
Tested with OpenBSD 6.4

httpd supports TLS 1.2 and works well with acme-client. In this example, relayd(8) only adds some HTTP headers to get higher grades from the following tests:

A+ Observatory by Mozilla
A+ SSL Labs by Qualys
CryptCheck
A+ Security Headers
+ HSTS Preload
100 Lighthouse by Google

There are some drawbacks:

Because relayd(8) is fronting httpd(8), REMOTE_ADDR in access.log is always 127.0.0.1. Here is a diff for httpd(8) that adds X-Forwarded-For and X-Forwarded-Port to the log.

Also httpd(8) doesn’t support gzip compression for static files. You can use gzip via FastCGI, if needed.

Set up a web server with httpd(8) and relayd(8) on OpenBSD

httpd(8) listens on ports 80 and 8080, serves plain HTTP, redirects //www.tld to //tld and http://tld:80 to https://tld:443.

relayd(8) listens on port 443 and terminates TLS for the IPv4 and IPv6 addresses, acme-client(1) issues a certificate via Let’s Encrypt, and cron(8) runs acme-client(1) to check and renew the certificate.

In this example, TLD is rgz.ee, IPv4 address of the server is 46.23.88.178 and IPv6 is 2a03:6000:1015::178.

   https://rgz.ee       relayd  46.23.88.178        :443
or                      relayd  2a03:6000:1015::178 :443  →  httpd  127.0.0.1  :8080  HTTP 200 OK

   https://www.rgz.ee   relayd  *                   :443  →  httpd  127.0.0.1  :8080  HTTP 301 https://rgz.ee

   http://rgz.ee
or http://www.rgz.ee    httpd   *                   :80                                HTTP 301 https://rgz.ee

Configure httpd(8)

acme-client(1) stores a challenge in the /var/www/acme directory, Let’s Encrypt sends an HTTP request GET /.well-known/acme-challenge/*, and httpd(8) serves static files from that directory on such requests.

Note: httpd(8) is chrooted in /var/www/, so httpd(8) sees it as /acme/.

# > /etc/httpd.conf echo '
server "rgz.ee" {
	listen on 127.0.0.1 port 8080
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "www.rgz.ee" {
	listen on 127.0.0.1 port 8080
	block return 301 "https://rgz.ee$REQUEST_URI"
}
server "rgz.ee" {
	alias "www.rgz.ee"
	listen on * port 80
	block return 301 "https://rgz.ee$REQUEST_URI"
}
'
#

Verify the configuration, enable and restart httpd(8).

# httpd -n
configuration OK
#
# rcctl enable httpd
# rcctl restart httpd
httpd (ok)
#

Configure relayd(8)

relayd(8) listens on port 443 and relays all HTTP requests to port 8080 to be served by httpd(8).

Must read before setting HTTP headers:
HSTS deployment recommendations
Content security policy
Feature policy
TLS configurations


# cat > /etc/relayd.conf <<'EOF'
ip4="46.23.88.178"
ip6="2a03:6000:1015::178"

table <local> { 127.0.0.1 }

http protocol https {
	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "deny"
	match response header set "X-XSS-Protection" value "1; mode=block"

	return error
	pass
}
relay wwwtls {
	listen on $ip4 port 443 tls
	listen on $ip6 port 443 tls
	protocol https
	forward to <local> port 8080
}
EOF
#
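The grades listed at the top of the page are only earned if the headers that relayd.conf sets actually reach the client, so it is worth checking a real response against the configuration rather than trusting the config file. The script below is an added example, not code from the article: check_headers reads a raw HTTP response on stdin and compares each security header with the value relayd is configured to set. The two sample responses are constructed for the example, not captured from rgz.ee.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that an HTTPS
# response carries the headers relayd.conf sets.
# Usage on the server:  curl -sI https://rgz.ee | sh check_headers.sh
# (or source this file and call check_headers yourself).

# Header name and the value relayd.conf sets, separated by '|'.
REQUIRED_HEADERS="Content-Security-Policy|default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
Feature-Policy|camera 'none'; microphone 'none'
Referrer-Policy|no-referrer
Strict-Transport-Security|max-age=31536000; includeSubDomains; preload
X-Content-Type-Options|nosniff
X-Frame-Options|deny
X-XSS-Protection|1; mode=block"

# header_value NAME: print the value of header NAME from the response on
# stdin. Header names are matched case-insensitively, CRLF endings are
# tolerated, and only the header block (up to the first blank line) is read.
header_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # a blank line ends the header block
        {
            i = index($0, ":")
            if (i == 0) next               # the status line has no colon
            if (tolower(substr($0, 1, i - 1)) != want) next
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            print value
            exit
        }'
}

# check_headers: read a raw HTTP response from stdin and print one line per
# required header that is missing or carries a different value.
# Exit status is 0 only when every header matches.
check_headers() {
    response=$(cat)
    bad=0
    while IFS='|' read -r name expected; do
        got=$(printf '%s\n' "$response" | header_value "$name")
        if [ "$got" != "$expected" ]; then
            printf 'missing or wrong %s: got "%s"\n' "$name" "$got"
            bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED_HEADERS
EOF
    [ "$bad" -eq 0 ]
}

# Constructed sample response (not captured from rgz.ee) with every header set.
SAMPLE_OK="HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
Feature-Policy: camera 'none'; microphone 'none'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block

<html></html>"

# Constructed sample with an HSTS max-age too short for preload and no
# X-Frame-Options at all: check_headers reports exactly those two.
SAMPLE_BAD="HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
Feature-Policy: camera 'none'; microphone 'none'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"
```

The comparison is exact on purpose: the preload list requires max-age of at least one year plus includeSubDomains and preload, and a CSP that has lost its quotes (for example because the value was written through a shell command that dropped them) would otherwise pass a looser "header present" check.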

relayd(8) loads the full-chain certificate for each listening IPv4 and IPv6 address from /etc/ssl/$address.crt and the private key from /etc/ssl/private/$address.key.

Generate a temporary key and certificate, then create symbolic links for the IPv4 and IPv6 addresses. Later that key and certificate will be replaced by acme-client(1).

# mkdir -p -m 0700 /etc/ssl/private
#
# openssl req -x509 -newkey rsa:4096 \
-days 365 -nodes \
-subj '/CN=rgz.ee' \
-keyout /etc/ssl/private/rgz.ee.key \
-out /etc/ssl/rgz.ee.pem
Generating a 4096 bit RSA private key
.................................................++
....................................................................++
writing new private key to '/etc/ssl/private/rgz.ee.key'
-----
#
# ln -fs /etc/ssl/private/{rgz.ee,46.23.88.178}.key
# ln -fs /etc/ssl/private/{rgz.ee,2a03:6000:1015::178}.key
# ln -fs /etc/ssl/{rgz.ee.pem,46.23.88.178.crt}
# ln -fs /etc/ssl/{rgz.ee.pem,2a03:6000:1015::178.crt}
#
# chmod 0600 /etc/ssl/private/*.key
#
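Before relayd(8) is started or reloaded it pays to verify that the layout the symlinks above produce is what relayd will look for: for every listening address a readable full-chain certificate at $address.crt and a private key at private/$address.key that only root can read. The following check is an added example, not part of the article. SSLDIR is a parameter so the check can run against a scratch copy; make_fixture builds such a copy from placeholder files (not real keys) and deliberately points the IPv6 key link at a world-readable key to show what the report looks like.

```shell
#!/bin/sh
# Added example, not part of the original article: check the certificate and
# key files relayd(8) expects for each listening address.
# Usage on the server:  check_tls_files /etc/ssl 46.23.88.178 2a03:6000:1015::178

# mode_of FILE: permission string of FILE with symlinks resolved, e.g. -rw-------
mode_of() {
    ls -lLd "$1" | cut -c1-10
}

# check_tls_files SSLDIR ADDR...: print one line per problem found.
# Exit status is 0 only when every address has a readable certificate and a
# key with mode 0600 (the mode set by the chmod above).
check_tls_files() {
    ssldir=$1; shift
    problems=0
    for addr in "$@"; do
        crt="$ssldir/$addr.crt"
        key="$ssldir/private/$addr.key"
        # -f and -r follow symlinks, so a dangling link is reported as missing
        if [ ! -f "$crt" ] || [ ! -r "$crt" ]; then
            echo "$addr: certificate $crt missing or unreadable"
            problems=$((problems + 1))
        fi
        if [ ! -f "$key" ]; then
            echo "$addr: key $key missing"
            problems=$((problems + 1))
        elif [ "$(mode_of "$key")" != "-rw-------" ]; then
            echo "$addr: key $key is $(mode_of "$key"), expected -rw------- (0600)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# make_fixture DIR: build a scratch copy of the layout created above, using
# placeholder files instead of real keys. The IPv4 address is set up correctly;
# the IPv6 key link points at a key that was left world-readable.
make_fixture() {
    dir=$1
    mkdir -p "$dir/private"
    echo "placeholder pem" > "$dir/rgz.ee.pem"
    echo "placeholder key" > "$dir/private/rgz.ee.key"
    chmod 0600 "$dir/private/rgz.ee.key"
    # link targets are relative so the fixture works wherever DIR lives
    ln -fs rgz.ee.pem "$dir/46.23.88.178.crt"
    ln -fs rgz.ee.key "$dir/private/46.23.88.178.key"
    ln -fs rgz.ee.pem "$dir/2a03:6000:1015::178.crt"
    echo "placeholder key" > "$dir/private/leaked.key"
    chmod 0644 "$dir/private/leaked.key"
    ln -fs leaked.key "$dir/private/2a03:6000:1015::178.key"
}
```

Run it right before rcctl reload relayd; a non-zero exit means relayd would either fail to load the listener or serve from a key that other local users can read. Checking that the certificate and key actually belong together (comparing the public keys with openssl) is a useful addition on the server but is left out here to keep the example free of external tools.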

Verify the configuration, enable and restart relayd(8).

# relayd -n
configuration OK
#
# rcctl enable relayd
# rcctl restart relayd
relayd (ok)
#

Configure acme-client

acme-client(1) generates an account key letsencrypt.key and a domain key rgz.ee.key and stores them in /etc/ssl/private; it stores challenges in the /var/www/acme directory, the certificate in /etc/ssl/rgz.ee.crt (not needed for this setup) and the full-chain certificate in /etc/ssl/rgz.ee.pem (needed for relayd).

# > /etc/acme-client.conf echo '
authority letsencrypt {
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/letsencrypt.key"
}
domain rgz.ee {
	alternative names { www.rgz.ee }
	domain key "/etc/ssl/private/rgz.ee.key"
	domain certificate "/etc/ssl/rgz.ee.crt"
	domain full chain certificate "/etc/ssl/rgz.ee.pem"
	sign with "letsencrypt"
}
'
#

Remove the temporary certificate and keys, if any. Create the directory for challenges.

# rm -f /etc/ssl/rgz.ee.pem
# rm -f /etc/ssl/rgz.ee.crt
# rm -f /etc/ssl/private/rgz.ee.key
# rm -f /etc/ssl/private/letsencrypt.key
#
# mkdir -p -m 755 /var/www/acme
#

Verify the configuration, run acme-client(1), and reload relayd(8).

# acme-client -n rgz.ee
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/ssl/private/letsencrypt.key"
}

domain rgz.ee {
        domain key "/etc/ssl/private/rgz.ee.key"
        domain certificate "/etc/ssl/rgz.ee.crt"
        domain full chain certificate "/etc/ssl/rgz.ee.pem"
        sign with "letsencrypt"
}
#
# acme-client -vFAD rgz.ee
acme-client: /etc/ssl/private/letsencrypt.key: generated RSA account key
acme-client: /etc/ssl/private/rgz.ee.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.15.57.150
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: rgz.ee
acme-client: /var/www/acme/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/ooooooooooo_ooooooooooooooooo-ooooooooooooo/ooooooooooo: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/ooooooooooo_ooooooooooooooooo-ooooooooooooo/ooooooooooo: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 23.13.65.208
acme-client: /etc/ssl/rgz.ee.crt: created
acme-client: /etc/ssl/rgz.ee.pem: created
#
# rcctl reload relayd
relayd(ok)
#

Schedule a new crontab to check and renew the certificate.

# echo '0 0 * * * acme-client rgz.ee && rcctl reload relayd' |
crontab -
#

© 2008–2019 Roman Zolotarev