OpenBSD.Amsterdam | GNUcode.org

OpenBSD.Amsterdam

by Joshua Branson, October 09, 2025

So I recently started using OpenBSD.Amsterdam, and I've migrated all my sites (two sites) to it. It's been pretty slick. I would have preferred to keep using Guix System, but I somehow was unable to update my Guix System server. So for now, I am running OpenBSD on everything except my Purism phone.

For those of you who do not know, the OpenBSD developers wrote and maintain their own HTTP daemon, called httpd. I believe that, in the past, OpenBSD recommended its users run Apache, and later nginx. From what I gather, both are rather complicated pieces of software. The developers created httpd as a simpler and more secure web server.

Here's my httpd.conf file.

  joshua@gnucode.org:/etc/ $ cat httpd.conf
server "propernaming.org" {
    listen on * port 80
    root "/htdocs/propernaming.org/site"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
        directory no auto index
    }
}

server "propernaming.org" {
    listen on * tls port 443
    hsts
    tls {
        certificate "/etc/ssl/propernaming.org.fullchain.pem"
        key "/etc/ssl/private/propernaming.org.key"
    }
    root "/htdocs/propernaming.org/site"
    directory index "index.html"
}

server "gnu-hurd.com" {
    listen on * port 80
    root "/htdocs/gnu-hurd.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
        directory no auto index
    }
}

server "gnu-hurd.com" {
    listen on * tls port 443
    hsts
    tls {
        certificate "/etc/ssl/gnu-hurd.com.fullchain.pem"
        key "/etc/ssl/private/gnu-hurd.com.key"
    }
    root "/htdocs/gnu-hurd.com"
    directory index "index.html"
}

server "gnucode.me" {
    listen on * port 80
    location * {
        block return 302 "http://gnucode.org"
    }
}

server "gnucode.org" {
    listen on * port 80
    root "/htdocs/gnucode.org/site"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
        directory no auto index
    }
}

server "gnucode.org" {
    listen on * tls port 443
    hsts
    tls {
        certificate "/etc/ssl/gnucode.org.fullchain.pem"
        key "/etc/ssl/private/gnucode.org.key"
    }
    root "/htdocs/gnucode.org/site"
    directory index "index.html"
}

Of course, we all want an https website, so we need to get some certificates. The OpenBSD developers wrote and maintain their own ACME client, acme-client, and it reads the file below.

  joshua@gnucode.org:/etc/ $ cat acme-client.conf
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain gnucode.org {
    domain key "/etc/ssl/private/gnucode.org.key"
    domain full chain certificate "/etc/ssl/gnucode.org.fullchain.pem"
    #sign with letsencrypt-staging
    sign with letsencrypt
}

domain propernaming.org {
    domain key "/etc/ssl/private/propernaming.org.key"
    domain full chain certificate "/etc/ssl/propernaming.org.fullchain.pem"
    #sign with letsencrypt-staging
    sign with letsencrypt
}

domain gnu-hurd.com {
    domain key "/etc/ssl/private/gnu-hurd.com.key"
    domain full chain certificate "/etc/ssl/gnu-hurd.com.fullchain.pem"
    #sign with letsencrypt-staging
    sign with letsencrypt
}
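The two files above have to agree: the certificate and key paths in each httpd.conf tls block must be exactly the files the matching acme-client.conf domain block writes, or renewals land somewhere httpd never reads and the site keeps serving the old certificate until it expires. Here is a small consistency check for that (an added example, not from the post or from OpenBSD; it runs on constructed copies of the two configs embedded inline and only understands the block layout shown here, not the full grammar of either file):

```python
import re

# Constructed configs shaped like the post's; gnu-hurd.com's key path is
# deliberately different in the two files so the check has something to report.
HTTPD_CONF = '''server "gnucode.org" {
    tls {
        certificate "/etc/ssl/gnucode.org.fullchain.pem"
        key "/etc/ssl/private/gnucode.org.key"
    }
}
server "gnu-hurd.com" {
    tls {
        certificate "/etc/ssl/gnu-hurd.com.fullchain.pem"
        key "/etc/ssl/private/gnu-hurd.key"
    }
}
'''
ACME_CONF = '''domain gnucode.org {
    domain key "/etc/ssl/private/gnucode.org.key"
    domain full chain certificate "/etc/ssl/gnucode.org.fullchain.pem"
}
domain gnu-hurd.com {
    domain key "/etc/ssl/private/gnu-hurd.com.key"
    domain full chain certificate "/etc/ssl/gnu-hurd.com.fullchain.pem"
}
'''

def _block_paths(text, block_re, cert_re, key_re):
    """{block name: (certificate path, key path)} for blocks that set both."""
    found = {}
    for name, body in re.findall(block_re, text, re.S):
        cert, key = re.search(cert_re, body), re.search(key_re, body)
        if cert and key:
            found[name] = (cert.group(1), key.group(1))
    return found

def httpd_tls_paths(text):  # a '}' at column 0 closes a server block
    return _block_paths(text, r'server\s+"([^"]+)"\s*\{(.*?)\n\}',
                        r'certificate\s+"([^"]+)"', r'\bkey\s+"([^"]+)"')

def acme_domain_paths(text):
    return _block_paths(text, r'domain\s+([\w.-]+)\s*\{(.*?)\n\}',
                        r'full chain certificate\s+"([^"]+)"', r'domain key\s+"([^"]+)"')

def find_mismatches(httpd_text, acme_text):
    """Domains whose httpd cert/key files are not the ones acme-client writes."""
    acme, problems = acme_domain_paths(acme_text), {}
    for name, paths in httpd_tls_paths(httpd_text).items():
        if name not in acme:
            problems[name] = "no acme-client domain block"
        elif acme[name] != paths:
            problems[name] = f"httpd uses {paths}, acme-client writes {acme[name]}"
    return problems
```

On a real host, feed it the contents of /etc/httpd.conf and /etc/acme-client.conf; an empty result means every TLS server is fed by a renewal block.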

I've written about OpenBSD's pf before, and it really is quite brilliant. The firewall that runs on my laptop is mostly the same one that runs on my server. Pretty cool, no?

  joshua@gnucode.org:/etc/ $ cat pf.conf
#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $

block log all

tcp_services = "{ ssh, smtp, domain, domain-s, www, https, auth, netstat, ntp }"
udp_services = "{ ntp }"

set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress

pass quick proto tcp to port $tcp_services
pass quick proto udp to port $udp_services

pass quick proto { icmp, icmp6 }

block return out log (user) quick proto {tcp udp} user _pbuild

block return in on ! lo0 proto tcp to port 6000:6010