Monday 18 November 2024


OpenBSD httpd with cgi on FreeBSD
=================================

A short description on how to setup an environment to run
cgi-scripts using the OpenBSD httpd on FreeBSD.

Install packages
----------------
pkg install obhttpd slowcgi

Edit /etc/rc.conf
-----------------
Add the following lines to /etc/rc.conf:

   obhttpd_enable="YES"
   slowcgi_enable="YES"
   slowcgi_flags="-p /var/www"

Slowcgi will create a chroot at the path mentioned in
/etc/rc.conf, in this case: /var/www

Create and populate directories
-------------------------------
Create the directory /var/www and in this directory make
-depending on your cgi-program- at least the directories:

   bin
   cgi-bin
   lib
   libexec
   run

Populate this directory tree with the needed elements, like
bin/sh, lib/libc.so.7, lib/libutil.so.9, libexec/ld-elf.so.1,
and so on.

Use `ldd' to check which libraries you need, f.e.:
ldd /var/www/bin/sh

Add your cgi-script to the /var/www/cgi-bin/ directory.

Test that everything works in the chroot:

   chroot /var/www /cgi-bin/my-super-script.cgi

Allow access to the user `www'
------------------------------
Make sure the permissions of /var/www and everything under
this directory are set in such a way, that the user `www' has
access to the file (reading access, and executing or writing
where needed).

Create the config file
----------------------
Create or edit /usr/local/etc/obhttpd.conf

A small working example:

    chroot "/var/www"
    ext_ip="192.168.1.23"

    server "default" {
       listen on $ext_ip port 80

            root "/htdocs/"

       location "/cgi-bin/*" {
          directory { index "index.cgi" }
          fastcgi socket "/run/slowcgi.sock"
          root "/"
       }
    }


Remember the chroot, the socket "/run/slowcgi.sock" is
relative to the chroot, so it is in fact
/var/www/run/slowcgi.sock (this is the default socket that
slowcgi creates).
Likewise the root for the static files is /var/www/htdocs.

The IP address in the config file is required when running
in jail. Otherwise perhaps just `listen on * port 80' might
be enough.

When convenient, a different port (other than 80) can be
used.

Log files
---------
It can be useful to let the httpd write some logs. Create
the directory /var/www/logs so obhttpd can write the
access.log and error.log.

When you prefer not to have logs, add a line
"no log"
to the server part in the obhttpd.conf file (just before
the closing curly brace).

Basic Auth
----------
Basic auth can be added by creating a htpasswd file and
adding a line to the config. In this example we add basic
auth to the cgi-bin diretory:

    location "/cgi-bin/*" {
       authenticate ThisRealm with "/path/to/htpasswd"
       directory { index "index.cgi" }
       fastcgi socket "/run/slowcgi.sock"
       root "/"
    }

Replace "ThisRealm" with any fancy name for your realm.

Start the services and test
---------------------------
   /usr/local/etc/rc.d/slowcgi start
   /usr/local/etc/rc.d/obhttpd start


Happy cgi-ing!


Last edited: $Date: 2024/11/18 09:16:06 $