Basic OpenHTTPd Configuration

OpenHTTPd is a light-weight web server developed by the OpenBSD dev team.


  1. Lean: Small, no plugins
  2. Clean code
  3. Secure: Strict validity checking, privilege separation, strong cryptography
  4. Fast
  5. Easy to configure with good manpage documentation

You'll want to consult the httpd and httpd.conf man pages.


Setting up OpenBSD's default web server, openhttpd, is relatively simple. Start off by copying the example file in /etc/examples/httpd.conf:

$ doas cp /etc/examples/httpd.conf /etc/httpd.conf

Edit the contents of /etc/httpd.conf:

server "" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"

Line 1 says that this block is for the hostname "". On other web servers, this might be known as the virtual host. You will want to change the domain to your personal hostname, such as

Line 2 tells the web server to listen on all IPs on port 80.

The location block (lines 3-6) is used for requesting certificates using ACME. It says that for any request that begins with, look for the documents in the new root /acme. By default, openhttpd chroots to /var/www, so the document root is actually /var/www/acme/. The directive request strip 2 is needed so that openhttpd searches in /var/www/acme/ and not /var/www/acme/.well-known/acme-challenge/.

Lines 7-9 indicate that for all other requests, use the HTTP 302 response to forward the web browser to a new URL address. Any user that connects to your web server using port 80, except for ACME verification, will be forwarded to use TLS on port 443 instead.

Note: You must have a server block listening on port 80. Do not delete this block or else acme-client will not work.

server "" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/"
                key "/etc/ssl/private/"
        location "/pub/*" {
                directory auto index
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2

This block is similar to before. There are only two differences.

Line 2-6 tells the web server to listen on all IPs on port 443. As a result, we need a tls block to specify which SSL certs to use. Later, after you run acme-client, you will need to change the certificate and key to match your real files.

Lines 7-9 say that for any request that begins with should automatically show a directory listing. Normally this is not a good idea for security reasons, but for a public folder it should be fine.

Make sure to replace every instance of with your real hostname, then enable and start the web server:

$ doas rcctl enable httpd
$ doas rcctl start httpd

Let's test to see if the web server is working on port 80. This test should be run on some other computer besides your web server (your home PC or phone is fine). Let's use telnet:

$ telnet 80
GET /index.html HTTP/1.1

You should a response similar to the one below:

HTTP/1.0 302 Found
Date: Tue, 23 Feb 2021 14:01:28 GMT
OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486

<!DOCTYPE html>
<meta charset="utf-8"> 
<title>302 Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
@media (prefers-color-scheme: dark) {
body { background-color: #1E1F21; color: #EEEFF1; }
a { color: #BAD7FF; }
<h1>302 Found</h1>
<address>OpenBSD httpd</address>
Connection closed by foreign host.


If you were unable to establish the connection above, it may be because your firewall? is blocking port 80.

You can ensure pf allows incoming http connections by putting this line into /etc/pf.conf:

pass in quick proto tcp to port {http https}

Then, reload the pf rulesets:

$ doas pfctl -f /etc/pf.conf

Adding TLS

Next, you'll want to request an SSL cert using acme-client. Once you have a valid SSL cert, you'll want to open up /etc/httpd.conf and look for the tls block:

        tls {
                certificate "/etc/ssl/"
                key "/etc/ssl/private/"

Edit these lines so that the certificate and key match the real location of your SSL cert.

Then, restart the web server:

$ doas rcctl restart httpd

To test if your web server has a working SSL cert, use openssl:

$ openssl s_client -connect

You should see the correct SSL subject and issuer:

$ openssl s_client -connect
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
depth=0 CN =
verify return:1
write W BLOCK
Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=R3
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
SSL handshake has read 3730 bytes and written 367 bytes
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES256-GCM-SHA384
    Start Time: 1614233943
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

You can also visit the website using your web browser. Load, then look for the SSL padlock, then view more information about the certificate: