The OpenBSD project has undergone a great deal of change in the past year. The open Unix-like operating system removed the Apache httpd server and replaced it with Nginx, only to sub out Nginx soon after for its own httpd server in OpenBSD 5.6, all while trying to revamp OpenSSL with its LibreSSL fork in the wake of Heartbleed.
Now OpenBSD has finally given a look at what httpd is made of and what it can do.
At AsiaBSDCon in Tokyo last week, OpenBSD developer Reyk Floeter presented attendees with an inside look at the new version of the upcoming Web server to be included with May’s OpenBSD 5.7 release. What began as an experiment by Floeter with the Relayd Web engine at last year’s g2k14 General OpenBSD Hackathon quickly evolved into httpd, a new OpenBSD server built on Relayd’s load-balancing application layer gateway, transparent proxy and SSL/TLS gateway, and it replaced Nginx two weeks later in OpenBSD 5.6.
httpd is a secure Web server with straightforward functionality. Consisting of approximately 10,000 lines, httpd serves static files and supports FastCGI and TLS. The server has core features such as directory listing, logging and basic authentication, but Floeter explained that OpenBSD aimed to avoid “featuritis” with a simple release and fewer feature requests.
The full httpd feature listing includes:
- Static files: Serves static files and directories via optional auto-indexing.
- FastCGI: Supports asynchronous and direct FastCGI.
- Non-optional security: Runs change-rooted (chrooted) with privilege separation by default; neither can be switched off.
- SSL/TLS: Supports secure connections via TLS powered by LibreSSL.
- Virtual servers: Uses flexible, name- and IP-based virtual servers.
- Reconfiguration: Reloads the running configuration without interruption.
- Logging: Supports per-server logging via log files or syslog.
- Blocking: Blocks, drops and redirects connections.
On the LibreSSL side, OpenBSD’s “Safer TLS” fork provides httpd’s TLS connections through its new libtls API, which sits atop the libssl/libcrypto libraries. The server uses TLS 1.2 with strong ciphers and key exchange that provides Perfect Forward Secrecy.
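The feature list and the TLS setup above, as one added httpd.conf example; this is my own illustration, not configuration from the article or the OpenBSD project. Directive syntax follows the later httpd.conf(5) manual rather than the 5.7 preview, so details may differ for that release, and every hostname, address, path and socket location is a constructed placeholder.

```conf
# Added example httpd.conf (not from the article or OpenBSD).
# Directive syntax per the httpd.conf(5) manual; hostnames, paths and socket
# locations are constructed placeholders. All paths are relative to the
# chroot (/var/www by default), which httpd enforces for every server.

ext_addr = "*"

# Plain-HTTP server: blocks every request by redirecting it to TLS, so no
# content is ever served in the clear.
server "example.com" {
	alias "www.example.com"
	listen on $ext_addr port 80
	block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

# TLS server for the same name (name-based virtual server).
server "example.com" {
	alias "www.example.com"
	listen on $ext_addr tls port 443
	tls {
		certificate "/etc/ssl/example.com.crt"
		key "/etc/ssl/private/example.com.key"
	}
	root "/htdocs/example.com"
	directory auto index	# directory listing where no index file exists
	log {
		access "example.com-access.log"
		error "example.com-error.log"
	}

	# FastCGI for dynamic content, over a socket located inside the chroot
	location "/app/*" {
		fastcgi socket "/run/app-fcgi.sock"	# constructed path
	}

	# Basic authentication against an htpasswd file inside the chroot
	location "/private/*" {
		authenticate "Private area" with "/htpasswd"
	}

	# Silently drop requests for paths this server never serves
	location "/.git/*" {
		block drop
	}
}

# A second, IP-based virtual server that logs to syslog instead of files.
server "intranet" {
	listen on 192.0.2.10 port 80	# RFC 5737 documentation address
	root "/htdocs/intranet"
	log syslog
}
```

`httpd -n` checks the file for syntax errors without starting the server, and a running httpd picks up an edited file on reload without dropping existing connections, which is the "reconfiguration without interruption" item in the feature list. Note that both `server` blocks carry the same name on purpose: httpd matches a request by name and listen address, so the port-80 block exists only to redirect, while all content and the authentication and FastCGI locations live behind TLS.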
OpenBSD plans to add additional features, including Server Name Indication and client certificates, before httpd is officially released on May 1 along with OpenBSD 5.7.
Floeter’s full presentation is available here.