
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

5 votes
1 answers
2192 views
HTTP proxy in OpenBSD 5.8 (replacing Apache ProxyPass)
I'm trying to replace Apache with OpenBSD's httpd but can't figure out what to do with my ProxyPass statements. In Apache's conf it looks like this:

```
ProxyPass /someurl http://192.168.123.123/someotherurl
ProxyPassReverse /someurl http://192.168.123.123/someotherurl
```

- I thought I should use relayd for this, but how do I do the URL rewrite?
- Would I set up relayd to listen on port 80 and forward some things to different internal machines and the rest to httpd on localhost?
EVK (51 rep)
Jan 27, 2016, 07:24 PM • Last activity: Apr 17, 2025, 02:09 AM
1 votes
1 answers
420 views
How to require authentication for a subdirectory on an OpenBSD httpd webserver?
I have a VPS running _OpenBSD 7.4 x64_ that hosts my personal webpage among other things. This webpage is using the native http daemon provided by OpenBSD, not an Apache server. I would like to have the majority of my website open to anyone who encounters it, although there are certain pages that I would like to only be visible to authenticated users for privacy purposes. I have scoured the web for documentation on how to achieve this, and come up mostly empty-handed. What I have found so far is that I need to add an statement in my `/etc/httpd.conf` file to prompt the user for a username and password, which is then checked against the `.htpasswd` file that I have previously created for the protected realm. I have also found that one may have multiple "realms" with distinct `.htpasswd` files for each.

My issue is that I have not been able to properly set up the `/etc/httpd.conf` file so that it asks for authentication and then allows the user through upon receiving correct info. It seems that the adoption of OpenBSD's native http daemon is still relatively small, at least compared to the adoption of Apache servers. I have not found any thorough explanations of how it all works besides OpenBSD's manpages, which, while many people say they are very thorough, I have still had some trouble fully understanding. This is all a very new thing to me, in fact I was only able to set all of this up in the first place because I used a [script made by someone else](https://sive.rs/ti.sh) and followed [their instructions](https://sive.rs/ti).

To wrap all of this up, __I would like to password-protect a folder/directory and all of its subfolders/subdirectories, recursively.__ I envision this would be something akin to adding `authenticate "realm" with "[.htpasswd file]"` to a block in my `.conf`. The problem is that when I try this, the server merely prompts for a password and immediately prompts for it again, ad infinitum, regardless of whether or not the password matches the `.htpasswd` credentials I have previously created. If I hit on the password prompt, the server will then give me a "401 Unauthorized" page. Here is a config that will result in infinite password challenges:
```
prefork 5

types {
  include "[TYPES_FILE_LOCATION]"
}

server "[DOMAIN_NAME.COM]" {
  listen on * port 80
  location * {
    block return 301 "https://$HTTP_HOST$REQUEST_URI "
  }
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

server "[DOMAIN_NAME.COM]" {
  listen on 127.0.0.1 port 8080
  default type text/html

[*** PROBLEM HERE v ***]
  location "/[PROTECTED_FOLDER]" {
    authenticate "realm" with "[.HTPASSWD_LOCATION]"
  }
[*** PROBLEM HERE ^ ***]

  location "/pub/*" {
    directory auto index
  }
}
```
This config works as-is for regular https connections and for http -> https connections as well. I have also tried
```
[*** PROBLEM HERE v ***]
  location "/[PROTECTED_FOLDER]/*" {
    authenticate "realm" with "[.HTPASSWD_LOCATION]"
  }
[*** PROBLEM HERE ^ ***]
```
to a similar effect. Here are the permissions for the users.htpasswd file and all parent directories:
```
drwxr-xr-x  13 root  wheel   512 Nov 29 19:00 /
drwxr-xr-x  27 root  wheel   512 Nov 15 05:22 /var
drwxr-xr-x  11 root  daemon  512 Jan  1 23:20 /var/www/
-rw-------   1 www   daemon   68 Jan  1 23:29 /var/www/users.htpasswd
```
Does anyone know what I am doing wrong here? Any resources I might have missed? Here are some resources I have discovered so far.

- [similar question #1 - misc.openbsd.narkive.com](https://misc.openbsd.narkive.com/gxk0xkOU/openbsd-s-httpd-troubles-again-can-t-find-any-man-page-that-explains-how-to-properly-set-up)
- [similar question #2 - reddit.com/r/openbsd](https://www.reddit.com/r/openbsd/comments/811sbs/looking_for_some_examples/) [archive](https://www.reveddit.com/v/openbsd/comments/811sbs/looking_for_some_examples/?rdt=54250)
- [httpd.conf manpage - man.openbsd.org](https://man.openbsd.org/httpd.conf) [archive](https://web.archive.org/web/20230623161748/https://man.openbsd.org/httpd.conf)

Any tips/help/pointers greatly appreciated.
qqq (61 rep)
Nov 25, 2023, 10:57 PM • Last activity: Jan 8, 2024, 05:00 PM
1 votes
1 answers
162 views
The IP address of the server is modified in relation to the client once the VPN connection is established using WireGuard
I have the WireGuard configuration below on the server side:

```
[Interface]
ListenPort = 51820
PrivateKey = oPernzzF+Kl499z2TMwemZLUN6/e630Q=

[Peer]
PublicKey = yyhY5Blx+PxCHu/wK7QgiL/veRrXHQ34RmTi//zynVA=
AllowedIPs = 10.0.8.2/32
PersistentKeepalive = 25
```

Since I didn't specify the Address in the interface section, the default IP address for the server after establishing the WireGuard connection is 10.0.8.1. However, the actual IP address of my server is 192.168.0.230 and it hosts a httpd webpage on port 80. The server is not in a production environment and is running on OpenBSD 7.3 stable. This WireGuard configuration is functioning perfectly. To access the webpage after establishing the WireGuard connection, I need to enter 10.0.8.1:80 instead of 192.168.0.230:80. I have also tested this configuration on a DigitalOcean Ubuntu 23.04 server and obtained the same result. Therefore, since the server's IP address is changing, there may be a domain name conflict and I do not want my clients to directly use the IP address. Is there a solution to this issue so that I can resolve it with the server's domain name only?
SOUBHEEK NATH (21 rep)
Oct 16, 2023, 07:23 PM • Last activity: Oct 17, 2023, 10:08 PM
0 votes
1 answers
1215 views
Server httpd(OpenBSD), doesn't work server.key
I have tried several methods, but the SSL certificate doesn't work.
```
BSD# curl -vi https://192.168.1.21:443
*   Trying 192.168.1.21:443...
* Connected to 192.168.1.21 (192.168.1.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection 0
curl: (35) error:02FFF036:system library:func(4095):Connection reset by peer
```
httpd.conf:

```
server "www.somename.ru" {
    listen on 192.168.1.21 port 80
    listen on 192.168.1.21 tls port 443
    root "/htdocs/somename.ru"
    directory index index.php
    location "*.php*" {
        fastcgi socket "/run/php-fpm.sock"
    }

    tls certificate "/etc/ssl/server.crt"
    tls key "/etc/ssl/private/server.key"

}
```
And I haven't changed the DNS server yet for this domain. Maybe this causes the problem, because the web site is accessible only via IP address and ports. The certificate is from Comodo.
I received four files, and verified them properly using cat, to make a bundle in the right order. External ports for my network are 543 (TLS) and 2050 (HTTP), because 443 is taken for tunnel remote access and 80 for the router, so I can't take them. If I run httpd in debug mode:
```
BSD# httpd -d
startup
server_tls_init: failed to configure tls - failed to read private key
server_tls_init: failed to configure tls - failed to read private key
server_tls_init: failed to configure tls - failed to read private key
```
But the key is correct; I checked it with

```
openssl rsa -check -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5
```

The key was encrypted

```
openssl genrsa -out /etc/ssl/private/server.key 4096
openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
```

UPDATE: After some research, I am close to an answer. Something is wrong; the server couldn't decrypt server.key, and I don't know how to set an instruction for that. doesn't help to solve problem:

```
ciphers "TLSv1.2:TLSv1.3:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
```
igor (1 rep)
Nov 3, 2020, 02:01 PM • Last activity: Apr 29, 2021, 11:52 PM
1 votes
2 answers
978 views
How to find why php72_fpm is failing to start on OpenBSD?
My httpd logs show errors that look like php-fpm issues and sure enough, when I try `rcctl start php72_fpm` I get

> php72_fpm(failed)

In line with other OpenBSD configuration so far, I'd expect to be able to investigate some logs and read some man pages, but not sure where to find the error message in this case.
ljs.dev (2147 rep)
Nov 2, 2018, 02:53 AM • Last activity: Jan 27, 2019, 11:46 AM
2 votes
1 answers
498 views
I can not change the ciphers in OpenBSD 6.2 in httpd.conf
I can not change the ciphers in OpenBSD 6.2 in httpd.conf

```
tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:!AES128:!DHE:-ECDH:ECDHE:+SHA384:+SHA256"
```

> /etc/httpd.conf:46: server "domain.ex": tls configuration mismatch on same address/port

Does anyone have any idea?
Vim (229 rep)
Dec 23, 2017, 12:14 PM • Last activity: Dec 23, 2017, 05:27 PM
1 votes
1 answers
211 views
Building dynamically driven web sites with Mason (Perl) with httpd on OpenBSD current
Is it possible to build dynamically driven web sites with Mason (Perl) with httpd on OpenBSD current? See [_The Mason Book_](http://masonbook.houseabsolute.com/) and [the introduction to OpenBSD's httpd](https://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf).
Vim (229 rep)
Nov 23, 2016, 09:31 AM • Last activity: Dec 15, 2017, 03:47 PM
2 votes
0 answers
1109 views
How do I install OpenBSD-httpd on Debian
I would like to run OpenBSD-httpd on Linux. Is there a portable version of OpenBSD-httpd? How do I install it on Debian?
Bex (768 rep)
Sep 8, 2017, 01:13 PM
3 votes
1 answers
776 views
OpenBGP httpd.conf
How to redirect an HTTP request to a specific page using OpenBSD's `httpd`; for example, I'm serving up OpenBGPd `bgplg` like so in `httpd.conf`:

```
ext_addr="127.0.0.1"

server "www.example.conf" {
    listen on $ext_addr port 80
    location "/cgi-bin/*" {
        fastcgi
        root ""
    }
}
```

How to make it possible to redirect www.example.com to www.example.com/cgi-bin/bgplg, rather than having to type exactly www.example.com/cgi-bin/bgplg. I tried a few options but none seems to work. Thanks
bbzz (31 rep)
Feb 11, 2017, 10:48 PM • Last activity: Feb 21, 2017, 08:57 AM
4 votes
1 answers
1592 views
OpenBSD httpd.conf conditionals
_Note: this question is about the [built-in OpenBSD http server named `httpd`](http://openbsd.su/src/usr.sbin/httpd/) and its configuration. It does not apply to any other web servers._

Is it possible to make runtime conditional configurations of the new OpenBSD http server `httpd`? A naïve example would be

```
server "myserver.com" {
    if $REMOTE_ADDR == "127.0.0.1"
        block drop
}
```

to disallow local access. Another, perhaps more relevant and illuminating, example would be in the case I am implementing an interface to a remote service that runs from a specific place, then I would benefit from something like

```
remote_service1_ip = "192.168.0.1"
server "myserver.com" {
    location "/remote_service1_api/" {
        if $REMOTE_ADDR != $remote_service1_ip
            block drop
    }
}
```

If this is possible, what is the correct way of doing it? More generally - there are a number of predefined macros specified in the man-page of OpenBSD-httpd.conf as described in the block:

- `$DOCUMENT_URI`: The request path.
- `$QUERY_STRING`: The optional query string of the request.
- `$REMOTE_ADDR`: The IP address of the connected client.
- `$REMOTE_PORT`: The TCP source port of the connected client.
- `$REMOTE_USER`: The remote user for HTTP authentication.
- `$REQUEST_URI`: The request path and optional query string.
- `$SERVER_ADDR`: The configured IP address of the server.
- `$SERVER_PORT`: The configured TCP server port of the server.
- `$SERVER_NAME`: The name of the server.
- `%n`: The capture index n of a string that was captured by the enclosing location match option.

and I would like to know how to use them. Using `$REMOTE_ADDR` in a redirection context seems rather silly to me, and I guess there should be something else to use them for, but I can't find or understand any such use case in the documentation.
Bex (768 rep)
Apr 8, 2016, 01:00 PM • Last activity: Jul 4, 2016, 04:28 AM
0 votes
0 answers
137 views
How to disable HTTP TRACE on OpenBSD 5.3?
An nmap scan gave this:

```
443/tcp open ssl/http Apache httpd
| http-methods: GET HEAD OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
```

so I tried to:

```
# DISABLE TRACE
vi /var/www/conf/httpd.conf
TraceEnable off
```

**Q:** But it gave a syntax error. How can I securely disable the TRACE HTTP method on OpenBSD 5.3?

p.s.: Why is an insecure option enabled in a secure OS?
gasko peter (5634 rep)
Sep 11, 2013, 09:06 AM • Last activity: Jul 8, 2015, 12:08 PM
0 votes
1 answers
1646 views
How should I configure /etc/host.allow on OpenBSD to only allow given IP's?
I have an OpenBSD 5.1 box that is running a static HTML-based website. I have a list of IP addresses that I want to allow, ex.:

```
...
78.128.49.0/24
78.128.50.0/24
...
```

It's ~10 KByte, ~10 000 lines. I only want to allow these IP addresses, and no one else, to contact the server (httpd, ssh, anything, even ports that aren't used).

***Q***: What is the best syntax to do this in the host.allow/host.deny file? (AFAIK it should be better to put 10 000 IP address ranges in a file than putting them in the firewall..)
gasko peter (5634 rep)
Mar 21, 2013, 02:33 PM • Last activity: Apr 7, 2014, 02:36 PM
3 votes
1 answers
585 views
How to modify the default "Index of" page in OpenBSD 5.3 httpd
Using the old apache:

```
# grep -i httpd /etc/rc.conf
httpd_flags="-DSSL"
# grep -i nginx /etc/rc.conf
nginx_flags=NO
#
```

How can I modify the custom "Index of" page?

**Question**: The only problem with the default "Index of" page is that the "NAME" column has way too short a width. How can I increase it?
gasko peter (5634 rep)
May 28, 2013, 11:14 AM • Last activity: Apr 7, 2014, 02:34 PM
Showing page 1 of 13 total questions