summaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
Diffstat (limited to 'content')
-rw-r--r--content/2023/moved-to-openbsd.md25
1 files changed, 14 insertions, 11 deletions
diff --git a/content/2023/moved-to-openbsd.md b/content/2023/moved-to-openbsd.md
index cfbb86c7..4fdb1825 100644
--- a/content/2023/moved-to-openbsd.md
+++ b/content/2023/moved-to-openbsd.md
@@ -54,9 +54,10 @@ I could not resist, and a day after learning about them, I had already paid for
So here we are: OpenBSD VM. What now? Let's configure a webserver!
OpenBSD comes with three great tools out of the box:
-httpd(8) - an HTTP daemon
-relayd(8) - a relay daemon
-acme-client(1) - a client for Automatic Certificate Management Environment (ACME)
+
+- httpd(8) - an HTTP daemon
+- relayd(8) - a relay daemon
+- acme-client(1) - a client for Automatic Certificate Management Environment (ACME)
With those free things, we can serve static webpages over TLS. While you most likely already use [NGINX](https://www.nginx.com/) or [Apache](https://httpd.apache.org/)[^win], those solutions are complex. They work amazingly in enterprise environments where you have people with doctorates in NGINX configuration, but most real-world examples don't need that complexity. A static blog most likely doesn't.
[^win]: because there is no fourth way. Please repeat after me: there is no webserver in Windows.
@@ -176,10 +177,11 @@ relay "https6" {
{{</highlight>}}
Now, I won't go into much detail here, but what happens here is:
-We create two relays, one for ipv4 and one for ipv6. One relay can listen on a single port for given IP. Each relay uses protocol "https" to modify and steer the request to a given process.
-Both relays set up forwarding to httpd (IP taken from the table on the head of the file) on port 8080.
-https protocol adds a TLS key pair for the session. We've got the files from Let's Encrypt in the step above.
-We then test each request, and if the host matches "michal.sapka.me" it will be forwarded to httpd(8).
+1. We create two relays, one for ipv4 and one for ipv6. One relay can listen on a single port for given IP. Each relay uses protocol "https" to modify and steer the request to a given process.
+2. Both relays set up forwarding to httpd (IP taken from the table on the head of the file) on port 8080.
+3. https protocol adds a TLS key pair for the session. We've got the files from Let's Encrypt in the step above.
+4. We then test each request, and if the host matches "michal.sapka.me" it will be forwarded to httpd(8).
+
You can also see that relayd(8) can listen on a given IP or all IPs (:: in case of IPv6)
But our httpd(8) listens only on port 80! Let's fix that by changing the `httpd.conf` file:
@@ -201,10 +203,11 @@ server "michal.sapka.me" {
{{</highlight>}}
Now, when the user enters the site, the flow will look like:
-httpd(8) will respond to :80 requests and return a 301 redirect to HTTPS
-relayd(8) will catch the request to :443 and forward it on port :8080 to httpd(8)
-httpd(8) will serve our site and pass the response to relayd(8) again
-relayd(8) can modify headers before returning the response to the client.
+
+1. httpd(8) will respond to :80 requests and return a 301 redirect to HTTPS
+2. relayd(8) will catch the request to :443 and forward it on port :8080 to httpd(8)
+3. httpd(8) will serve our site and pass the response to relayd(8) again
+4. relayd(8) can modify headers before returning the response to the client.
Talking about modifying headers, let's apply some extra security! We can expand our https protocol with the following: