paritybit.ca

commit 90b38e801627d5d0d4495310680431d7ba337097
parent 5df18d4f01edcab097d1a4f385429aae7a317055
Author: Jake Bauer <jbauer@paritybit.ca>
Date:   Tue, 16 Feb 2021 23:35:15 -0500

Complete blog post draft

Diffstat:
M http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 54 insertions(+), 5 deletions(-)

diff --git a/http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md b/http/pages/blog/migrating-from-nginx-to-openbsd-httpd-and-relayd.md @@ -1,6 +1,6 @@ -## Migrating from Nginx to OpenBSD's httpd and relayd +## Migrating from nginx to OpenBSD's httpd and relayd -[//]: # "Detailing how I migrated my Debian 10 server running Nginx to OpenBSD with httpd and relayd." +[//]: # "Detailing how I migrated my Debian 10 server running nginx to OpenBSD with httpd and relayd." [//]: # "main.min.css" @@ -12,9 +12,25 @@ <b>Last Updated:</b> [DATE] </div> -After getting some experience administrating OpenBSD for the two mail servers I -run, I wanted to explore more of the operating system. I had briefly heard about -relayd and httpd from some things around the net. +<figure> + <a href="/img/openbsd-logo.png"><img src="/img/openbsd-logo.png" alt="The OpenBSD logo."/></a> + <figcaption>This logo is subject to the license at: <a href="https://www.openbsd.org/art4.html">openbsd.org</a></figcaption> +</figure> + +Having set up my mail server on OpenBSD, I've been very satisfied with the +cohesiveness of the operating system; it has been a breeze to administrate. +Since certbot just stopped working randomly on my previous server running Debian +10 and nginx, I took it as an opportunity to try out OpenBSD for hosting my +website and reverse proxy. OpenBSD includes two daemons written by the OpenBSD +developers—httpd and relayd—for just those purposes. They also provide +acme-client as an alternative to certbot. All of this was done on OpenBSD 6.8. + +Below is my httpd configuration. This contains configurations for renewing the +TLS certificate as well as serving both +[www.paritybit.ca](https://www.paritybit.ca) and +[ftp.paritybit.ca](https://ftp.paritybit.ca) with redirects as needed. If I +wanted to, I could also split these into separate config files and use the +`include` directive. ``` types { 
@@ -76,6 +92,28 @@ server "ftp.paritybit.ca" { } ``` +In the above configuration, there are two `location match` directives in the +[www.paritybit.ca](https://www.paritybit.ca) server. The first matches any +request for a path ending in `.html` and rewrites the request to serve the +webpages from the `html` subdirectory as opposed to trying to find them in the +root folder of the website. + +The second matches any request which doesn't have a file extension and appends +`.html` to the requested resource path. This allows me to replicate nginx's +`try_files` command where one can tell it to search for files which look like +`$DOCUMENT_URI.html` and it means that users don't have to type out the `.html` +extension when visiting a page on my site. + +Below is my relayd configuration. I run multiple services from one IP so I need +to reverse proxy incoming connections to various services on my network. As with +nginx's reverse proxying, relayd can handle the TLS connections to each of my +services. I could also reverse proxy the connections to port 80 and redirect +them using relayd, but I felt it was simpler to just let the webserver handle +those directly. + +The reverse proxy for Gemini at the bottom of the configuration is just for +accessing it within my network because of my internal DNS configuration. + ``` ext_addr = 10.0.0.20 table <pleroma> { 10.0.0.7 } 
@@ -180,3 +218,14 @@ relay gemini { forward to <gemini> port 1965 check tcp } ``` + +There is a lot of extra configuration for the HTTP services for setting things +like Content Security Policy and other security headers (what a mess the Web has +become...). I used the [Pleroma installation guide for +OpenBSD](https://docs.pleroma.social/backend/installation/openbsd_en/) as a +reference for the CSPs needed for that service. + +As usual, the tools provided by the OpenBSD developers are a breeze to configure +and administrate. Plus the comprehensive, accurate, and complete documentation +provided with the system means that I don't have to scour the internet for help +only to find outdated tutorials or complicated documentation.
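
Review bot: In the hunk at @@ -12,9 +12,25 @@, the new intro names acme-client as the certbot replacement and says the httpd configuration "contains configurations for renewing the TLS certificate", but the added text never says where acme-client itself is configured or how renewal is scheduled. Since the stated reason for migrating was certbot breaking, a sentence pointing to that configuration and the renewal schedule would let a reader reproduce the setup. The context line with "Last Updated: [DATE]" also still carries its placeholder, which should be filled in before the post leaves draft.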
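
Review bot: In the hunk at @@ -76,6 +92,28 @@, the sentence "relayd can handle the TLS connections to each of my services" does not say on which side of the proxy TLS applies. State whether relayd terminates TLS from clients and forwards plaintext to backends such as 10.0.0.7, or also speaks TLS to the backend, because a reader copying the configuration needs to know whether traffic on the internal network is encrypted. Minor wording point in the same hunk: nginx's try_files is a directive rather than a command.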
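
Review bot: In the hunk at @@ -180,3 +218,14 @@, the paragraph on "Content Security Policy and other security headers" does not name the headers or say which part of the relayd configuration sets them. Listing the headers with a line on what each one is for would serve readers better than the parenthetical aside, and it would help to say whether the CSP taken from the Pleroma guide applies only to that relay or to the other HTTP services as well. Style point in the closing paragraph: "comprehensive, accurate, and complete" repeats itself and could be shortened.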