Tested with OpenBSD 6.4

httpd supports TLS 1.2 and works well with acme-client. In this example, relayd(8) only adds some HTTP headers to get higher grades from the following tests:

A+ Observatory by Mozilla
A+ SSL Labs by Qualys
CryptCheck
A+ Security Headers
+ HSTS Preload
100 Lighthouse by Google

There are some drawbacks:

Because relayd(8) is fronting httpd(8), REMOTE_ADDR in access.log is always 127.0.0.1. Here is a diff for httpd(8) that adds X-Forwarded-For and X-Forwarded-Port to the log.

Also httpd(8) doesn’t support gzip compression for static files. You can use gzip via FastCGI, if needed.

Set up a web server with httpd(8) and relayd(8) on OpenBSD

httpd(8) listens on ports 80 and 8080, serves plain HTTP, redirects //www.tld to //tld and http://tld:80 to https://tld:443.

relayd(8) listens on port 443 and terminates TLS for the IPv4 and IPv6 addresses; acme-client(1) issues a certificate via Let's Encrypt, and cron(8) runs acme-client(1) to check and renew the certificate.

In this example, TLD is rgz.ee, IPv4 address of the server is 46.23.88.178 and IPv6 is 2a03:6000:1015::178.

   https://rgz.ee         relayd 46.23.88.178        :443
                       or relayd 2a03:6000:1015::178 :443   →  httpd 127.0.0.1 :8080  HTTP 200 OK

   https://www.rgz.ee     relayd *                   :443   →  httpd 127.0.0.1 :8080  HTTP 301 https://rgz.ee

   http://rgz.ee
or http://www.rgz.ee      httpd  *                   :80           HTTP 301 https://rgz.ee

Configure httpd(8)

acme-client(1) stores a challenge in the /var/www/acme directory, Let's Encrypt sends an HTTP request GET /.well-known/acme-challenge/*, and httpd(8) serves static files from that directory on such requests.

Note: httpd(8) is chrooted in /var/www/, so httpd(8) sees it as /acme/.

# > /etc/httpd.conf echo '
server "rgz.ee" {
	listen on 127.0.0.1 port 8080
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "www.rgz.ee" {
	listen on 127.0.0.1 port 8080
	block return 301 "https://rgz.ee$REQUEST_URI"
}
server "rgz.ee" {
	alias "www.rgz.ee"
	listen on * port 80
	block return 301 "https://rgz.ee$REQUEST_URI"
}
'
#

Verify the configuration, enable and restart httpd(8).

# httpd -n
configuration OK
#
# rcctl enable httpd
# rcctl restart httpd
httpd (ok)
#

Configure relayd(8)

relayd(8) listens on port 443 and relays all HTTP requests to port 8080 to be served by httpd(8).

Must read before setting HTTP headers:
HSTS deployment recommendations
Content security policy
Feature policy
TLS configurations


# cat > /etc/relayd.conf <<'EOF'
ipv4="46.23.88.178"
ipv6="2a03:6000:1015::178"

table <local> { 127.0.0.1 }

http protocol https {
	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "deny"
	match response header set "X-XSS-Protection" value "1; mode=block"

	return error
	pass
}
relay wwwtls {
	listen on $ipv4 port 443 tls
	listen on $ipv6 port 443 tls
	protocol https
	forward to <local> port 8080
}
EOF
#
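As an added check that is not part of the original page, this sh script audits a captured response header block against the headers the relayd(8) protocol above sets, including the three HSTS preload requirements. The sample response is constructed here to match that configuration; in practice the block would be the output of something like curl -sI https://rgz.ee.

```shell
# Added example, not part of the original page: check an HTTP response header block
# against the headers the relayd(8) protocol above sets. The sample is constructed
# to match that configuration.
sample_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: OpenBSD httpd
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
Feature-Policy: camera 'none'; microphone 'none'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
EOF
}

# header_value NAME  -- print the value of header NAME (case-insensitive) read from stdin
header_value() {
	awk -v want="$1" 'BEGIN { want = tolower(want) }
		{ line = $0; sub(/\r$/, "", line); i = index(line, ":")
		  if (i && tolower(substr(line, 1, i - 1)) == want) {
		      v = substr(line, i + 1); sub(/^ */, "", v); print v; exit } }'
}

# check_headers  -- read a header block from stdin; print each problem and return 1,
# or return 0 when every header relayd(8) is meant to add is present and HSTS is
# preload-ready (max-age of at least one year, includeSubDomains, preload)
check_headers() {
	hdrs=$(cat); rc=0
	for name in Content-Security-Policy Feature-Policy Referrer-Policy \
	    Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection; do
		[ -n "$(printf '%s\n' "$hdrs" | header_value "$name")" ] ||
			{ echo "missing: $name"; rc=1; }
	done
	hsts=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
	age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
	[ "${age:-0}" -ge 31536000 ] || { echo "HSTS max-age below one year: ${age:-none}"; rc=1; }
	case "$hsts" in *includeSubDomains*) ;; *) echo "HSTS lacks includeSubDomains"; rc=1 ;; esac
	case "$hsts" in *preload*) ;; *) echo "HSTS lacks preload"; rc=1 ;; esac
	case "$(printf '%s\n' "$hdrs" | header_value Content-Security-Policy)" in
		*frame-ancestors*) ;; *) echo "CSP lacks frame-ancestors"; rc=1 ;;
	esac
	return $rc
}

sample_headers | check_headers && echo "headers match the relayd(8) policy"
```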

relayd(8) loads a full-chain certificate and a private key for both the IPv4 and the IPv6 address from the /etc/ssl directory: the certificate from the $address.crt file and the private key from private/$address.key.

Generate a temporary key and certificate, then create symbolic links for the IPv4 and IPv6 addresses. Later that key and certificate will be replaced by acme-client(1).

# mkdir -p -m 0700 /etc/ssl/private
#
# openssl req -x509 -newkey rsa:4096 \
-days 365 -nodes \
-subj '/CN=rgz.ee' \
-keyout /etc/ssl/private/rgz.ee.key \
-out /etc/ssl/rgz.ee.pem
Generating a 4096 bit RSA private key
.................................................++
....................................................................++
writing new private key to '/etc/ssl/private/rgz.ee.key'
-----
#
# ln -fs /etc/ssl/private/{rgz.ee,46.23.88.178}.key
# ln -fs /etc/ssl/private/{rgz.ee,2a03:6000:1015::178}.key
# ln -fs /etc/ssl/{rgz.ee.pem,46.23.88.178.crt}
# ln -fs /etc/ssl/{rgz.ee.pem,2a03:6000:1015::178.crt}
#
# chmod 0600 /etc/ssl/private/*.key
#
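The per-address lookup above generalises to any number of listen addresses. The following sh functions, added here and not part of the original page, create the links relayd(8) expects and then verify that each link resolves and that no key is readable by group or others; SSLDIR is an assumed knob so the functions can be exercised against a scratch directory instead of /etc/ssl.

```shell
# Added example, not part of the original page: relayd(8) looks up the certificate
# and key by listen address, so every address needs $SSLDIR/$addr.crt and
# $SSLDIR/private/$addr.key. SSLDIR is an assumed override (default /etc/ssl).
SSLDIR=${SSLDIR:-/etc/ssl}

# link_relayd_certs DOMAIN ADDR...  -- link DOMAIN's full-chain .pem and .key under each ADDR
link_relayd_certs() {
	domain=$1; shift
	for addr in "$@"; do
		ln -fs "$SSLDIR/$domain.pem" "$SSLDIR/$addr.crt"
		ln -fs "$SSLDIR/private/$domain.key" "$SSLDIR/private/$addr.key"
	done
}

# verify_relayd_certs ADDR...  -- return 0 when every ADDR has a readable certificate
# and a key that resolves with no group/other permission bits; print each problem otherwise
verify_relayd_certs() {
	rc=0
	for addr in "$@"; do
		[ -r "$SSLDIR/$addr.crt" ] || { echo "$addr: no readable certificate"; rc=1; }
		key=$SSLDIR/private/$addr.key
		if [ ! -f "$key" ]; then
			echo "$addr: key missing or dangling link"; rc=1; continue
		fi
		# ls -L follows the link, so the mode shown is that of the real key file
		case "$(ls -lL "$key" | cut -c5-10)" in
			------) ;;
			*) echo "$addr: key is readable by group or others"; rc=1 ;;
		esac
	done
	return $rc
}
```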

Verify the configuration, enable and restart relayd(8).

# relayd -n
configuration OK
#
# rcctl enable relayd
# rcctl restart relayd
relayd (ok)
#

Configure acme-client

acme-client(1) generates an account key letsencrypt.key and a domain key rgz.ee.key and stores them in /etc/ssl/private, stores challenges in the /var/www/acme directory, a certificate in /etc/ssl/rgz.ee.crt (not needed for this setup), and a full-chain certificate in /etc/ssl/rgz.ee.pem (needed for relayd).

# > /etc/acme-client.conf echo '
authority letsencrypt {
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/letsencrypt.key"
}
domain rgz.ee {
	alternative names { www.rgz.ee }
	domain key "/etc/ssl/private/rgz.ee.key"
	domain certificate "/etc/ssl/rgz.ee.crt"
	domain full chain certificate "/etc/ssl/rgz.ee.pem"
	sign with "letsencrypt"
}
'
#

Remove the temporary certificate and keys, if any. Create the directory for challenges.

# rm -f /etc/ssl/rgz.ee.pem
# rm -f /etc/ssl/rgz.ee.crt
# rm -f /etc/ssl/private/rgz.ee.key
# rm -f /etc/ssl/private/letsencrypt.key
#
# mkdir -p -m 755 /var/www/acme
#

Verify the configuration, run acme-client(1), and reload relayd(8).

# acme-client -n rgz.ee
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/ssl/private/letsencrypt.key"
}

domain rgz.ee {
        domain key "/etc/ssl/private/rgz.ee.key"
        domain certificate "/etc/ssl/rgz.ee.crt"
        domain full chain certificate "/etc/ssl/rgz.ee.pem"
        sign with "letsencrypt"
}
#
# acme-client -vFAD rgz.ee
acme-client: /etc/ssl/private/letsencrypt.key: generated RSA account key
acme-client: /etc/ssl/private/rgz.ee.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.15.57.150
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: rgz.ee
acme-client: /var/www/acme/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hhhhhhhhhhh_hhhhhhhhhhhhhhhhh-hhhhhhhhhhhhh/hhhhhhhhhhh: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hhhhhhhhhhh_hhhhhhhhhhhhhhhhh-hhhhhhhhhhhhh/hhhhhhhhhhh: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 23.13.65.208
acme-client: /etc/ssl/rgz.ee.crt: created
acme-client: /etc/ssl/rgz.ee.pem: created
#
# rcctl reload relayd
relayd(ok)
#

Schedule a new crontab to check and renew the certificate.

# echo '0 0 * * * acme-client rgz.ee && rcctl reload relayd' |
crontab -
#

© 2008–2019 Roman Zolotarev