This blog now served by OpenBSD!

Tue 21 July 2015 in Technical

While Ubuntu is still the OS of my heart, I decided to give OpenBSD another look, and especially their new httpd webserver, since it is extremely secure, and like everything else on OpenBSD, extremely simple to use!

Here's what I did to get rolling:

Install OpenBSD

I decided to follow Tubsta's article to install OpenBSD on a DigitalOcean droplet.

Configure httpd

Configuring httpd to serve my blog (a bunch of static files, generated by Pelican) was a piece of cake. Here's the complete configuration file:

    # /etc/httpd.conf

    # "egress" means "use the interface of the default route"
    ext_if = "egress"

    # A simple macro defining my domain name. DRY
    domain = "tribaal.io"

    # Run 6 child processes. The default is 3, and since I have plenty
    # of RAM, I'm not sacrificing much here.
    prefork 6

    # Set mime type according to the file name.
    types { include "/usr/share/misc/mime.types" }

    server $domain {
        listen on $ext_if tls port 443

        # Enable HTTP Strict Transport Security (defaults to 1 year).
        hsts

        # The webroot folder (where the static content will be served from).
        # This is in a chroot under /var/www/
        root "/htdocs/tribaal.io"
    }

    server $domain {
        listen on $ext_if port 80

        # Redirect non-SSL connections to the SSL endpoint.
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }

Adding SSL certificates

My freshly renewed certificate in hand (thanks, Gandi!), I simply put the files in the default httpd locations (since that's the only SSL service running on the machine):

    # Make a combined cert with Gandi's intermediate and my own certificate
    cat server.crt > combined.crt
    cat GandiStandardSSLCA2.pem >> combined.crt
    mv combined.crt /etc/ssl/server.crt
    mv server.key /etc/ssl/private/server.key

The default configuration, plus the hsts stanza in the configuration file, will get you an A+ grade on SSL Labs.

Add the actual blog files

Of course, I needed to scp my blog files to the correct place in the /var/www/htdocs/tribaal.io/ folder.

Enable httpd

By default, nothing runs on your OpenBSD install, so simply run the following as root to get httpd running:

    # Enable running the service
    echo 'httpd_flags=""' >> /etc/rc.conf.local
    # Actually run the service
    /etc/rc.d/httpd start

Edit: As Mischa Peters pointed out on Twitter, the more canonical way to achieve this in OpenBSD would be to use:

    rcctl enable httpd  # Enable the service to run
    rcctl start httpd   # Actually start the service
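Once httpd is running, it is worth confirming that both listeners behave as the configuration intends. The script below is an added example, not part of the original post: it checks captured response headers for the port 80 redirect and the HSTS header on port 443. The function names and sample headers are constructed for illustration, and live use assumes curl is installed.

```shell
#!/bin/sh
# Added example: verify the port 80 redirect and the HSTS header promised by
# the httpd.conf above. Function names and sample headers are constructed.

# Print the value of the first header named $1 (case-insensitive) from stdin.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        NR > 1 && (i = index($0, ":")) && tolower(substr($0, 1, i - 1)) == want {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# Print the numeric status code from the status line on stdin.
status_code() { tr -d '\r' | awk 'NR == 1 { print $2 }'; }

# Succeed only for a 301 whose Location stays on https://<host>/.
# $1 = raw response headers, $2 = expected host name.
check_redirect() {
    [ "$(printf '%s\n' "$1" | status_code)" = "301" ] || return 1
    case "$(printf '%s\n' "$1" | header_value Location)" in
        "https://$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the max-age directive of Strict-Transport-Security, if present.
hsts_max_age() {
    printf '%s\n' "$1" | header_value Strict-Transport-Security |
        tr ';' '\n' | awk -F= '{ k = tolower($1); gsub(/[ \t]/, "", k) }
            k == "max-age" { gsub(/[ \t"]/, "", $2); print $2; exit }'
}

# Succeed when max-age is at least $2 seconds (default: one year).
check_hsts() {
    age=$(hsts_max_age "$1")
    case "$age" in ''|*[!0-9]*) return 1 ;; esac
    [ "$age" -ge "${2:-31536000}" ]
}

# Constructed sample responses, with the CRLF line endings HTTP uses.
CR=$(printf '\r')
SAMPLE_HTTP="HTTP/1.1 301 Moved Permanently${CR}
Location: https://tribaal.io/index.html${CR}"
SAMPLE_HTTPS="HTTP/1.1 200 OK${CR}
Strict-Transport-Security: max-age=31536000${CR}"

# Live use: check_redirect "$(curl -sI http://tribaal.io/)" tribaal.io
check_redirect "$SAMPLE_HTTP" tribaal.io && echo "port 80: redirects to HTTPS"
check_hsts "$SAMPLE_HTTPS" && echo "port 443: HSTS max-age >= 1 year"
```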