CONFIGURING APACHE WEBSERVER ON HIGHLY RESTRICTED NETWORKS IN OPENBSD OPERATING SYSTEM
░ PREFACE WORDS
In this post I would like to share some Unix experience I have gained while deploying a website under certain conditions.
The testbed environment was created using VirtualBox 7 on a Windows 7 operating system.
I chose [OpenBSD]
because of it’s unparalleled focus on security and privacy features.
It is also unusual and very unpopular. And of course because of [OpenBSD slogan]
:
Only two remote holes in the default install, in a heck of a long time!
The default desktop manager bundled with OpenBSD is FVWM. Very 90s-ish thing.
It has some interesting abilities that are not so common these days.
If you like the look of the GUI, be sure to check [this post] out.
If for some reason you are not logged into the GUI. Type the following:
su
rcctl enable xenodm
rcctl start xenodm
To check the current name host and operating system version:
uname -a
Before we continue, take a note that most of the operations described in this guide require root privileges
Which can be executed as follows:
su
▓ INSTALLING SOFTWARE
To improve your administration process substantially i recommend to install following applications [especially for beginners].
- nano ► simple [by Unix standards] text editor
- mc ► orthodox dual-panel file manager [you can even untar archives here]
- firefox ► browser to check the availability of website
- apache ► full-fledged web server [because native http server is too basic]
Admin rights couldn’t be gained by usual SUDO command, so to execute admin privileged console use SU instead:
su
To install software:
pkg_add nano
pkg_add mc
pkg_add apache-httpd
pkg_add hugo
pkg_add firefox
▓ SECURITY & TLS CERTIFICATE PROBLEM
But right after i tried to install some software the system reported with:
TLS handshake failure : certificate verification failed
self signed certificate in certificate chain
empty : can't find XXX
The core problem here is that in my case i have a third-party organisation trying to control internet traffic as the middle man in the internet chain.
They restricted network operations with a mandatory certificate that needed to be in the system for things to work as they should.
To overcome such limitations, we need to include the correct certificate in the cert store used by the PKG_ADD tool during the update process.
I’ve been able to export needed certificate in DER format from a web browser on a Windows platform.
As far as i know, VirtualBox doesn’t have guest tools to work with and we can’t pass-through Windows shared folders to OpenBSD.
So files can be transferred to OpenBSD via USB stick. To use a flash drive you need to configure it manually.
To determine USB drive ID:
sysctl hw.disknames
If for some reason you can’t get an ID, here is a heap of commands to specify the USB flash ID in a multiple ways:
dmesg
dmesg | more
dmesg | grep sd0
disklabel sd0
Note that sd0 ID can be different in your case!
Prepare folder to mount USB drive:
mkdir /mnt/pen
Mount USB drive:
mount /dev/sd0i /mnt/pen
Unmount USB drive:
umount /mnt/pen
We can’t import the DER certificate directly into the OpenBSD cert storage, we need to convert it to PEM format to make things work.
openssl x509 -inform der -in NAME-OF-CERT.der -out NAME-OF-CERT.pem
Then append the converted certificate to cert.pem storage:
cat NAME-OF-CERT.pem >> /etc/ssl/cert.pem
Tada! Everything should work from now on.
And you can even update the entire distribution:
pkg_add -u
▓ SETTING UP APACHE SERVICE
Main configuration file is located here:
/etc/httpd.conf
Website source code should be placed here:
/var/www/htdocs/WEBSITE-NAME
To check Apache configuration:
httpd -n
To enable Apache:
rcctl enable httpd
To start Apache:
rcctl start httpd
▓ USEFUL TIPS FOR NEWBIES
Here are some handy console shortcuts for general use.
Show your location:
pwd
To find file:
find / -type f -name "file name"
To find directory:
find / -type d -name "directory name"
To list all programs that contain the word “fetch” in their name:
pkg_info -Q fetch
That was quite a nice dive into the world of obscure and almost forgotten things [from the past?]