unintentionally blank

homelab using httpd with relayd

OpenBSD has been my daily driver since 6.6. I use httpd and relayd for local development and personal enjoyment, but I seldom remember how the setup fits together. So, this is a note to my future self.

1. httpd.conf

The main configuration file. It holds only what is shared (MIME types, the listen address) and includes one file per site.

# MIME type table (file extension -> Content-Type), shared by every site.
types {
    include "/usr/share/misc/mime.types"
}

# Despite the name, this is loopback: every listener in this setup (httpd
# on 80/8080 and relayd on 443) binds 127.0.0.1, so nothing is reachable
# from outside the box. Change this macro, not the site files, to expose it.
public_ip="127.0.0.1"

# One file per site under /etc/httpd-sites/.
include "/etc/httpd-sites/devsite.conf"

2. devsite.conf

One .conf file per project keeps things tidy. This one has three server blocks: the plain-HTTP front door (port 80), a www. alias, and the port-8080 backend that relayd forwards decrypted HTTPS traffic to.

# Plain-HTTP front door for devsite.arpa. Everything except the ACME
# challenge path is redirected to HTTPS, which relayd terminates on 443.
server "devsite.arpa" {
    listen on $public_ip port 80
    root "/devsite/htdocs"
    directory index "index.html"
    # ACME HTTP-01 challenges must stay on plain HTTP (no redirect here).
    # "request strip 2" drops the two leading path components, so a request
    # for /.well-known/acme-challenge/TOKEN is served from <root>/TOKEN.
    # NOTE(review): root is the same as the site root, so the challenge
    # files are expected directly in /devsite/htdocs as httpd sees it;
    # confirm this matches the challenge directory your ACME client writes to.
    location "/.well-known/acme-challenge/*" {
        root "/devsite/htdocs"
        request strip 2
    }
    # Everything else: redirect to HTTPS, keeping host and path.
    # NOTE(review): $HTTP_HOST is copied from the client's Host header. If
    # httpd ever routes unknown Host values to this block (as a default
    # server), they are reflected into the Location header. Harmless on
    # loopback; prefer a literal "https://devsite.arpa$REQUEST_URI" if this
    # is ever bound to a non-loopback address.
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

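# www. alias: send clients straight to the canonical HTTPS origin.
# Redirecting to http://devsite.arpa first would cost a second plaintext
# round-trip before the HTTPS redirect in the devsite.arpa:80 block applies.
# NOTE(review): relayd only carries a keypair for devsite.arpa, so an
# https://www.devsite.arpa request still has nowhere to go; this block only
# handles the plain-HTTP case.
server "www.devsite.arpa" {
    listen on $public_ip port 80
    location * {
        block return 302 "https://devsite.arpa$REQUEST_URI"
    }
}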

# Backend that relayd forwards decrypted HTTPS traffic to. It listens on
# loopback port 8080 only, so it is never reached directly; TLS and the
# security response headers are relayd's job (see relayd.conf).
server "devsite.arpa" {
    listen on $public_ip port 8080
    root "/devsite/htdocs"
    directory index "index.html"
    # Presumably serves a pre-compressed file.gz next to file when the
    # client accepts gzip; see httpd.conf(5).
    gzip-static
    log {
        access "access-site.arpa"
        error "error-site.arpa"
        style combined
    }
    # Hand PHP to php-fpm over its UNIX socket.
    # NOTE(review): "/*.php*" also matches paths such as /x.php.bak or
    # /x.php/extra; the trailing "*" is presumably there for PATH_INFO-style
    # routing. If that is not needed, "*.php" is the tighter form, and
    # php-fpm's security.limit_extensions remains the backstop either way.
    location "/*.php*" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

3. relayd.conf

relayd terminates TLS on port 443, forwards the decrypted requests to httpd on port 8080, and adds security-related response headers on the way back.

# Global configuration
log state changes
log connection errors
# Number of relay worker processes.
prefork 5

# Macros
# Loopback only: this is a local-development setup, and httpd in
# httpd.conf binds the same address. Nothing here faces a network.
ipv4="127.0.0.1"
#ipv6="::ffff:7f00:1" # not currently in use

# Tables
# Backend pool: a single host, the local httpd (port is set on the
# "forward to" line in relay wwwtls).
table <devsite> { $ipv4 }

# Protocols and Relays
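# TLS-terminating HTTP protocol used by relay wwwtls: fixes up request
# headers for the backend and stamps security headers on every response.
http protocol wwwtls {
  # Tell the backend who the real client is (relayd connects from loopback).
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  # NOTE(review): $REMOTE_PORT is the client's ephemeral source port. The
  # conventional meaning of X-Forwarded-Port is the port the proxy accepted
  # on (443 here, i.e. $SERVER_PORT); confirm which one the backend expects.
  match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
  match request header set "Connection" value "close"

  # Security response headers, set here so they apply regardless of what
  # httpd (or PHP) emits.
  # Feature-Policy is the deprecated predecessor of Permissions-Policy; both
  # are sent so older and current browsers get the same restriction.
  match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
  match response header set "Permissions-Policy" value "camera=(), microphone=()"
  match response header set "Referrer-Policy" value "no-referrer"
  # NOTE(review): includeSubDomains + preload is a strong commitment (every
  # subdomain over HTTPS for a year; preload only matters once submitted to
  # the browser preload list). Harmless on a loopback .arpa lab; reconsider
  # before reusing this on a public domain.
  match response header set "Strict-Transport-Security" value "max-age=31536000; \
    includeSubDomains; preload"
  match response header set "X-Content-Type-Options" value "nosniff"
  match response header set "X-Frame-Options" value "SAMEORIGIN"
  # "0" disables the legacy browser XSS auditor. "1; mode=block" is
  # deprecated and the auditor itself has been abused to leak cross-site
  # data; a Content-Security-Policy is the replacement.
  match response header set "X-XSS-Protection" value "0"
  # Banner hygiene: drop the PHP fingerprint and fake the server name.
  # Cosmetic only, not a security control.
  match response header remove "X-Powered-By"
  match response header set "Server" value "Microsoft-IIS/8.5"
  tcp { nodelay, sack, socket buffer 65536, backlog 100 }
  # Certificate/key pair named devsite.arpa; see relayd.conf(5) for where
  # the files are looked up.
  tls keypair devsite.arpa
  # Only steers devsite.arpa to the table; there is no "block" rule, so
  # requests with any other Host header are not rejected and still reach
  # the relay's default "forward to" target.
  match request header "Host" value "devsite.arpa" forward to <devsite>
}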

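# HTTPS listener: terminate TLS on loopback:443 and hand plaintext to the
# local httpd backend on port 8080.
relay wwwtls {
  listen on $ipv4 port 443 tls
  protocol wwwtls
  # Use a tcp health check rather than icmp: a ping to 127.0.0.1 succeeds
  # whether or not httpd is listening, so an icmp check can never mark the
  # backend down. "check tcp" fails as soon as nothing accepts on 8080.
  forward to <devsite> port 8080 check tcp
}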