Remy's Adventures in Cyberspace

I recently lost a box due to unpaid invoices; all mail from my hosting partner ended up in my junk-folder, never saw them. So I had to get a new box and do a fresh install. Let’s write up the lessons learned while doing this.

Thanks to my previous posts everything was back in no time, but since my first steps in OpenBSD were a bit bumpy I decided to do a new write-up, first let’s install OpenBSD. The only problem I ran into was the fact that for some reason DHCP was not working so I had to manually configure the network.

After that I followed my previous hardening procedures. Learned about setting the clock on OpenBSD to fix a problem with pkg_add. To install some hard-needed utilities:

$ doas pkg_add nano git rsync

Next up: installing and configuring the OEMP stack. The acme-client seems to be part of base these days, nice!

$ doas pkg_add nginx mariadb-server php-mysqli

NGINX & Let’s Encrypt certificates

I have a nice git-repo with all kinds of useful stuff to configure nginx called etc-nginx. Not public (yet). I clone it into ~/git/etc-nginx.

Preparing the /etc/nginx directory for my default way of working:

$ cd /etc/nginx
$ doas ln -sf ~/git/etc-nginx/common
$ doas ln -sf ~/git/etc-nginx/nginx-openbsd.conf nginx.conf
$ doas mkdir cert
$ doas openssl dhparam -out /etc/nginx/cert/dhparam.pem 4096
$ doas mkdir sites-enabled
$ cd /etc/nginx/sites-enabled
$ doas ln -sf ~/git/etc-nginx/sites-available/acme-challenge.conf
$ doas nginx -t
$ doas rcctl start nginx

Configure acme-client to automate the renewal of the Let’s Encrypt certificates.

$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf
$ doas nano /etc/acme-client.conf

Change the domain example.com to your domain and add alternative names, change the location of the files to /etc/nginx/cert/.

domain example.com {
  alternative names { secure.example.com }
  domain key "/etc/nginx/cert/key"
  domain full chain certificate "/etc/nginx/cert/chain.crt"
  sign with letsencrypt
}

Let’s run the client: (double v for extra verbose)

$ doas acme-client -vv example.com

Add the dynamic vhosts configuration for single cert:

$ doas ln -sf ~/git/etc-nginx/sites-available/dynamic-vhosts-single-cert.conf
$ doas nginx -t
$ doas rcctl reload nginx

Browsing to any of the domains pointing to this box should now work. Now that we have nginx running https we can add the certificate renewal to crontab:

$ doas crontab -e

30	2	*	*	*	acme-client example.com && rcctl reload nginx

PHP & MariaDB

The packages are already installed so we only need to configure them.

$ doas /usr/local/bin/mysql_install_db
$ doas rcctl start mysqld
$ doas /usr/local/bin/mysql_secure_installation
$ doas ln -sf /etc/php-8.0.sample/mysqli.ini /etc/php-8.0/

Most times I just install a couple of php-modules because I will eventually end up using them anyway. Most notably php-curl. And as it turns out there is something you’ll need to do to make it work that caught me on one of my servers…

$ doas cp /etc/resolv.conf /var/www/etc/resolv.conf

Make sure everything is enabled and starts at reboot:

$ doas rcctl enable httpd
$ doas rcctl enable php80_fpm
$ doas rcctl enable mysqld
$ doas reboot

Verify

Most simple way to verify the whole stack is by installing phpmyadmin into: /var/www/html/phpmyadmin

$ cd /var/www/html
$ doas curl -o file.tar.gz https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-english.tar.gz
$ doas tar -xzf file.tar.gz
$ doas ln -sf phpMyAdmin-5.1.0-english.tar.gz phpmyadmin
$ cd phpmyadmin
$ doas mkdir tmp
$ doas chmod 777 tmp
$ doas mv config.sample.inc.php config.inc.php
$ doas nano config.inc.php 

Add a 32 char long random string for Blowfish and enter 127.0.0.1 for the first server instead of localhost. Follow any upcoming errors in phpmyadmin…

That’s it!