project: d.r.e.a.m

This documentation is no longer maintained. It may be out of date, or simply wrong. I will leave it online, as long as it think it may still be useful.

fnord mini HOWTO

fnord is a small, fast and secure httpd. It is written and maintained by Felix von Leiter. fnord requires an inetd-like superdaemon, to accept TCP Connection. In this HOWTO, we will use tcpserver from the UCSPI-TCP Package, which was written by Dan Bernstein.

Requirements for this setup:

• recent version of daemontools
• recent version of the dietlibc
• recent version of ucspi-tcp
• recent version of the complete OpenSSL Distribution
• recent version of ucspi-ssl
  instead of ucspi-ssl, you may want to patch ucspi-tcp

fnord as plain http server

First, we need to compile and install fnord, and set it up as a plain http server. This step doesn't require OpenSSL or stunnel

• Obtain the latest version of fnord from http://www.fefe.de
• Unpack the sources, chdir to the newly created directory and run make
• Copy the compiled binary fnord to /command, and create a symlink to fnord-httpd
• create user fnord and fnordlog
• create /etc/fnord,/etc/fnord/{log,env} and /var/log/fnord with correct permissions using the following command:
  

  # mkdir -p /etc/fnord/{log,env}
  # mkdir /var/log/fnord
  # chmod -R 700 /etc/fnord
  # chown fnordlog.fnordlog /var/log/fnord
  

• create the configuration for fnord
  
  • /etc/fnord/run
    

    # cat <<'EOF' >/etc/fnord/run
    #!/bin/sh
    DOCROOT=`head -1 ./env/DOCROOT`
    USER=`head -1 ./env/USER`
    cd ${DOCROOT}
    exec envuidgid ${USER} tcpserver -RHl localhost 0 80 /command/fnord-httpd 2>&1
    EOF
    # chmod 700 /etc/fnord/run
    

  • /etc/fnord/log/run
    

    # cat <<'EOF' >/etc/fnord/log/run
    #!/bin/sh
    LOGUSER=`head -1 ../env/LOGUSER`
    exec setuidgid ${LOGUSER} multilog t s1000000 /var/log/fnord
    EOF
    # chmod 700 /etc/fnord/log/run
    

  • /etc/fnord/env/
    

    # echo "fnord" > /etc/fnord/env/USER
    # echo "fnordlog" > /etc/fnord/env/LOGUSER
    # echo "/var/www" > /etc/fnord/env/DOCROOT
    

• symlink /etc/fnord to /service
• check installation
  

  $ telnet localhost 80
  GET / HTTP/1.0<return>
  <return>
  <!DOCTYPE html....
  

fnord as https server

To setup fnord to provide https, you need an up and running plain http fnord.

Be aware that there are two methods on how to setup fnord using SSL. One is to use ucspi-ssl, or to use a patched version of ucspi-tcp. The patch can be found here. These two methods are a bit different. Specifics for each variant are marked in simple braces. For Example: (ucspi-ssl) or (patches ucspi-tcp)

• create /etc/fnords,/etc/fnords/{log,env} and /var/log/fnords with correct permissions:
  

  # mkdir -p /etc/fnords/log
  # ln -s /etc/fnord/env /etc/fnords/
  # mkdir /var/log/fnords
  # chmod -R 700 /etc/fnords
  # chown fnord.fnord /etc/fnords
  # chown fnordlog.fnordlog /var/log/fnords
  

• create OpenSSL certificate
  
  • you need to create a certificate for fnord, we will use CA.pl from the OpenSSL package
  • fetch CA.pl and CA-nodes.pl, to create non-encrypted keys, which you need for a https server They are supplied here, because OpenBSD doesnt ship with CA.pl (which is part of OpenSSL).
  • Instead of using CA-nodes.pl, you can also use the 'openssl' command itself to generate the certificate: (Submitted by Simon B.)
    

    openssl genrsa -out /etc/ssl/private/server.key 1024                    
    
    openssl req -new -key /etc/ssl/private/server.key \                     
    	-out /etc/ssl/private/server.csr                                                               
    	
    openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \           
    	-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
    

  • run ./CA.pl -newca, to create a new CA, if you don't already have one
  • run ./CA-nodes.pl -newreq, to create a new certificate request.
    The "Common Name" Field should be your Servers Hostname
  • run ./CA.pl -sign to sign and verify the certificate request created above
  • after running all the CA.pl stuff, you should have two new files, called newcert.pem and newreq.pem. Samples are provided here: newcert.pem newrq.pem
  • create a key and a cert file (ucspi-ssl)
    

    # mv newcert.pem /etc/fnords/fnord-cert.pem
    

    Open /etc/fnords/fnord-cert.pem using $EDITOR, and delete from
    Certificate:
    just before
    -----BEGIN CERTIFICATE-----
    Make sure that it only contains a CERTIFICATE section.

    # mv newreq.pem /etc/fnords/fnord-key.pem
    

    And make sure that it only contains a RSA PRIVATE KEY section. (You will have to remove the CERTIFICATE REQUEST section).
    Your Files should look like this:
    fnord-cert.pem:
    

    -----BEGIN CERTIFICATE-----
    [ BASE 64 ]
    -----END CERTIFICATE-----
    

    
    fnord-key.pem:
    

    -----BEGIN RSA PRIVATE KEY-----
    [ BASE 64 ]
    -----END RSA PRIVATE KEY-----
    

  • create a key and cert file (patched ucspi-tcp)
    

    # cat newcert.pem newreq.pem >> /etc/fnords/fnord-key.pem
    

  • Give these files secure permissions:
    

    # chmod 400 /etc/fnords/fnord-cert.pem /etc/fnords/fnord-key.pem
    

  • Fetch a dh1024.pem and place it in /etc/fnords
• Create the configuration for fnords (ucspi-ssl)
  
  • /etc/fnords/run
    

    # echo /etc/fnords/fnords-cert.pem >/etc/fnords/env/CERTFILE
    # echo /etc/fnords/dh1024.pem >/etc/fnords/env/DHFILE
    # echo /etc/fnords/fnords-key.pem >/etc/fnords/env/KEYFILE
    # cat <<'EOF' >/etc/fnords/run
    #!/bin/sh
    DOCROOT=`head -1 ./env/DOCROOT`
    USER=`head -1 ./env/USER`
    CONFDIR=`pwd`
    cd ${DOCROOT}
    exec envdir ${CONFDIR}/env/ envuidgid ${USER} sslserver -RHl localhost 0 443 /command/fnord-httpd 2>&1
    EOF
    # chmod 700 /etc/fnords/run
    

• Create the configuration for fnords (patched ucspi-tcp)
  
  • /etc/fnords/run
    

    # echo /etc/fnords/fnords-key.pem >/etc/fnords/env/KEYFILE
    # cat <<'EOF' >/etc/fnords/run
    #!/bin/sh
    DOCROOT=`head -1 ./env/DOCROOT`
    USER=`head -1 ./env/USER`
    KEYFILE=`head -1 ./env/KEYFILE`
    cd ${DOCROOT}
    exec tcpserver -u `id -u ${USER}` -g `id -g ${USER}` -n ${KEYFILE}  -RHl localhost 0 443 /command/fnord-httpd 2>&1
    EOF
    # chmod 700 /etc/fnords/run
    

• Setup logging and finish installation
  
  • /etc/fnords/log/run
    

    # cat <<'EOF' >/etc/fnords/log/run
    #!/bin/sh
    LOGUSER=`cat ../env/LOGUSER`
    exec setuidgid ${LOGUSER} multilog t s1000000 /var/log/fnords
    EOF
    # chmod 700 /etc/fnords/run
    

  • symlink /etc/fnords to /service
  • check installation
    

    # sslconnect 127.0.0.1 443
    GET / HTTP/1.0<return>
    <return>
    <!DOCTYPE html....
    

If it does not work for you, and you get an error while loading the ssl cert, please check your permissions. Use setuidgid fnord cat /etc/fnords/fnords-key.pem for testing wheter your permissions are okay or not

fnord and fnords should be running smoothly now. If you have any questions or suggestions don't hesitate to contact me.

This document is public domain.