4get_openbsd

Differences

This shows you the differences between two versions of the page.

4get_openbsd [2025/02/09 03:30] – created ethan4get_openbsd [2025/04/20 11:34] (current) ethan
Line 1: Line 1:
 ======4get on OpenBSD====== ======4get on OpenBSD======
-this is a guide showing how to install [[https://git.lolcat.ca/lolcat/4get/|4get]] on [[OpenBSD]], and host it with [[https://man.openbsd.org/httpd|httpd(8)]].+this is a guide showing how to install [[https://git.lolcat.ca/lolcat/4get/|4get]] on [[https://openbsd.org|OpenBSD]], and host it with [[https://man.openbsd.org/httpd|httpd(8)]].
 =====dependencies===== =====dependencies=====
 ====git==== ====git====
Line 31: Line 31:
 <code bash> <code bash>
 pkg_add php-curl-8.2.27 pkg_add php-curl-8.2.27
 +</code>
 +
 +php runs in the webserver chroot (/var/www) for security. curl will look for /etc/ssl/cert.pem, a file that contains the public keys of certificate authorities so that it can verify https connections, but will be unable to find it since it is in the actual root (/).
 +
 +create /var/www/etc/ssl/ and copy cert.pem into it.
 +<code bash>
 +mkdir -p /var/www/etc/ssl
 +cp /etc/ssl/cert.pem
 </code> </code>
  
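Review bot: the added `cp /etc/ssl/cert.pem` has no destination operand, so the command exits with a usage error and the chroot never receives the CA bundle; it should read `cp /etc/ssl/cert.pem /var/www/etc/ssl/`. The copy is also a one-time snapshot: when the base system's /etc/ssl/cert.pem changes after an upgrade, the chroot copy goes stale and curl inside php keeps trusting the old set, so the guide should tell the reader to repeat the copy after upgrades. Wording nit in the added paragraph: cert.pem holds the certificate authorities' certificates, not bare public keys.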
Line 81: Line 89:
 </code> </code>
 > if you get no errors everything is probably in working order. > if you get no errors everything is probably in working order.
 +=====httpd.conf=====
 +you will need a new server block in your [[https://man.openbsd.org/httpd.conf|httpd.conf]] for 4get. for this guide, I will be using the domain [[http://search.yonderly.org|search.yonderly.org]].
 +<file /etc/httpd.conf bash>
 +server "search.yonderly.org" {
 + listen on egress port http
 + listen on egress tls port https
 +
 + tls {
 +  certificate "/etc/ssl/search.yonderly.org.crt"
 +  key "/etc/ssl/private/search.yonderly.org.key"
 + }
 +
 + location "/.well-known/acme-challenge/*" {
 +  root "/acme"
 +  request strip 2
 + }
 +
 + root "/4get"
 +
 + location "/" {
 +  request rewrite "/index.php"
 +  
 +  fastcgi socket "/run/php-fpm.sock"
 + }
 + location match "^([^\.]+)$" {
 +  request rewrite "/%1.php"
 +  
 +  fastcgi socket "/run/php-fpm.sock"
 + }
 +
 + location "/data" { block drop }
 +}
 +</file>
 +
 +=====acme-client.conf=====
 +for tls, OpenBSD provides [[https://man.openbsd.org/acme-client|acme-client]], which allows easy creation of certificates for domains. we will use Let's Encrypt as our certificate provider.
 +<file bash /etc/acme-client.conf>
 +authority letsencrypt {
 + api url "https://acme-v02.api.letsencrypt.org/directory"
 + account key "/etc/acme/letsencrypt-privkey.pem"
 +}
 +domain search.yonderly.org {
 + domain key "/etc/ssl/private/search.yonderly.org.key"
 + domain full chain certificate "/etc/ssl/private/search.yonderly.org.crt"
 + sign with letsencrypt
 +}
 +</file>
 +=====4get=====
 +go to /var/www/ and clone 4get's repository.
 +<code bash>
 +cd /var/www
 +git clone https://git.lolcat.ca/lolcat/4get
 +</code>
 +it will now sit at /var/www/4get, accessible as /4get by httpd.
 +
 +you also need to set the permissions of icons/.
 +<code bash>
 +chmod -R 777 ./icons/
 +</code>
 +=====finalizing=====
 +there are a few last steps before 4get is public.
 +====daemons====
 +if you haven't enable php*_fpm and httpd, you will need to do so.
 +<code bash>
 +rcctl enable php82_fpm
 +rcctl enable httpd
 +</code>
 +then, bring up or restart them.
 +<code bash>
 +rcctl restart php82_fpm
 +rcctl restart httpd
 +</code>
 +the website should now be accessible through http.
 +
 +====acme-client====
 +the certificates defined in httpd.conf and acme-client.conf haven't been generated, so https is not available. acme-client needs to be run.
 +<code bash>
 +acme-client -v search.yonderly.org
 +</code> 
 +
 +now that the certificates are generated, restart httpd so it uses them.
 +<code bash>
 +rcctl restart httpd
 +</code>
 +the website should now be accessible through https.
 +===cronjob===
 +to prevent the website's certificate from becoming obsolete, it is good practice to create a cron job to check and create the certificate.
 +<code bash>
 +doas crontab -e
 +</code>
 +go to the bottom of the file and enter in a new line:
 +<file bash crontab>
 +...
 +~  *  *  *  *  acme-client search.yonderly.org
 +</file>
 +this will make the system run acme-client every hour for search.yonderly.org.
 +{{tag>openbsd www httpd}}
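Review bot: the certificate paths in the two added config files disagree: httpd.conf loads `certificate "/etc/ssl/search.yonderly.org.crt"` while acme-client.conf writes `domain full chain certificate "/etc/ssl/private/search.yonderly.org.crt"`, so httpd will not find the file acme-client produces and the tls listener cannot come up; point both at the same path, keeping only the key under private/. In the same server block, `location "/data" { block drop }` sits after `location match "^([^\.]+)$"`, and httpd applies the first matching location, so a request for /data is rewritten to /data.php before the block is reached, and the glob "/data" does not cover anything beneath the directory either; move the rule above the rewrite locations and write it as "/data/*". `chmod -R 777 ./icons/` is shown right after `cd /var/www`, where there is no icons/ (it is under 4get/), and it makes the directory world-writable inside the chroot; give ownership to the user php-fpm runs as and use a mode without world write instead. The crontab line renews the certificate but never reloads httpd, so a renewed certificate is not served until someone restarts the daemon by hand; append `&& rcctl reload httpd` to the entry. The plain http listener also serves the full site with no redirect to https, which is worth a sentence in the guide.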
4get_openbsd.1739071852.txt.gz · Last modified: 2025/02/09 03:30 by ethan

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal