Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:
$ doas cp /etc/examples/httpd.conf /etc/httpd.conf
Here is what /etc/httpd.conf contains:
server "example.com" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}
server "example.com" {
listen on * tls port 443
tls {
certificate "/etc/ssl/example.com.fullchain.pem"
key "/etc/ssl/private/example.com.key"
}
location "/pub/*" {
directory auto index
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
You must replace example.com everywhere with your domain name.
Simply enable and start the web server:
$ doas rcctl enable httpd
$ doas rcctl start httpd
Make sure pf allows incoming http connections by putting this line into /etc/pf.conf:
pass in proto tcp to port {http https}
Then, reload the pf rulesets:
$ doas pfctl -f /etc/pf.conf
At this point, you should test to see if the web server is working on port 80. This test should be run on some other computer besides the web server (your local workstation is fine). Make sure you have curl installed:
$ doas pkg_add curl
$ curl example.com
You should a response similar to the one below:
302 Found
302 Found
OpenBSD httpd
Now you will almost certainly want openhttpd to use an SSL cert, so follow the [[openbsd:acme-client|acme-client]] instructions, then reset your web server:
$ doas rcctl restart httpd
To test if your web server is working and has a correct SSL cert, run:
$ openssl s_client -connect example.com:443
You should see the correct SSL subject and issuer:
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
{{ :openbsd:www:ssl-cert.png?direct |}}