OpenBSD httpd 7.3: Web server

created
( modified )
@nabbisen

Summary

OpenBSD develops and maintains their own web server called “httpd” under ISC license. It is installed by default in OS installation.

The great web server is something that is simple, robust and secure. On performance, it is not the fastest among the competitors. However, it is enough fast, and, in addition, the development is in progress. For example, support to gzip compression has begun since 7.1.

In addition, the integration of httpd and relayd, their native relay daemon, makes your servers more functional.

This post will bring you to the journey to get how to configure httpd and run it. Bon voyage 🐡

Environment

  • OS: OpenBSD 7.3
  • Web: OpenBSD httpd

Tutorial

Prepare the configuration file

httpd.conf is required in order to activate httpd service. The default path is /etc/httpd.conf. You can also work with the include keyword:

Additional configuration files can be included with the include keyword, for example:

include “/etc/httpd.conf.local”

Create httpd.conf

Copy the template from /etc/examples:

$ doas cp -p /etc/examples/httpd.conf /etc/

Alternatively, of course, it can be created manually:

$ doas nvim /etc/httpd.conf

The template content

The template is like this:

# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $

server "example.com" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}

server "example.com" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/example.com.fullchain.pem"
		key "/etc/ssl/private/example.com.key"
	}
	location "/pub/*" {
		directory auto index
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}

Remember chroot works

root property in “SERVERS” section above means the directories under /var/www . The official document mentions in GLOBAL CONFIGURATION section:

chroot directory

Set the chroot(2) directory. If not specified, it defaults to /var/www, the home directory of the www user.

Edit httpd.conf (Optional)

Now you can modify the conf file to build server as you want:

$ doas nvim /etc/httpd.conf

Case PHP FastCGI servers

Additional server definitions may be like these:

server "www.https-example.domain" { 
    alias "https-example.domain" 
    listen on * port 80 
    listen on * tls port 443
    tls {
        key         "/etc/ssl/private/www.https-example.domain.key"
        certificate "/etc/ssl/www.https-example.domain.crt"
    }
    root "/htdocs/www.https-example.domain" 
}

server "www.fastcgi-tcp-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket tcp 127.0.0.1 8080
}

server "www.fastcgi-unix-socket-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket "/run/example/unix_socket.sock"
}

Case TLS connection

You can get certificate by Let’s Encrypt with acme-client.

First, copy the configuration file template in /etc/examples:

$ doas cp -p /etc/examples/acme-client.conf /etc/

Then edit it to add your servers:

$ doas nvim /etc/acme-client.conf

Also edit httpd servers if necessary:

$ doas nvim /etc/httpd.conf

Finally run the command:

$ acme-client -vd xxx

The detail is in this post.

Activate the httpd daemon

Enable httpd:

# rcctl enable httpd

Besides, /etc/rc.conf.local will be created like this if it is the first time:

# cat /etc/rc.conf.local
httpd_flags=

Then start it:

# rcctl start httpd
httpd(ok)

Alternatively, -f option helps for temporary confirmation

You can also run rcctl -f start httpd to start httpd forcely under the default setting, httpd_flags=NO.

Test if the server listens

Your httpd server are now ready to reply to HTTP requests. Let’s try it.

Make index.html:

# mkdir -p /var/www/htdocs/www.https-example.domain
# # as needed:
# #chown www:www /var/www/htdocs/www.https-example.domain

$ echo "Hello, world. from OpenBSD httpd" > \
      /var/www/www.https-example.domain/index.html

Then send HTTP request in your client:

$ curl localhost:80

Your client must GET:

Hello, world. from OpenBSD httpd

Conclusion

You can add more servers with /etc/httpd.conf. Moreover, when you have many servers, you can define parts of them in external files with include keyword as written above. For example:

  # httpd.conf
  (...)
+ include "/etc/httpd.d/another.conf"

Remember to restart the daemon by running doas rcctl restart httpd after changing httpd.conf.


Historical backgrounds (as reference)

OpenBSD httpd first appeared in 5.6. In the same version, they decided to remove Apache httpd from their base. In the next, 5.7, Nginx was removed, too.

Do you remember “Heartbleed” and “Shellshock”, the vulnerabilities and the scare ? Issues on them and others happened in 2014. It made bad effects on SSL connection and CGI servers and so on in severe level.

The OpenBSD projects made their best effort to improve the situation. For instance, they developed LibreSSL and made it their native library instead of OpenSSL. They also tried to improve memory allocation methods. It was in the process that they developed their native web server called “httpd”.

Use of other web servers

It is also possible to get Nginx, Apache (called “apache-httpd”), Lighttpd and darkhttpd as (thankfullly) maintained packages based on the Ports system. You can install each of them by executing pkg_add. It’s also possible to get even Caddy by manually installing.


Happy serving 🕊

Series

OpenBSD httpd
  1. OpenBSD httpd 6.3: Web server
  2. OpenBSD httpd 7.0: Web server
  3. OpenBSD httpd 7.3: Web server

Comments or feedbacks are welcomed and appreciated.