• 2022-09-14
  • unique

httpd on OpenBSD (with relayd)

httpd

/etc/httpd.conf

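# Backend for the TLS relay: relayd terminates TLS on :443 and forwards to
# this loopback-only listener, so :8080 is not reachable from outside the
# host. Both server blocks carry the same name; httpd tells them apart by
# their listen address/port.
server "vpn.rvo.one" {
	listen on 127.0.0.1 port 8080

	root "/htdocs/vpn.rvo.one"

	# ACME HTTP-01 challenge files are served from /acme (paths are relative
	# to httpd's chroot). "request strip 2" removes the two leading path
	# components "/.well-known/acme-challenge" so the token is looked up
	# directly under /acme.
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}

# Plain-HTTP listener (IPv4 only): only the ACME challenge path is served,
# everything else is redirected to HTTPS.
server "vpn.rvo.one" {
	listen on 0.0.0.0 port 80

	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}

	# The redirect lives in its own catch-all location, the form used in the
	# acme-client(1) example, instead of at server scope. That way the
	# challenge location above is never affected by it and the redirect does
	# not have to be commented out for every issuance or renewal.
	# The target host is deliberately fixed: deriving it from the Host header
	# ($HTTP_HOST) would let the request pick its own redirect destination.
	location * {
		block return 302 "https://vpn.rvo.one$REQUEST_URI"
	}
}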
httpd -n    # parse /etc/httpd.conf only; fix any reported error before enabling
rcctl enable httpd    # start at boot
rcctl start httpd

certificate

/etc/acme-client.conf

# Production Let's Encrypt (ACME v2) endpoint and the account key used to
# talk to it.
authority letsencrypt {
   api url "https://acme-v02.api.letsencrypt.org/directory"
   account key "/etc/acme/letsencrypt-privkey.pem"
}

domain vpn.rvo.one {
   # Optional additional hostnames (SANs) for the same certificate. The
   # original note carried a hostname copied from someone else's config;
   # fill in your own before uncommenting.
   #alternative names { <additional-hostname> }
   # Private key goes under /etc/ssl/private (root-only directory).
   # relayd's `tls keypair "vpn.rvo.one"` reads exactly this crt/key pair.
   domain key "/etc/ssl/private/vpn.rvo.one.key"
   domain full chain certificate "/etc/ssl/vpn.rvo.one.crt"
   sign with letsencrypt
}
# Request the certificate for the domain configured above (add -v while
# debugging). Run it again periodically (e.g. from cron) for renewal, and
# reload or restart relayd afterwards so the new files are picked up.
acme-client vpn.rvo.one

relayd

/etc/relayd.conf

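# Backend is httpd's loopback listener from /etc/httpd.conf (127.0.0.1:8080).
table <local> { 127.0.0.1 }

http protocol https {

	# Loads /etc/ssl/vpn.rvo.one.crt and /etc/ssl/private/vpn.rvo.one.key,
	# i.e. the files acme-client writes.
	tls keypair "vpn.rvo.one"

	# Forward-secret ECDHE suites only. The cipher string must stay on one
	# line; the original note had it wrapped by the page layout.
	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

	# relayd is the first hop that sees the client, so the forwarding headers
	# are set rather than appended: with "append" a client-supplied
	# X-Forwarded-For would survive and the backend could log or trust a
	# spoofed address.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	# NOTE(review): $REMOTE_PORT is the client's source port; if whatever
	# consumes this header expects the port the client connected to (443),
	# $SERVER_PORT is the usual value — confirm against the backend.
	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"

	# Hardening headers for a static site. default-src 'none' also blocks
	# scripts and fonts; relax per directive if the site ever needs them.
	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
	# Feature-Policy is the legacy spelling; current browsers read
	# Permissions-Policy, so both are sent.
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Permissions-Policy" value "camera=(), microphone=()"
	match response header set "Referrer-Policy" value "no-referrer"
	# HSTS stays disabled until HTTPS is known to work for every host the
	# policy would cover: includeSubDomains binds all subdomains, and preload
	# is effectively permanent once the domain is submitted to the preload
	# list. Drop "preload" unless that submission is intended.
	# match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	# frame-ancestors 'none' in the CSP covers modern browsers; kept for
	# older clients.
	match response header set "X-Frame-Options" value "deny"
	# "0" disables the legacy XSS auditor, which is the current
	# recommendation: the auditor has been abused for information leaks in
	# older browsers and the CSP above already blocks inline script.
	match response header set "X-XSS-Protection" value "0"

	# Send a relayd error page instead of dropping the connection on errors.
	return error
	pass
}

# IPv4 only; there is no matching IPv6 listener.
ipv4="0.0.0.0"

relay wwwtls {
	# TLS is terminated here; httpd on the loopback backend only ever sees
	# plain HTTP.
	listen on $ipv4 port 443 tls
	protocol https
	forward to <local> port 8080
}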
relayd -n    # parse /etc/relayd.conf only; also catches a missing keypair file
rcctl enable relayd    # start at boot
rcctl start relayd