OpenBSD httpd 7.3: Web server



OpenBSD develops and maintains their own web server called “httpd” under ISC license. It is installed by default in OS installation.

The great web server is something that is simple, robust and secure. On performance, it is not the fastest among the competitors. However, it is enough fast, and, in addition, the development is in progress. For example, support to gzip compression has begun since 7.1.

In addition, the integration of httpd and relayd, their native relay daemon, makes your servers more functional.

This post will bring you to the journey to get how to configure httpd and run it. Bon voyage 🐡


  • OS: OpenBSD 7.3
  • Web: OpenBSD httpd


Prepare the configuration file

httpd.conf is required in order to activate httpd service. The default path is /etc/httpd.conf. You can also work with the include keyword:

Additional configuration files can be included with the include keyword, for example:

include “/etc/httpd.conf.local”


Copy the template from /etc/examples:

$ doas cp -p /etc/examples/httpd.conf /etc/

Alternatively, of course, it can be created manually:

$ doas nvim /etc/httpd.conf

Remember chroot works

root property in “SERVERS” section above means the directories under /var/www . The official document mentions in GLOBAL CONFIGURATION section:

chroot directory Set the chroot(2) directory. If not specified, it defaults to /var/www, the home directory of the www user.


The template is like this

# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $

server "" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"

server "" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/"
		key "/etc/ssl/private/"
	location "/pub/*" {
		directory auto index
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2

Customize (Optional)

Now you can modify the conf file to build server as you want:

$ doas nvim /etc/httpd.conf

Case PHP FastCGI servers

Additional server definitions may be like these:

server "www.https-example.domain" { 
    alias "https-example.domain" 
    listen on * port 80 
    listen on * tls port 443
    tls {
        key         "/etc/ssl/private/www.https-example.domain.key"
        certificate "/etc/ssl/www.https-example.domain.crt"
    root "/htdocs/www.https-example.domain" 

server "www.fastcgi-tcp-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket tcp 8080

server "www.fastcgi-unix-socket-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket "/run/example/unix_socket.sock"

Case TLS connection

You can get certificate by Let’s Encrypt with acme-client.

First, copy the configuration file in /etc/examples:

$ doas cp -p /etc/examples/acme-client.conf /etc/

Then edit it to add your servers:

$ doas nvim /etc/acme-client.conf

Also edit httpd servers if necessary:

$ doas nvim /etc/httpd.conf

Finally run the command:

$ acme-client -vd xxx

The detail is in this post.

Activate the httpd daemon

Enable httpd:

# rcctl enable httpd

Besides, /etc/rc.conf.local will be created like this if it is the first time:

# cat /etc/rc.conf.local

Then start it:

# rcctl start httpd

Alternatively, -f option helps for temporary confirmation

You can also run rcctl -f start httpd to start httpd forcely under the default setting, httpd_flags=NO.

Test if the server listens

Your httpd server are now ready to reply to HTTP requests. Let’s try it.

Make index.html:

# mkdir -p /var/www/htdocs/www.https-example.domain
# # as needed:
# #chown www:www /var/www/htdocs/www.https-example.domain

$ echo "Hello, world. from OpenBSD httpd" > \

Then send HTTP request in your client:

$ curl localhost:80

Your client must GET:

Hello, world. from OpenBSD httpd


You can add more servers with /etc/httpd.conf. Moreover, when you have many servers, you can define parts of them in external files with include keyword as written above. For example:

  # httpd.conf
+ include "/etc/httpd.d/another.conf"

Remember to restart the daemon by running doas rcctl restart httpd after changing httpd.conf.

Historical backgrounds (as reference)

OpenBSD httpd first appeared in 5.6. In the same version, they decided to remove Apache httpd from their base. In the next, 5.7, Nginx was removed, too.

Do you remember “Heartbleed” and “Shellshock”, the vulnerabilities and the scare ? Issues on them and others happened in 2014. It made bad effects on SSL connection and CGI servers and so on in severe level.

The OpenBSD projects made their best effort to improve the situation. For instance, they developed LibreSSL and made it their native library instead of OpenSSL. They also tried to improve memory allocation methods. It was in the process that they developed their native web server called “httpd”.

Use of other web servers

It is also possible to get Nginx, Apache (called “apache-httpd”), Lighttpd and darkhttpd as (thankfullly) maintained packages based on the Ports system. You can install each of them by executing pkg_add. It’s also possible to get even Caddy by manually installing.

Happy serving 🕊


OpenBSD httpd
  1. OpenBSD httpd 6.3: Web server
  2. OpenBSD httpd 7.0: Web server
  3. OpenBSD httpd 7.3: Web server

Comments or feedbacks are welcomed and appreciated.