
Tested with OpenBSD 6.4

httpd supports TLS 1.2 and works well with acme-client. In this example, relayd(8) only adds some HTTP headers to get higher grades from the following tests:

A+ Observatory by Mozilla
A+ SSL Labs by Qualys
CryptCheck
A+ Security Headers
+ HSTS Preload
100 Lighthouse by Google

There are some drawbacks:

Because relayd(8) is fronting httpd(8), REMOTE_ADDR in access.log is always 127.0.0.1. Here is a diff for httpd(8) to include X-Forwarded-For and X-Forwarded-Port in the log.

Also httpd(8) doesn’t support gzip compression for static files. You can use gzip via FastCGI, if needed.

Set up a web server with httpd(8) and relayd(8) on OpenBSD

httpd(8) listens on ports 80 and 8080, serves plain HTTP, redirects //www.tld to //tld and http://tld:80 to https://tld:443.

relayd(8) listens on port 443 and terminates TLS for the IPv4 and IPv6 addresses, acme-client(1) issues a certificate via Let’s Encrypt, and cron(8) runs acme-client(1) to check and renew the certificate.

In this example, TLD is rgz.ee, IPv4 address of the server is 46.23.88.178 and IPv6 is 2a03:6000:1015::178.

https://rgz.ee
  → relayd 46.23.88.178:443 or relayd [2a03:6000:1015::178]:443
  → httpd 127.0.0.1:8080
  → HTTP 200 OK

https://www.rgz.ee
  → relayd *:443
  → httpd 127.0.0.1:8080
  → HTTP 301 https://rgz.ee

http://rgz.ee or http://www.rgz.ee
  → httpd *:80
  → HTTP 301 https://rgz.ee

Configure httpd(8)

acme-client(1) stores a challenge in the /var/www/acme directory, Let’s Encrypt sends an HTTP request GET /.well-known/acme-challenge/*, and httpd(8) serves static files from that directory on such requests.

Note: httpd(8) is chrooted in /var/www/, so httpd(8) sees it as /acme/.

# > /etc/httpd.conf echo '
server "rgz.ee" {
	listen on 127.0.0.1 port 8080
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "www.rgz.ee" {
	listen on 127.0.0.1 port 8080
	block return 301 "https://rgz.ee$REQUEST_URI"
}
server "rgz.ee" {
	alias "www.rgz.ee"
	listen on * port 80
	block return 301 "https://rgz.ee$REQUEST_URI"
}
'
#
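The location block above relies on "request strip 2": httpd(8) drops the first two components of the request path (".well-known" and "acme-challenge") and looks the remainder up under root "/acme", which is relative to the /var/www chroot. The sh function below is an added illustration of that rule, not code from the article or from httpd(8); the token in the sample request is constructed.

```shell
#!/bin/sh
# strip_path N ROOT REQUEST_PATH
# Mirror the rule httpd(8) applies for a location with "request strip N":
# drop the first N components of the request path, then look the rest up
# under ROOT (ROOT is relative to the /var/www chroot). Prints the path
# httpd(8) would open. Added illustration, not httpd(8) code.
strip_path() {
    n=$1
    root=${2%/}          # tolerate a trailing slash on the root
    p=${3#/}             # request path without its leading slash
    while [ "$n" -gt 0 ] && [ -n "$p" ]; do
        case $p in
            */*) p=${p#*/} ;;   # drop one leading component
            *)   p= ;;          # last component gone, nothing left to strip
        esac
        n=$((n - 1))
    done
    printf '%s/%s\n' "$root" "$p"
}

# The request Let's Encrypt makes during validation, with a constructed token:
strip_path 2 /acme /.well-known/acme-challenge/TOKEN-constructed-example
```

With the configuration above the file opened is /acme/TOKEN-constructed-example inside the chroot, i.e. /var/www/acme/TOKEN-constructed-example on the host, which is exactly where acme-client(1) writes the challenge.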

Verify the configuration, enable and restart httpd(8).

# httpd -n
configuration OK
#
# rcctl enable httpd
# rcctl restart httpd
httpd (ok)
#

Configure relayd(8)

relayd(8) listens on port 443 and relays all HTTP requests to port 8080 to be served by httpd(8).

Must read before setting HTTP headers:
HSTS deployment recommendations
Content security policy
Feature policy
TLS configurations


# > /etc/relayd.conf echo '
ip4="46.23.88.178"
ip6="2a03:6000:1015::178"

table <local> { 127.0.0.1 }

http protocol https {
	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "deny"
	match response header set "X-XSS-Protection" value "1; mode=block"

	return error
	pass
}
relay wwwtls {
	listen on $ip4 port 443 tls
	listen on $ip6 port 443 tls
	protocol https
	forward to <local> port 8080
}
'
#
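A quick way to confirm that the headers this protocol sets actually reach the client is to audit a captured response header block. The sh script below is an added example, not code from the article or from relayd(8): it lists any of the seven response headers from the configuration above that are absent and checks that Strict-Transport-Security satisfies the HSTS preload requirements (max-age of at least 31536000 seconds, includeSubDomains and preload). The embedded response is constructed to look like what relayd(8) returns for https://rgz.ee/ with this configuration; in practice you would feed the functions the header block of a real response.

```shell
#!/bin/sh
# Added example: audit a captured HTTP response header block against the
# headers the relayd(8) protocol above is meant to set. Not relayd code.

# Constructed sample of what a client receives for https://rgz.ee/ once the
# protocol above is applied to httpd(8)'s "200 OK" answer.
SAMPLE_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
Feature-Policy: camera 'none'; microphone 'none'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
EOF
)

# The response headers set by "match response header set" above.
REQUIRED_HEADERS="Content-Security-Policy Feature-Policy Referrer-Policy
Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection"

# missing_headers RESPONSE: print, one per line, each required header that
# does not appear (header names are case-insensitive).
missing_headers() {
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$1" | grep -iq "^$h:" || echo "$h"
    done
}

# hsts_ok RESPONSE: succeed only if Strict-Transport-Security satisfies the
# preload list requirements: max-age >= 31536000 (one year),
# includeSubDomains and preload.
hsts_ok() {
    v=$(printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' | head -n 1 | cut -d: -f2-)
    [ -n "$v" ] || return 1
    lc=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | tr -d ' \r')
    age=$(printf '%s' "$lc" | tr ';' '\n' | sed -n 's/^max-age=//p')
    case $age in ''|*[!0-9]*) return 1 ;; esac
    [ "$age" -ge 31536000 ] || return 1
    case $lc in *includesubdomains*) ;; *) return 1 ;; esac
    case $lc in *preload*) ;; *) return 1 ;; esac
    return 0
}

# audit_headers RESPONSE: report problems on stderr; exit status 0 only when
# every required header is present and the HSTS policy is preload-ready.
audit_headers() {
    miss=$(missing_headers "$1")
    rc=0
    if [ -n "$miss" ]; then
        printf 'missing: %s\n' $miss >&2
        rc=1
    fi
    if ! hsts_ok "$1"; then
        echo 'Strict-Transport-Security is absent or weaker than preload requires' >&2
        rc=1
    fi
    return $rc
}

audit_headers "$SAMPLE_RESPONSE" && echo "all required headers present"
```

Note that the check only looks at what the protocol adds; the grades from the scanners listed at the top also depend on the TLS ciphers and the certificate chain relayd(8) presents.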

relayd(8) loads the full-chain certificate for each IPv4 and IPv6 address it listens on from /etc/ssl/$address.crt and the matching private key from /etc/ssl/private/$address.key.

Generate a temporary key and certificate, then create symbolic links for the IPv4 and IPv6 addresses. Later that key and certificate will be replaced by acme-client(1).

# mkdir -p -m 0700 /etc/ssl/private
#
# openssl req -x509 -newkey rsa:4096 \
-days 365 -nodes \
-subj '/CN=rgz.ee' \
-keyout /etc/ssl/private/rgz.ee.key \
-out /etc/ssl/rgz.ee.pem
Generating a 4096 bit RSA private key
.................................................++
....................................................................++
writing new private key to '/etc/ssl/private/rgz.ee.key'
-----
#
# ln -sf /etc/ssl/private/{rgz.ee,46.23.88.178}.key
# ln -sf /etc/ssl/private/{rgz.ee,2a03:6000:1015::178}.key
# ln -sf /etc/ssl/{rgz.ee.pem,46.23.88.178.crt}
# ln -sf /etc/ssl/{rgz.ee.pem,2a03:6000:1015::178.crt}
#
# chmod 0600 /etc/ssl/private/*.key
#
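Two things go wrong with this layout in practice: a key that is left readable by others, and an address .crt that points at a leaf-only certificate instead of the full-chain .pem, which makes relayd(8) send an incomplete chain. The sh script below is an added example, not code from the article, relayd(8) or acme-client(1): check_tls_files verifies, for each listening address, that the .crt and .key exist (following the symlinks), that the key is mode 0600 and that the .crt carries at least two certificates. make_demo_layout builds a constructed copy of the layout (fake PEM bodies, not real keys) in a temporary directory so the check can be exercised offline; on the server you would run check_tls_files /etc/ssl 46.23.88.178 2a03:6000:1015::178.

```shell
#!/bin/sh
# Added example (not relayd(8) or acme-client(1) code): check that the
# /etc/ssl layout relayd(8) expects is in place for each listening address.

# check_tls_files SSLDIR ADDR...
# For every ADDR, SSLDIR/ADDR.crt and SSLDIR/private/ADDR.key must exist
# (symlinks are followed), the key must be mode 0600, and the .crt must hold
# a chain (leaf plus at least one intermediate): relayd(8) sends the file as
# is, so a leaf-only file leaves clients with an incomplete chain. Prints one
# problem per line and returns 1 if any were found.
check_tls_files() {
    ssldir=$1; shift
    rc=0
    for addr in "$@"; do
        crt="$ssldir/$addr.crt"
        key="$ssldir/private/$addr.key"
        if [ ! -f "$crt" ]; then echo "$crt: missing"; rc=1; continue; fi
        if [ ! -f "$key" ]; then echo "$key: missing"; rc=1; continue; fi
        mode=$(ls -lL "$key" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "$key: mode $mode, want -rw------- (chmod 0600)"; rc=1
        fi
        n=$(grep -c 'BEGIN CERTIFICATE' "$crt" || true)
        if [ "$n" -lt 2 ]; then
            echo "$crt: $n certificate(s); link it to the full-chain .pem"; rc=1
        fi
    done
    return $rc
}

# pem LABEL: emit a constructed PEM block (placeholder body, not key material).
pem() {
    printf '%s\n' "-----BEGIN $1-----" constructed "-----END $1-----"
}

# make_demo_layout DIR: build a constructed copy of the layout above under DIR
# so the check can be tried offline.
make_demo_layout() {
    d=$1
    mkdir -p "$d/private"
    chmod 0700 "$d/private"
    { pem CERTIFICATE; pem CERTIFICATE; } > "$d/rgz.ee.pem"   # leaf + intermediate
    pem CERTIFICATE > "$d/rgz.ee.crt"                          # leaf only
    pem 'PRIVATE KEY' > "$d/private/rgz.ee.key"
    chmod 0600 "$d/private/rgz.ee.key"
    for addr in 46.23.88.178 2a03:6000:1015::178; do
        ln -sf "$d/rgz.ee.pem" "$d/$addr.crt"
        ln -sf "$d/private/rgz.ee.key" "$d/private/$addr.key"
    done
}

demo=$(mktemp -d)
make_demo_layout "$demo"
check_tls_files "$demo" 46.23.88.178 2a03:6000:1015::178 && echo "layout OK"
rm -rf "$demo"
```

The chain test is deliberately crude (it counts PEM blocks rather than validating signatures); its purpose is to catch the symlink-to-the-wrong-file mistake before a scanner does.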

Verify the configuration, enable and restart relayd(8).

# relayd -n
configuration OK
#
# rcctl enable relayd
# rcctl restart relayd
relayd (ok)
#

Configure acme-client

acme-client(1) generates an account key letsencrypt.key and a domain key rgz.ee.key and stores them in /etc/ssl/private; it stores challenges in the /var/www/acme directory, a certificate in /etc/ssl/rgz.ee.crt (not needed for this setup), and a full-chain certificate in /etc/ssl/rgz.ee.pem (needed for relayd).

# > /etc/acme-client.conf echo '
authority letsencrypt {
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/letsencrypt.key"
}
domain rgz.ee {
	alternative names { www.rgz.ee }
	domain key "/etc/ssl/private/rgz.ee.key"
	domain certificate "/etc/ssl/rgz.ee.crt"
	domain full chain certificate "/etc/ssl/rgz.ee.pem"
	sign with "letsencrypt"
}
'
#

Remove the temporary certificate and keys, if any. Create the directory for challenges.

# rm -f /etc/ssl/rgz.ee.pem
# rm -f /etc/ssl/rgz.ee.crt
# rm -f /etc/ssl/private/rgz.ee.key
# rm -f /etc/ssl/private/letsencrypt.key
#
# mkdir -p -m 755 /var/www/acme
#

Verify the configuration, run acme-client(1), and reload relayd(8).

# acme-client -n rgz.ee
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/ssl/private/letsencrypt.key"
}

domain rgz.ee {
        domain key "/etc/ssl/private/rgz.ee.key"
        domain certificate "/etc/ssl/rgz.ee.crt"
        domain full chain certificate "/etc/ssl/rgz.ee.pem"
        sign with "letsencrypt"
}
#
# acme-client -vFAD rgz.ee
acme-client: /etc/ssl/private/letsencrypt.key: generated RSA account key
acme-client: /etc/ssl/private/rgz.ee.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.15.57.150
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: rgz.ee
acme-client: /var/www/acme/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/yyyyyyyyyyy_yyyyyyyyyyyyyyyyy-yyyyyyyyyyyyy/yyyyyyyyyyy: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/yyyyyyyyyyy_yyyyyyyyyyyyyyyyy-yyyyyyyyyyyyy/yyyyyyyyyyy: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 23.13.65.208
acme-client: /etc/ssl/rgz.ee.crt: created
acme-client: /etc/ssl/rgz.ee.pem: created
#
# rcctl reload relayd
relayd(ok)
#

Schedule a new crontab to check and renew the certificate.

# echo '0 0 * * * acme-client rgz.ee && rcctl reload relayd' |
crontab -
#

© 2008–2019 Roman Zolotarev