{"id":115,"date":"2019-10-16T17:00:29","date_gmt":"2019-10-16T15:00:29","guid":{"rendered":"http:\/\/blog.remyblom.nl\/?p=115"},"modified":"2021-05-26T09:37:54","modified_gmt":"2021-05-26T07:37:54","slug":"vhosts-and-https-in-openbsds-httpd","status":"publish","type":"post","link":"https:\/\/blog.remyblom.nl\/?p=115","title":{"rendered":"Vhosts and https in OpenBSD&#8217;s httpd"},"content":{"rendered":"\n<p>In the previous post I <a href=\"https:\/\/blog.remyblom.nl\/?p=96\">got my OHMP stack running<\/a>; OHMP is like LAMP or LEMP, but runs on <strong>O<\/strong>penBSD, using its native <strong>h<\/strong>ttpd, topping it off with <strong>M<\/strong>ariaDB and <strong>p<\/strong>hp.<\/p>\n\n\n\n<p>I used phpmyadmin to verify everything is working fine, and it is, but for starters I don&#8217;t want my phpmyadmin to be accessible from all over the world, only from some trusted IPs. With webservers like Apache and nginx this is very easy to do, but as it turns out, in httpd it is not. The simplest solution is to let PF do the IP restrictions for you. With the <a href=\"https:\/\/blog.remyblom.nl\/?p=79\">firewall rules<\/a> I have in place only my http and https ports are globally accessible; all other ports are only accessible from a pool of trusted IPs and IP ranges. So when I change my <code>\/etc\/httpd.conf<\/code> to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>types { include \"\/usr\/share\/misc\/mime.types\" }\n\nserver \"phpmyadmin\" {\n  listen on * port 8080\n  directory { index \"index.php\" }\n  root { \"\/htdocs\/phpmyadmin\" }\n  location \"\/*.php*\" {\n    fastcgi socket \"\/run\/php-fpm.sock\"\n  }\n}<\/code><\/pre>\n\n\n\n<p>I now have phpmyadmin available on port 8080, only accessible from the trusted pool. 
Next we install <code>acme-client<\/code>: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas pkg_add acme-client<\/code><\/pre>\n\n\n\n<p>Add another server in <code>httpd.conf<\/code> that serves the acme-challenge <strong>and<\/strong> redirects http to https:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server \"default\" {\n  listen on * port 80 \n\n  location \"\/.well-known\/acme-challenge\/*\" {\n    root \"\/acme\"\n    request strip 2\n  }\n  location \"\/*\" {\n    block return 301 \"https:\/\/$HTTP_HOST$REQUEST_URI\"\n  }\n}<\/code><\/pre>\n\n\n\n<p>Now we are ready to configure acme:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ cp \/etc\/example\/acme-client.conf \/etc\/acme-client.conf<\/code><\/pre>\n\n\n\n<p>Let&#8217;s add our domain to the file; for the purpose of this post I stick to the example.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>domain example.com {\n  alternative names { secure.example.com }\n  domain key \"\/etc\/ssl\/private\/example.com.key\"\n  domain full chain certificate \"\/etc\/ssl\/example.com.fullchain.pem\"\n  sign with letsencrypt\n}<\/code><\/pre>\n\n\n\n<p>Now you have to pay attention to which version of OpenBSD you are running, because there are a few changes that got me confused. In order to do the first certificate request there must be an account key file and a private key for the server. 
Later versions of acme-client will make those automatically, but the version that came with OpenBSD 6.5 needed specific flags to make them:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas acme-client -vAD example.com<\/code><\/pre>\n\n\n\n<p>Now that we have our certificate we can adjust <code>httpd.conf<\/code> to add another server:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server \"example.com\" {\n  alias \"secure.example.com\"\n  listen on * tls port 443\n  tls {\n    certificate \"\/etc\/ssl\/example.com.fullchain.pem\"\n    key \"\/etc\/ssl\/private\/example.com.key\"\n  }\n  root \"\/vhosts\/example.com\"\n  directory index \"index.php\" \n  \n  location \"\/*.php*\" {\n    fastcgi socket \"\/run\/php-fpm.sock\"\n  }\n}<\/code><\/pre>\n\n\n\n<p>Test the configuration and reload your webserver:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas httpd -n\n$ doas rcctl reload httpd<\/code><\/pre>\n\n\n\n<p>Point your browser to http:\/\/example.com and it should redirect you to https! The next step is to automate the certificate renewal process:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas crontab -e<\/code><\/pre>\n\n\n\n<p>To have acme-client check every night at 02:30:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>30\t2\t*\t*\t*\tacme-client example.com &amp;&amp; rcctl reload httpd<\/code><\/pre>\n\n\n\n<p>Now you can repeat this process for all domains and subdomains you are hosting. 
I also tweaked my config to use https for phpmyadmin:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>types { include \"\/usr\/share\/misc\/mime.types\" }\n\n# DEFAULT: acme-challenge and http->https redirects for all\nserver \"default\" {\n  listen on * port 80 \n\n  location \"\/.well-known\/acme-challenge\/*\" {\n    root \"\/acme\"\n    request strip 2\n  }\n  location \"\/*\" {\n    block return 301 \"https:\/\/$HTTP_HOST$REQUEST_URI\"\n  }\n}\n\n# PHPMYADMIN: http->https redirect (8080->8443)\nserver \"phpmyadmin-http\" {\n  listen on * port 8080\n  block return 301 \"https:\/\/example.com:8443$REQUEST_URI\"\n}\n# PHPMYADMIN: serve over https\nserver \"phpmyadmin-https\" {\n  listen on * tls port 8443\n  tls {\n    certificate \"\/etc\/ssl\/example.com.fullchain.pem\"\n    key \"\/etc\/ssl\/private\/example.com.key\"\n  } \n  root \"\/htdocs\/phpmyadmin\"\n  directory { index \"index.php\" }\n \n  location \"\/*.php*\" {\n    fastcgi socket \"\/run\/php-fpm.sock\"\n  }\n}<\/code><\/pre>\n\n\n\n<p>And then it turned out that I was not satisfied with <code>httpd<\/code> and I needed to <a href=\"https:\/\/blog.remyblom.nl\/?p=141\">switch back to nginx<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post I got my OHMP stack running; OHMP is like LAMP or LEMP, but runs on OpenBSD, using its native httpd, topping it off with MariaDB and php. 
I used phpmyadmin to verify everything is working fine, and it is, but for starters I don&#8217;t want my phpmyadmin to be accessible from &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.remyblom.nl\/?p=115\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Vhosts and https in OpenBSD&#8217;s httpd&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,4,2],"tags":[],"class_list":["post-115","post","type-post","status-publish","format-standard","hentry","category-lemp","category-openbsd","category-vps"],"_links":{"self":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=115"}],"version-history":[{"count":7,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/115\/revisions"}],"predecessor-version":[{"id":274,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/115\/revisions\/274"}],"wp:attachment":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}