Relayd
For now, avoid setting up the web server on port 31337. We will instead use relayd so that the web server can viewed on the default port for https: port 443.
Configuring SSL
In order to provide SSL for the bouncer, you must first configure OpenHTTPd and request a certificate with acme-client.
<Listener listener5>
AllowIRC = false
AllowWeb = true
Host = 127.0.0.1
IPv4 = true
IPv6 = false
Port = 1338
SSL = false
URIPrefix = /
</Listener>
Please read the ZNC wiki to understand the meaning of each option.
You will need to replace bnc.example.com with your actual hostname.
In the listeners, you need to replace 192.168.1.1 and 2001:db8:: with your server's public IPv4 and IPv6 address.
NOTE: Do not replace 127.0.0.1. This is localhost? and must not be changed.
It's recommended to keep the ports 1337 for plaintext, 31337 for SSL, and 1338 for web. This convention is followed on the public servers on IRCNow. Note that znc binds to port 1338 without SSL for the web server. We later use relayd to provide TLS acceleration on port 443.
Packet Filter
If packet filter? is set to deny all incoming connects, you can add this rule to /etc/pf.conf:
pass in log quick proto tcp to port {http https} keep state (max-src-conn 300, max-src-conn-rate 300/60) #relayd web
pass in log quick proto tcp to port {1337 31337} keep state (max 3000, max-src-conn 300) #bnc
To load the new ruleset:
# pfctl -f /etc/pf.conf
Web Panel
While you are at it, you will want to redirect any plaintext requests to the webpanel on port 80 to use SSL on port 443. Add this to /etc/httpd.conf:
server "bnc.example.com" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}
Go ahead and reboot the web server:
$ doas rcctl restart httpd
Control Panel
See usage for help on how to use the controlpanel.