CONFIGURING APACHE WEBSERVER ON HIGHLY RESTRICTED NETWORKS IN OPENBSD OPERATING SYSTEM


░ PREFACE WORDS

In this post I would like to share some Unix experience I have gained while deploying a website under certain conditions.
The testbed environment was created using VirtualBox 7 on a Windows 7 operating system.

I chose [OpenBSD] because of its unparalleled focus on security and privacy features.
It is also unusual and very unpopular. And of course because of the [OpenBSD slogan]:
Only two remote holes in the default install, in a heck of a long time!

The default desktop manager bundled with OpenBSD is FVWM. Very 90s-ish thing.
It has some interesting abilities that are not so common these days.





If you like the look of the GUI, be sure to check [this post] out.



If for some reason you are not logged into the GUI, type the following:

su
rcctl enable xenodm
rcctl start xenodm

To check the current host name and operating system version:

uname -a

Before we continue, note that most of the operations described in this guide require root privileges,
which can be obtained as follows:

su


▓ INSTALLING SOFTWARE

To make administration substantially easier, I recommend installing the following applications [especially for beginners].

  • nano ► simple [by Unix standards] text editor
  • mc ► orthodox dual-panel file manager [you can even untar archives here]
  • firefox ► browser to check the availability of website
  • apache ► full-fledged web server [because native http server is too basic]

Admin rights couldn't be gained with the usual SUDO command, so to open a privileged console use SU instead:

su

To install software:

pkg_add nano
pkg_add mc
pkg_add apache-httpd
pkg_add hugo
pkg_add firefox


▓ SECURITY & TLS CERTIFICATE PROBLEM

But right after I tried to install some software, the system reported:

TLS handshake failure : certificate verification failed
self signed certificate in certificate chain
empty : can't find XXX 

The core problem here is that in my case I have a third-party organisation trying to control internet traffic as the middle man in the internet chain.
They restricted network operations with a mandatory certificate that needed to be in the system for things to work as they should.

To overcome such limitations, we need to include the correct certificate in the cert store used by the PKG_ADD tool during the update process.
I was able to export the needed certificate in DER format from a web browser on a Windows platform.

As far as I know, VirtualBox doesn't have guest tools to work with, and we can't pass Windows shared folders through to OpenBSD.
So files can be transferred to OpenBSD via USB stick. To use a flash drive you need to configure it manually.

To determine the USB drive ID:

sysctl hw.disknames

If for some reason you can't get an ID, here is a heap of commands to identify the USB flash drive in multiple ways:

dmesg
dmesg | more
dmesg | grep sd0
disklabel sd0

Note that the sd0 ID can be different in your case!

Prepare a folder to mount the USB drive:

mkdir /mnt/pen

Mount the USB drive:

mount /dev/sd0i /mnt/pen

Unmount the USB drive:

umount /mnt/pen

We can't import the DER certificate directly into the OpenBSD cert storage; we need to convert it to PEM format to make things work.

openssl x509 -inform der -in NAME-OF-CERT.der -out NAME-OF-CERT.pem

Then append the converted certificate to the cert.pem storage:

cat NAME-OF-CERT.pem >> /etc/ssl/cert.pem

Tada! Everything should work from now on.

And you can even update the entire distribution:

pkg_add -u
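
The convert-and-append steps above trust whatever file was exported from the browser. As an added example (not part of the original post), the function below performs the same import but first compares the certificate's SHA-256 fingerprint with a value confirmed out of band, keeps a backup of the bundle and skips a certificate that is already present. The function name, argument order and the .bak suffix are assumptions.

```sh
# Added example: import a CA certificate into a trust bundle only after its
# SHA-256 fingerprint matches a value confirmed out of band.
# Usage (as root, values are placeholders):
#   add_trusted_ca NAME-OF-CERT.der 'AA:BB:...' /etc/ssl/cert.pem
# Returns 0 if added or already present, 1 on fingerprint mismatch,
# 2 on unreadable input.
add_trusted_ca() {
    der=$1      # DER file exported from the browser
    want=$2     # expected fingerprint, colons and case are ignored
    bundle=$3   # PEM bundle to extend

    [ -f "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 2; }

    # Same conversion as in the post, kept in a variable instead of a file.
    pem=$(openssl x509 -inform der -in "$der" -outform pem) || return 2

    # Output looks like "SHA256 Fingerprint=AA:BB:..."; keep the hex only.
    got=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256) || return 2
    got=$(printf '%s' "${got#*=}" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$want" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not importing (got $got)" >&2
        return 1
    fi

    # A full base64 line from the signature part identifies the certificate
    # well enough to detect that it was appended before.
    mark=$(printf '%s\n' "$pem" | tail -n 3 | head -n 1)
    if grep -qF -- "$mark" "$bundle"; then
        echo "certificate already in $bundle"
        return 0
    fi

    cp -p "$bundle" "$bundle.bak" || return 2   # keep the previous bundle
    printf '%s\n' "$pem" >> "$bundle"
}
```

The expected fingerprint should come from the organisation that operates the inspecting proxy, not from the same exported file.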


▓ SETTING UP APACHE SERVICE

The main configuration file is located here:

/etc/httpd.conf 

The website source code should be placed here:

/var/www/htdocs/WEBSITE-NAME

To check the Apache configuration:

httpd -n

To enable Apache:

rcctl enable httpd

To start Apache:

rcctl start httpd


▓ USEFUL TIPS FOR NEWBIES

Here are some handy console shortcuts for general use.

Show your location:

pwd

To find a file:

find / -type f -name "file name"

To find a directory:

find / -type d -name "directory name"

To list all programs that contain the word “fetch” in their name:

pkg_info -Q fetch

That was quite a nice dive into the world of obscure and almost forgotten things [from the past?]