Difference between revisions of "User:Paul/sandbox/OpenBSD Basic Server"
Revision as of 14:45, 9 March 2020
OpenBSD has earned its reputation as a BSD descendant focused on security. With the increased development of OpenBSD's httpd and OpenSMTPD, plus most of the components commonly used in a basic web server, OpenBSD provides a highly secure and efficient choice for building servers.
Finding online support for OpenBSD can be much more difficult when compared to Linux. While the OpenBSD project requires its man pages to be very complete, support beyond man pages such as tutorials or sample configurations can be much harder to find. This has largely been due to the project being targeted at use primarily by professional systems administrators.
This tutorial will establish a basic web server that includes a functioning mail server with local maildir accessed through mutt.
Initial login

On initial login, update OpenBSD and the installed packages, then reboot:

    servername# syspatch
    Get/Verify syspatch66-001_bpf.tgz 100% |****************|   102 KB    00:00
    Installing patch 001_bpf
    ...
    servername# pkg_add -u
    servername# reboot

Log back into the server as root and set up a new user:

    servername# adduser

This generates adduser.conf, the defaults for new user accounts, by asking several questions.
Install nano

For users not familiar with vi, install the nano editor (the rest of this tutorial uses nano; vi works just as well).
Notable differences from Ubuntu Linux

Shell

Ubuntu's default shell is Bash; OpenBSD's is the Korn shell (ksh).

ll (ls -alF)

Ubuntu has a convenient command, ll, for viewing directory contents that is a shortcut for ls -alF. To add ll to the OpenBSD command line:

    $ nano .profile

Add the following line:

    alias ll="ls -alF"

Default editor

The default text editor in OpenBSD is vi. To change to a different default text editor:

    $ nano .profile

Add the following line:

    export EDITOR=/usr/local/bin/nano

Do the same for root:

    $ doas nano /root/.kshrc

Add the following line:

    export EDITOR=/usr/local/bin/nano

Note that this does not change the default editor under doas, such as when calling the crontab command.
Web server

Most of the instructions in this article require root:

    $ doas su

OpenBSD comes with httpd, the project's own web server, installed by default but disabled. httpd is managed through its configuration file, /etc/httpd.conf, which has to be created:

    # nano /etc/httpd.conf

Add to the file:

    # Main Configuration
    server "example.com" {
        listen on * port 80
        root "/htdocs/example.com"
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
        location * {
            block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
    }

Test the configuration:

    # httpd -n
    configuration OK

Start httpd:

    # rcctl -f start httpd
    httpd(ok)

Add a Let's Encrypt certificate to the server:

    # cp /etc/examples/acme-client.conf /etc/acme-client.conf
    # nano /etc/acme-client.conf

Change example.com to the desired domain and remove, change, or add subdomains on the alternative names line.

    # acme-client -v example.com

After successful registration, create a cron job:

    # crontab -e

Add (one line; the percent sign must be escaped in a crontab entry):

    0 * * * * sleep $((RANDOM \% 2048)) && acme-client example.com && rcctl reload httpd

Now add the SSL/TLS and redirect options to httpd.conf:

    # nano /etc/httpd.conf

Add:

    # This is a redirect to the Main Configuration
    server "www.example.com" {
        listen on * port 80
        listen on * tls port 443
        tls {
            certificate "/etc/ssl/example.com.fullchain.pem"
            key "/etc/ssl/private/example.com.key"
        }
        block return 301 "http://example.com$REQUEST_URI"
    }

    server "example.com" {
        listen on * tls port 443
        root "/htdocs/example.com"
        tls {
            certificate "/etc/ssl/example.com.fullchain.pem"
            key "/etc/ssl/private/example.com.key"
        }
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }

Test and reload httpd:

    # httpd -n
    Configuration OK
    # rcctl reload httpd
    httpd(ok)
OpenBSD in its default configuration comes with opensmtpd in a very secure configuration that supports outgoing mail. This is primarily useful for transactional email, most especially administrative messages.

Administrative message recipients are configured in the aliases file; by default they are delivered to the local mailbox of the root user. To configure additional recipients:

    # nano /etc/mail/aliases

Change and add:

    # Basic system aliases -- these MUST be present
    MAILER-DAEMON: postmaster
    postmaster: root
    root: username@example.com,anotherusername@example.net

Update the alias database:

    # newaliases
Mail server configuration

Create the DKIM directory and key, and print the public key (it goes into the DNS TXT record for the selector chosen below):

    # mkdir /etc/mail/dkim
    # openssl genrsa -out /etc/mail/dkim/example.com.key 1024
    # chmod 640 /etc/mail/dkim/example.com.key
    # openssl rsa -in /etc/mail/dkim/example.com.key -pubout -out /etc/mail/dkim/example.com.pub
    # cat /etc/mail/dkim/example.com.pub

Install the antispam packages:

    # pkg_add redis rspamd opensmtpd-filter-rspamd opensmtpd-filter-senderscore

Configure DKIM signing (the key must be readable by the _rspamd group):

    # chown root:_rspamd /etc/mail/dkim/example.com.key
    # mkdir /etc/rspamd/local.d
    # nano /etc/rspamd/local.d/dkim_signing.conf

Add to the file:

    allow_username_mismatch = true;
    domain {
        example.com {
            path = "/etc/mail/dkim/example.com.key";
            selector = "20200221";
        }
    }
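The tutorial prints the public key but does not show how to publish it. The script below is an added example, not part of the original tutorial: it turns the PEM written by openssl rsa -pubout into the TXT record for the selector 20200221, splitting the value into 255-byte strings because DNS limits a single TXT string to that length (a 2048-bit key does not fit in one string). The PEM body it feeds itself is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the DKIM DNS TXT record for
# the selector in dkim_signing.conf from the PEM public key on stdin.
# DNS caps one TXT string at 255 bytes, so the value is emitted as several
# double-quoted strings; resolvers concatenate them when the record is read.

# usage: dkim_txt_record SELECTOR < /etc/mail/dkim/example.com.pub
dkim_txt_record() {
    selector=$1
    # drop the BEGIN/END armour and join the base64 body into one line
    b64=$(grep -v '^-----' | tr -d '\n\r ')
    [ -n "$b64" ] || return 1
    record="v=DKIM1; k=rsa; p=$b64"
    # 255-byte pieces, each double-quoted, separated by a single space
    pieces=$(printf '%s\n' "$record" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey IN TXT %s\n' "$selector" "${pieces% }"
}

# constructed sample PEM (5 x 60 = 300 base64 characters, not a real key)
sample_pub() {
    printf -- '-----BEGIN PUBLIC KEY-----\n'
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFF\n'
        i=$((i + 1))
    done
    printf -- '-----END PUBLIC KEY-----\n'
}

sample_pub | dkim_txt_record 20200221
```

With the sample key the 318-byte value is split into a 255-byte and a 63-byte string; paste the output into the zone for example.com and check it with dig TXT 20200221._domainkey.example.com before enabling signing.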
Enable and start redis and rspamd:

    # rcctl enable redis
    # rcctl enable rspamd
    # rcctl start redis
    redis(ok)
    # rcctl start rspamd
    rspamd(ok)

Replace the OpenSMTPD configuration (the pki entries use the certificate obtained with acme-client above, so that the listen lines' pki example.com matches a defined entry):

    # mv /etc/mail/smtpd.conf /etc/mail/smtpd.conf.original
    # nano /etc/mail/smtpd.conf

    pki example.com cert "/etc/ssl/example.com.fullchain.pem"
    pki example.com key "/etc/ssl/private/example.com.key"

    filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
        disconnect "550 no residential connections"
    filter check_rdns phase connect match !rdns \
        disconnect "550 no rDNS is so 80s"
    filter check_fcrdns phase connect match !fcrdns \
        disconnect "550 no FCrDNS is so 80s"
    filter senderscore \
        proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
    filter rspamd proc-exec "filter-rspamd"

    table aliases file:/etc/mail/aliases

    listen on all tls pki example.com \
        filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
    listen on all port submission tls-require pki example.com auth filter rspamd

    action "local_mail" maildir junk alias <aliases>
    action "outbound" relay helo example.com

    match from any for domain "example.com" action "local_mail"
    match for local action "local_mail"
    match from any auth for any action "outbound"
    match for any action "outbound"
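The check_dyndns filter above drops connections at the connect phase when the client's reverse DNS name matches either pattern. The script below is an added example, not part of the tutorial, that applies the same two patterns with grep -E to constructed hostnames so the rule can be checked before it is put in front of real mail; the hostnames are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial): exercise the two rDNS patterns of
# the check_dyndns filter against constructed hostnames. OpenSMTPD's
# "match rdns regex" is an unanchored regular-expression match, so grep -E
# with the same patterns gives the same verdict.

# exit 0 if the reverse DNS name matches one of the filter's patterns
dyndns_rejected() {
    printf '%s\n' "$1" | grep -Eq -e '.*\.dyn\..*' -e '.*\.dsl\..*'
}

# constructed sample rDNS names, not real hosts
for rdns in \
    host17.dyn.example.net \
    cust-4.dsl.example-isp.net \
    dyn.example.net \
    dynamic-10-0-0-1.example.org \
    mx1.example.com
do
    if dyndns_rejected "$rdns"; then
        printf '%-32s disconnect: 550 no residential connections\n' "$rdns"
    else
        printf '%-32s accept\n' "$rdns"
    fi
done
```

Only the first two names are rejected: the patterns need ".dyn." or ".dsl." as a complete label with a dot on both sides, so a name that starts with the label (dyn.example.net) or embeds it in a longer one (dynamic-10-0-0-1.example.org) passes the filter and is left to senderscore and rspamd.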
Reinstallation on Vultr

To run OpenBSD as configured by the OpenBSD project, it is currently necessary to create a Vultr instance running OpenBSD, then reinstall OpenBSD using the terminal in the Vultr dashboard.

From the Vultr dashboard, open the OpenBSD instance and click the terminal icon at the top of the page. Note that when using the terminal interface, it will not be possible to use a mouse, access the local clipboard, or otherwise interact with the interface other than through the keyboard.

Log in as root with the password from the Vultr dashboard.

    vultr# reboot

After the system boots there will be a boot prompt. Enter bsd.rd (the ramdisk installer kernel) and press enter.

    boot> bsd.rd

Most of the install questions can be answered using the default, which is shown in brackets.

Create the root user using the password provided for the instance by Vultr.

The non-default selections will be entering the domain of the hostname (example.com) plus the following:

    Do you expect to run the X Window System? [yes] no

There is a warning about not allowing root to log in over ssh using a password. This will be configured later in the setup process.

    Allow root ssh login? (yes, no, prohibit-password) [no] yes

    Location of sets? (cd0 disk http nfs or 'done') [cd0] http

For selecting the download location, enter ? then note a desired download location and enter its number:

    HTTP Server? (hostname, list#, 'done' or '?') ?
    ...
    HTTP Server? (hostname, list#, 'done' or '?') 47