paritybit.ca


commit 1cb14d2631cf989766f2e999cad426f0b8a58cd3
parent 2ea12c973fdfe4583a515278e3774b0e81f06736
Author: Jake Bauer <jbauer@paritybit.ca>
Date:   Wed, 17 Feb 2021 00:06:04 -0500

Publish new blog post

Diffstat:
M http/pages/blog.md | 1+
M http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md | 4++--
M http/public/feeds/sitewide-feed.xml | 229+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M http/public/sitemap.xml | 2+-
4 files changed, 233 insertions(+), 3 deletions(-)

diff --git a/http/pages/blog.md b/http/pages/blog.md @@ -24,6 +24,7 @@ src="/img/feed-icon.png" width="15" height="15" alt="Click for RSS"/> Subscribe </form> <ul> + <li>2021-02-17 <a href="blog/migrating-from-nginx-to-openbsd-httpd-and-relayd">Migrating from nginx to OpenBSD's httpd and relayd</a></li> <li>2020-12-10 <a href="blog/flip-phone-challenge-complete">Flip Phone Challenge Complete</a></li> <li>2020-11-30 <a href="blog/flip-phone-challenge">One Week Flip Phone Challenge</a></li> <li>2020-11-02 <a href="blog/gemini-is-up-and-running">Gemini is Up and Running</a></li> diff --git a/http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md b/http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md @@ -8,8 +8,8 @@ <div class="byline"> <b>Written By:</b> Jake Bauer | - <b>Posted:</b> [DATE] | - <b>Last Updated:</b> [DATE] + <b>Posted:</b> 2021-02-17 | + <b>Last Updated:</b> 2021-02-17 </div> <figure> diff --git a/http/public/feeds/sitewide-feed.xml b/http/public/feeds/sitewide-feed.xml 
@@ -7,6 +7,235 @@ <description>The feed that covers all notable additions, updates, announcements, and other changes for the entire paritybit.ca website.</description> <item> + <title>Migrating from nginx to OpenBSD's httpd and relayd</title> + <link>https://www.paritybit.ca/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd</link> + <guid>https://www.paritybit.ca/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd</guid> + <pubDate>Wed, 17 Feb 2021 00:05:21 -0500</pubDate> + <description><![CDATA[<h2 id="Migrating%20from%20nginx%20to%20OpenBSD&amp;#39;s%20httpd%20and%20relayd">Migrating from nginx to OpenBSD&#39;s httpd and relayd</h2> + +<div class="byline"> +<b>Written By:</b> Jake Bauer | + <b>Posted:</b> 2021-02-17 | + <b>Last Updated:</b> 2021-02-17 +</div> + +<figure> + <a href="/img/openbsd-logo.png"><img src="/img/openbsd-logo.png" alt="The OpenBSD logo."/></a> + <figcaption>This logo is subject to the license at: <a href="https://www.openbsd.org/art4.html">openbsd.org</a></figcaption> +</figure> + +<p>Having set up my mail server on OpenBSD, I&#39;ve been very satisfied with the +cohesiveness of the operating system; it has been a breeze to administrate. +Since certbot just stopped working randomly on my previous server running Debian +10 and nginx, I took it as an opportunity to try out OpenBSD for hosting my +website and reverse proxy. OpenBSD includes two daemons written by the OpenBSD +developers—httpd and relayd—for just those purposes. They also provide +acme-client as an alternative to certbot. All of this was done on OpenBSD 6.8.</p> + +<p>Below is my httpd configuration. This contains configurations for renewing the +TLS certificate as well as serving both +<a href="https://www.paritybit.ca">www.paritybit.ca</a> and +<a href="https://ftp.paritybit.ca">ftp.paritybit.ca</a> with redirects as needed. 
If I +wanted to, I could also split these into separate config files and use the +<code>include</code> directive.</p> + +<pre><code>types { + include "&#47;usr&#47;share&#47;misc&#47;mime.types" +} + +# For certificate renewal +server "paritybit.ca" { + listen on * port 80 + location "&#47;.well-known&#47;acme-challenge&#47;*" { + root "&#47;acme" + request strip 2 + } + location * { + block return 302 "https:&#47;&#47;paritybit.ca$REQUEST_URI" + } +} +server "paritybit.ca" { + listen on * port 8080 + location * { + block return 302 "https:&#47;&#47;www.paritybit.ca$REQUEST_URI" + } +} + +# WWW.PARITYBIT.CA +server "www.paritybit.ca" { + listen on * port 8080 + root "&#47;paritybit.ca" + location "&#47;" { + request rewrite "&#47;html&#47;home.html" + } + location match "&#47;.*%.html" { + request rewrite "&#47;html&#47;$REQUEST_URI" + } + location match "&#47;([^%.]+)$" { + request rewrite "&#47;html&#47;%1.html" + } +} + +server "www.paritybit.ca" { + listen on * port 80 + location * { + block return 302 "https:&#47;&#47;www.paritybit.ca$REQUEST_URI" + } +} + +# FTP.PARITYBIT.CA +server "ftp.paritybit.ca" { + listen on * port 8080 + root "&#47;ftp.paritybit.ca" + directory auto index +} + +server "ftp.paritybit.ca" { + listen on * port 80 + location * { + block return 302 "https:&#47;&#47;ftp.paritybit.ca$REQUEST_URI" + } +} +</code></pre> + +<p>In the above configuration, there are two <code>location match</code> directives in the +<a href="https://www.paritybit.ca">www.paritybit.ca</a> server. The first matches any +request for a path ending in <code>.html</code> and rewrites the request to serve the +webpages from the <code>html</code> subdirectory as opposed to trying to find them in the +root folder of the website.</p> + +<p>The second matches any request which doesn&#39;t have a file extension and appends +<code>.html</code> to the requested resource path. 
This allows me to replicate nginx&#39;s +<code>try_files</code> command where one can tell it to search for files which look like +<code>$DOCUMENT_URI.html</code> and it means that users don&#39;t have to type out the <code>.html</code> +extension when visiting a page on my site.</p> + +<p>Below is my relayd configuration. I run multiple services from one IP so I need +to reverse proxy incoming connections to various services on my network. As with +nginx&#39;s reverse proxying, relayd can handle the TLS connections to each of my +services. I could also reverse proxy the connections to port 80 and redirect +them using relayd, but I felt it was simpler to just let the webserver handle +those directly.</p> + +<p>The reverse proxy for Gemini at the bottom of the configuration is just for +accessing it within my network because of my internal DNS configuration.</p> + +<pre><code>ext_addr = 10.0.0.20 +table &#60;pleroma&#62; { 10.0.0.7 } +table &#60;git&#62; { 10.0.0.11 } +table &#60;matrix&#62; { 10.0.0.16 } +table &#60;www&#62; { 127.0.0.1 } +table &#60;gemini&#62; { 10.0.0.21 } + +# TLS proxy all home services +http protocol "httpsproxy" { + tcp {nodelay, sack, backlog 128} + + tls keypair "paritybit.ca" + + return error + + match header set "X-Client-IP" \ + value "$REMOTE_ADDR:$REMOTE_PORT" + match header set "X-Forwarded-For" \ + value "$REMOTE_ADDR" + match header set "X-Forwarded-By" \ + value "$SERVER_ADDR:$SERVER_PORT" + + match response header remove "Server" + match response header set "X-Frame-Options" \ + value "SAMEORIGIN" + match response header set "X-XSS-Protection" \ + value "1; mode=block" + match response header set "X-Content-Type-Options" \ + value "nosniff" + match response header set "Referrer-Policy" \ + value "strict-origin" + match response header set "Content-Security-Policy" \ + value "default-src &#39;none&#39;; \ + base-uri &#39;self&#39;; \ form-action &#39;self&#39; https:&#47;&#47;duckduckgo.com&#47;; \ + img-src &#39;self&#39; data: 
https:; \ + media-src &#39;self&#39; https:; \ + style-src &#39;self&#39; &#39;unsafe-inline&#39;; \ + font-src &#39;self&#39;; \ + script-src &#39;self&#39; &#39;unsafe-inline&#39;; \ + connect-src &#39;self&#39; wss:&#47;&#47;pleroma.paritybit.ca; \ + upgrade-insecure-requests;" + match response header set "Strict-Transport-Security" \ + value "max-age=31536000; includeSubDomains" + match response header set "Permissions-Policy" \ + value "accelerometer=(none), camera=(none), \ + geolocation=(none), gyroscope=(none), \ + magnetometer=(none), microphone=(none), \ + payment=(none), usb=(none), \ + ambient-light-sensor=(none), autoplay=(none)" + + pass request quick header "Host" value "git.paritybit.ca" \ + forward to &#60;git&#62; + pass request quick header "Host" value "matrix.paritybit.ca" \ + forward to &#60;matrix&#62; + pass request quick header "Host" value "pleroma.paritybit.ca" \ + forward to &#60;pleroma&#62; + pass request quick header "Host" value "ftp.paritybit.ca" \ + forward to &#60;www&#62; + pass request quick header "Host" value "www.paritybit.ca" \ + forward to &#60;www&#62; + pass request quick header "Host" value "paritybit.ca" \ + forward to &#60;www&#62; + block +} + +relay "reverseproxy" { + listen on $ext_addr port 443 tls + protocol httpsproxy + forward to &#60;git&#62; port 80 check http "&#47;" code 200 + forward to &#60;matrix&#62; port 8008 check http "&#47;" code 302 + forward to &#60;pleroma&#62; port 8080 check http "&#47;" code 400 + forward to &#60;www&#62; port 8080 check http "&#47;" code 302 +} + +# For Matrix +http protocol "matrix" { + tcp {nodelay, sack, backlog 128} + + tls keypair "paritybit.ca" + + return error + + match header set "X-Client-IP" \ + value "$REMOTE_ADDR:$REMOTE_PORT" + match header set "X-Forwarded-For" \ + value "$REMOTE_ADDR" + match header set "X-Forwarded-By" \ + value "$SERVER_ADDR:$SERVER_PORT" + + pass +} + +relay "matrixrevprox" { + listen on $ext_addr port 8448 tls + protocol matrix + forward to 
&#60;matrix&#62; port 8008 check tcp +} + +relay gemini { + listen on $ext_addr port 1965 + forward to &#60;gemini&#62; port 1965 check tcp +} +</code></pre> + +<p>There is a lot of extra configuration for the HTTP services for setting things +like Content Security Policy and other security headers (what a mess the Web has +become&#8230;). I used the <a href="https://docs.pleroma.social/backend/installation/openbsd_en/">Pleroma installation guide for +OpenBSD</a> as a +reference for the CSPs needed for that service.</p> + +<p>As usual, the tools provided by the OpenBSD developers are a breeze to configure +and administrate. Plus the comprehensive, accurate, and complete documentation +provided with the system means that I don&#39;t have to scour the internet for help +only to find outdated tutorials or complicated documentation.</p>]]></description> + </item> +<item> <title>Flip Phone Challenge Complete</title> <link>https://www.paritybit.ca/blog/flip-phone-challenge-complete</link> <guid>https://www.paritybit.ca/blog/flip-phone-challenge-complete</guid> diff --git a/http/public/sitemap.xml b/http/public/sitemap.xml @@ -3,7 +3,7 @@ <url><loc>https://www.paritybit.ca</loc></url> <url><loc>https://www.paritybit.ca/home</loc></url> <url><loc>https://www.paritybit.ca/blog</loc></url> - <url><loc>https://www.paritybit.ca/blog/flip-phone-challenge-complete</loc></url> + <url><loc>https://www.paritybit.ca/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd</loc></url> <url><loc>https://www.paritybit.ca/blog/flip-phone-challenge-complete</loc></url> <url><loc>https://www.paritybit.ca/blog/flip-phone-challenge</loc></url> <url><loc>https://www.paritybit.ca/blog/gemini-is-up-and-running</loc></url> <url><loc>https://www.paritybit.ca/blog/gomux-is-the-best-cli-matrix-client</loc></url>
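Review bot: in the httpd configuration carried by the sitewide-feed.xml hunk, all three backend servers (`server "paritybit.ca"`, `server "www.paritybit.ca"` and `server "ftp.paritybit.ca"`) bind with `listen on * port 8080`, while the relayd table that fronts them is `table <www> { 127.0.0.1 }`. The plain-HTTP backends are therefore reachable on 10.0.0.20:8080 by anything that can reach that address, bypassing relayd's TLS termination and the response headers it sets; `listen on 127.0.0.1 port 8080` in those three servers (or a pf rule to the same effect) closes that gap. Two smaller points in the same text: only the port-80 `server "paritybit.ca"` carries the `location "/.well-known/acme-challenge/*"` block, so if the single `tls keypair "paritybit.ca"` also covers www.paritybit.ca and ftp.paritybit.ca, HTTP-01 requests for those names hit the redirect-only port-80 servers, follow the 302 into relayd and end up in the `location match "/([^%.]+)$"` rewrite, which sends them to `/html/acme-challenge/<token>.html` instead of the challenge file; and in `Permissions-Policy` the form for an empty allowlist is `accelerometer=()`, since `none` is Feature-Policy syntax and not a Permissions-Policy token.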
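Review bot: in the sitemap.xml hunk the removed line and the unchanged context line immediately after it are both `https://www.paritybit.ca/blog/flip-phone-challenge-complete`, so the pre-commit sitemap listed that URL twice and the new post's URL takes the duplicate's slot rather than being inserted as a new line. The resulting sitemap is correct, but whatever produced the duplicate entry should be checked so the next publish does not depend on one being there.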