
Tested with OpenBSD 6.4

httpd supports TLS 1.2 and works well with acme-client. In this example, relayd(8) only adds some HTTP headers to get higher grades from the following tests:

A+ Observatory by Mozilla
A+ SSL Labs by Qualys
CryptCheck
A+ Security Headers
+ HSTS Preload
100 Lighthouse by Google

There are some drawbacks:

Because relayd(8) is fronting httpd(8), REMOTE_ADDR in access.log is always 127.0.0.1. Here is a diff for httpd(8) to include X-Forwarded-For and X-Forwarded-Port in the log.

Also httpd(8) doesn’t support gzip compression for static files. You can use gzip via FastCGI, if needed.

Set up a web server with httpd(8) and relayd(8) on OpenBSD

httpd(8) listens on ports 80 and 8080, serves plain HTTP, redirects //www.tld to //tld and http://tld:80 to https://tld:443.

relayd(8) listens on port 443 and terminates TLS for the IPv4 and IPv6 addresses, acme-client(1) issues a certificate via Let’s Encrypt, and cron(8) runs acme-client(1) to check and renew the certificate.

In this example, TLD is rgz.ee, IPv4 address of the server is 46.23.88.178 and IPv6 is 2a03:6000:1015::178.

   https://rgz.ee       → relayd 46.23.88.178        :443 → httpd 127.0.0.1:8080   HTTP 200 OK
                       or relayd 2a03:6000:1015::178 :443

   https://www.rgz.ee   → relayd *                   :443 → httpd 127.0.0.1:8080   HTTP 301 https://rgz.ee

   http://rgz.ee
or http://www.rgz.ee    → httpd  *                   :80                            HTTP 301 https://rgz.ee

Configure httpd(8)

acme-client(1) stores a challenge in the /var/www/acme directory, Let’s Encrypt sends an HTTP request GET /.well-known/acme-challenge/*, and httpd(8) serves static files from that directory on such requests.

Note: httpd(8) is chrooted in /var/www/, so httpd(8) sees it as /acme/.

# > /etc/httpd.conf echo '
server "rgz.ee" {
	listen on 127.0.0.1 port 8080
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "www.rgz.ee" {
	listen on 127.0.0.1 port 8080
	block return 301 "https://rgz.ee$REQUEST_URI"
}
server "rgz.ee" {
	alias "www.rgz.ee"
	listen on * port 80
	block return 301 "https://rgz.ee$REQUEST_URI"
}
'
#

Verify the configuration, enable and restart httpd(8).

# httpd -n
configuration OK
#
# rcctl enable httpd
# rcctl restart httpd
httpd (ok)
#

Configure relayd(8)

relayd(8) listens on port 443 and relays all HTTP requests to port 8080 to be served by httpd(8).

Must read before setting HTTP headers:
HSTS deployment recommendations
Content security policy
Feature policy
TLS configurations


# cat > /etc/relayd.conf <<'EOF'
ipv4="46.23.88.178"
ipv6="2a03:6000:1015::178"

table <local> { 127.0.0.1 }

http protocol https {
	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "deny"
	match response header set "X-XSS-Protection" value "1; mode=block"

	return error
	pass
}
relay wwwtls {
	listen on $ipv4 port 443 tls
	listen on $ipv6 port 443 tls
	protocol https
	forward to <local> port 8080
}
EOF
#
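
An added check, not from the original post and not part of relayd(8): it reads raw response headers on stdin, confirms every header the protocol above sets is present, and checks that the HSTS value meets the preload list requirements (max-age of at least one year, includeSubDomains, preload). The two sample responses are constructed, and the curl usage in the comment is an assumption.

```shell
# Header names the relayd(8) "https" protocol above sets on every response.
REQUIRED_HEADERS="content-security-policy feature-policy referrer-policy
strict-transport-security x-content-type-options x-frame-options x-xss-protection"

# Reads raw HTTP response headers on stdin, prints each problem found and
# returns 1 if anything is missing or the HSTS policy is too weak to preload.
# Live use on the server (assumed): curl -sI https://rgz.ee | check_headers
check_headers() {
	# Normalise: drop CR, lower-case everything (header names are case-insensitive)
	hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
	rc=0
	for name in $REQUIRED_HEADERS; do
		printf '%s\n' "$hdrs" | grep -q "^$name:" || { echo "missing: $name"; rc=1; }
	done
	# hstspreload.org requires max-age >= 31536000, includeSubDomains and preload
	hsts=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security: *//p')
	max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
	[ "${max_age:-0}" -ge 31536000 ] || { echo "hsts: max-age below one year"; rc=1; }
	case "$hsts" in *includesubdomains*) ;; *) echo "hsts: no includeSubDomains"; rc=1 ;; esac
	case "$hsts" in *preload*) ;; *) echo "hsts: no preload"; rc=1 ;; esac
	return $rc
}

# Constructed sample responses (not captured from rgz.ee): the first matches the
# relayd(8) configuration above, the second comes from a server that only sets
# a short-lived HSTS header.
SAMPLE_GOOD=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'
Feature-Policy: camera 'none'; microphone 'none'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/html
EOF
)
SAMPLE_WEAK=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
Content-Type: text/html
EOF
)

# Stand-alone run: report on both samples (the exit status carries the verdict).
printf '%s\n' "$SAMPLE_GOOD" | check_headers && echo "sample 1: all headers OK"
printf '%s\n' "$SAMPLE_WEAK" | check_headers || echo "sample 2: problems found"
```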

relayd(8) loads the full-chain certificate for each of the IPv4 and IPv6 addresses it listens on from /etc/ssl/$address.crt and the private key from /etc/ssl/private/$address.key.

Generate a temporary key and certificate, then create symbolic links for the IPv4 and IPv6 addresses. Later that key and certificate will be replaced by acme-client(1).

# mkdir -p -m 0700 /etc/ssl/private
#
# openssl req -x509 -newkey rsa:4096 \
-days 365 -nodes \
-subj '/CN=rgz.ee' \
-keyout /etc/ssl/private/rgz.ee.key \
-out /etc/ssl/rgz.ee.pem
Generating a 4096 bit RSA private key
.................................................++
....................................................................++
writing new private key to '/etc/ssl/private/rgz.ee.key'
-----
#
# ln -fs /etc/ssl/private/{rgz.ee,46.23.88.178}.key
# ln -fs /etc/ssl/private/{rgz.ee,2a03:6000:1015::178}.key
# ln -fs /etc/ssl/{rgz.ee.pem,46.23.88.178.crt}
# ln -fs /etc/ssl/{rgz.ee.pem,2a03:6000:1015::178.crt}
#
# chmod 0600 /etc/ssl/private/*.key
#
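
An added check, not from the original post: for each address relayd(8) listens on it confirms that the certificate and private key exist under the names relayd(8) looks up (/etc/ssl/<address>.crt and /etc/ssl/private/<address>.key), that the symlinks created above resolve to real files, and that the key is not readable by group or others. The function name and its ssl_dir parameter are mine; the stand-alone run at the end expects the post's paths.

```shell
# Usage: check_tls_files /etc/ssl 46.23.88.178 2a03:6000:1015::178
# Prints each problem found and returns 1 if any address lacks a usable pair.
check_tls_files() {
	ssl_dir=$1
	shift
	rc=0
	for addr in "$@"; do
		crt="$ssl_dir/$addr.crt"
		key="$ssl_dir/private/$addr.key"
		# test -f follows symlinks, so a dangling link (for example after the
		# temporary files are removed) is reported as missing
		[ -f "$crt" ] || { echo "missing certificate: $crt"; rc=1; }
		if [ ! -f "$key" ]; then
			echo "missing private key: $key"; rc=1
		elif [ -n "$(find -L "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
			# find -L tests the mode of the link target, which is what chmod 0600 changed
			echo "private key readable by group or others: $key"; rc=1
		fi
	done
	return $rc
}

# Stand-alone run when invoked with arguments: sh check_tls_files.sh /etc/ssl <addr>...
[ $# -ge 2 ] && check_tls_files "$@" && echo "TLS files OK"
```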

Verify the configuration, enable and restart relayd(8).

# relayd -n
configuration OK
#
# rcctl enable relayd
# rcctl restart relayd
relayd (ok)
#

Configure acme-client

acme-client(1) generates an account key letsencrypt.key and a domain key rgz.ee.key and stores them in /etc/ssl/private, stores challenges in the /var/www/acme directory, a certificate in /etc/ssl/rgz.ee.crt (not needed for this setup), and a full-chain certificate in /etc/ssl/rgz.ee.pem (needed for relayd).

# > /etc/acme-client.conf echo '
authority letsencrypt {
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/letsencrypt.key"
}
domain rgz.ee {
	alternative names { www.rgz.ee }
	domain key "/etc/ssl/private/rgz.ee.key"
	domain certificate "/etc/ssl/rgz.ee.crt"
	domain full chain certificate "/etc/ssl/rgz.ee.pem"
	sign with "letsencrypt"
}
'
#

Remove the temporary certificate and keys, if any. Create the directory for challenges.

# rm -f /etc/ssl/rgz.ee.pem
# rm -f /etc/ssl/rgz.ee.crt
# rm -f /etc/ssl/private/rgz.ee.key
# rm -f /etc/ssl/private/letsencrypt.key
#
# mkdir -p -m 755 /var/www/acme
#

Verify the configuration, run acme-client(1), and reload relayd(8).

# acme-client -n rgz.ee
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/ssl/private/letsencrypt.key"
}

domain rgz.ee {
        domain key "/etc/ssl/private/rgz.ee.key"
        domain certificate "/etc/ssl/rgz.ee.crt"
        domain full chain certificate "/etc/ssl/rgz.ee.pem"
        sign with "letsencrypt"
}
#
# acme-client -vFAD rgz.ee
acme-client: /etc/ssl/private/letsencrypt.key: generated RSA account key
acme-client: /etc/ssl/private/rgz.ee.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.15.57.150
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: rgz.ee
acme-client: /var/www/acme/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xxxxxxxxxxx_xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx/xxxxxxxxxxx: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xxxxxxxxxxx_xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx/xxxxxxxxxxx: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 23.13.65.208
acme-client: /etc/ssl/rgz.ee.crt: created
acme-client: /etc/ssl/rgz.ee.pem: created
#
# rcctl reload relayd
relayd(ok)
#

Schedule a cron job to check and renew the certificate.

# echo '0 0 * * * acme-client rgz.ee && rcctl reload relayd' |
crontab -
#

© 2008–2019 Roman Zolotarev