157842f Re-add missing semicolon
~henryprecheur pushed to ~henryprecheur/openbsd-webhosting git
This will generate the configuration files necessary to statically host multiple sites with OpenBSD 7.6 and Nginx. It also includes the acme-client.conf file needed to generate SSL certificates for each domain with Let’s Encrypt.
Each domain will be served from /var/www/htdocs. For example.com, you will have a directory /var/www/htdocs/example.com that Nginx reads to serve that domain’s files.
This guide assumes you have the repository cloned on your server, and that the user has doas root access.
First install Nginx:
$ doas pkg_add nginx
Now let’s set up a basic Nginx configuration to get the SSL certificates from Let’s Encrypt. We do this before generating the configuration for all the domains because Nginx won’t start if any SSL certificates or keys are missing:
$ make etc/nginx/nginx.conf
...
$ doas cp etc/nginx/common.conf /etc/nginx/common.conf
$ doas cp etc/nginx/nginx.conf /etc/nginx/nginx.conf
$ doas rcctl enable nginx
$ doas rcctl start nginx
At the root of the repository, add a file named domains.txt with the list of domains you want to host, one domain per line:
$ cat domains.txt
example.com
example2.com
Now let’s get the certificates from Let’s Encrypt. We’ll generate the acme-client.conf file and the weekly.local script that executes acme-client for all our domains. This script will also run every week to renew the certificates if they are about to expire:
$ make etc/weekly.local etc/acme-client.conf
...
$ doas cp etc/acme-client.conf /etc/acme-client.conf
$ doas cp etc/weekly.local /etc/weekly.local
$ doas chmod 644 /etc/weekly.local /etc/acme-client.conf
$ doas sh -ex /etc/weekly.local
...
If the script ran successfully, all the certificates should be present in /etc/ssl:
$ doas find /etc -name '*.crt'
/etc/ssl/example.com.crt
/etc/ssl/example2.com.crt
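A pre-flight check for this step, as an added example that is not part of the repository: it rejects domains.txt lines that are not plain hostnames (each line ends up in file paths and generated configuration) and reports any domain whose certificate file is missing. The function names, the SSL_DIR variable and the <cert_dir>/<domain>.crt naming (taken from the find output above) are assumptions.

```shell
#!/bin/sh
# Pre-flight check before installing the final Nginx configuration (added example).
# Assumption: certificates are named <cert_dir>/<domain>.crt, as in the find
# output above. Function names and SSL_DIR are hypothetical.

# Succeeds only for a plain lowercase DNS name: labels of a-z, 0-9 and '-',
# at least one dot, no empty labels, no label starting or ending with '-'.
# This keeps '/', '..', ';' and whitespace out of paths and generated configs.
valid_domain() {
    case "$1" in
        ""|*[!a-z0-9.-]*) return 1 ;;   # empty, or a character outside the set
        .*|*.|*..*) return 1 ;;         # empty label
        -*|*-|*.-*|*-.*) return 1 ;;    # label starts or ends with '-'
        *.*) ;;                         # at least two labels
        *) return 1 ;;
    esac
    [ "${#1}" -le 253 ]                 # overall DNS name length limit
}

# Usage: check_domains domains.txt [cert_dir]
# Prints one line per problem; returns 0 only if every listed domain is valid
# and has a non-empty certificate file.
check_domains() {
    list=$1 dir=${2:-${SSL_DIR:-/etc/ssl}} rc=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -n "$domain" ] || continue    # skip blank lines
        if ! valid_domain "$domain"; then
            echo "invalid: $domain"; rc=1
        elif [ ! -s "$dir/$domain.crt" ]; then
            echo "missing: $dir/$domain.crt"; rc=1
        fi
    done < "$list"
    return $rc
}
```

After sourcing the file, run `check_domains domains.txt` from the repository root; a non-zero status means the final nginx.conf should not be installed yet.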
Before we proceed, we also have to create the log files for each individual domain. Because /var/www/logs is owned by root by default, nginx can’t create these files itself, since it runs as the www user:
$ doas create_nginx_logfiles.sh
Now we can install the final nginx configuration:
$ make etc/nginx/nginx.conf
$ doas cp etc/nginx/ssl.conf /etc/nginx/ssl.conf
$ doas cp etc/nginx/nginx.conf /etc/nginx/nginx.conf
And reload the new nginx configuration:
$ nginx -t && doas rcctl reload nginx
Finally, we need to rotate the nginx log files so they don’t grow indefinitely. We’ll update the newsyslog configuration to rotate these logs:
$ make etc/newsyslog.conf
$ doas cp etc/newsyslog.conf /etc/newsyslog.conf
If you have any issues with this process, or think it could be improved, feel free to open a ticket or email me.