OpenBSD httpd Installation on FreeBSD
Note: This has been tested on FreeBSD 14.1.
Directory Mapping
FreeBSD follows different directory conventions than OpenBSD. On FreeBSD, add-ons are placed in /usr/local. OpenBSD does not do that. Since OpenBSD httpd is built for OpenBSD, the httpd documentation (including the man pages installed on FreeBSD) refers to OpenBSD paths. The obhttpd package is patched to adhere to the FreeBSD directory structure.
- Configuration file
  - OpenBSD: /etc/httpd.conf
  - FreeBSD: /usr/local/etc/obhttpd.conf
- Websites
  - OpenBSD: /var/www
  - FreeBSD: /usr/local/www
- Log files
  - OpenBSD: /var/www/logs
  - FreeBSD: /var/log/obhttpd
- SSL/TLS keys
  - OpenBSD: /etc/ssl
  - FreeBSD: /var/db/acme and copy to /usr/local/etc/auth-acme (with acme.sh)
Install and Enable OpenBSD httpd (obhttpd):
doas pkg install obhttpd
doas sysrc obhttpd_enable="YES"
Initial httpd.conf:
This configuration file sets up a default virtual server to catch all requests that do not point to separately configured virtual servers. These requests certainly come from web attackers maliciously probing the host's open HTTP port. The default server drops requests silently and does not send responses. It also does not generate log entries. Thus any request spam is handled with low effort.
doas vim /usr/local/etc/obhttpd.conf
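# Public addresses of this host (replace the placeholders)
public_ip4="<public_ipv4>"
public_ip6="<public_ipv6>"
# FreeBSD locations; root paths in server blocks are relative to the chroot
chroot "/usr/local/www"
logdir "/var/log/obhttpd"
# Catch-all for requests that match no separately configured server:
# drop them without a response and without a log entry
server "default" {
    listen on $public_ip4 port 80
    listen on $public_ip6 port 80
    block drop
    no log
}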
Starting the HTTP Server
doas obhttpd -n && doas service obhttpd start
Opening pf Ports:
If the pf firewall is configured as outlined in FIXME, then add the following firewall rules to the pf configuration.
doas vim /etc/pf.conf
# allow HTTP and HTTPS in
pass in on $public_if proto tcp to port { 80 443 }
Add a Virtual Server for Domain Parking
doas mkdir /usr/local/www/blanksite
doas vim /usr/local/etc/obhttpd.conf
server "<server_name_1>" {
    listen on $public_ip4 port 80
    listen on $public_ip6 port 80
    alias "www.<server_name_1>"
    alias "<server_name_2>"
    alias "www.<server_name_2>"
    <...>
    alias "<server_name_n>"
    alias "www.<server_name_n>"
    root "/blanksite"
    directory index index.html
    location "*" {
        request rewrite "/index.html"
    }
    no log
}
doas vim /usr/local/www/blanksite/index.html
<!DOCTYPE html>
<html>
<head>
<title>This page is intentionally left blank</title>
</head>
<body>
This page is intentionally left blank.
</body>
</html>
Restart httpd
doas obhttpd -n && doas service obhttpd restart
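obhttpd -n only checks that the configuration file is valid. The following added example (not part of the original page or of the obhttpd package) lints a config against the conventions used above: FreeBSD chroot and logdir paths, root given relative to the chroot, and a first server named "default" that carries block drop and no log. The function names and the sample config are constructed for illustration, and the check assumes that the catch-all is the first server block in the file, as in the configuration above.

```sh
#!/bin/sh
# Added example (not part of the obhttpd package): lint an obhttpd.conf
# against the layout described on this page. Prints one finding per line.
lint_obhttpd_conf() {
    awk '
    function val(s) { gsub(/"/, "", s); return s }
    # Global settings: flag OpenBSD defaults copied from the man pages.
    $1 == "chroot" { chroot = val($2)
        if (chroot ~ /^\/var\/www/) print "chroot uses OpenBSD path: " chroot }
    $1 == "logdir" && val($2) ~ /^\/var\/www/ {
        print "logdir uses OpenBSD path: " val($2) }
    # Only the first server block is treated as the catch-all (assumption).
    $1 == "server" { n++; name = val($2); depth = 0; if (n == 1) first = name }
    n == 1 && depth == 1 && $1 == "block" && $2 == "drop" { drop = 1 }
    n == 1 && depth == 1 && $1 == "no" && $2 == "log" { nolog = 1 }
    # root is resolved inside the chroot, so it must not repeat that prefix.
    $1 == "root" && chroot != "" && index(val($2), chroot) == 1 {
        print "server " name ": root repeats chroot prefix: " val($2) }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    END {
        if (first != "default") print "first server is \"" first "\", not \"default\""
        if (!drop) print "catch-all server lacks: block drop"
        if (!nolog) print "catch-all server lacks: no log"
    }' "$1"
}

# Constructed sample: a config ported carelessly from OpenBSD documentation.
sample_bad_conf() {
    cat <<'EOF'
chroot "/var/www"
logdir "/var/www/logs"
server "example.org" {
    listen on * port 80
    root "/var/www/htdocs"
}
EOF
}

# Usage: pass "demo" as the first argument to lint the constructed sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && sample_bad_conf > "$tmp" && lint_obhttpd_conf "$tmp"
    rm -f "$tmp"
fi
```

To check the live file, call lint_obhttpd_conf /usr/local/etc/obhttpd.conf; empty output means none of the checks fired.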
Done.