~henryprecheur/openbsd-webhosting

How to host multiple domains with OpenBSD with Nginx

# Multi-domain hosting with OpenBSD and Nginx

This repository generates the configuration files needed to statically host multiple sites with OpenBSD 7.6 and Nginx. It also generates the acme-client.conf file needed to obtain SSL certificates for each domain from Let’s Encrypt.

Each domain is served from its own directory under /var/www/htdocs. For example.com, Nginx serves files from /var/www/htdocs/example.com.

This guide assumes you have the repository cloned on your server, and that the user has doas root access.

First install Nginx:

$ doas pkg_add nginx

Now let’s set up a basic Nginx configuration to get the SSL certificates from Let’s Encrypt. We do this before generating the configuration for all the domains because Nginx won’t start if any SSL certificates or keys are missing:

$ make etc/nginx/nginx.conf
...
$ doas cp etc/nginx/common.conf /etc/nginx/common.conf
$ doas cp etc/nginx/nginx.conf /etc/nginx/nginx.conf
$ doas rcctl enable nginx
$ doas rcctl start nginx

At the root of the repository, add a file named domains.txt with the list of domains you want to host, one domain per line:

$ cat domains.txt
example.com
example2.com

Now let’s get the certificates from Let’s Encrypt. We’ll generate acme-client.conf and the weekly.local script that executes acme-client for all our domains. This script will also run every week to renew the certificates if they are about to expire:

$ make etc/weekly.local etc/acme-client.conf
...
$ doas cp etc/acme-client.conf /etc/acme-client.conf
$ doas cp etc/weekly.local /etc/weekly.local
$ doas chmod 644 /etc/weekly.local /etc/acme-client.conf
$ doas sh -ex /etc/weekly.local
...

If the script ran successfully all the certificates should be present in /etc/ssl:

$ doas find /etc -name '*.crt'
/etc/ssl/example.com.crt
/etc/ssl/example2.com.crt
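
Because Nginx refuses to start when a certificate is missing, the check above can be scripted against domains.txt before the final configuration is installed. The following is an added example, not part of the repository: the function names and the optional expiry threshold are hypothetical, while the domains.txt format and the /etc/ssl/<domain>.crt naming come from this page.

```sh
#!/bin/sh
# Added example, not part of the repository.
# From the page: domains.txt (one domain per line), /etc/ssl/<domain>.crt.
# Hypothetical: function names, the optional expiry threshold argument.

# Accept only plain DNS names (letters, digits, hyphens, dots), so nothing
# else in domains.txt can end up inside a generated configuration file.
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: check_domains DOMAINS_FILE [CERT_DIR] [MIN_SECONDS_LEFT]
# Prints one line per problem and returns non-zero if any was found.
check_domains() {
    domains_file=$1
    cert_dir=${2:-/etc/ssl}
    min_left=${3:-}
    rc=0
    # The "|| [ -n ... ]" part keeps a last line without a trailing newline.
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -z "$domain" ] && continue
        if ! valid_domain "$domain"; then
            echo "invalid: $domain"; rc=1; continue
        fi
        crt="$cert_dir/$domain.crt"
        if [ ! -s "$crt" ]; then
            # Absent or empty file: nginx would fail to load it.
            echo "missing: $domain"; rc=1
        elif [ -n "$min_left" ] &&
            ! openssl x509 -in "$crt" -noout -checkend "$min_left" >/dev/null 2>&1
        then
            # Unparseable, or expires within MIN_SECONDS_LEFT seconds.
            echo "expiring: $domain"; rc=1
        fi
    done < "$domains_file"
    return "$rc"
}
```

After sourcing the file, `check_domains domains.txt /etc/ssl 2592000` reports any domain whose certificate is absent, unreadable or within 30 days of expiry.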

Before we proceed, we also have to create the log files for each individual domain. Because by default /var/www/logs is owned by root, these files can’t be created by nginx since it runs as the www user:

$ doas create_nginx_logfiles.sh

Now we can install the final nginx configuration:

$ make etc/nginx/nginx.conf
$ doas cp etc/nginx/ssl.conf /etc/nginx/ssl.conf
$ doas cp etc/nginx/nginx.conf /etc/nginx/nginx.conf

And reload the new nginx configuration:

$ doas nginx -t && doas rcctl reload nginx

Finally, we need to rotate the nginx log files to ensure they don’t grow indefinitely, so we’ll update the newsyslog configuration to rotate these logs:

$ make etc/newsyslog.conf
$ doas cp etc/newsyslog.conf /etc/newsyslog.conf

If you have any issues with this process, or think it could be improved, feel free to open a ticket or email me.