Difference between revisions of "User:Paul/sandbox/Configure OpenBSD web server"
Line 31: | Line 31: | ||
To enable logging | To enable logging | ||
+ | |||
+ | == Enable TLS/SSH == | ||
+ | |||
+ | === OCSP stapling === | ||
+ | |||
+ | Supporting OCSP stapling in <code>relayd</code> requires configuring creating the OCSP files, adding them into the <code>relayd</code> configuration, and configuring a script to run automatically will provide the regular updates of both the OSCP stapling and the TLS/SSL certificates. | ||
+ | |||
+ | servername /home/username | ||
+ | $ doas su -l | ||
+ | servername# mkdir /usr/local/sbin/certmaint | ||
+ | servername# mkdir /usr/local/sbin/certmaint/{available,enabled} | ||
+ | servername# cd /usr/local/sbin/certmain/ | ||
+ | servername# wget <nowiki>https://www.bsdhowto.ch/scripts/certmaint.sh</nowiki> -O certmaint.example | ||
+ | servername# cp certmaint.sh /available/example.com.sh | ||
+ | servername# nano /available/example.com.sh | ||
+ | |||
+ | Change <code>www.example.net</code> to match the domain being configured | ||
+ | |||
+ | #!/bin/ksh | ||
+ | |||
+ | dir=/etc/ssl | ||
+ | domain=example.com | ||
+ | |||
+ | /usr/sbin/acme-client $domain | ||
+ | if [ $? -eq 0 ] ; then | ||
+ | /usr/sbin/ocspcheck -No $dir/$domain.ocsp $dir/$domain.fullchain.pem | ||
+ | /usr/sbin/rcctl restart relayd | ||
+ | fi | ||
+ | |||
+ | /usr/sbin/ocspcheck -i $dir/$domain.ocsp $dir/$domain.fullchain.pem | ||
+ | if [ $? -eq 1 ] ; then | ||
+ | /usr/sbin/oscpcheck -No $dir/$domain.ocsp $dir/$domain.fullchain.pem | ||
+ | /usr/sbin/rcctl restart relayd | ||
+ | fi | ||
+ | |||
+ | exit 0 | ||
+ | |||
+ | To make a script run for a domain, make it executable and add a symlink in the <code>enabled</code> directory: | ||
+ | |||
+ | servername# chmod 550 /available/example.com | ||
+ | servername# cd enabled/ | ||
+ | servername# ln -s /usr/local/sbin/certmaint/available/example.com.sh | ||
+ | servername# chmod -h 770 example.com | ||
+ | servername# | ||
+ | servername# | ||
+ | servername# | ||
+ | servername# | ||
+ | servername# | ||
+ | servername# |
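Review bot: several command and script lines in this hunk will fail as typed. `cd /usr/local/sbin/certmain/` is missing the trailing `t`; the file is fetched as `certmaint.example` but the next line copies `certmaint.sh`; the `cp`, `nano` and `chmod 550` lines use the absolute path `/available/...` rather than the `available/` directory just created, and `chmod 550 /available/example.com` and `chmod -h 770 example.com` both omit the `.sh` suffix used by the `cp` and `ln -s` lines. In the script, `/usr/sbin/oscpcheck` in the second branch should be `ocspcheck`. Smaller points: "OSCP stapling" should read "OCSP stapling", the heading "Enable TLS/SSH" presumably means TLS/SSL, and the text tells the reader to change `www.example.net` while the script shown already sets `domain=example.com`. Suggested: `cd /usr/local/sbin/certmaint/`, `cp certmaint.example available/example.com.sh`, `chmod 550 available/example.com.sh`.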
Revision as of 03:43, 21 December 2020
The OpenBSD project includes two powerful web server tools installed by default, relayd and httpd. Most web server requirements are fairly simple and straightforward, so OpenBSD created httpd to meet them. It can easily serve the vast majority of HTML, PHP, file serving, and other basic web server needs. More advanced requirements, such as offloading server duties to a different server, can be fulfilled by making use of a reverse proxy, and this is where relayd plays a role.
Configuration
The configuration below will use both relayd and httpd for serving websites. Although it is one extra step, once configured it is trivial to make use of relayd in front of httpd, and it can make server reconfiguration very easy in the event a site being served is using more resources than the server can handle. In such an event, it is trivial to set up another server and point relayd at it. It can also be useful for serving projects that cannot be served through httpd, such as Anarki.
Configure httpd
Directory tree
 servername /home/username $ doas mkdir /var/www/sites/
 servername /home/username $ doas chown root:daemon /var/www/sites/
 servername /home/username $ doas chmod 775 /var/www/sites/
 servername /home/username $ doas mkdir /var/www/sites/example.com
 servername /home/username $ doas mkdir /var/www/sites/example.com/{backup,logs,private,public}
 servername /home/username $ doas chmod -R 775 /var/www/sites/
Logging
The configurations in this article disable most logging functions for both relayd and httpd. For an enthusiast, logging is generally only useful when running web traffic analytics tools, such as Matomo or AWStats, or when troubleshooting issues related to the web server.
To enable logging
Enable TLS/SSL
OCSP stapling
Supporting OCSP stapling in relayd requires creating the OCSP files, adding them to the relayd configuration, and setting up a script that runs automatically to keep both the OCSP staple and the TLS/SSL certificates up to date.
 servername /home/username $ doas su -l
 servername# mkdir /usr/local/sbin/certmaint
 servername# mkdir /usr/local/sbin/certmaint/{available,enabled}
 servername# cd /usr/local/sbin/certmaint/
 servername# wget https://www.bsdhowto.ch/scripts/certmaint.sh -O certmaint.example
 servername# cp certmaint.example available/example.com.sh
 servername# nano available/example.com.sh
Change www.example.net in the copied script to match the domain being configured:
 #!/bin/ksh

 dir=/etc/ssl
 domain=example.com

 # acme-client exits 0 only when it issued or renewed the certificate (2 means
 # nothing changed); in that case generate a fresh OCSP staple for the new
 # chain and restart relayd so it picks up both.
 /usr/sbin/acme-client $domain
 if [ $? -eq 0 ] ; then
     /usr/sbin/ocspcheck -No $dir/$domain.ocsp $dir/$domain.fullchain.pem
     /usr/sbin/rcctl restart relayd
 fi

 # ocspcheck -i exits 1 when the existing staple is stale or cannot be
 # validated; refresh it and restart relayd so an expired staple is not served.
 /usr/sbin/ocspcheck -i $dir/$domain.ocsp $dir/$domain.fullchain.pem
 if [ $? -eq 1 ] ; then
     /usr/sbin/ocspcheck -No $dir/$domain.ocsp $dir/$domain.fullchain.pem
     /usr/sbin/rcctl restart relayd
 fi

 exit 0
To make a script run for a domain, make it executable and add a symlink to it in the enabled directory:

 servername# chmod 550 available/example.com.sh
 servername# cd enabled/
 servername# ln -s /usr/local/sbin/certmaint/available/example.com.sh
 servername# chmod -h 770 example.com.sh
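The page creates the available/ and enabled/ directories but does not show what executes the enabled scripts. The runner below is an added example (not the page's own code nor the certmaint.sh script from bsdhowto.ch) assuming it is called from root's crontab; because the scripts run as root, it only executes entries in enabled/ that are symlinks into available/ pointing at root-owned, non-writable files, and reports how many scripts failed. CERTMAINT_DIR and CERTMAINT_OWNER are assumed names, and the code is plain sh so it runs unchanged under OpenBSD's ksh.

```shell
#!/bin/sh
# Hypothetical runner for the available/enabled layout (added example, not the
# certmaint.sh script from bsdhowto.ch). Intended for root's crontab.

CERTMAINT_DIR="${CERTMAINT_DIR:-/usr/local/sbin/certmaint}"
CERTMAINT_OWNER="${CERTMAINT_OWNER:-root}"   # expected owner of the scripts

# Return 0 only if $1 is a symlink whose target lives in available/, is a
# regular executable file owned by $CERTMAINT_OWNER, and is not group- or
# world-writable. Anything else is refused: these scripts run as root.
certmaint_check() {
    link=$1
    [ -L "$link" ] || return 1
    target=$(readlink "$link") || return 1
    case $target in
        "$CERTMAINT_DIR"/available/*.sh) ;;   # must point into available/
        *) return 1 ;;
    esac
    case $target in *..*) return 1 ;; esac    # no path tricks in the link
    # -L follows the link, so -type f also rejects dangling links;
    # -perm -020 / -002 are the group- and world-write bits.
    [ -n "$(find -L "$link" -maxdepth 0 -type f -user "$CERTMAINT_OWNER" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
    [ -x "$link" ]
}

# Run every accepted script in enabled/; the exit status is the number of
# scripts that failed, so cron mails root when something went wrong.
certmaint_run() {
    failed=0
    for link in "$CERTMAINT_DIR"/enabled/*.sh; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if certmaint_check "$link"; then
            "$link" || { failed=$((failed + 1)); echo "certmaint: $link failed" >&2; }
        else
            echo "certmaint: refusing $link (not a trusted link into available/)" >&2
        fi
    done
    return "$failed"
}

# Only run when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = run ]; then
    certmaint_run
fi
```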