This is an FAQ-style guide on installing OpenBSD and its httpd.
Difficulty to use this guide: beginner to intermediate.
Time spent on using this guide: around one to two hours.
Length of this guide: about 280 lines / paragraphs
Is this guide helpful?
For this guide to be helpful, you should be comfortable using the command line (typing commands on Linux or OpenBSD).
Please back up your data before doing anything else.
httpd is the default web server of OpenBSD. In keeping with OpenBSD's tradition of following its developers' wishes, httpd is included in the default OpenBSD installation.
Is httpd started by default? No, it is not started by default. You have to enable it first. In the file called /etc/rc.conf.local (not /etc/rc.conf), add the line httpd_flags= to enable it. Yes, you read that correctly: the line reads httpd_flags= with the equals sign at the end of the line. (httpd is not http.)
Let's get started by downloading the ISO file for amd64. Most recent machines use amd64 as the CPU instruction set. So, if you use a machine bought after 2010, most probably your CPU supports amd64.
Where can we download an ISO file for amd64? The list of sites can be found here:
https://www.openbsd.org/ftp.html
If your server is in the USA, choose the sites in the USA. This makes downloading faster.
Example: My server is in Canada, hence I click the Canada link.
https://mirror.csclub.uwaterloo.ca/pub/OpenBSD/
As of 25 February 2018, the stable version is 6.2. I clicked 6.2. Then, amd64. (not arm64, which is something different) After that, get cd62.iso.
Okay, I have downloaded the ISO. I can burn a CD using the ISO file. Insert the CD into the machine and choose the CD when booting. (press Del or F2 key when booting and select CD as the first boot device)
Alternatively, as I am demonstrating, I mount the ISO file using a hosting provider's control panel.
After booting with the ISO file or CD, I should see many lines of text output on a blue background. Then, I see:
Welcome to the OpenBSD/amd64 6.2 installation program.
(I)nstall, (U)pgrade,...
Now, press I and Enter.
Choose your keyboard layout -> Please press Enter.
System hostname? -> Type server001 and press Enter
Which network interface do you wish to configure? [vio0] -> Press Enter.
IPv4 address for vio0? -> You need to consult your service provider. (xxx.xxx.xxx.xxx -> dot separated digits)
Netmask for vio0? -> You need to consult your service provider. (xxx.xxx.xxx.xxx -> dot separated digits, sometimes 255.255.255.0, sometimes 255.255.254.0 or some other answers)
IPv6 address for vio0? -> You need to consult your service provider. (xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -> colon separated digits, with 1,2,3,4...0 and a,b,c,d,e,f)
IPv6 prefix length for vio0? [64] -> You need to consult your service provider. (This is also known as netmask.)
IPv6 default router? -> You need to consult your service provider. (The default gateway.)
Which network interface do you wish to configure? [done] -> Press Enter.
Default IPv4 route? -> You need to consult your service provider. (The gateway.)
DNS domain name? -> Press Enter
DNS nameservers? -> 8.8.8.8
Password for root account? -> randomkieow10
Password for root account? (again) -> randomkieow10
Start sshd(8) by default? -> Press Enter
Do you expect to run the X Window System? [yes] -> Press Enter
Do you want the X Window System to be started by xenodm(1)? [no] -> Press Enter
Setup a user? [no] -> Press Enter
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? [no] -> yes (set up pubkey later)
What timezone are you in? -> UTC -> Press Enter
Which disk is the root disk? [sd0] -> Press Enter
Use (W)hole disk MBR,... [whole] -> Press Enter
Use (A)uto layout,... [a] -> Press Enter
Location of sets? -> http -> Press Enter
HTTP proxy URL? [none] -> Press Enter
HTTP Server? -> Press ? -> Press Enter -> Press Space bar to navigate -> I found my mirror -> I press q to quit, and press the number and Enter.
HTTP Server? [mirror.csc...ca] -> Press Enter
Server directory? [pub/OpenBSD/6.2/amd64] -> Press Enter
Select sets by entering a set name, a file pattern or 'all'. De-select sets by prepending a '-', e.g.: '-game*'...
Set name(s)? -> Type -game* and press Enter
Set name(s)? [done] -> Press Enter
Now, I see:
Get/Verify SHA256.sig 100% |**********... 2152 00:00
Signature Verified
...
Installing bsd ...
Location of sets? [done] -> Press Enter
...
CONGRATULATIONS! Your OpenBSD install has been successfully completed!...
Type:
reboot
and hit Enter
Now, remove the CD or unmount the ISO file. (-> I clicked "Remove ISO" in my service provider's control panel)
That's all for installation.
login: root
Password: randomkieow10
To update the system:
Type:
syspatch
Then, press Enter.
I see:
Get/Verify syspatch62-001_tc_inv... 100% |***... 465KB 00:00
...
Now, type
reboot
and press Enter to cause the updates to take effect.
login: root
Password: randomkieow10
# It's a good idea to change the default sshd port
# to help reduce the chance of automatic attacks
vi /etc/ssh/sshd_config
#Port 22 # -> Change this line
Port 10489
#
## create a key pair (private key and public key)
ssh-keygen -t rsa -C "sshkeyname" -b 4096
## Hit Enter
Enter file in which to save the key : /root/.ssh/sshkeyname
Enter passphrase : randomieold46
Enter same passphrase again: randomieold46
ls /root/.ssh
# /root/.ssh/sshkeyname is the secret you keep
# /root/.ssh/sshkeyname.pub is what the server should contain
# in authorized_keys
cd /root/.ssh
cat sshkeyname.pub >> authorized_keys
cat authorized_keys
# I see:
ssh-rsa ...
# Then, I can package the private key in a password-protected zip:
pkg_add zip
zip -e filerandom0123111.zip sshkeyname
# zip asks for a password; I type:
randomuuii123123
# this is where I place the demo files
mkdir /var/www/htdocs/server121212.com
# I will download the encrypted secret later:
mv /root/.ssh/filerandom0123111.zip /var/www/htdocs/server121212.com/
ls /var/www/htdocs/server121212.com/
rcctl restart sshd
# Setting up OpenBSD httpd
echo 'httpd_flags=' >> /etc/rc.conf.local
cat /etc/rc.conf.local
cp /etc/examples/httpd.conf /etc/
vi /etc/httpd.conf
######### begin
ext_addr="*"
server "default" {
	listen on $ext_addr port 80
	root "/htdocs/server121212.com"
}
types {
	include "/usr/share/misc/mime.types"
}
######### end
Esc
:wq
# Create a sample file showing 1
echo 1 >> /var/www/htdocs/server121212.com/index.html
rcctl restart httpd
Now, you can start your web browser such as Google Chrome.
Type:
http://CopyYourIPAddressHere
Hit Enter
You should see 1.
# Getting your ssh secret key
# Use this key to connect.
# In your web browser:
http://CopyYourIPAddressHere/filerandom0123111.zip
# Back up your private secret key. Put it in a safe place.
# If you forget to back up, you will not be able to use it.
# Below is your client computer you are using
# to connect to the server.
# I am using a Linux desktop computer, not Windows:
# I installed unzip: apt install unzip # on Ubuntu, Debian
# Create destination folder
mkdir -p /home/CopyYourUserNameHere/.ssh/
unzip filerandom0123111.zip -d /home/CopyYourUserNameHere/.ssh/
# I see:
#Archive: filerandom0123111.zip
#[filerandom0123111.zip] sshkeyname password:
randomuuii123123
Hit Enter
# inflating: sshkeyname
# restrict the permissions
chmod 600 /home/CopyYourUserNameHere/.ssh/sshkeyname
# You connect on Linux by:
ssh -p 10489 -i '/home/CopyYourUserNameHere/.ssh/sshkeyname' \
root@CopyYourIPAddressHere
# On OpenBSD
# force people to use the private secret key, not a password
vi /etc/ssh/sshd_config
# remove the leading # sign from this line:
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# To save this file:
Esc
:wq
# To apply the new changes:
rcctl restart sshd
# Test if password authentication fails as expected (we use the secret key only)
# On your local computer:
ssh -p 10489 root@CopyYourIPAddressHere
# You should see:
Permission denied (publickey,keyboard-interactive).
# Test if you connect successfully on Linux by:
ssh -p 10489 -i '/home/CopyYourUserNameHere/.ssh/sshkeyname' \
root@CopyYourIPAddressHere
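The "Permission denied (publickey,keyboard-interactive)" message above shows that keyboard-interactive is still offered after PasswordAuthentication is set to no. The following is an added example, not part of the original guide: a check that reads the effective settings printed by `sshd -T` (run as root on the server) and compares them with what this guide configures. The function name and the two sample inputs are constructed for illustration.

```shell
# Added example (not from the original guide): audit `sshd -T` style output,
# read on stdin, against the settings this guide configures.
audit_sshd() {
    awk -v want_port="$1" '
        { seen[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (seen["port"] != want_port) {
                print "FAIL port is " seen["port"] ", expected " want_port; bad = 1
            }
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            if (seen["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            if (seen["permitemptypasswords"] != "no") {
                print "FAIL permitemptypasswords is not no"; bad = 1
            }
            # keyboard-interactive can still prompt for the account password
            if (seen["kbdinteractiveauthentication"] == "yes" ||
                seen["challengeresponseauthentication"] == "yes") {
                print "FAIL keyboard-interactive authentication is enabled"; bad = 1
            }
            if (seen["permitrootlogin"] == "yes") {
                print "WARN permitrootlogin is yes; prohibit-password allows keys only"
            }
            exit bad
        }'
}

# Constructed sample: effective settings after following the guide as written.
SAMPLE_AFTER_GUIDE='port 10489
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
challengeresponseauthentication yes'

# Constructed sample: the same host with the two remaining findings addressed.
SAMPLE_HARDENED='port 10489
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
challengeresponseauthentication no'

printf '%s\n' "$SAMPLE_AFTER_GUIDE" | audit_sshd 10489 || echo "audit failed"
```

On the server, the real input is `sshd -T | audit_sshd 10489`; running `sshd -t` before `rcctl restart sshd` catches syntax errors in sshd_config before the daemon is restarted.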
# Since I have backed up the secret elsewhere, I can remove the secret on server.
# Now remove the encrypted secret key on server
rm /var/www/htdocs/server121212.com/filerandom0123111.zip
# Now remove the private key on server
cd /root/.ssh
rm sshkeyname
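While the zip sits in the web root, anyone who knows its URL can fetch it, so it is worth confirming that nothing key-related is left behind after the removal steps above. This is an added example, not part of the original guide: a scan for zip archives and private-key files under a directory. The function name is hypothetical and the demo tree is constructed to stand in for /var/www/htdocs/server121212.com.

```shell
# Added example (not from the original guide): list files under a directory
# that look like key material. Detects zip archives by their magic bytes
# (50 4b 03 04) and PEM/OpenSSH private keys by their BEGIN header.
find_key_material() {
    dir="$1"
    find "$dir" -type f | sort | while IFS= read -r f; do
        magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
        if [ "$magic" = "504b0304" ]; then
            echo "zip-archive $f"
        elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "private-key $f"
        fi
    done
}

# Constructed demo tree standing in for the web root used in this guide.
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/index.html"
printf 'PK\003\004constructed-bytes' > "$demo_dir/filerandom0123111.zip"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$demo_dir/sshkeyname"
find_key_material "$demo_dir"   # reports the zip and the key, not index.html
rm -rf "$demo_dir"
```

On the server, run `find_key_material /var/www/htdocs` and `find_key_material /root/.ssh`; after the cleanup steps both should print nothing.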
# You can reboot to test if everything above works as expected:
reboot
# Just place fileA.html in /var/www/htdocs/server121212.com/
# Then, you can access it at http://CopyYourIPAddressHere/fileA.html