Summary
OpenBSD develops and maintains their own web server called “httpd” under ISC license. It is installed by default in OS installation.
The great web server is something that is simple, robust and secure. On performance, it is not the fastest among the competitors. However, it is enough fast, and, in addition, the development is in progress. For example, support to gzip compression has begun since 7.1.
In addition, the integration of httpd and relayd, their native relay daemon, makes your servers more functional.
This post will bring you to the journey to get how to configure httpd and run it. Bon voyage 🐡
Environment
- OS: OpenBSD 7.3
- Web: OpenBSD httpd
Tutorial
Prepare the configuration file
httpd.conf
is required in order to activate httpd service.
The default path is /etc/httpd.conf
. You can also work with the include
keyword:
Additional configuration files can be included with the include keyword, for example:
include “/etc/httpd.conf.local”
Create httpd.conf
Copy the template from /etc/examples
:
$ doas cp -p /etc/examples/httpd.conf /etc/
Alternatively, of course, it can be created manually:
$ doas nvim /etc/httpd.conf
The template content
The template is like this:
# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
server "example.com" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}
server "example.com" {
listen on * tls port 443
tls {
certificate "/etc/ssl/example.com.fullchain.pem"
key "/etc/ssl/private/example.com.key"
}
location "/pub/*" {
directory auto index
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
Remember chroot
works
root
property in “SERVERS” section above means the directories under /var/www
. The official document mentions in GLOBAL CONFIGURATION section:
chroot directory
Set the chroot(2) directory. If not specified, it defaults to /var/www, the home directory of the www user.
Edit httpd.conf
(Optional)
Now you can modify the conf file to build server as you want:
$ doas nvim /etc/httpd.conf
Case PHP FastCGI servers
Additional server definitions may be like these:
server "www.https-example.domain" {
alias "https-example.domain"
listen on * port 80
listen on * tls port 443
tls {
key "/etc/ssl/private/www.https-example.domain.key"
certificate "/etc/ssl/www.https-example.domain.crt"
}
root "/htdocs/www.https-example.domain"
}
server "www.fastcgi-tcp-example.domain" {
alias "fastcgi-example.domain"
listen on * port 80
fastcgi socket tcp 127.0.0.1 8080
}
server "www.fastcgi-unix-socket-example.domain" {
alias "fastcgi-example.domain"
listen on * port 80
fastcgi socket "/run/example/unix_socket.sock"
}
Case TLS connection
You can get certificate by Let’s Encrypt with acme-client
.
First, copy the configuration file template in /etc/examples
:
$ doas cp -p /etc/examples/acme-client.conf /etc/
Then edit it to add your servers:
$ doas nvim /etc/acme-client.conf
Also edit httpd
servers if necessary:
$ doas nvim /etc/httpd.conf
Finally run the command:
$ acme-client -vd xxx
The detail is in this post.
Activate the httpd
daemon
Enable httpd:
# rcctl enable httpd
Besides, /etc/rc.conf.local
will be created like this if it is the first time:
# cat /etc/rc.conf.local
httpd_flags=
Then start it:
# rcctl start httpd
httpd(ok)
Alternatively, -f
option helps for temporary confirmation
You can also run rcctl -f start httpd
to start httpd forcely under the default setting, httpd_flags=NO
.
Test if the server listens
Your httpd
server are now ready to reply to HTTP requests. Let’s try it.
Make index.html
:
# mkdir -p /var/www/htdocs/www.https-example.domain
# # as needed:
# #chown www:www /var/www/htdocs/www.https-example.domain
$ echo "Hello, world. from OpenBSD httpd" > \
/var/www/www.https-example.domain/index.html
Then send HTTP request in your client:
$ curl localhost:80
Your client must GET:
Hello, world. from OpenBSD httpd
Conclusion
You can add more servers with /etc/httpd.conf
.
Moreover, when you have many servers, you can define parts of them in external files with include
keyword as written above. For example:
# httpd.conf
(...)
+ include "/etc/httpd.d/another.conf"
Remember to restart the daemon by running doas rcctl restart httpd
after changing httpd.conf
.
Historical backgrounds (as reference)
OpenBSD httpd first appeared in 5.6. In the same version, they decided to remove Apache httpd from their base. In the next, 5.7, Nginx was removed, too.
Do you remember “Heartbleed” and “Shellshock”, the vulnerabilities and the scare ? Issues on them and others happened in 2014. It made bad effects on SSL connection and CGI servers and so on in severe level.
The OpenBSD projects made their best effort to improve the situation. For instance, they developed LibreSSL and made it their native library instead of OpenSSL. They also tried to improve memory allocation methods. It was in the process that they developed their native web server called “httpd”.
Use of other web servers
It is also possible to get Nginx, Apache (called “apache-httpd”), Lighttpd and darkhttpd as (thankfullly) maintained packages based on the Ports system.
You can install each of them by executing pkg_add
.
It’s also possible to get even Caddy by manually installing.
Happy serving 🕊