+
doas rcctl enable httpd
+
+

It’s Alive!

+

Now check out your website! Everything should work as intended. You should have valid TLS and your standard HTTP request should forward to HTTPS.

+

That’s it!

+
+

References

+

I am far from an OpenBSD expert. Please refer to these additional (and mostly better) resources and documentation:

+ + + \ No newline at end of file blob - /dev/null blob + 0e9842a5db2596281fa3b721edaea066efbf06be (mode 644) --- /dev/null +++ index.md 
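Review bot: index.html is the output of build.sh (header, `lowdown index.md`, footer) and is being committed next to its source, so the two files will drift as soon as index.md is edited without re-running the build. Either generate it at deploy time and leave it out of the repository, or say in README.md that index.html is a build artifact that must be regenerated after every change to index.md, and review index.md rather than this file.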
@@ -0,0 +1,191 @@ +![OpenBSD mascot](openbsd-logo.svg) + +# httpd rocks + +A barebones guide to setup an HTTPS-enabled web server with `httpd` on [OpenBSD](https://openbsd.org) + +Help improve this website: [git.btxx.org/httpd.rocks]() + +--- + +## Before You Begin... + +This guide assumes you have already setup OpenBSD on your desired server of choice. Most commands will need to run via `doas`, since you should be logged in as a created user - **never** `root` directly. + +All the examples in this guide use `httpd.rocks` for the domains (how meta...). Please remember to change this to your desired URL. + +## Prep Your Domain(s) + +Make sure your DNS records are setup and working as intended with your desired domain. You can check their status with: + +``` +dig httpd.rocks +``` + +## `pf.conf` + +Before doing anything else, you need to make sure your `/etc/pf.conf` is allowing traffic on ports `80` and `443`. Make sure you include the following: + +``` +pass in on egress proto tcp from any to any port 80 +pass in on egress proto tcp from any to any port 443 + +pass out on egress from any to any +``` + +## `httpd.conf` + +Make initial website folder and files: + +``` +doas mkdir -p /var/www/htdocs/httpd.rocks +``` + +Place your website files into this new folder and set proper permissions: + +``` +doas chmod -R 755 /var/www/htdocs/httpd.rocks +doas chown -R www:www /var/www/htdocs/httpd.rocks +``` + +Create the initial `/etc/httpd.conf` file: + +``` +server "httpd.rocks" { + listen on * port 80 + root "/htdocs/httpd.rocks" + + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } +} + +server "www.httpd.rocks" { + listen on * port 80 + block return 301 "http://httpd.rocks$REQUEST_URI" +} +``` + +We need to create proper directories for `acme-client` (our next steps) and set their permissions: + +``` +doas mkdir -p -m 750 /etc/ssl/private +doas mkdir -p -m 755 /var/www/acme +``` + +Then get `httpd` up and running: + +``` +doas rcctl start 
httpd +``` + +**Note**: If you encounter runtime errors with `httpd`, you might be required to add the following to your `/etc/rc.conf.local` file: + +``` +httpd_flags="" +``` + +If everything was setup properly, you should be able to visit the HTTP-only version of your website online. + + +## `acme-client.conf` + +Create the `/etc/acme-client.conf` file and include the following: + +``` +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} +domain httpd.rocks { + alternative names { www.httpd.rocks } + domain key "/etc/ssl/private/httpd.rocks.key" + domain certificate "/etc/ssl/private/httpd.rocks.crt" + sign with letsencrypt +} +``` + +**Note**: The `alternative names { www.httpd.rocks }` will be needed later to forward all `www.` requests to standard `https://`. + +Now we can run the core `acme-client` command to generate our certificates: + +``` +doas acme-client -v httpd.rocks +``` + +If everything goes smoothly, your new certificates should be generated and issued. The next thing you will want to do is automatically check for expired certs. Setup the following `cronjob` by running `crontab -e` and entering in: + +``` +0 0 * * * acme-client httpd.rocks && rcctl reload httpd +``` + +This will check if you need to renew certificates every day at midnight (server time). 
+ +## `httpd.conf` (again) + +Now we alter our existing `/etc/httpd.conf` to properly setup HTTPS and forward all HTTP traffic: + +``` +server "httpd.rocks" { + listen on * tls port 443 + root "/htdocs/httpd.rocks" + tls { + certificate "/etc/ssl/private/httpd.rocks.crt" + key "/etc/ssl/private/httpd.rocks.key" + } +} + +server "www.httpd.rocks" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/private/httpd.rocks.crt" + key "/etc/ssl/private/httpd.rocks.key" + } + block return 301 "https://httpd.rocks$REQUEST_URI" +} + +server "httpd.rocks" { + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + block return 301 "https://httpd.rocks$REQUEST_URI" +} + +server "www.httpd.rocks" { + listen on * port 80 + block return 301 "http://httpd.rocks$REQUEST_URI" +} +``` + +Then test and restart `httpd`: + +``` +httpd -n +doas rcctl restart httpd +``` + +Be sure to also have `httpd` start on boot (in case of accidental server restarts!): + +``` +doas rcctl enable httpd +``` + +## It's Alive! + +Now check out your website! Everything should work as intended. You should have valid TLS and your standard HTTP request should forward to HTTPS. + +That's it! + +--- + +## References + +I am far from an OpenBSD expert. Please refer to these additional (and mostly better) resources and documentation: + +- [man.openbsd.org/httpd.8](https://man.openbsd.org/httpd.8) +- [man.openbsd.org/acme-client.1](https://man.openbsd.org/acme-client.1) +- [Enable HTTPS with acme-client(1) and Let’s Encrypt on OpenBSD](https://romanzolotarev.com/openbsd/acme-client.html) +- [Self-hosting a static site with OpenBSD, httpd, and relayd](https://citizen428.net/blog/self-hosting-static-site-openbsd-httpd-relayd/) \ No newline at end of file blob - /dev/null blob + 0b88e5fd38604259fddac7cae87cbce1d8f236c3 (mode 644) --- /dev/null +++ openbsd-logo.svg 
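Review bot: the cron entry `0 0 * * * acme-client httpd.rocks && rcctl reload httpd` has to be installed in root's crontab, but the text says to run plain `crontab -e` right after telling the reader never to work as root. acme-client must read the account key under /etc/acme and write the domain key and certificate into /etc/ssl/private (created here with `doas mkdir -p -m 750`), and `rcctl reload httpd` also needs root, so from an unprivileged user's crontab both commands fail every night and the certificate is never renewed. Suggest `doas crontab -e`, or state explicitly that the line belongs in root's crontab. Two smaller points: `doas chown -R www:www /var/www/htdocs/httpd.rocks` makes the document root writable by the user httpd runs as, which it does not need (it only reads the files), so leaving the tree root-owned and world-readable (the `chmod -R 755` already applied) limits what a compromised httpd process could change; and in the final httpd.conf the `www.httpd.rocks` port-80 server still returns 301 to `http://httpd.rocks$REQUEST_URI`, so every www visitor gets two redirects before reaching HTTPS, when it could point at `https://httpd.rocks$REQUEST_URI` directly. The "Help improve this website" link also has an empty target: `[git.btxx.org/httpd.rocks]()`.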
@@ -0,0 +1,1975 @@ + + + + + Puffy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Puffy + + 2019-06-14 + + + Stéphane HUC + + + + + OpenBSD Team + + + + + Inkscape + + + + + Puffy + OpenBSD + + + https://www.openbsd.org/art4.html + English + "Puffy", it's a symbol of OpenBSD + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + blob - /dev/null blob + 90dd4eb49ec91615229acfabacd5a46e220645c9 (mode 644) --- /dev/null +++ style.css @@ -0,0 +1,42 @@ +* { + box-sizing: border-box; +} + +body { + font-family: sans-serif; + font-size: 14px; + margin: 0 auto; + max-width: 650px; + padding: 10px; +} + +header { + border-bottom: 1px solid; + padding: 0 0 10px; +} + +img { + margin: 0 auto; + max-width: 120px; +} + +h1 { + margin: 0; + padding: 0.5rem 0 0; +} + +h2 { + margin: 2rem 0 0; +} + +pre { + border: 1px solid; + padding: 10px; +} + +hr { + background: currentColor; + border: 0; + height: 1px; + margin: 2rem 0; +} \ No newline at end of file
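Review bot: the first line of build.sh, `# ! /bin/sh`, is not a shebang because of the space between `#` and `!`; it is an ordinary comment, so the script only runs when invoked as `sh build.sh`, and since the file is added with mode 644, `./build.sh` fails outright. Use `#!/bin/sh` and commit the file with mode 755, or keep 644 and document `sh build.sh` in README.md. The file is also missing its trailing newline.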