Updated 2021-03-18. (Tested on OpenBSD 6.8)
I’m learning about OpenBSD, and my first goal is to set up a dedicated page for my generative art on my server.
I’m glad that OpenBSD comes with a built-in web server called httpd so I don’t have to install any additional software. To configure it, I wrote the following in /etc/httpd.conf:
server "art.jagtalon.com" {
    listen on * port 80
    root "/htdocs/art.jagtalon.com"
}
This listens for HTTP requests and serves the files that are in /var/www/htdocs/art.jagtalon.com. httpd runs chrooted to /var/www, so the root in the configuration is relative to that directory. This means I also have to create that directory:
$ mkdir -p /var/www/htdocs/art.jagtalon.com
I then checked if my configuration is correct:
$ httpd -n
Since everything is good, I enabled and started httpd using rcctl:
$ rcctl enable httpd
$ rcctl start httpd
And then I added a test file to test if everything is working in htdocs/art.jagtalon.com/index.html:
<html>
<body>Hello, world</body>
</html>
Finally, I added an A record to my DNS provider using the IP address of my instance. And that’s it!
Enabling HTTPS
Even though HTTP is good enough for this website, it’s important to also add HTTPS support because browsers are starting to move to HTTPS-only content. First, I set up acme-client by adding this to /etc/acme-client.conf:
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
domain art.jagtalon.com {
    domain key "/etc/ssl/private/art.jagtalon.com.key"
    domain certificate "/etc/ssl/art.jagtalon.com.crt"
    domain full chain certificate "/etc/ssl/art.jagtalon.com.fullchain.pem"
    sign with letsencrypt
}
Then I created the necessary directories (on OpenBSD.Amsterdam, I only had to make this directory):
$ mkdir -p -m 700 /etc/ssl/acme/private
A verification request will be sent to httpd, so we update /etc/httpd.conf as well. This validates that I own the domain:
server "art.jagtalon.com" {
    listen on * port 80
    root "/htdocs/art.jagtalon.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
As always, check the configuration and restart httpd:
$ httpd -n
$ rcctl restart httpd
Let’s get a certificate from Let’s Encrypt:
$ acme-client -v art.jagtalon.com
The certificate that we got lasts 90 days, so we run cron to attempt to renew the certificate every day. I ran crontab -e and set it to renew at 3am every day:
0 3 * * * acme-client art.jagtalon.com && rcctl reload httpd
Finally, we enable HTTPS! Pfew. I modified /etc/httpd.conf to listen for HTTPS requests and redirect all HTTP to HTTPS:
server "art.jagtalon.com" {
    listen on * port 80
    block return 301 "https://art.jagtalon.com$REQUEST_URI"
}
server "art.jagtalon.com" {
    listen on * tls port 443
    root "/htdocs/art.jagtalon.com"
    tls {
        certificate "/etc/ssl/art.jagtalon.com.fullchain.pem"
        key "/etc/ssl/private/art.jagtalon.com.key"
    }
    # Challenge requests are served from /var/www/acme
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
Don’t forget to check the configuration and restart httpd:
$ httpd -n
$ rcctl restart httpd
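httpd -n only validates syntax, so a challenge location whose pattern is mistyped still passes and renewals fail later. As an added example (not part of the original post), this shell function lints the challenge locations in an httpd.conf for the pattern, root and strip count used on this page; check_acme_locations and sample_conf are hypothetical names and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. check_acme_locations and sample_conf are hypothetical helper
# names. Reads an httpd.conf from the named file, or stdin when none is given.
check_acme_locations() {
    awk '
    # A location block whose pattern mentions the challenge path starts here.
    $1 == "location" && $2 ~ /acme-challenge/ {
        pat = $2; gsub(/"/, "", pat)
        start = NR; in_loc = 1; root_ok = 0; strip_ok = 0; found++
        next
    }
    in_loc && $1 == "root" && $2 == "\"/acme\""             { root_ok = 1 }
    in_loc && $1 == "request" && $2 == "strip" && $3 == "2" { strip_ok = 1 }
    # Closing brace of the location block: report what is wrong with it.
    in_loc && $1 == "}" {
        if (pat != "/.well-known/acme-challenge/*") {
            printf "line %d: pattern \"%s\" differs from \"/.well-known/acme-challenge/*\"\n", start, pat
            bad++
        }
        if (!root_ok)  { printf "line %d: missing root \"/acme\"\n", start; bad++ }
        if (!strip_ok) { printf "line %d: missing request strip 2\n", start; bad++ }
        in_loc = 0
    }
    END {
        if (!found) { print "no acme-challenge location found"; bad++ }
        exit (bad ? 1 : 0)
    }' "$@"
}

# Constructed sample: a TLS server block using the location pattern in $1.
sample_conf() {
    cat <<EOF
server "art.jagtalon.com" {
    listen on * tls port 443
    location "$1" {
        root "/acme"
        request strip 2
    }
}
EOF
}

# Demo on constructed input: the first pattern is mistyped, the second is correct.
for p in "./well-known/acme-challenge/*" "/.well-known/acme-challenge/*"; do
    sample_conf "$p" | check_acme_locations && echo "ok: $p"
done
```

Run it as check_acme_locations /etc/httpd.conf alongside httpd -n before restarting httpd.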
Change Permissions
I’d like to be able to easily write into the directory, so I changed its ownership to my user:
$ doas chown -R jag:jag /var/www/htdocs/art.jagtalon.com