Difference between revisions of "User:Paul/sandbox/OpenBSD Basic Server"

From UNPM.org Wiki

Revision as of 17:42, 21 February 2020

OpenBSD has earned its reputation as a BSD descendant focused on security. With the continued development of OpenBSD's own httpd and OpenSMTPD, alongside most of the other components commonly used in a basic web server, OpenBSD is a secure and efficient choice for building servers.

Finding online support for OpenBSD can be much more difficult than for Linux. While the OpenBSD project requires its man pages to be very complete, support beyond the man pages, such as tutorials or sample configurations, can be much harder to find. This is largely because the project is targeted primarily at professional systems administrators.

This tutorial will establish a basic web server that includes a functioning mail server with local maildir accessed through mutt.

Notable differences from Ubuntu Linux

Shell

Ubuntu's default shell is Bash, while OpenBSD's is the KornShell (ksh).

ll (ls -alF)

Ubuntu has a convenient command, ll, for viewing directory contents that is a shortcut for ls -alF.

To add ll to the OpenBSD command line:

$ nano .profile

Add the following line:

alias ll="ls -alF"

Default editor

The default text editor in OpenBSD is vi. To change to a different default text editor:

$ nano .profile

Add the following line:

export EDITOR=nano

Web server

OpenBSD ships httpd, the project's own web server, installed but disabled by default. It is configured through /etc/httpd.conf, which does not exist on a fresh install and has to be created:

$ doas nano /etc/httpd.conf

Add to the file:

# Main Configuration
server "example.com" {
    listen on * port 80
    root "/htdocs/example.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

Test the configuration:

$ doas httpd -n
configuration OK

Start httpd:

$ doas rcctl -f start httpd
httpd(ok)

Add a Let's Encrypt certificate to the server:

$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf
$ doas nano /etc/acme-client.conf

Change example.com to the desired domain and remove, change, or add subdomains on the alternative names line.

$ doas acme-client -v example.com

After successful registration, create a cron job:

# crontab -e

Add:

0	*	*	*	*	sleep $((RANDOM \% 2048)) && \
	acme-client example.com && rcctl reload httpd

Now add the TLS and redirect options to httpd.conf. Note that the www.example.com block below redirects to http://example.com, which the existing port 80 server then forwards to https; redirecting straight to https://example.com$REQUEST_URI avoids that plaintext hop.

$ doas nano /etc/httpd.conf

Add:

# This is a redirect to the Main Configuration
server "www.example.com" {
    listen on * port 80
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    block return 301 "http://example.com$REQUEST_URI"
}
 
server "example.com" {
    listen on * tls port 443
    root "/htdocs/example.com"
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

Test the configuration and reload httpd:

$ doas httpd -n
configuration OK
$ doas rcctl reload httpd
httpd(ok)

Email

OpenBSD's default configuration runs opensmtpd, listening only on the local host, so the system can deliver local mail and send outgoing mail. This is primarily useful for transactional email, most especially administrative messages.

Administrative message recipients are configured in the aliases file and by default are delivered to the local root user's mailbox. To configure additional recipients:

$ doas nano /etc/mail/aliases

Change and add:

# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
root: username@example.com, anotherusername@example.net

Mail server configuration

Create the DKIM directory and key pair:

$ doas mkdir /etc/mail/dkim
$ doas openssl genrsa -out /etc/mail/dkim/example.com.key 1024
$ doas chmod 640 /etc/mail/dkim/example.com.key
$ doas openssl rsa -in /etc/mail/dkim/example.com.key -pubout -out /etc/mail/dkim/example.com.pub
$ cat /etc/mail/dkim/example.com.pub
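As an added example (not from this wiki page), the script below turns the public key printed by the last command into the DNS TXT record that DKIM verifiers look up, and reports the RSA key size so an undersized key is caught before the record is published. The selector "mail", the 2048-bit scratch key, and the temporary directory are assumptions made for the demo; on the server the files live in /etc/mail/dkim as above.

```shell
#!/bin/sh
# Added example, not part of the wiki page: build the DKIM DNS TXT record from
# the public key the commands above produce, and report the RSA key size.
# Assumes openssl(1) is available. The selector "mail" and the scratch
# directory are constructed for this demo.
set -eu

# dkim_txt_record PUBKEY_PEM SELECTOR DOMAIN
# Drops the PEM armor lines, joins the base64 body into one string and wraps it
# as the v=DKIM1 record published at SELECTOR._domainkey.DOMAIN.
dkim_txt_record() {
    pub=$1 selector=$2 domain=$3
    p=$(grep -v -- '-----' "$pub" | tr -d '\n\r ')
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p=%s"\n' \
        "$selector" "$domain" "$p"
}

# dkim_key_bits KEY_PEM
# Prints the RSA modulus size of a private key; check it against the key size
# policy you chose before publishing the record.
dkim_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Demo on a constructed scratch key pair (2048 bits here; the page's command
# uses 1024, which dkim_key_bits would report so you can decide if it suffices).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/example.com.key" 2048 2>/dev/null
openssl rsa -in "$demo/example.com.key" -pubout \
    -out "$demo/example.com.pub" 2>/dev/null
echo "key size: $(dkim_key_bits "$demo/example.com.key") bits"
dkim_txt_record "$demo/example.com.pub" mail example.com
```

The printed record is what goes into the domain's zone file; once published, mail signed with the matching private key can be verified by recipients.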