Cool article! I will always appreciate good props to the OpenBSD base system toolset!
I’ve been running a similar setup for years on multiple servers now, so here’s my 2 cents:
No need to enable inbound traffic on port 53 in pf.conf. Output traffic should be enough (I usually resort to a single “pass out” for all outbound traffic).
rcctl enable httpd is cleaner than editing your rc.conf.local IMO. But the end result is the same.
I put my acme-client(1) renewal in /etc/daily.local. It runs once per day, and avoids cluttering the system with external scripts. I usually add one-liners for each domain I have for clarity:
As seen above, I prefer using relayd(8) as it comes with the base system.
An example config for what OP is doing would be:
table <www> { localhost }

http protocol "https" {
        tls keypair "https.rocks"
        match header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
        match header set "X-Content-Type-Options" value "nosniff"
        match header set "X-Frame-Options" value "DENY"
        [...]
        match url forward to <www>
}

relay "www" {
        listen on egress port 443 tls
        protocol https
        forward to <www> port 80 check tcp
}
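An added example (not the commenter's own one-liners) of what the /etc/daily.local renewal can look like when relayd(8) terminates TLS as in the config above: each domain is renewed with acme-client(1), and relayd is reloaded once, only if some certificate actually changed. The domain names are placeholders and are assumed to have matching entries in /etc/acme-client.conf.

```shell
#!/bin/sh
# Added example for /etc/daily.local (sourced by daily(8)); not the commenter's script.
# acme-client(1) exit status: 0 = certificate changed, 1 = error, 2 = nothing changed.
# Placeholder domains: example.org www.example.org (assumed in /etc/acme-client.conf).

ACME=${ACME:-acme-client}   # overridable so the decision logic can be exercised without acme-client
RCCTL=${RCCTL:-rcctl}

# renew_all DOMAIN...: renew every domain, reload relayd at most once.
# Prints "reload" or "noop"; returns 1 if any renewal failed.
renew_all() {
    changed=0
    failed=0
    for d in "$@"; do
        $ACME "$d" && rc=0 || rc=$?
        case $rc in
            0) changed=1 ;;                                   # new cert written
            2) ;;                                             # still valid, nothing to do
            *) failed=1; echo "acme-client: $d failed (exit $rc)" >&2 ;;
        esac
    done
    if [ "$changed" -eq 1 ]; then
        $RCCTL reload relayd   # pick up the new keypair; httpd is only reached on port 80
        echo reload
    else
        echo noop
    fi
    [ "$failed" -eq 0 ]
}
```

In daily.local the file ends with the actual call, e.g. `renew_all example.org www.example.org`; a failed domain is reported to the daily mail but does not stop the others from renewing.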