NHTTPD(8) System Manager's Manual NHTTPD(8) NAME nhttpd - Nostromo webserver SYNOPSIS nhttpd [-dhvr46] [-c configfile] DESCRIPTION nhttpd is a simple, fast and secure HTTP server. It runs as a single process, handling connections with select(2). For CGIs and directory listing it does fork(2). nhttpd has the minimum of HTTP/1.1 and CGI/1.1 implemented. Also supported are; chroot, setuid, basic authentication, SSL, IPv6, custom responses, aliases, and virtual hosts. To stop the server send a SIGTERM signal to the PID. The access log is written in standard CLF format. After changes in the configfile, nhttpd needs to be restarted, except for changes of the parameters described in the CONFIGURATION RELOAD section. CGIs are recognized by the file world executable flag. If it is set, the file is handled as CGI and will be executed. Therefore it is possible to use a CGI as index naming it like defined by the docindex option. Whether a file or directory is accessible by nhttpd is decided by its world readable flag. If it is not set on a file or directory, it can't be accessed and a 403 Forbidden response will be sent. OPTIONS -d Enable debug mode. More informations about ongoing processes are written to the syslog(3) LOG_DAEMON facility. Be careful, the logs will grow very quickly in debug mode. -h Prints short listing of nhttpd options. -v Prints version. -r nhttpd will chroot(2) to serverroot. If you use this option, you have to change docroot, virtual hosts, and aliases in configfile to paths within your serverroot. -4 Enable IPv4 and IPv6. -6 Enable IPv6 only. -c configfile Uses configfile as configuration file. If this option is not set, /var/nostromo/conf/nhttpd.conf will be used by default. CONFIGURATION RELOAD Parts of the configuration can be reloaded by sending a SIGHUP signal to the PID. Those are the following configfile parameters for which configuration reload works: logaccess htaccess custom_401 custom_403 custom_404 homedirs homedirs_public For changes in the configfile sections ALIASES and VIRTUAL HOSTS no reload is required at all. All other parameter changes require a full restart of the nhttpd process to get effective. What also happens during a SIGHUP is that the basic authentication credentials cache gets cleared. This can be useful if you have set a new user password and want to have it effective immediately instead of giving a user the ability to still login with the old, cached password. SETUID For security reasons it is recommended to run nhttpd under an extra user. To do that create a new user on your system which has a valid entry in the /etc/passwd file. Then set the user option in your configfile to that user. It is necessary to start nhttpd as root, so it can switch to that user afterwards. If the user option is not set, nhttpd will run under the user who started it, except root! Be sure that the permissions on your docroot are set correct, as nhttpd needs write permissions at least on the logs directory. BASIC AUTHENTICATION To ask for basic authentication on certain directories within your docroot you have to create a file in that directory named like set by the htaccess option in your configfile. The htaccess file should contain one line including the realm option like in this example: realm Unix Developers Realm If the realm option can not be parsed from the htaccess file, it will be set to a default value saying 'unknown realm'. The list of authorized users and their passwords (DES encrypted) are stored in the file set by the htpasswd option in configfile. To create a new user entry in this file, use the crypt tool. On BSD systems it is also possible to use the BSD authentication framework. To do that, set the +bsdauth keyword in the htpasswd option instead of a filename. You are then able to authenticate via your operating system users. Be aware that +bsdauth requires a SSL connection to work, because you normally don't want to send your operating system password unencrypted over the network. If this condition is not met, the caller receives a 403 Forbidden response directly. You can allow none SSL connections to do BSD authentication by setting the +bsdauthnossl option. Be sure that you really want that! Note: BSD authentication works just on OpenBSD for now. All subdirectories below the htaccess file are protected automatically. The client will be prompted for basic authentication if accessing such a protected directory. SSL nhttpd uses the OpenSSL library, so be sure you have it installed on your system if you want to use SSL. To activate SSL uncomment sslport which is the port where we will listen for SSL connections, sslcert which is the certificate file, and sslcertkey which is the certificate key file. If the certificate and the key are correct nhttpd will startup with a log entry for SSL activation in the log, otherwise it will complain and the startup is aborted. After a successful startup we are able to handle secure HTTPS connections. CUSTOM RESPONSES If an error response occurs the server will normally send a default answer saying for example 404 Not Found. Instead of this default response, you can define your personal responses, using the custom response options in the configfile. There you define an html file which will be displayed instead of the default response. The custom response html file will be searched in every defined docroot, what means in your default docroot and every virtual host. So you can define different custom responses for each virtual host. If a custom response is defined but the corresponding html file is not found, the default response will be send. Supported custom responses are: 401 Unauthorized 403 Forbidden 404 Not Found ALIASES With aliases you can create a fake path which will point to a real path. For example, to let all links starting with /icons point to another path, just add the following line in your configfile: /icons /var/nostromo/icons VIRTUAL HOSTS To serve virtual hosts, just add a line for each virtual host in configfile with the domain name as option and port if not 80, and the docroot of that virtual host, as in this example: www.rahel.ch /var/nostromo/htdocs/www.rahel.ch www.nazgul.ch:81 /var/nostromo/htdocs/www.nazgul.ch For each virtual host a separate access_log is written automatically with the following syntax as example: access_log-www.rahel.ch access_log_www.nazgul.ch:81 HOMEDIRS To serve the home directories of your users via HTTP, enable the homedirs option by defining the path in where the home directories are stored, normally /home. To access a users home directory enter a ~ in the URL followed by the home directory name like in this example: http://www.nazgul.ch/~hacki/ The content of the home directory is handled exactly the same way as a directory in your document root. If some users don't want that their home directory can be accessed via HTTP, they shall remove the world readable flag on their home directory and a caller will receive a 403 Forbidden response. Also, if basic authentication is enabled, a user can create an .htaccess file in his home directory and a caller will need to authenticate. You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option. FILES /var/nostromo/conf/nhttpd.conf server configuration /var/nostromo/conf/mimes mime types /var/nostromo/logs/nhttpd.pid pid file /var/nostromo/logs/access_log http log /usr/local/sbin/crypt create user with DES password /usr/local/sbin/nhttpd http daemon HISTORY First version of nhttpd appeared in 2004. THANKS Thanks to Marc Balmer, Daniel Hartmeier, Boris Meyer, and Wouter Schoot for their support. AUTHORS Marcus GlockerOpenBSD 7.2 April 10, 2016 OpenBSD 7.2