"The httpd daemon is an HTTP server with FastCGI and TLS support." (httpd(8), OpenBSD)

goals:

  • set up a web server including TLS
  • configure Let's Encrypt certificates with acme-client(1)
  • examples (HTTP basic authentication)

getting started:

## edit "/etc/httpd.conf" (step 1: plain HTTP only, so acme-client(1) can answer the HTTP-01 challenge before any certificate exists)

# Plain-HTTP vhost used for the initial certificate request: httpd must
# answer HTTP-01 challenges on port 80 before the TLS configuration
# (which needs the certificate files to exist) can be loaded.
server "www0.x33u.org" {
  listen on 172.16.0.80 port 80
  # all root paths are resolved inside the httpd chroot (/var/www)
  root "htdocs/www0"
  # Serve ACME challenge tokens; "/acme" is /var/www/acme, the default
  # challengedir of acme-client(1).
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    # strip the two leading path components (".well-known" and
    # "acme-challenge") so /.well-known/acme-challenge/TOKEN maps to /acme/TOKEN
    request strip 2
  }
}

# Same bootstrap vhost for the second name: plain HTTP plus the ACME
# challenge location, so acme-client(1) can validate it.
server "www1.x33u.org" {
  listen on 172.16.0.80 port 80
  # relative to the httpd chroot (/var/www)
  root "htdocs/www1"
  # "/acme" is /var/www/acme, the default challengedir of acme-client(1)
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    # drop ".well-known/acme-challenge" from the path before the file lookup
    request strip 2
  }
}

# Same bootstrap vhost for the third name: plain HTTP plus the ACME
# challenge location, so acme-client(1) can validate it.
server "www2.x33u.org" {
  listen on 172.16.0.80 port 80
  # relative to the httpd chroot (/var/www)
  root "htdocs/www2"
  # "/acme" is /var/www/acme, the default challengedir of acme-client(1)
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    # drop ".well-known/acme-challenge" from the path before the file lookup
    request strip 2
  }
}
## edit "/etc/acme-client.conf" (keys and certificates are written by acme-client(1); the "full chain" file is the one httpd must serve)

# Production Let's Encrypt authority (ACME v2 directory). Certificates
# issued here are publicly trusted but subject to rate limits, so debug
# against the staging authority first.
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        # ACME account key; acme-client(1) creates it if it does not exist
        # (check acme-client(1) for your release). Keep it root-only.
        account key "/etc/acme/letsencrypt-privkey.pem"
}

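# Staging Let's Encrypt authority: same ACME v2 protocol as the production
# authority above, but it issues untrusted test certificates and has far
# more generous rate limits. Point "sign with" at it while debugging so
# failed attempts do not exhaust the production quota.
# The directory URL must be the v02 endpoint, matching production; the old
# ACMEv1 staging endpoint (acme-staging.api.letsencrypt.org) has been retired.
authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        # separate account key so staging and production accounts never mix;
        # created by acme-client(1) if absent (check acme-client(1) for your release)
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}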

# Certificate for www0.x33u.org. All four files are written by acme-client(1);
# the private key goes to root-only /etc/ssl/private.
domain www0.x33u.org {
       domain key "/etc/ssl/private/www0.x33u.org.key"
       # leaf certificate only
       domain certificate "/etc/ssl/www0.x33u.org.crt"
       # leaf plus intermediate(s); this is the file httpd must serve so that
       # clients can build the chain
       domain full chain certificate "/etc/ssl/www0.x33u.org.fullchain.pem"
       # switch to "letsencrypt-staging" while testing the setup
       sign with letsencrypt
}

# Certificate for www1.x33u.org; files are written by acme-client(1).
domain www1.x33u.org {
       # root-only directory
       domain key "/etc/ssl/private/www1.x33u.org.key"
       domain certificate "/etc/ssl/www1.x33u.org.crt"
       # the file httpd serves (leaf plus intermediates)
       domain full chain certificate "/etc/ssl/www1.x33u.org.fullchain.pem"
       # switch to "letsencrypt-staging" while testing the setup
       sign with letsencrypt
}

# Certificate for www2.x33u.org; files are written by acme-client(1).
domain www2.x33u.org {
       # root-only directory
       domain key "/etc/ssl/private/www2.x33u.org.key"
       domain certificate "/etc/ssl/www2.x33u.org.crt"
       # the file httpd serves (leaf plus intermediates)
       domain full chain certificate "/etc/ssl/www2.x33u.org.fullchain.pem"
       # switch to "letsencrypt-staging" while testing the setup
       sign with letsencrypt
}
## request the certificates, then edit "/etc/httpd.conf" again

With the plain-HTTP configuration from step 1 running, request a certificate for each domain, e.g. `acme-client -v www0.x33u.org` (try it first with `sign with letsencrypt-staging` to avoid hitting production rate limits). httpd will not start with the TLS configuration below until the certificate and key files exist. For renewal, run acme-client(1) periodically from cron and reload httpd afterwards (e.g. `acme-client www0.x33u.org && rcctl reload httpd`), since httpd only reads the certificate files on start/reload.

# TLS vhost. No explicit protocols/ciphers are set, so httpd's defaults
# apply (see the tls options in httpd.conf(5) if you need to tighten them).
server "www0.x33u.org" {
  listen on 172.16.0.80 tls port 443
  root "htdocs/www0"
  tls {
    # serve the full chain (leaf + intermediates), not the bare leaf
    certificate "/etc/ssl/www0.x33u.org.fullchain.pem"
    # private key stays in root-only /etc/ssl/private; httpd loads it before
    # the unprivileged server processes are started
    key "/etc/ssl/private/www0.x33u.org.key"
  }
  # Keep the challenge location on the TLS side as well: the port-80 vhost
  # below redirects every request to HTTPS, so renewals are validated here.
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

# Plain-HTTP vhost that only redirects to the TLS vhost above, so no
# content is ever served in cleartext.
server "www0.x33u.org" {
  listen on 172.16.0.80 port 80
  # To redirect additional hostnames, uncomment and list them here. They are
  # only usable on the TLS side if the certificate also covers them
  # (see "alternative names" in acme-client.conf(5)).
  #alias "example.com"
  # Permanent redirect preserving path and query string ($REQUEST_URI).
  # ACME challenges are redirected too; renewal still works because the
  # TLS vhost serves /.well-known/acme-challenge/ and the Let's Encrypt
  # HTTP-01 validator follows redirects (NOTE(review): confirm for your authority).
  block return 301 "https://www0.x33u.org$REQUEST_URI"
}

# TLS vhost for www1.x33u.org (httpd default protocols/ciphers).
server "www1.x33u.org" {
  listen on 172.16.0.80 tls port 443
  root "htdocs/www1"
  tls {
    # full chain, as written by acme-client(1)
    certificate "/etc/ssl/www1.x33u.org.fullchain.pem"
    # root-only private key
    key "/etc/ssl/private/www1.x33u.org.key"
  }
  # needed for renewals, since port 80 below redirects challenges to HTTPS
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

# Plain-HTTP vhost: redirect everything (path + query string) to HTTPS.
server "www1.x33u.org" {
  listen on 172.16.0.80 port 80
  # extra hostnames must also be covered by the certificate to be usable over TLS
  #alias "example.com"
  block return 301 "https://www1.x33u.org$REQUEST_URI"
}

# TLS vhost for www2.x33u.org (httpd default protocols/ciphers).
server "www2.x33u.org" {
  listen on 172.16.0.80 tls port 443
  root "htdocs/www2"
  tls {
    # full chain, as written by acme-client(1)
    certificate "/etc/ssl/www2.x33u.org.fullchain.pem"
    # root-only private key
    key "/etc/ssl/private/www2.x33u.org.key"
  }
  # needed for renewals, since port 80 below redirects challenges to HTTPS
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}
# Plain-HTTP vhost: redirect everything (path + query string) to HTTPS.
server "www2.x33u.org" {
  listen on 172.16.0.80 port 80
  # extra hostnames must also be covered by the certificate to be usable over TLS
  #alias "example.com"
  block return 301 "https://www2.x33u.org$REQUEST_URI"
}
## check "httpd.conf" for errors before (re)starting (-n only parses the configuration, -f selects the file)
> httpd -nf /etc/httpd.conf

## start httpd now (-f starts the daemon even though it is not yet enabled in rc.conf.local)
> rcctl -f start httpd

## enable httpd so it starts at boot
> rcctl enable httpd

examples:

## HTTP basic authentication with a password file ##

## create the auth directory outside the document root but inside the httpd
## chroot (/var/www), so httpd can read it while it is never served as content
mkdir -p /var/www/auth/website

## owner root, group www (the user httpd's server processes run as),
## read/search only, no access for others
chown -R root:www /var/www/auth
chmod -R 550 /var/www/auth

## create the password file and add a user (run as root; prompts for the
## password, which OpenBSD's htpasswd(1) should store as a bcrypt hash)
htpasswd /var/www/auth/website/htpasswd user

## read-only for root and group www; nobody else can read the hashes.
## NOTE(review): the file is expected to inherit the directory's group (root:www);
## verify with ls -l and re-run chown if it does not.
chmod 440 /var/www/auth/website/htpasswd


## edit "httpd.conf"
# Protect a whole document root with HTTP basic authentication.
server "default" {
        # Basic auth sends the password merely base64-encoded, i.e. in cleartext.
        # Port 80 is for this demo only - use "listen on * tls port 443" with a
        # certificate in any real deployment.
        listen on * port 80 ## only for demo - please use https port 443 in real environment
        # resolved inside the httpd chroot: /var/www/htdocs/website
        root "/htdocs/website"
        # Defence in depth: never serve a password file that ends up under the
        # document root. Not needed for this example (the htpasswd lives in
        # /auth/website, outside /htdocs), but harmless to keep.
        location "*/.htpasswd" {
        block return 404
        }
        # Require credentials for every path. The file path is resolved inside
        # the chroot (/var/www/auth/website/htpasswd) and must be readable by the
        # www group (chmod 440, root:www). "realm" is the name shown in the
        # browser's login prompt.
        location "*" {
        authenticate "realm" with "/auth/website/htpasswd"
        }
}



httpd(8) runs chrooted to /var/www: every "root", location "root" and "authenticate ... with" path above is resolved inside that chroot, e.g. "/acme" is /var/www/acme (the default challengedir of acme-client(1)) and "/auth/website/htpasswd" is /var/www/auth/website/htpasswd. Certificates and keys under /etc/ssl are the exception - they are loaded by the privileged parent before the chroot applies.