Znc /


For now, avoid setting up the web server on port 31337. We will instead use relayd so that the web server can viewed on the default port for https: port 443.

Configuring SSL

In order to provide SSL for the bouncer, you must first configure OpenHTTPd and request a certificate with acme-client.

<Listener listener5>

        AllowIRC = false
        AllowWeb = true
        Host =
        IPv4 = true
        IPv6 = false
        Port = 1338
        SSL = false
        URIPrefix = /


Please read the ZNC wiki to understand the meaning of each option.

You will need to replace bnc.example.com with your actual hostname.

In the listeners, you need to replace and 2001:db8:: with your server's public IPv4 and IPv6 address.

NOTE: Do not replace This is localhost? and must not be changed.

It's recommended to keep the ports 1337 for plaintext, 31337 for SSL, and 1338 for web. This convention is followed on the public servers on IRCNow. Note that znc binds to port 1338 without SSL for the web server. We later use relayd to provide TLS acceleration on port 443.

Packet Filter

If packet filter? is set to deny all incoming connects, you can add this rule to /etc/pf.conf:

pass in log quick proto tcp to port {http https} keep state (max-src-conn 300, max-src-conn-rate 300/60) #relayd web
pass in log quick proto tcp to port {1337 31337} keep state (max 3000, max-src-conn 300) #bnc

To load the new ruleset:

# pfctl -f /etc/pf.conf

Web Panel

While you are at it, you will want to redirect any plaintext requests to the webpanel on port 80 to use SSL on port 443. Add this to /etc/httpd.conf:

server "bnc.example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"

Go ahead and reboot the web server:

$ doas rcctl restart httpd

Control Panel

See usage for help on how to use the controlpanel.