I just recently installed OpenBSD 6.3, and I was looking for an example
httpd.conf, but I did not find one. The manual page does document
more or less how to create one, but there still appears to be some lack
of ease and safety putting up a basic web page with dynamic content (I
am most used to PHP and PostgreSQL for that purpose, but of course
there are many options that more or less replace the ubiquitous "LAMP"
or "Linux/Apache/MySQL/PHP" stack).

Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
directive. Of course the real user directory has to dwell somewhere in
the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
course, is wildcard subdomains, but those do not really cooperate all
that well with https, dnssec, or caa records, or with certain other
general goals of security.

The other thing I am curious about is something like "su-php" which
appears to be deprecated and outdated. So, assuming some sort of UserDir
scenario, (probably more sophisticated than my very basic one I
have hacked together below,) does php-fpm have a way to prevent one
user's malicious php script from reading another user's database
access credentials?

====%<--------------------------------------------
# /etc/httpd.conf for amarillo.colmena.biz

server "default" {
        listen on * port 80
        listen on :: port 80
        listen on * tls port 443
        listen on :: tls port 443
        tls certificate "/etc/ssl/fullchain.pem"
        directory index index.php
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
        location match "/~justina/.*%.php" {
                root "/justina"
                root strip 1
                fastcgi socket "/run/php-fpm.sock"
        }
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
        location "/~justina/*" {
                root "/justina"
                root strip 1
                directory auto index
        }
        location "/~justina" {
                block return 301 "/~justina/"
        }
}
types {
        include "/usr/share/misc/mime.types"
}

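As an added example (not part of the post above, and not OpenBSD's or PHP's stock configuration), the following php-fpm pool configuration shows the usual answer to the per-user isolation question: one pool per user, each pool running its workers under that user's own uid/gid and listening on its own socket. The `[www]` pool at the top is the shared-uid arrangement that lets any script read any other user's files; the two pools below it are the separated form. The pool names, the second user `alice`, the socket names and the `/var/www/users/...` layout are assumptions for illustration; `/var/www` as the chroot and `www` as httpd's user are the OpenBSD defaults.

```ini
; Weak arrangement: every site's PHP runs as the same uid, so a
; script in one user's directory can open another user's config file.
; (This mirrors the shape of the stock single-pool setup; shown only
; as the "before".)
;[www]
;user = www
;group = www
;listen = /var/www/run/php-fpm.sock
;chroot = /var/www

; Separated arrangement: one pool per user. The worker processes for
; each pool run as that user, so file modes of 0600/0700 on a user's
; own files are enforced by the kernel against the other pools.
[justina]
user = justina
group = justina
; Socket path is on the host filesystem; httpd (chrooted to /var/www)
; reaches it as /run/php-fpm-justina.sock.
listen = /var/www/run/php-fpm-justina.sock
; Only httpd's uid may connect to this pool's socket.
listen.owner = www
listen.group = www
listen.mode = 0660
; Keep the same chroot as httpd so script paths passed over FastCGI
; resolve identically on both sides.
chroot = /var/www
; Restrict this pool to its own directory tree (path assumed).
php_admin_value[open_basedir] = /users/justina:/tmp
; Refuse to execute anything that is not a .php file, even if httpd
; passes it through.
security.limit_extensions = .php
; Spawn workers on demand so idle per-user pools cost nothing.
pm = ondemand
pm.max_children = 4
pm.process_idle_timeout = 10s

[alice]
user = alice
group = alice
listen = /var/www/run/php-fpm-alice.sock
listen.owner = www
listen.group = www
listen.mode = 0660
chroot = /var/www
php_admin_value[open_basedir] = /users/alice:/tmp
security.limit_extensions = .php
pm = ondemand
pm.max_children = 4
pm.process_idle_timeout = 10s
```

On the httpd side each user's `location match` block then points `fastcgi socket` at its own chroot-relative path (`"/run/php-fpm-justina.sock"` rather than the shared `"/run/php-fpm.sock"`), and each user's web root under the chroot is owned by that user with mode 0700 or 0750, with any file holding database credentials at 0600. The isolation comes from the uid split plus those file modes; `open_basedir` is a second layer, not a substitute for them, since it is enforced by PHP rather than the kernel. Both accounts must exist on the host (php-fpm switches uid before entering the chroot), and with `pm = ondemand` the master process still needs to start as root to do that switch.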