Michael W Lucas - Httpd & Relayd Mastery
2017, Tilted Windmill Press | 1-64235-008-7
I’ve seen Michael Lucas’ name come up (positively) elsewhere (somewhere on the internet!) but I picked this book of his to start with because it’s listed on the OpenBSD books site. (Like the BSD UNIX book I read before it.) I guess I’m making my way through that list somewhat – Lucas’ Absolute OpenBSD is next on my list. (Not that I intend to read everything on the list! That would be fun but after Absolute OpenBSD I think I’m going to pull a non-computer book off the shelf for a change. Or at least something music-adjacent.)
My goals are basically:
- Learn something about OpenBSD and a bit more about UNIX
- Learn something about networking
- Practice it all by migrating the things I’m running on a hetzner server to some computers at my studio in Milwaukee running behind a small OpenBSD VPS (which will save me a little money, too)
Lucas’ writing style is entertaining. He’s a clear writer and the deadpan humor is fun, if sometimes a little grating. (“If you [don’t want to run your web server in a chroot] you’ll need to run a less secure web server.”)
The book covers OpenBSD’s web stack: httpd the web server and relayd the proxy server / load balancer. It’s deliberately terse on the area it covers, which is pretty much every nook and cranny of those two programs, but doesn’t go into detail about the ecosystem surrounding them. That’s been a great way for me to find gaps (sunny and wide-cleft) in my knowledge about networking and UNIX. For example: I don’t know the first thing about packet filtering, and I’ve never used ifconfig directly – or thought about things like ip tables and kernel filter rules and so on, but Lucas assumes you have this background and doesn’t go into much detail when the topics come up.
I installed OpenBSD a few times while I was reading the Berkeley UNIX book. The installation process is actually simple and great, but any slight deviation from the defaults and expectations was a struggle, which I’m hoping to clear up a bit by reading the Absolute OpenBSD book.
I first tried installing OpenBSD on a chromebook – I bought a small handful of them (retired from a middle school I think?) for cheap to use for workshops and misc tasks at the local maker space. They’re modest machines but over-provisioned for OpenBSD at least on paper. The installer creates a number of partitions (9?) by default, which IIRC is actually for security reasons – some partitions are more restricted than others? On a 32GB drive when installing the full system with all packages (OpenBSD calls the collections of software you can choose to install for the base system “sets”) there isn’t quite enough room to fit everything, and I ended up running out of space during installation – though it actually succeeded and dropped me into a seemingly working system minus some of the optional software that couldn’t fit. So that’s OK, although I haven’t yet figured out which bits failed to install since I plan to wipe and try again after reading some more later.
The other difficulty I ran into with the chromebook was that it doesn’t have an ethernet port, and I use a wifi hotspot at home anyway. So at home I installed OpenBSD again into a QEMU VM on my laptop (this time very smooth and easy since QEMU deals with setting up a fake ethernet interface and my virtual drive was set to a comfortable ~100GB) in order to download the wifi drivers the chromebook needed, and then use the QEMU OpenBSD to build a new installer iso with them included. That all seemed to go smoothly too, but after booting from the new image on the chromebook I still couldn’t manage to connect to my hotspot.
Ultimately taking the chromebook to Milwaukee where there’s a wired network and a USB to ethernet dongle I could borrow from a friend worked just fine – except for the whole running out of space thing.
The third install was exceedingly painless since I didn’t really have to do it at all. Before that though, I used an OpenBSD hosting company’s script to install it on a hetzner VPS, which seemed to work fine, but felt like a slightly sketchy way to begin my journey vetting an installer script for a system I don’t really know yet. I already had a (dormant) account with vultr though, and OpenBSD is just one of the options you can choose for a VPS, so I clicked the button and basically that was it.
That vultr VPS has been where I’ve been playing around with httpd and relayd a bit as I read, and (along with my local VM) getting to know a bit more about the system by poking at man pages and fumbling around.
I like the rc system for managing services a lot, it’s so damn simple. (Especially of course compared to systemd which I’ve grown to accept is pervasive in the linux world now, but even compared to my fuzzy memory of init.d systems it feels very nice and simple.)
I’m a bit confused by the doas system, but I haven’t really read much about it yet either, so that stands to reason I guess!
Otherwise I do also miss all my ls* tools, and ip but it’s nice to also begin to discover the common ground and deviations between OpenBSD and linux like ifconfig in the former case and a lack of /proc in the latter for example.
In all, the book covers enough for me to have these programs running in my VPS with the most basic of configurations, but I haven’t gone through any real testing or experimentation yet for setting up the situation I’d like to eventually end up with, which is basically the OpenBSD VM serving fallback pages through httpd as well as some static sites and files that I’d like to have good uptime (the power goes out in Milwaukee sometimes, it’s an old building) with everything else proxied to external machines via relayd and either some ssh tunnels, or maybe via wireguard if I’m feeling plucky. (I’m using tailscale for this purpose now, but I’d like to get to know wireguard eventually.)
While I read the next Lucas book I plan to try making things break, and play around with filtering and relaying traffic with relayd and pf. Hopefully once I get through the next one I’ll have figured out a simple enough setup that I can use to retire my hetzner server and switch over to the OpenBSD VPS for good.
If you see this website go down in the next couple months, you’ll know why!