Setting up relayd
Set up relayd to work alongside your existing httpd configuration. This gives you the ability to set up custom security headers, run proxies, etc.
This page assumes you have already completed the main tutorial on the homepage.
Next we will set up security headers and HTTPS redirection with OpenBSD’s built-in relayd.
Note: If you would prefer to use HAProxy instead, follow this guide here.
You will want to create a new file located at /etc/relayd.conf:
    # Replace these with your server's public addresses
    ip4="YOUR IPv4"
    ip6="YOUR IPv6"

    # httpd only listens on the loopback address; relayd is the public face
    table <www> { 127.0.0.1 }

    log connection

    http protocol https {
        # Pass the original client and relay addresses through to httpd
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        tcp { sack, backlog 128 }
        tls { keypair httpd.rocks }

        # Only forward requests for our own hostnames (non-www and www)
        match request header "Host" value "httpd.rocks" forward to <www>
        match request header "Host" value "www.httpd.rocks" forward to <www>

        # Add security headers
        match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
        match response header append "Cache-Control" value "public, max-age=86400"
        match response header append "Content-Security-Policy" value "default-src 'self'; script-src 'self'; object-src 'none';"
        match response header append "X-Content-Type-Options" value "nosniff"
        match response header append "X-Frame-Options" value "SAMEORIGIN"
        match response header append "Referrer-Policy" value "no-referrer"
        match response header append "Permissions-Policy" value "interest-cohort=()"
        match request header set "Accept-Encoding" value "gzip, deflate"
    }

    # Public HTTPS listeners; TLS terminates here and is forwarded to httpd on 8080
    relay wwwtls {
        listen on $ip4 port 443 tls
        protocol https
        forward to <www> port 8080 check icmp
    }

    relay www6tls {
        listen on $ip6 port 443 tls
        protocol https
        forward to <www> port 8080 check icmp
    }
Make sure you replace YOUR IPv4 and YOUR IPv6 with your server's IP addresses, then replace all instances of httpd.rocks with your own domain. Take note of the two Host header matches, one for the non-www name and one for the www name: both are needed so that www requests reach httpd and can be forwarded to non-www. relayd then hands each request to httpd on a custom port, in this case 8080. The security headers are set to my own personal preference - feel free to change these as you see fit!
Test the config with the following command:
    doas relayd -n
If the configuration passes, we just need to enable relayd on boot and start it up:
    doas rcctl enable relayd
    doas rcctl start relayd
You’ll need to make some important changes to the existing httpd.conf in order to play nice with relayd. Note that httpd now listens on the loopback address on the same port 8080 that relayd forwards to:
    # The real site: only reachable through relayd on the loopback address
    server "httpd.rocks" {
        listen on 127.0.0.1 port 8080
        root "/htdocs/httpd.rocks"
        location "/secure.html" {
            authenticate "Restricted Area" with "/etc/httpd.passwd"
        }
    }

    # www requests arrive here via relayd; send them to the non-www name.
    # Using $SERVER_NAME here would expand to www.httpd.rocks and redirect in a loop.
    server "www.httpd.rocks" {
        listen on 127.0.0.1 port 8080
        block return 301 "https://httpd.rocks$REQUEST_URI"
    }

    # Plain HTTP: answer ACME challenges, redirect everything else to HTTPS
    server "httpd.rocks" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
Test your configuration and restart httpd:
    doas httpd -n
    doas rcctl restart httpd
Now HTTPS will be working, but this time via relayd.
Now check out your website! Everything should work as intended.
You should have valid TLS, your standard HTTP request should forward to HTTPS, all www requests should forward to non-www, and your security headers should score an A+.
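To confirm those three results from a shell, here is an added check script (not part of the original tutorial) built around curl. It assumes curl is installed and that DOMAIN is set to your own domain; the two check functions read a raw HTTP response on stdin, so they can also be run against a captured response.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes curl is installed
# and DOMAIN is set to your own domain, e.g. DOMAIN=httpd.rocks sh check.sh

# Security headers the relayd protocol block appends to every response
REQUIRED_HEADERS="strict-transport-security content-security-policy
x-content-type-options x-frame-options referrer-policy permissions-policy"

# Read a raw HTTP response (header block) from stdin; print each required
# header that is missing. Returns 0 only when all of them are present.
check_headers() {
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            echo "missing: $h"
            missing=1
        fi
    done
    return $missing
}

# Read a raw response from stdin; succeed only if it is a 301 whose
# Location header starts with the expected URL prefix given as $1.
check_redirect() {
    resp=$(tr -d '\r')
    printf '%s\n' "$resp" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$resp" | grep -iq "^location: $1"
}

# Live checks against your server (need network access)
if [ -n "$DOMAIN" ]; then
    curl -sI "https://$DOMAIN/" | check_headers && echo "security headers: ok"
    curl -sI "http://$DOMAIN/" | check_redirect "https://$DOMAIN/" \
        && echo "http -> https: ok"
    curl -sI "https://www.$DOMAIN/" | check_redirect "https://$DOMAIN/" \
        && echo "www -> non-www: ok"
fi
```

A missing header is printed by name, so a wrong or dropped relayd match line is easy to spot.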
That’s it!
I’m far from an OpenBSD expert! Please help improve this project!