IRCNow


Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:

$ doas cp /etc/examples/httpd.conf /etc/httpd.conf

Here is what /etc/httpd.conf contains:

server "example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

server "example.com" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/example.com.fullchain.pem"
                key "/etc/ssl/private/example.com.key"
        }
        location "/pub/*" {
                directory auto index
        }
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}

You must replace example.com everywhere with your domain name.

Simply enable and start the web server:

$ doas rcctl enable httpd
$ doas rcctl start httpd

Make sure pf allows incoming HTTP and HTTPS connections by putting this line into /etc/pf.conf:

pass in proto tcp to port {http https}

Then, reload the pf rulesets:

$ doas pfctl -f /etc/pf.conf

You will almost certainly want openhttpd to use an SSL certificate, so follow the acme-client instructions, then restart your web server:

$ doas rcctl restart httpd

At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine).

$ nc ircnow.org 80
GET index.html HTTP/1.0

You should see a response similar to the one below:

HTTP/1.0 408 Request Timeout
Date: Mon, 11 Nov 2019 05:06:06 GMT 
Server: OpenBSD httpd       
Connection: close 
Content-Type: text/html         
Content-Length: 439

To test if your web server is working and has a correct SSL cert, run:

$ openssl s_client -connect example.com:443

You should see the correct SSL subject and issuer:

subject=/CN=test.ircnow.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
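
The subject and issuer check above can be scripted so it fails loudly when the wrong certificate is served or the chain does not verify. This is an added example, not part of the original page: the function names cert_cn and check_cert are hypothetical, and the sample s_client output is constructed from the subject and issuer lines shown above. It accepts both the older `subject=/CN=...` layout and the newer `subject=CN = ...` layout that different openssl versions print.

```shell
#!/bin/sh
# Added example: validate saved `openssl s_client` output.
# Against a live server (example.com is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com \
#       </dev/null 2>/dev/null | check_cert example.com

# Print the CN from the "subject=" or "issuer=" line read on stdin.
# $1 = subject | issuer. Handles "/CN=host" and "CN = host" layouts.
cert_cn() {
    sed -n "s|^$1=.*CN *= *\([^,/]*\).*|\1|p" | head -n 1
}

# $1 = expected host name; s_client output on stdin.
# Returns 0 only if the subject CN matches and the chain verified.
check_cert() {
    out=$(cat)
    subject=$(printf '%s\n' "$out" | cert_cn subject)
    issuer=$(printf '%s\n' "$out" | cert_cn issuer)
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: //p' | head -n 1)
    [ -n "$subject" ] || { echo "FAIL: no subject line found"; return 1; }
    [ "$subject" = "$1" ] || {
        echo "FAIL: subject CN '$subject' is not '$1'"; return 1; }
    case "$code" in
        "0 (ok)") echo "OK: $subject issued by $issuer" ;;
        *) echo "FAIL: verification result: ${code:-missing}"; return 1 ;;
    esac
}

# Constructed samples (not captured from a real server).
SAMPLE_OLD="subject=/CN=test.ircnow.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    Verify return code: 0 (ok)"
SAMPLE_NEW="subject=CN = test.ircnow.org
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Verify return code: 0 (ok)"
SAMPLE_BAD="subject=CN = test.ircnow.org
issuer=CN = test.ircnow.org
    Verify return code: 18 (self-signed certificate)"

printf '%s\n' "$SAMPLE_OLD" | check_cert test.ircnow.org
printf '%s\n' "$SAMPLE_BAD" | check_cert test.ircnow.org || true
```

The check compares only the subject CN, as the page does; it does not inspect subjectAltName entries or the expiry date.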