OpenBSD httpd 7.3: Web server

nabbisen - May 6 '23 - - Dev Community

Summary

OpenBSD develops and maintains their own web server called "httpd" under ISC license.
It is installed by default in OS installation.

The great web server is something that is simple, robust and secure.
On performance, it is not the fastest among the competitors. However, it is enough fast, and, in addition, the development is in progress. For example, support to gzip compression has begun since 7.1.

In addition, the integration of httpd and relayd, their native relay daemon, makes your servers more functional.

This post will bring you to the journey to get how to configure httpd and run it. Bon voyage 🐡

Environment

  • OS: OpenBSD 7.3
  • Web: OpenBSD httpd

Tutorial

Prepare the configuration file

httpd.conf is required in order to activate httpd service.
The default path is /etc/httpd.conf. You can also work with the include keyword:

Additional configuration files can be included with the include keyword, for example:

include "/etc/httpd.conf.local"

Create httpd.conf

Copy the template from /etc/examples:

$ doas cp -p /etc/examples/httpd.conf /etc/
Enter fullscreen mode Exit fullscreen mode

Alternatively, of course, it can be created manually:

$ doas nvim /etc/httpd.conf
Enter fullscreen mode Exit fullscreen mode

The template content

The template is like this:

# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $

server "example.com" {
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "example.com" {
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
Enter fullscreen mode Exit fullscreen mode

Remember chroot works

root property in "SERVERS" section above means the directories under /var/www . The official document mentions in GLOBAL CONFIGURATION section:

chroot directory

Set the chroot(2) directory. If not specified, it defaults to /var/www, the home directory of the www user.

Edit httpd.conf (Optional)

Now you can modify the conf file to build server as you want:

$ doas nvim /etc/httpd.conf
Enter fullscreen mode Exit fullscreen mode

Case PHP FastCGI servers

Additional server definitions may be like these:

server "www.https-example.domain" { 
    alias "https-example.domain" 
    listen on * port 80 
    listen on * tls port 443
    tls {
        key         "/etc/ssl/private/www.https-example.domain.key"
        certificate "/etc/ssl/www.https-example.domain.crt"
    }
    root "/htdocs/www.https-example.domain" 
}

server "www.fastcgi-tcp-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket tcp 127.0.0.1 8080
}

server "www.fastcgi-unix-socket-example.domain" {
    alias "fastcgi-example.domain"
    listen on * port 80
    fastcgi socket "/run/example/unix_socket.sock"
}
Enter fullscreen mode Exit fullscreen mode

Case TLS connection

You can get certificate by Let's Encrypt with acme-client.

First, copy the configuration file template in /etc/examples:

$ doas cp -p /etc/examples/acme-client.conf /etc/
Enter fullscreen mode Exit fullscreen mode

Then edit it to add your servers:

$ doas nvim /etc/acme-client.conf
Enter fullscreen mode Exit fullscreen mode

Also edit httpd servers if necessary:

$ doas nvim /etc/httpd.conf
Enter fullscreen mode Exit fullscreen mode

Finally run the command:

$ acme-client -vd xxx
Enter fullscreen mode Exit fullscreen mode

The detail is in this post.

Activate the httpd daemon

Enable httpd:

# rcctl enable httpd
Enter fullscreen mode Exit fullscreen mode

Besides, /etc/rc.conf.local will be created like this if it is the first time:

# cat /etc/rc.conf.local
httpd_flags=
Enter fullscreen mode Exit fullscreen mode

Then start it:

# rcctl start httpd
httpd(ok)
Enter fullscreen mode Exit fullscreen mode

Alternatively, -f option helps for temporary confirmation

You can also run rcctl -f start httpd to start httpd forcely under the default setting, httpd_flags=NO.

Test if the server listens

Your httpd server are now ready to reply to HTTP requests. Let's try it.

Make index.html:

# mkdir -p /var/www/htdocs/www.https-example.domain
# # as needed:
# #chown www:www /var/www/htdocs/www.https-example.domain

$ echo "Hello, world. from OpenBSD httpd" > \
      /var/www/www.https-example.domain/index.html
Enter fullscreen mode Exit fullscreen mode

Then send HTTP request in your client:

$ curl localhost:80
Enter fullscreen mode Exit fullscreen mode

Your client must GET:

Hello, world. from OpenBSD httpd
Enter fullscreen mode Exit fullscreen mode

Conclusion

You can add more servers with /etc/httpd.conf.
Moreover, when you have many servers, you can define parts of them in external files with include keyword as written above. For example:

  # httpd.conf
  (...)
+ include "/etc/httpd.d/another.conf"
Enter fullscreen mode Exit fullscreen mode

Remember to restart the daemon by running doas rcctl restart httpd after changing httpd.conf.


Historical backgrounds (as reference)

OpenBSD httpd first appeared in 5.6. In the same version, they decided to remove Apache httpd from their base. In the next, 5.7, Nginx was removed, too.

Do you remember "Heartbleed" and "Shellshock", the vulnerabilities and the scare ? Issues on them and others happened in 2014. It made bad effects on SSL connection and CGI servers and so on in severe level.

The OpenBSD projects made their best effort to improve the situation. For instance, they developed LibreSSL and made it their native library instead of OpenSSL. They also tried to improve memory allocation methods. It was in the process that they developed their native web server called "httpd".

Use of other web servers

It is also possible to get Nginx, Apache (called "apache-httpd"), Lighttpd and darkhttpd as (thankfullly) maintained packages based on the Ports system.
You can install each of them by executing pkg_add.
It's also possible to get even Caddy by manually installing.


Happy serving 🕊

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .