openbsd_relayd_httpd_puma.md

STATUS: FULLY FUNCTIONAL

Ruby on Rails/Puma:

• https://myapp1.com => OK
• https://www.myapp1.com/ => OK
• http://myapp1.com/ => OK
• http://www.myapp1.com/ => OK

httpd:

• https://mystaticsite.com => OK
• https://www.mystaticsite.com/ => OK
• http://mystaticsite.com/ => OK
• http://www.mystaticsite.com/ => OK

---

Next-generation server setup—hosting static websites and apps simultaneously on OpenBSD

Rated A+ at SSL Labs and Security Headers

2020-06-19

A simpler and more secure alternative to Linux/NGiNX/Apache/Passenger for hosting static sites and Ruby/Python/Node type web apps on the same server at the same time. This example uses OpenBSD's relayd to direct traffic to OpenBSD's httpd for static sites, and Ruby on Rails/Puma for web apps.

Choose OpenBSD for your Unix needs. OpenBSD -- the world's simplest and most secure Unix-like OS. Creator of the NGiNX/Apache webserver replacement httpd, the OpenSSL crypto stack replacement LibreSSL, the iptables/nftables firewall replacement pf, the Postfix mail server replacement OpenSMTPD, OpenSSH and much, much more. OpenBSD -- the cleanest kernel, the cleanest userland and the cleanest configuration syntax.

Files in this setup:

/etc/relayd.conf
/etc/httpd.conf
/etc/acme-client.conf
/etc/rc.d/myapp1
/etc/rc.d/__helper
/home/myapp1/myapp1/config/puma.rb
/home/myapp1/myapp1/config/environments/production.rb

Generate certificates and make them readable to apps in the wheel group:

acme-client -v mystaticsite.com
acme-client -v myapp1.com
acme-client -v myapp2.com
chmod 750 /etc/ssl/private

Add crontabs for automated renewal:

crontab -e
0 * * * * sleep $((RANDOM \% 2048)) && acme-client mystaticsite.com && rcctl restart relayd
0 * * * * sleep $((RANDOM \% 2048)) && acme-client myapp1.com && rcctl restart myapp1
0 * * * * sleep $((RANDOM \% 2048)) && acme-client myapp2.com && rcctl restart myapp2

/etc/relayd.conf

public="vio0"
private="lo0"

table <acme_challenge> { $private }
acme_challenge_port="5000"

table <httpd_https_redirect> { $private }
httpd_https_redirect_port="6000"

table <httpd_static_sites> { $private }
httpd_static_sites_port="7000"

table <rails1> { $private }
rails1_ssl_port="8000"
table <rails2> { $private }
rails2_ssl_port="8002"

# Protocols

http protocol "http" {
  # ACME-compliant HTTP-01 challenge
  # https://letsencrypt.org/docs/challenge-types/
  pass request quick path "/.well-known/acme-challenge/*" forward to <acme_challenge>

  # Filter out Rails apps by domain name
  # https://unix.stackexchange.com/questions/466232/openbsd-relay-https-proxy-for-multiple-domains
  pass request header "Host" value "myapp1.com" forward to <rails1>
  pass request header "Host" value "www.myapp1.com" forward to <rails1>
  
  pass request header "Host" value "myapp2.com" forward to <rails2>
  pass request header "Host" value "www.myapp2.com" forward to <rails2>
}

http protocol "https_reverse_proxy" {
  # Block all by default
  block

  # Start opening up
  pass request header "Host" value "mystaticsite.com" forward to <httpd_static_sites>
  pass request header "Host" value "www.mystaticsite.com" forward to <httpd_static_sites>
  
  pass request header "Host" value "myapp1.com" forward to <rails1>
  pass request header "Host" value "www.myapp1.com" forward to <rails1>
  
  pass request header "Host" value "myapp2.com" forward to <rails2>
  pass request header "Host" value "www.myapp2.com" forward to <rails2>

  tls keypair "mystaticsite"
  tls keypair "myapp1"
  tls keypair "myapp2"
  
  # Pass address headers
  match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
  match header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

  # Best practice security headers
  # https://securityheaders.com
  # https://www.marksayson.com/blog/setting_http_security_headers_in_rails/
  match response header remove "Server"
  match response header set "X-Frame-Options" value "SAMEORIGIN"
  match response header set "X-XSS-Protection" value "1; mode=block"
  match response header set "Referrer-Policy" value "strict-origin"
  match response header set "Content-Security-Policy" value "default-src 'self'; script-src 'self' www.google.com www.gstatic.com; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; frame-src 'self' www.google.com;"
  match response header set "Feature-Policy" value "accelerometer 'none'; ambient-light-sensor 'none'; battery 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; usb 'none';"
}

# Relays

relay "http" {
  listen on $public port http

  protocol "http"

  forward to <httpd_https_redirect> port $httpd_https_redirect_port
  
  # Assumes Rails HTTPS redirection is enabled
  # https://api.rubyonrails.org/classes/ActionDispatch/SSL.html
  forward to <rails1> port $rails1_ssl_port
  forward to <rails2> port $rails2_ssl_port

  forward to <acme_challenge> port $acme_challenge_port
}

relay "https" {
  listen on $public port https tls

  protocol "https_reverse_proxy"

  forward with tls to <httpd_static_sites> port $httpd_static_sites_port
  
  forward to <rails1> port $rails1_ssl_port
  forward to <rails2> port $rails2_ssl_port
}

/etc/httpd.conf

types {
  include "/usr/share/misc/mime.types"
}

localhost="lo0"

acme_challenge_port="5000"
https_redirect_port="6000"
static_sites_port="7000"

# HTTP

server "*" {
  listen on $localhost port $acme_challenge_port
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    block drop
  }
}
server "mystaticsite.com" {
  listen on $localhost port $https_redirect_port
  block return 301 "https://mystaticsite.com$DOCUMENT_URI"
}

# HTTPS

server "mystaticsite.com" {
  listen on * tls port $static_sites_port
  root "/htdocs/mystaticsite"
  tls {
    certificate "/etc/ssl/mystaticsite.crt"
    key "/etc/ssl/private/mystaticsite.key"
  }
  hsts {
    preload
  }
}
server "www.mystaticsite.com" {
  listen on * tls port $static_sites_port
  tls {
    certificate "/etc/ssl/mystaticsite.crt"
    key "/etc/ssl/private/mystaticsite.key"
  }
  block return 301 "https://mystaticsite.com$DOCUMENT_URI"
}

/etc/acme-client.conf

authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/ssl/private/letsencrypt.key"
}

domain mystaticsite.com {
  alternative names { www.mystaticsite.com }
  domain key "/etc/ssl/private/mystaticsite.key"
  domain full chain certificate "/etc/ssl/mystaticsite.crt"
  sign with letsencrypt
}

domain myapp1.com {
  alternative names { www.myapp1.com }
  domain key "/etc/ssl/private/myapp1.key"
  domain full chain certificate "/etc/ssl/myapp1.crt"
  sign with letsencrypt
}

domain myapp2.com {
  alternative names { www.myapp2.com }
  domain key "/etc/ssl/private/myapp2.key"
  domain full chain certificate "/etc/ssl/myapp2.crt"
  sign with letsencrypt
}

/etc/rc.d/myapp1

#!/bin/sh

# http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/infrastructure/templates/rc.template

app="myapp1"

# Get full path to helper
# https://stackoverflow.com/questions/38978650/run-a-script-in-the-same-directory-as-the-current-script
script_name="$0"
script_full_path=$(dirname "$0")

daemon="$script_full_path/__helper"

rc_bg=YES

. /etc/rc.d/rc.subr

rc_start() {
  ${rcexec} "${daemon} start ${app}"
}

rc_check() {
  ${rcexec} "${daemon} status ${app}"
}

rc_restart() {
  ${rcexec} "${daemon} phased-restart ${app}"
}

rc_stop() {
  ${rcexec} "${daemon} stop ${app}"
}

rc_cmd $1

/etc/rc.d/__helper

#!/bin/sh

doas -u $2 sh -c "cd /home/$2/$2 && bundle exec pumactl --config-file config/puma.rb $1" --

/home/myapp1/myapp1/config/puma.rb

#!/usr/bin/env puma

app = "myapp1"

ssl_bind "127.0.0.1", "8000", {
  key: "/etc/ssl/private/#{app}.key",
  cert: "/etc/ssl/#{app}.crt"
}
bind "tcp://127.0.0.1:8001"

pidfile "/home/#{app}/#{app}/tmp/puma.pid"
state_path "/home/#{app}/#{app}/tmp/puma.state"

stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", "/home/#{app}/#{app}/log/puma_errors.log"

environment "production"

/home/myapp1/myapp1/config/environments/production.rb

Rails.application.configure do
  [...]
  
  # We won't be using NGiNX or Apache, so comment this out
  # config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
  
  # Force all access to the app over SSL, use Strict-Transport-Security and secure cookies
  config.force_ssl = true
  
  [...]
end

Based on:

• Enable HTTPS with acme-client(1) and Let’s Encrypt on OpenBSD
• httpd and relayd on OpenBSD
• StackOverflow: OpenBSD relay, https proxy for multiple domains

Huge thanks to Aaron D.P., David K., and all the awesome folks in Freenode #openbsd and #ruby.

@cgrepo Hi, sure thanks for asking! Here's how I usually do it:

pkg_add ruby git node

Add Ruby symlinks from post-install message.

Tell Bundler to use OpenBSD's clang instead of gcc. The following should already be present in /etc/zprofile:

export CC=/usr/bin/clang
export CXX=/usr/bin/clang++

Set gem folder:

export GEM_HOME=/home/<app>/.gem

Set up Rails:

su -l <user>
gem install bundler
gem install rails
gem install puma
cd ~/<app>
bundle install
curl -o- -L https://yarnpkg.com/install.sh | zsh
yarn install

Development mode:

bundle exec rails server -b <IP>

Production mode:

bundle exec rails assets:precompile RAILS_ENV=production
rcctl enable <app>
rcctl start <app>

thank you very much recently openbsd 6.6 and 6.7 have just improved a lot about this here is what i did but not tested in production so it is just the install process and creation of a new project -----root---- # pkg_add ruby chose 2.7 # pkg_add ruby27-nokorigi # pkg_add node # npm install -g yarn ---- user ---- $ gem27 install -N --user-install rails $ vi .profile add $HOME/.gem/ruby/2.7/bin $ rails27 new [appname] will fail.. $ cd [appname] appname $ bundle27 install --path $HOME/.gem success! appname $ rails27 webpack:install sucess! appname$ bundle27 exec rails27 s work! ok hope it helps in some, thanks again.

…

________________________________ From: anon987654321 <notifications@github.com> Sent: Tuesday, May 19, 2020 9:56 PM To: anon987654321 <anon987654321@noreply.github.com> Cc: Carlos Albino Garcia Grijalba <genesis62@hotmail.com>; Mention <mention@noreply.github.com> Subject: Re: anon987654321/openbsd_relayd_httpd_puma.md @anon987654321 commented on this gist.

________________________________ @cgrepo<https://github.com/cgrepo> Hi, sure thanks for asking! Here's how I usually do it: Ruby on Rails pkg_add ruby git node Add Ruby symlinks from post-install message. Tell Bundler to use OpenBSD's clang instead of gcc. Remember to also add this to /etc/zprofile. export CC=/usr/bin/clang export CXX=/usr/bin/clang++ Set up Rails: su -l myuser curl -o- -L https://yarnpkg.com/install.sh | zsh echo -n "export GEM_HOME=~/.gem" >> ~/.zshrc echo -n "export PATH=~/.gem/bin:$PATH" >> ~/.zshrc source ~/.zshrc gem install rails gem install puma cd ~/.gem/bin ln -s rails26 rails ln -s puma26 puma ln -s pumactl26 pumactl ln -s nokogiri26 nokogiri ln -s thor26 thor ln -s rackup26 rackup ln -s sprockets26 sprockets Prepare existing apps: cd ~/myapp bundle install yarn install Or: rails new myapp --skip-spring --skip-turbolinks — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://gist.github.com/4532cf8d6c59c1f43ec8973faa031103#gistcomment-3310631>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADWMQF3IQ3ZC2DKW4CKWRZTRSL6BTANCNFSM4NETPU4Q>.

Fantastic! Haven't tried 6.7 yet, but I hear it has TLS 1.3 in relayd which is very good for SEO!

pkg_add ruby27-nokorigi

I don't think that should be necessary. If instead you export GEM_HOME, then Bundler will know where to install the newest version. And ofcourse, no more need for --user-install.

npm install -g yarn

Interesting, I'm reading now. It should be okay. But if root, it is best to install with install.sh for proper integrity checks.

Let's keep in touch, later!

Wow ok i will take a look at the GEM_HOME var did not know that thanks. the nokogiri package were used because when i did not put it at the moment of installing rails it complains. thanks sure we will keep in touche, again thank you very much.

…

________________________________ From: anon987654321 <notifications@github.com> Sent: Thursday, May 21, 2020 6:37 AM To: anon987654321 <anon987654321@noreply.github.com> Cc: Carlos Albino Garcia Grijalba <genesis62@hotmail.com>; Mention <mention@noreply.github.com> Subject: Re: anon987654321/openbsd_relayd_httpd_puma.md @anon987654321 commented on this gist.

________________________________ Fantastic! Haven't tried 6.7 yet, but I hear it has TLS 1.3 in relayd which is very good for SEO! pkg_add ruby27-nokorigi I don't think that should be necessary. If instead you export GEM_HOME, then Bundler will know where to install the newest version. And ofcourse, no more need for --user-install. npm install -g yarn Interesting, I'm reading now. It should be okay. But if root, it is best to install with install.sh for proper integrity checks. Let's keep in touch, later! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://gist.github.com/4532cf8d6c59c1f43ec8973faa031103#gistcomment-3312460>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADWMQF54HKI47OKFSTUPY6TRSTDZVANCNFSM4NETPU4Q>.

@cgrepo Hi! Please reload this gist. A few new files have been added, and the existing ones have all had tons of bugfixes done to them. Unlike the previous setup, this one actually works!

greate news since i just coud not work with webpacker and all that stuff, in just does not work but first i will check it up, really want to keep using OBSD as much as i can. apreciate thanks

…

________________________________ From: anon987654321 <notifications@github.com> Sent: Thursday, June 18, 2020 4:25 AM To: anon987654321 <anon987654321@noreply.github.com> Cc: Carlos Albino Garcia Grijalba <genesis62@hotmail.com>; Mention <mention@noreply.github.com> Subject: Re: anon987654321/openbsd_relayd_httpd_puma.md @anon987654321 commented on this gist.

________________________________ @cgrepo<https://github.com/cgrepo> Hi! Please reload this gist. A few new files have been added, and the existing ones have all had tons of bugfixes done to them. Unlike the previous setup, this one actually works! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://gist.github.com/4532cf8d6c59c1f43ec8973faa031103#gistcomment-3345748>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADWMQF22S5G7UGBKLV7EOZTRXGJNPANCNFSM4NETPU4Q>.

hey did you face this problem? HTTP Origin header (https://mysuper.fancy.app.net) didn't match request.base_url (http://mysuper.fancy.app.net) keeps sending me to login page.

…

________________________________ From: anon987654321 <notifications@github.com> Sent: Thursday, June 18, 2020 4:25 AM To: anon987654321 <anon987654321@noreply.github.com> Cc: Carlos Albino Garcia Grijalba <genesis62@hotmail.com>; Mention <mention@noreply.github.com> Subject: Re: anon987654321/openbsd_relayd_httpd_puma.md @anon987654321 commented on this gist.

________________________________ @cgrepo<https://github.com/cgrepo> Hi! Please reload this gist. A few new files have been added, and the existing ones have all had tons of bugfixes done to them. Unlike the previous setup, this one actually works! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://gist.github.com/4532cf8d6c59c1f43ec8973faa031103#gistcomment-3345748>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADWMQF22S5G7UGBKLV7EOZTRXGJNPANCNFSM4NETPU4Q>.

On Openbsd 6.9 i receive an empty reply from relayd and on Puma error logs

2021-12-23 19:58:49 +0000 SSL error, peer: 127.0.0.1, peer cert: : #<Puma::MiniSSL::SSLError: OpenSSL error: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1 alert protocol version - 1070>
I have resolved this, changing the forward statements on the relay "http" and relay "https" section using

forward with tls to <rails1> port $rails1_ssl_port
instead of
forward to <rails1> port $rails1_ssl_port

@vtypal @cgrepo Hey guys! I've made a ton of changes since last time. Please see https://github.com/basicfeatures/openbsd-rails and let me know how it goes. Cheers!

ill check it out thanks

…

________________________________ From: basicfeatures ***@***.***> Sent: Monday, December 27, 2021 2:42 AM To: anon987654321 ***@***.***> Cc: Carlos Albino Garcia Grijalba ***@***.***>; Mention ***@***.***> Subject: Re: anon987654321/openbsd_relayd_httpd_puma.md @basicfeatures commented on this gist.

________________________________ @vtypal<https://github.com/vtypal> @cgrepo<https://github.com/cgrepo> Hey guys! I've made a ton of changes since last time. Please see https://github.com/basicfeatures/openbsd-rails and let me know how it goes. Cheers! — Reply to this email directly, view it on GitHub<https://gist.github.com/4532cf8d6c59c1f43ec8973faa031103#gistcomment-4008519>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADWMQF5D6PBOKFT56INP25TUS7HABANCNFSM4NETPU4Q>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>