mpfr / httpd-plus

Licence: ISC license
Add-ons for the OpenBSD web server

httpd-plus

Add-ons for the OpenBSD httpd(8) web server applicable to the latest -current branch.

Other branches available:

Notes:

List of add-ons

updates

Bug fixes:

  • Directory auto index of a location fails when the enclosing server specifies directory no index (see on tech@)
  • Location access test fails when the server/location root is empty (see on tech@)
  • Inconsistent handling of an inaccessible server/location root (regular file access still returns status 404 instead of 500)
  • Inappropriate log_warn when custom error documents are missing, and cleanup of the read_errdoc function (see on misc@)

Amendments:

  • The info regarding the usage of the former location-access-tests add-on with WordPress was moved from this website to httpd.conf(5).

cache-control-headers

Optional HTTP Cache-Control headers via httpd.conf(5).

types {
	...
	image/jpeg  { cache "max-age=2592000, public" }             jpeg jpg
	text/css    { cache "max-age=86400, private" }              css
	text/html   { cache "no-store, no-cache, must-revalidate" } html
	...
}

fastcgi-script-overrides

Definition of script overrides for fastcgi environments via httpd.conf(5). This may be used either to run a dedicated script in its specific param environment for a certain location, or simply as a shortcut avoiding unnecessary evaluation rounds for the server (as required when using request rewrite).

server "www.example.com" {
	...
	location "/foobar/*" {
		fastcgi {
			socket "/run/php-fpm.sock"
			param "PARAM_1" "value_1"
			param "PARAM_2" "value_2"
			script "/index.php"
		}
	}
	location not found "/*" {
		# request rewrite "/index.php"
		fastcgi {
			socket "/run/php-fpm.sock"
			script "/index.php"
		}
	}
	...
}

client-address-filters

Client address matching (from or not from) for location sections in httpd.conf(5).

server "www.example.com" {
	...
	location "/intranet*" not from "10.0.0/24" { block }
	...
}

notify-on-block

Send notification messages to UNIX-domain sockets for server and/or location sections with a block directive in httpd.conf(5).

This cooperates perfectly with pftbld(8), offering an easy and straightforward means to effectively protect the web server from offensive clients and successively build customized firewall blocklists. In the example below, access to /restricted* URLs from outside the 10.0.0/24 network is not just blocked, but httpd(8) also reports client IP addresses to pftbld(8) (with its listening socket at /var/www/run/pftbld-www.sock) for further handling.

httpd.conf:

server "www.example.com" {
	...
	location "/restricted*" not from "10.0.0/24" {
		notify-on-block {
			socket "/run/pftbld-www.sock"
			message "$REMOTE_ADDR"
		}
		block
	}
	...
}

pftbld.conf:

target "www" {
	...
	socket "/var/www/run/pftbld-www.sock" {
		owner "www"
		group "www"
	}
	cascade {
		table "attackers"
		expire 1h
		...
	}
	...
}
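
The client-address-filters match and the notify-on-block exchange above, modelled end to end as an added example (not code from httpd-plus or pftbld). It assumes a stream socket carrying one message per connection and that "10.0.0/24" reads as 10.0.0.0/24; the function names and the socket path are made up for the test.

```python
import ipaddress
import os
import socket
import tempfile

def parse_net(spec):
    """Parse "10.0.0/24"-style networks; omitted trailing octets are padded
    with zeros (assumption: this is how the abbreviated form is read)."""
    addr, _, bits = spec.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits}" if bits else addr)

def location_blocks(client, spec, negate):
    """True when `from spec` (negate=False) or `not from spec` (negate=True)
    matches the client, i.e. the location's block directive applies."""
    return (ipaddress.ip_address(client) in parse_net(spec)) != negate

def vet_message(raw, exempt):
    """Receiver side: accept exactly one literal IP address outside the
    exempt network; return it normalized, or None for anything else."""
    try:
        ip = ipaddress.ip_address(raw.decode("ascii").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    return None if ip in exempt else str(ip)

def demo(clients, spec="10.0.0/24"):
    """Send $REMOTE_ADDR for every blocked client over a UNIX-domain socket
    and return what the receiver would accept for its blocklist table."""
    accepted, exempt = [], parse_net(spec)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify.sock")  # constructed test path
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:  # assumed type
            srv.bind(path)
            srv.listen(8)
            for client in clients:
                if not location_blocks(client, spec, negate=True):
                    continue  # inside 10.0.0/24: no block, no notification
                with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as snd:
                    snd.connect(path)
                    snd.sendall(client.encode())
                conn, _ = srv.accept()
                with conn:
                    ok = vet_message(conn.recv(256), exempt)
                if ok:
                    accepted.append(ok)
    return accepted
```

The receiver-side check matters because whatever arrives on the socket ends up in a firewall table: anything that is not a single literal address, or that falls inside the trusted network, is dropped.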

brace-expansion

Simple brace expansion for alias <name>, include <path> and location <path> option parameters in httpd.conf(5). Helps to minimize the configuration file size by avoiding duplicate content.

include "/etc/httpd-{0..5}-incl.conf"
...
server "www.example.com" {
	alias "www.{a,b,c}.example.com"
	...
	location "/*.{bmp,gif,ico,jpg,png}" { pass }
	...
}
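
To audit what a compact line actually covers, the expansion can be reproduced offline. This is an added example, not the patch's own code; it assumes shell-style semantics for {a,b,c} lists and {m..n} integer ranges, since the page does not state the patch's rules for nesting, descending ranges or escaping.

```python
import re

_GROUP = re.compile(r"\{([^{}]*)\}")          # first non-nested brace group
_RANGE = re.compile(r"(-?\d+)\.\.(-?\d+)")    # {m..n} integer range

def expand(pattern):
    """Expand brace groups left to right and return every resulting string.

    Groups that are neither a comma list nor an integer range are kept
    literally (assumption; the page does not say how the patch treats them).
    """
    m = _GROUP.search(pattern)
    if m is None:
        return [pattern]
    head, body, tail = pattern[:m.start()], m.group(1), pattern[m.end():]
    rng = _RANGE.fullmatch(body)
    if rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        step = 1 if lo <= hi else -1
        items = [str(i) for i in range(lo, hi + step, step)]
    elif "," in body:
        items = body.split(",")
    else:
        items = [m.group(0)]                  # literal "{...}", left untouched
    # The tail is expanded recursively, so several groups multiply out.
    return [head + item + rest for item in items for rest in expand(tail)]

def duplicates(patterns):
    """Return expanded values produced more than once across the patterns,
    e.g. an alias or location that two compact lines both generate."""
    seen, dupes = set(), []
    for p in patterns:
        for value in expand(p):
            if value in seen and value not in dupes:
                dupes.append(value)
            seen.add(value)
    return dupes

if __name__ == "__main__":
    # Patterns taken from the configuration example above.
    for line in ("/etc/httpd-{0..5}-incl.conf",
                 "www.{a,b,c}.example.com",
                 "/*.{bmp,gif,ico,jpg,png}"):
        print(line, "->", expand(line))
```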

How to install

httpd-plus is a series of consecutive patch files which may be applied easily by following the steps below.

Make sure your user has sufficient doas permissions. To start, cd into the user's home directory, for example /home/mpfr.

$ cat /etc/doas.conf
permit nopass mpfr
$ cd
$ pwd
/home/mpfr

Download and extract patch files and installation script.

$ rm -rf httpd-plus-current/
$ ftp -Vo - https://codeload.github.com/mpfr/httpd-plus/tar.gz/current | tar xzvf -
httpd-plus-current
httpd-plus-current/00-updates.patch
httpd-plus-current/01-cache-control-headers.patch
httpd-plus-current/02-fastcgi-script-overrides.patch
httpd-plus-current/03-client-address-filters.patch
httpd-plus-current/04-notify-on-block.patch
httpd-plus-current/05-brace-expansion.patch
httpd-plus-current/LICENSE
httpd-plus-current/README.md
httpd-plus-current/install

Apply the patch files by running the installation script. This will build and install the httpd-plus binary. After the build process, the original source is restored.

$ doas ksh httpd-plus-current/install 2>&1 | tee httpd-plus-install.log
Backing up original sources ... Done.
Applying patch files ...
====================
===  00-updates  ===
====================
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
.
.
.
done
==================================
===  01-cache-control-headers  ===
==================================
Hmm...  Looks like a unified diff to me...
.
.
.
done
Building and installing httpd-plus binary and manpage ...
.
.
.
Restoring original sources ... Done.

Installing httpd-plus binary and manpage completed successfully.
Please consult 'man httpd.conf' for further information on new features.

Adapt your httpd.conf for the newly added features. For further information, have a look at the updated httpd.conf(5) manpage (also via man httpd.conf). Make sure your new configuration is valid.

$ doas vi /etc/httpd.conf
...
$ doas httpd -n
configuration OK

Restart the httpd daemon.

$ doas rcctl restart httpd
httpd(ok)
httpd(ok)

How to uninstall

The original version of httpd can easily be restored by performing a fresh rebuild and reinstall.

$ cd /usr/src/usr.sbin/httpd
$ doas make obj
$ doas make clean
$ doas make
$ doas make install

Remove httpd-plus related features from your configuration file and make sure it is valid. Don't forget to restart the httpd daemon.

$ doas vi /etc/httpd.conf
...
$ doas httpd -n
configuration OK
$ doas rcctl restart httpd
httpd(ok)
httpd(ok)