PreviousINDEXNext
Migrating to Python 3Index

OpenBSD 6.5: httpd https support and more...

I configured OpenBSD's httpd to use the LetsEncrypt certs I have for hydrus. This results in an httpd.conf file like this:

  # chrome httpd.conf with added https

  # Macros
  ext_addr="*"

  #
  # Global Options
  #
  prefork 3
  chroot "/home/www"

  #
  # Servers
  #

  # A name-based "virtual" server
  server "chrome.hydrus.org.uk" {
      alias "chrome"
      listen on $ext_addr port 80
      block return 301 "https://$SERVER_NAME$REQUEST_URI"
  }

  server "chrome.hydrus.org.uk" {
      alias "chrome"
      listen on $ext_addr tls port 443
      tls {
          certificate "/etc/ssl/server.crt"
          key "/etc/ssl/serverkey.pem"
      }
      root "/hydrus/data"
      log access "hydrus-access.log"
      log error "hydrus-error.log"
      # cgi-bin programs are in /hydrus/cgi-bin, but programs must see
      # DOCUMENT_ROOT as /hydrus/data
      location "/cgi-bin/*" {
          root "/hydrus"
          fastcgi param DOCUMENT_ROOT "/hydrus/data"
      }
  }

When copying across the certificates to enable https for httpd, I encountered what appears to be a defect in cpio. The certificates were copied by nfs mounting the disk system which contained them and then using cpio to copy them to the local location:

  (cd /mnt/certs && find . -print|cpio -pd ${target_dir})

The issue was that the newer certificates were not copied over the older versions on ${target_dir}. On other OS's (e.g. FreeBSD) this worked. According to the cpio man page:

  -u      Overwrite files even when the original file being copied
          is older than the one that will be overwritten.

implying that, normally, newer files should overwrite older versions. On OpenBSD, cpio is actually implemented via pax. An inspection of the source showed the issue, which the following patch corrects:

  --- options_orig.c      Thu May 30 15:05:55 2019
  +++ /usr/src/bin/pax/options.c  Thu May 30 15:50:34 2019
  @@ -1156,7 +1156,7 @@
          char *str;
          FILE *fp;

  -       kflag = 1;
  +       uflag = 1;
          pids = 1;
          pmode = 1;
          pmtime = 0;
  @@ -1255,7 +1255,7 @@
                                  /*
                                   * replace newer files
                                   */
  -                               kflag = 0;
  +                               uflag = 0;
                                  break;
                          case 'v':
                                  /*
PreviousINDEXNext
Migrating to Python 3Index