Back to Ubuntu and Apache2 (and a couple of suggestions)

As some of you probably have read, I switched this blog to using OpenBSD's httpd server a few days ago, because I wanted to try new things and it seemed that httpd offered a pretty good out-of-the-box experience, with security and sanity of the code being the main focus.

There are, however, rough edges: features I need for my (simple) use case are still missing, and without them I don't think httpd can yet be called a truly great webserver for static content.

Therefore I'm back on Ubuntu and Apache2 for now, until my use case can be fully satisfied with OpenBSD's httpd server.

The missing pieces (for me)

For my particular use case two features are missing from httpd before I can consider it for production: control over Cache-Control headers and the ability to disable client-initiated SSL renegotiation.

Allow disabling client-side SSL renegotiation

Client-side SSL renegotiation is a known vector for CPU-bound denial-of-service attacks: the server's share of a TLS handshake costs far more CPU than the client's, so a single connection that keeps asking for renegotiation can make the server burn a lot of cycles with very little effort on the attacker's side.

Most other HTTP servers let administrators disable client-initiated renegotiation to mitigate this. The downside is that some applications need it (for example asking for a client certificate on only part of a site, after the initial handshake), but that is a minority use case.

Suggestion

The relayd server (on which httpd is based) received a patch that adds configuration syntax to disable client-initiated renegotiation:

- ssl [no] client-renegotiation
    -> allows the interception of ("secure") client initiated
        renegotiations, which are considered a risk in DDoS scenarios
        because many CPU cycles can be burned this way on a single TCP
        connection without an obvious way for the administrator to
        immediately know what's happening.

Porting this patch to httpd looks relatively straightforward, at least to my eyes (I'm not familiar with the code).

Tracking

Being new to OpenBSD, I wasn't sure where to report this, but it seems that reky's github mirror of the httpd portion of the OpenBSD tree is actively looked at, so I opened a github issue on there.

Cache-Control headers

When serving static content it makes a lot of sense to let the webserver set Cache-Control headers on some of the assets (images and CSS rarely change in my case, if at all). This lets browsers skip requests they would otherwise make, since they know how long a piece of content can be considered "fresh".

Httpd doesn't currently support setting response headers at all, and I can understand that it's a complex feature to implement that might never make it onto the roadmap (if there is such a thing).
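Whichever server ends up in front of the blog, both points above (a server that accepts client-initiated renegotiation, and static assets served without a Cache-Control max-age) can be checked from the outside. The script below is an added example, not code from this post or from the OpenBSD or Apache projects. HOST, PORT and ASSET are placeholder assumptions, the sample transcripts and headers are constructed (the OpenSSL error text is abbreviated), and the exact wording `openssl s_client` prints after the interactive "R" command varies between OpenSSL versions, so the verdict parser treats anything it does not recognise as "unknown".

```shell
#!/bin/sh
# Added example (not from the original post, OpenBSD or Apache): check a live
# server for client-initiated TLS renegotiation and for Cache-Control on a
# static asset. HOST, PORT and ASSET are placeholder assumptions.

HOST="${HOST:-example.com}"
PORT="${PORT:-443}"
ASSET="${ASSET:-/css/style.css}"

# Classify an `openssl s_client` transcript captured after the interactive
# "R" command (which asks the server to renegotiate).
# Prints "refused", "allowed" or "unknown".
reneg_verdict() {
    case "$1" in
        *RENEGOTIATING*"alert no renegotiation"*|*RENEGOTIATING*"handshake failure"*)
            echo refused ;;   # an alert or handshake error: the server said no
        *RENEGOTIATING*"verify return"*)
            echo allowed ;;   # a second certificate verification: it went along
        *)
            echo unknown ;;   # unrecognised transcript, inspect it by hand
    esac
}

# Live check. Renegotiation only exists in TLS 1.2 and earlier (TLS 1.3
# removed it), so the session is pinned to 1.2. The sleeps give the initial
# handshake time to finish before "R" is sent and the answer time to arrive.
check_renegotiation() {
    transcript=$( { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -tls1_2 2>&1)
    verdict=$(reneg_verdict "$transcript")
    echo "client-initiated renegotiation: $verdict"
    [ "$verdict" = refused ]
}

# Pull the max-age value out of a block of response headers (as printed by
# `curl -sI`). Prints nothing and returns 1 when there is none.
cache_max_age() {
    age=$(printf '%s\n' "$1" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "cache-control" { print $2 }' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] || return 1
    printf '%s\n' "$age"
}

check_cache_control() {
    headers=$(curl -sSI "https://$HOST$ASSET")
    if age=$(cache_max_age "$headers"); then
        echo "Cache-Control max-age on $ASSET: $age seconds"
    else
        echo "no Cache-Control max-age on $ASSET (browsers will re-request it)"
        return 1
    fi
}

# Constructed sample inputs (not captured from any real server) showing the
# shapes the two parsers expect.
SAMPLE_REFUSED='CONNECTED(00000003)
depth=0 CN = example.com
verify return:1
---
RENEGOTIATING
error:SSL routines:ssl3_read_bytes:tlsv1 alert no renegotiation'

SAMPLE_ALLOWED='CONNECTED(00000003)
depth=0 CN = example.com
verify return:1
---
RENEGOTIATING
depth=0 CN = example.com
verify return:1'

SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/css
Cache-Control: max-age=604800, public'

# Only talk to the network when a host is given on the command line, so the
# parsing functions above can be sourced and exercised offline.
if [ $# -ge 1 ]; then
    HOST="$1"
    check_renegotiation
    check_cache_control
fi
```

Run it as `sh check.sh blog.example.com` (assumed file name) against the deployed host. On Apache the max-age itself comes from mod_headers, for instance `Header set Cache-Control "max-age=604800, public"` inside a `<FilesMatch "\.(css|png|jpe?g|gif)$">` block, or from mod_expires; that is the knob the httpd side currently lacks.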

I'll be back!

My venture into the OpenBSD universe was a positive experience. I'll keep an eye on the community for a bit and see whether the features I'm missing get implemented.

In that case I'd of course try it again!