This blog now served by OpenBSD!
While Ubuntu is still the OS of my heart, I decided to give OpenBSD another look, and especially their new httpd webserver, since it is extremely secure, and like everything else on OpenBSD, extremely simple to use!
Here's what I did to get rolling:
Install OpenBSD
I decided to follow Tubsta's article to install OpenBSD on a DigitalOcean droplet.
Configure httpd
Configuring httpd to serve my blog (a bunch of static files, generated by Pelican) was a piece of cake. Here's the complete configuration file:
# /etc/httpd.conf
# "egress" means "use the interface of the default route"
ext_if="egress"
# A simple macro defining my domain name. DRY
domain="tribaal.io"
# Run 6 child processes. The default is 3, and since I have plenty
# of RAM, I'm not sacrificing much here.
prefork 6
# Set mime type according to the file name.
types { include "/usr/share/misc/mime.types" }
server $domain {
    listen on $ext_if tls port 443
    # Enable HTTP Strict Transport Security (defaults to 1 year).
    hsts
    # The webroot folder (where the static content will be served from).
    # This is in a chroot under /var/www/
    root "/htdocs/tribaal.io"
}
server $domain {
    listen on $ext_if port 80
    # Redirect non-SSL connections to the SSL endpoint.
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
Adding SSL certificates
My freshly renewed certificate in hand (thanks, Gandi!), I simply put the files in the default httpd locations (since that's the only SSL service running on the machine):
# Make a combined cert with Gandi's intermediate and my own certificate
cat server.crt > combined.crt
cat GandiStandardSSLCA2.pem >> combined.crt
mv combined.crt /etc/ssl/server.crt
mv server.key /etc/ssl/private/server.key
The default configuration, plus the hsts stanza in the configuration file, will get you an A+ grade on SSL Labs.
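The checks below are an added example, not part of the original post: they confirm that combined.crt has the server certificate first with the intermediate after it, and that the key file is not readable by group or other, before the files are moved into /etc/ssl. The function names are hypothetical, and the script only compares PEM blocks as text; it does not validate the chain cryptographically.

```shell
#!/bin/sh
# Added example: pre-install checks for the certificate bundle and key.
# Function names are hypothetical; the PEM markers are the standard ones.

# Print the Nth (1-based) certificate block of a PEM file.
pem_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
        inblk && n == want            { print }
        /-----END CERTIFICATE-----/   { inblk = 0 }
    ' "$1"
}

# Count the certificate blocks in a PEM file.
pem_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# usage: check_bundle server.crt combined.crt
# returns 0 ok, 1 intermediate missing, 2 leaf not first, 3 fused markers
check_bundle() {
    # cat joins two files on one line when the first lacks a final newline.
    if grep -q -e '-----END CERTIFICATE-----.*-----BEGIN' "$2"; then
        echo "END/BEGIN markers share a line: add a newline to $1" >&2
        return 3
    fi
    count=$(pem_count "$2")
    if [ "$count" -lt 2 ]; then
        echo "bundle holds $count certificate(s), intermediate missing" >&2
        return 1
    fi
    # A TLS server must send its own certificate first, then the chain.
    if [ "$(pem_cert "$1" 1)" != "$(pem_cert "$2" 1)" ]; then
        echo "first certificate in $2 is not the one in $1" >&2
        return 2
    fi
    return 0
}

# usage: key_is_private server.key
# True only when group and other have no permission bits on the key.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

Run `check_bundle server.crt combined.crt && key_is_private server.key` in the directory holding the files, before the two mv commands.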
Add the actual blog files
Of course, I needed to scp my blog files to the correct place in the /var/www/htdocs/tribaal.io/ folder.
Enable httpd
By default, nothing runs on your OpenBSD install - so simply run the following as root to get httpd running:
# Enable running the service
echo 'httpd_flags=""' >> /etc/rc.conf.local
# Actually run the service
/etc/rc.d/httpd start
Edit: As Mischa Peters pointed out on Twitter, the more canonical way to achieve this in OpenBSD would be to use:
rcctl enable httpd  # Enable the service to run
rcctl start httpd   # Actually start the service
And that's it!
That's all. Piece of cake :)