One of the major reasons I like having a server available is being able to host my own content. Keeping a few boxes in the closet to store all the data I hoard wouldn't go very far if there were no access. For a web solution I've gone with OpenBSD (of course) and its pre-installed web server, httpd.
OpenBSD's security comes not only from tireless audits, but also from not having any network-facing software turned on by default. Setting up httpd (like most things on OpenBSD) really is no more difficult than carefully editing a few text files.
For this I'm using OpenBSD 6.7 on a Pentium 4.
First, create a config file for httpd called httpd.conf in the /etc directory. An example is provided in /etc/examples:
    # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
    server "example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
        location * {
            block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
    }
    server "example.com" {
        listen on * tls port 443
        tls {
            certificate "/etc/ssl/example.com.fullchain.pem"
            key "/etc/ssl/private/example.com.key"
        }
        location "/pub/*" {
            directory auto index
        }
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }
From this I stripped it down to only what I needed.
    # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
    ext_ip = "egress"
    server "<name of my domain>" {
        listen on $ext_ip port 80
        root "/htdocs"
    }
    types {
        include "/usr/share/misc/mime.types"
    }
By defining a variable called "ext_ip" with the value "egress" and listening on it, the web server only accepts incoming connections on the primary IP address of the network interface in the "egress" group (the interface that holds the default route). By default httpd keeps its files in /var/www and chroots to that directory, so setting the root directory in httpd.conf to "/htdocs" makes anyone visiting the website see the files in /var/www/htdocs. With the server configured, all that was left was to tell it about common file types, which are stored in /usr/share/misc/mime.types.
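To check which addresses a given httpd.conf actually binds, the following added example (not part of the original post) lists every "listen on" directive with its macros expanded and marks wildcard binds. It goes a little beyond the stripped-down config by also recognising the `*` and `tls` forms from the /etc/examples file; `audit_listen` and the server name in the sample are hypothetical.

```sh
# Added example: report each "listen on" directive of an httpd.conf,
# expanding macros such as ext_ip. audit_listen is a hypothetical helper.
# Output per directive: ADDRESS port PORT tls|plain all-addresses|restricted
audit_listen() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    # macro definition of the form: name = "value"
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        split($0, kv, "=")
        name = kv[1]; val = kv[2]
        gsub(/[ \t"]/, "", name); gsub(/[ \t"]/, "", val)
        macro[name] = val
        next
    }
    $1 == "listen" && $2 == "on" {
        addr = $3
        gsub(/"/, "", addr)
        if (substr(addr, 1, 1) == "$") {    # macro reference
            key = substr(addr, 2)
            addr = (key in macro) ? macro[key] : ("UNDEFINED:" key)
        }
        tls = "plain"; port = "?"
        for (i = 4; i <= NF; i++) {
            if ($i == "tls") tls = "tls"
            if ($i == "port") { port = $(i + 1); gsub(/"/, "", port) }
        }
        scope = (addr == "*") ? "all-addresses" : "restricted"
        printf "%s port %s %s %s\n", addr, port, tls, scope
    }' "$1"
}

# Constructed sample: the stripped-down config above with a placeholder name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ext_ip = "egress"
server "www.example.org" {
	listen on $ext_ip port 80
	root "/htdocs"
}
EOF
audit_listen "$sample"    # egress port 80 plain restricted
rm -f "$sample"
```

On the OpenBSD host itself, `httpd -n` checks the configuration file for validity without starting the server.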
Next we have to enable httpd. In the past this was done by directly editing configuration files in /etc, in this case /etc/rc.conf.local. Now it is done with the rcctl utility. From the man page:
    The rcctl utility can enable or disable a base system service or a base
    system or package daemon in rc.conf.local(8) or display its configuration
    and status. For a daemon, it can also change the command line arguments,
    the user to run as, the rc.d(8) action timeout or call its rc.d(8) daemon
    control script.
Enabling httpd is then as easy as:
    rcctl enable httpd
This should add the line "httpd_flags=" to /etc/rc.conf.local. Then to start httpd we use rcctl again.
    rcctl start httpd
All that's left now is to create an index.html file in /var/www/htdocs and point a web browser to our new web server!