OpenBSD 6.5: httpd https support and more...
I configured OpenBSD's httpd to use the Let's Encrypt certs I
have for hydrus. This results in an httpd.conf file like
this:
# chrome httpd.conf with added https

# Macros
ext_addr="*"

#
# Global Options
#
prefork 3
chroot "/home/www"

#
# Servers
#

# A name-based "virtual" server
server "chrome.hydrus.org.uk" {
    alias "chrome"
    listen on $ext_addr port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server "chrome.hydrus.org.uk" {
    alias "chrome"
    listen on $ext_addr tls port 443
    tls {
        certificate "/etc/ssl/server.crt"
        key "/etc/ssl/serverkey.pem"
    }
    root "/hydrus/data"
    log access "hydrus-access.log"
    log error "hydrus-error.log"

    # cgi-bin programs are in /hydrus/cgi-bin, but programs must see
    # DOCUMENT_ROOT as /hydrus/data
    location "/cgi-bin/*" {
        root "/hydrus"
        fastcgi param DOCUMENT_ROOT "/hydrus/data"
    }
}

When copying across the certificates to enable https for httpd, I
encountered what appears to be a defect in cpio. The
certificates were copied by NFS-mounting the disk system which contained
them and then using cpio to copy them to the local
location:
(cd /mnt/certs && find . -print|cpio -pd ${target_dir})
The issue was that the newer certificates were not copied over the
older versions on ${target_dir}. On other OSes (e.g. FreeBSD) this
worked. According to the cpio man page:
-u Overwrite files even when the original file being copied
is older than the one that will be overwritten.
implying that, normally, newer files should overwrite older
versions. On OpenBSD, cpio is actually implemented via
pax. An inspection of the source showed the issue, which
the following patch corrects:
--- options_orig.c Thu May 30 15:05:55 2019
+++ /usr/src/bin/pax/options.c Thu May 30 15:50:34 2019
@@ -1156,7 +1156,7 @@
char *str;
FILE *fp;
- kflag = 1;
+ uflag = 1;
pids = 1;
pmode = 1;
pmtime = 0;
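Review bot: Dropping the `kflag = 1` default outright (first changed line of this hunk) means nothing in the visible lines sets kflag for cpio any more, so the default moves from never overwriting an existing file to overwriting when the source is newer. That matches the man page text quoted above, but it changes behaviour for every invocation that relied on the old default, so state that in the commit message and confirm that no other cpio option case still tests or clears kflag. The header also diffs `options_orig.c` against the absolute path `/usr/src/bin/pax/options.c`; regenerate it relative to the source tree so it applies cleanly.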
@@ -1255,7 +1255,7 @@
/*
* replace newer files
*/
- kflag = 0;
+ uflag = 0;
break;
case 'v':
/*
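Review bot: In the case under the "replace newer files" comment, `uflag = 0` only undoes the new default; if kflag can still be set by another path, -u would no longer force the overwrite it documents. Consider clearing both flags here (`kflag = 0;` alongside `uflag = 0;`) so that -u means unconditional overwrite regardless of how the defaults change later.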
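A post-copy check for the certificate copy described above, as an added example that is not part of the original post: it compares every file under the source tree with its copy under the target by content, so a stale certificate left behind by a non-overwriting copy is reported instead of going unnoticed. The function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a tree copy such as
# "find . -print | cpio -pd $target_dir" really replaced every file.

# stale_files SRC DST
# Prints each regular file under SRC whose counterpart under DST is missing
# or differs in content. Returns 0 if none, 1 if any, 2 on a bad argument.
# Assumes file names without embedded newlines.
stale_files() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    ( cd "$1" && find . -type f -print ) | (
        rc=0
        while IFS= read -r f; do
            # Content comparison is independent of mtime, so it catches a
            # copy that silently kept the older file.
            if ! cmp -s "$1/$f" "$2/$f" 2>/dev/null; then
                printf '%s\n' "$f"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# make_demo_tree
# Builds a constructed source/target pair: the key is identical in both,
# the certificate in the target is an older version. Prints the temp dir.
make_demo_tree() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/src/live" "$tmp/dst/live"
    echo "renewed certificate (constructed)" > "$tmp/src/live/server.crt"
    echo "expired certificate (constructed)" > "$tmp/dst/live/server.crt"
    echo "private key (constructed)" > "$tmp/src/live/serverkey.pem"
    cp "$tmp/src/live/serverkey.pem" "$tmp/dst/live/serverkey.pem"
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration on the constructed tree.
demo_dir=$(make_demo_tree)
if stale=$(stale_files "$demo_dir/src" "$demo_dir/dst"); then
    echo "copy verified: target matches source"
else
    echo "stale or missing in target:"
    echo "$stale"
fi
rm -rf "$demo_dir"
```

Run against the real directories, a non-zero exit status is the signal not to reload httpd with the certificates in the target.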