diff options
Diffstat (limited to 'content')
-rw-r--r-- | content/2023/moved-to-openbsd.md | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/content/2023/moved-to-openbsd.md b/content/2023/moved-to-openbsd.md index cfbb86c7..4fdb1825 100644 --- a/content/2023/moved-to-openbsd.md +++ b/content/2023/moved-to-openbsd.md @@ -54,9 +54,10 @@ I could not resist, and a day after learning about them, I had already paid for So here we are: OpenBSD VM. What now? Let's configure a webserver! OpenBSD comes with three great tools out of the box: -httpd(8) - an HTTP daemon -relayd(8) - a relay daemon -acme-client(1) - a client for Automatic Certificate Management Environment (ACME) + +- httpd(8) - an HTTP daemon +- relayd(8) - a relay daemon +- acme-client(1) - a client for Automatic Certificate Management Environment (ACME) With those free things, we can serve static webpages over TLS. While you most likely already use [NGINX](https://www.nginx.com/) or [Apache](https://httpd.apache.org/)[^win], those solutions are complex. They work amazingly in enterprise environments where you have people with doctorates in NGINX configuration, but most real-world examples don't need that complexity. A static blog most likely doesn't. [^win]: because there is no fourth way. Please repeat after me: there is no webserver in Windows. @@ -176,10 +177,11 @@ relay "https6" { {{</highlight>}} Now, I won't go into much detail here, but what happens here is: -We create two relays, one for ipv4 and one for ipv6. One relay can listen on a single port for given IP. Each relay uses protocol "https" to modify and steer the request to a given process. -Both relays set up forwarding to httpd (IP taken from the table on the head of the file) on port 8080. -https protocol adds a TLS key pair for the session. We've got the files from Let's Encrypt in the step above. -We then test each request, and if the host matches "michal.sapka.me" it will be forwarded to httpd(8). +1. We create two relays, one for ipv4 and one for ipv6. One relay can listen on a single port for given IP. Each relay uses protocol "https" to modify and steer the request to a given process. +2. Both relays set up forwarding to httpd (IP taken from the table on the head of the file) on port 8080. +3. https protocol adds a TLS key pair for the session. We've got the files from Let's Encrypt in the step above. +4. We then test each request, and if the host matches "michal.sapka.me" it will be forwarded to httpd(8). + You can also see that relayd(8) can listen on a given IP or all IPs (:: in case of IPv6) But our httpd(8) listens only on port 80! Let's fix that by changing the `httpd.conf` file: @@ -201,10 +203,11 @@ server "michal.sapka.me" { {{</highlight>}} Now, when the user enters the site, the flow will look like: -httpd(8) will respond to :80 requests and return a 301 redirect to HTTPS -relayd(8) will catch the request to :443 and forward it on port :8080 to httpd(8) -httpd(8) will serve our site and pass the response to relayd(8) again -relayd(8) can modify headers before returning the response to the client. + +1. httpd(8) will respond to :80 requests and return a 301 redirect to HTTPS +2. relayd(8) will catch the request to :443 and forward it on port :8080 to httpd(8) +3. httpd(8) will serve our site and pass the response to relayd(8) again +4. relayd(8) can modify headers before returning the response to the client. Talking about modifying headers, let's apply some extra security! We can expand our https protocol with the following: |