Add-ons for the OpenBSD httpd(8) web server applicable to the latest -current branch.
Other branches available:
Notes:
- The former location-access-tests add-on has been imported into -current.
- Based on the former custom-error-documents add-on, support for custom error documents has been added to -current.
Bug fixes:
- Directory auto index failing for a location in case the enclosing server specifies directory no index (see on tech@)
- Location access test failing in case the server/location root is empty (see on tech@)
- Inconsistent handling of an inaccessible server/location root (regular file access still returned status 404 instead of 500)
- Inappropriate log_warn in case of missing custom error documents, and cleanup of the read_errdoc function (see on misc@)
Amendments:
- The info regarding the usage of the former location-access-tests add-on with WordPress was moved from this website to httpd.conf(5).
Optional HTTP Cache-Control headers via httpd.conf(5).
types {
    ...
    image/jpeg { cache "max-age=2592000, public" } jpeg jpg
    text/css   { cache "max-age=86400, private" } css
    text/html  { cache "no-store, no-cache, must-revalidate" } html
    ...
}
Definition of script overrides for fastcgi environments via httpd.conf(5). This may be used either to run a dedicated script in its specific param environment for a certain location, or simply as a shortcut avoiding unnecessary evaluation rounds for the server (as required when using request rewrite).
server "www.example.com" {
    ...
    location "/foobar/*" {
        fastcgi {
            socket "/run/php-fpm.sock"
            param "PARAM_1" "value_1"
            param "PARAM_2" "value_2"
            script "/index.php"
        }
    }
    location not found "/*" {
        # request rewrite "/index.php"
        fastcgi {
            socket "/run/php-fpm.sock"
            script "/index.php"
        }
    }
    ...
}
Client address matching (from or not from) for location sections in httpd.conf(5).
server "www.example.com" {
    ...
    location "/intranet*" not from "10.0.0/24" { block }
    ...
}
Send notification messages to UNIX-domain sockets for server and/or location sections with a block directive in httpd.conf(5).
This works well together with pftbld(8), offering a straightforward means to protect the web server from offensive clients and successively build customized firewall blocklists. In the example below, access to /restricted* URLs from outside the 10.0.0/24 network is not just blocked, but httpd(8) also reports client IP addresses to pftbld(8) (with its listening socket at /var/www/run/pftbld-www.sock) for further handling. Note that httpd(8) runs chrooted to /var/www, so the same socket is referenced as /run/pftbld-www.sock in httpd.conf but as /var/www/run/pftbld-www.sock in pftbld.conf.
httpd.conf:
server "www.example.com" {
    ...
    location "/restricted*" not from "10.0.0/24" {
        notify-on-block {
            socket "/run/pftbld-www.sock"
            message "$REMOTE_ADDR"
        }
        block
    }
    ...
}
pftbld.conf:
target "www" {
    ...
    socket "/var/www/run/pftbld-www.sock" {
        owner "www"
        group "www"
    }
    cascade {
        table "attackers"
        expire 1h
        ...
    }
    ...
}
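Before pointing httpd-plus at pftbld(8), it is worth watching what actually arrives on the socket. The following Python listener is an added example, not code from httpd-plus or pftbld(8). It assumes that httpd connects once per blocked request, writes the expanded message and closes the connection (the page does not document the wire format), and it shows the check a receiver should perform so that a malformed payload never lands in a firewall table.

```python
"""Stand-in listener for httpd-plus notify-on-block messages.

Added example, not code from httpd-plus or pftbld(8).  It lets you watch what
httpd(8) writes to the notification socket before wiring up pftbld, and shows
how a receiver should validate the payload before it ever reaches a firewall
table.  Assumptions (not stated on the page): httpd connects once per blocked
request, writes the expanded message (here "$REMOTE_ADDR"), and closes the
connection; a trailing newline may or may not be present.
"""
from __future__ import annotations

import ipaddress
import os
import socket
import tempfile
import threading


def parse_notification(raw: bytes) -> str | None:
    """Return the normalized address carried by one message, or None.

    Anything that is not a single IPv4/IPv6 address is rejected: a message
    that cannot be parsed must never end up in a blocklist.
    """
    text = raw.decode("ascii", errors="replace").strip()
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def collect_notifications(path: str, connections: int,
                          ready: threading.Event | None = None,
                          timeout: float = 5.0) -> list[str]:
    """Serve `connections` clients on a UNIX-domain socket at `path`.

    Returns the valid addresses in arrival order; malformed payloads are
    dropped.  The socket file is removed when the function returns.
    """
    seen: list[str] = []
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o660)   # like pftbld's owner/group stanza: not world-writable
        srv.listen(8)
        srv.settimeout(timeout)
        if ready is not None:
            ready.set()
        for _ in range(connections):
            conn, _peer = srv.accept()
            with conn:
                conn.settimeout(timeout)
                chunks = []
                while True:          # read until the sender closes
                    chunk = conn.recv(256)
                    if not chunk:
                        break
                    chunks.append(chunk)
            addr = parse_notification(b"".join(chunks))
            if addr is not None:
                seen.append(addr)
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
    return seen


def send_notification(path: str, message: str) -> None:
    """Do what httpd-plus is assumed to do for one blocked request."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(message.encode("ascii") + b"\n")


def demo() -> list[str]:
    """Feed three constructed messages through the listener and return the kept ones."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "pftbld-www.sock")
    ready = threading.Event()
    results: list[str] = []
    t = threading.Thread(
        target=lambda: results.extend(collect_notifications(path, 3, ready)))
    t.start()
    ready.wait(5)
    # constructed payloads: two real addresses and one that must be dropped
    for msg in ("203.0.113.7", "not-an-address", "2001:db8::1"):
        send_notification(path, msg)
    t.join()
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    print(demo())   # ['203.0.113.7', '2001:db8::1']
```

To use it against a real httpd-plus, stop pftbld, run collect_notifications with the socket placed under /var/www/run (the path httpd sees is the one without the chroot prefix) and trigger a request that hits the blocking location; demo() replays constructed messages instead so that the script runs offline.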
Simple brace expansion for alias <name>, include <path> and location <path> option parameters in httpd.conf(5).
Helps to minimize the configuration file size by avoiding duplicate content.
include "/etc/httpd-{0..5}-incl.conf"
...
server "www.example.com" {
    alias "www.{a,b,c}.example.com"
    ...
    location "/*.{bmp,gif,ico,jpg,png}" { pass }
    ...
}
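To see which names a braced parameter stands for (the same names that would otherwise have to be listed line by line), here is an added Python example; it is not code from httpd-plus or OpenBSD httpd(8). It assumes only the two forms shown above, comma lists {a,b,c} and integer ranges {m..n}, expanded left to right without nesting, and its line rewriter recognizes just the plain alias/include/location "..." forms.

```python
"""Illustrative brace expansion for httpd-plus style option parameters.

Added example, not code from httpd-plus or OpenBSD httpd(8).  Assumptions: only
comma lists "{a,b,c}" and integer ranges "{m..n}" are supported, several brace
groups in one parameter expand left to right, and nesting is not handled.
"""
from __future__ import annotations

import re

_BRACE = re.compile(r"\{([^{}]*)\}")
_OPTION = re.compile(r'^(\s*)(alias|include|location)\s+"([^"]*)"(.*)$')


def _alternatives(body: str) -> list[str]:
    """Turn the text inside one brace pair into its list of alternatives."""
    m = re.fullmatch(r"(-?\d+)\.\.(-?\d+)", body)
    if m:  # integer range, inclusive at both ends, either direction
        lo, hi = int(m.group(1)), int(m.group(2))
        step = 1 if lo <= hi else -1
        return [str(i) for i in range(lo, hi + step, step)]
    if "," in body:  # comma list
        return body.split(",")
    return ["{" + body + "}"]  # a lone "{foo}" has nothing to expand: keep it


def brace_expand(param: str) -> list[str]:
    """Expand every brace group in param, leftmost group varying slowest."""
    m = _BRACE.search(param)
    if m is None:
        return [param]
    head, tail = param[: m.start()], param[m.end():]
    return [head + alt + rest
            for alt in _alternatives(m.group(1))
            for rest in brace_expand(tail)]


def expand_config_line(line: str) -> list[str]:
    """Rewrite one alias/include/location line into its brace-free equivalent.

    Only the plain keyword "..." form is recognized (not "location match" or
    "location not found"); any other line is returned unchanged.
    """
    m = _OPTION.match(line)
    if m is None:
        return [line]
    indent, keyword, param, rest = m.groups()
    return [f'{indent}{keyword} "{p}"{rest}' for p in brace_expand(param)]


if __name__ == "__main__":
    for src in ('include "/etc/httpd-{0..5}-incl.conf"',
                '    alias "www.{a,b,c}.example.com"',
                '    location "/*.{bmp,gif,ico,jpg,png}" { pass }'):
        print("\n".join(expand_config_line(src)))
```

Running the script prints the six include lines, three alias lines and five location lines that the three braced lines above replace.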
httpd-plus is a series of consecutive patch files which may be applied easily by following the steps below.
Make sure your user has sufficient doas permissions. The doas.conf line below grants the user passwordless root, which is convenient for the build but broader than necessary; tighten it afterwards if that is not your usual policy. To start, cd into the user's home directory, for example /home/mpfr.
$ cat /etc/doas.conf
permit nopass mpfr
$ cd
$ pwd
/home/mpfr
Download and extract patch files and installation script.
$ rm -rf httpd-plus-current/
$ ftp -Vo - https://codeload.github.com/mpfr/httpd-plus/tar.gz/current | tar xzvf -
httpd-plus-current
httpd-plus-current/00-updates.patch
httpd-plus-current/01-cache-control-headers.patch
httpd-plus-current/02-fastcgi-script-overrides.patch
httpd-plus-current/03-client-address-filters.patch
httpd-plus-current/04-notify-on-block.patch
httpd-plus-current/05-brace-expansion.patch
httpd-plus-current/LICENSE
httpd-plus-current/README.md
httpd-plus-current/install
Apply the patch files by running the installation script. This will build and install the httpd-plus binary. After the build process, the original source is restored. Since the script runs as root, review it and the patch files before executing them.
$ doas ksh httpd-plus-current/install 2>&1 | tee httpd-plus-install.log
Backing up original sources ... Done.
Applying patch files ...
====================
=== 00-updates ===
====================
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
.
.
.
done
==================================
=== 01-cache-control-headers ===
==================================
Hmm... Looks like a unified diff to me...
.
.
.
done
Building and installing httpd-plus binary and manpage ...
.
.
.
Restoring original sources ... Done.
Installing httpd-plus binary and manpage completed successfully.
Please consult 'man httpd.conf' for further information on new features.
Adapt your httpd.conf for the newly added features. For further information, have a look at the updated httpd.conf(5) manpage (also via man httpd.conf). Make sure your new configuration is valid.
$ doas vi /etc/httpd.conf
...
$ doas httpd -n
configuration OK
Restart the httpd daemon.
$ doas rcctl restart httpd
httpd(ok)
httpd(ok)
The original version of httpd can easily be restored by performing a fresh rebuild and reinstall.
$ cd /usr/src/usr.sbin/httpd
$ doas make obj
$ doas make clean
$ doas make
$ doas make install
Remove httpd-plus related features from your configuration file and make sure it is valid. Don't forget to restart the httpd daemon.
$ doas vi /etc/httpd.conf
...
$ doas httpd -n
configuration OK
$ doas rcctl restart httpd
httpd(ok)
httpd(ok)