---
date: 2020-05-06T15:00:23+02:00
description: "How to manage HTTP headers with both native servers: httpd & relayd on OpenBSD"
draft: false
lastmod: 2020-05-07T18:20:36+02:00
tags: ['relayd','Header','httpd','HTTP','OpenBSD']
title: "Relayd: Manage HTTP headers"
translationKey: "relayd-headers-http"
---

## Description

**OpenBSD** has, by default, in the base system, since 5.7:

* a web server, named **httpd**,
* a relay server, named **relayd**

* Website: https://bsd.plumbing/
* OpenBSD: **6.6, 6.7**

---

**httpd** cannot manage HTTP headers, and [its author does not want it to][100]!
So we hand that job to the **relayd** server, which can do it; it does so globally, not per domain.

## Configuration

We need to modify both the **httpd** and the **relayd** configuration, i.e.:

* **relayd** will receive all traffic on the web port and redirect it to localhost on the corresponding ports. Of course, it is possible to act on both the IPv4 and IPv6 protocols.
* **httpd** will listen only on localhost, on the dedicated ports.

Do not forget to restart both daemons after modifying the configuration.

### httpd

* Configuration file: `/etc/httpd.conf`

In the `server` context, we need to set 3 important details:

* `listen on`: the listener on localhost *(cf : [listen on][1])*
* `log`: the logger; you need to set its `style` option to `forwarded` *(cf : [style][2])*

{{< note info >}}
Some people redirect to port 8080 instead of 80. It's up to you!
{{< /note >}}

Only the {{< abbr HSTS "HTTP Strict Transport Security" >}} header is managed differently:

#### httpd: HSTS

We can set the **HSTS** header simply by using the `hsts` option *(cf : [hsts][3])*.
It is handled, of course, in the context of the {{< abbr HTTPS "HyperText Transfer Protocol Secure" >}} protocol, via {{< abbr TLS "Transport Layer Security" >}}.

#### httpd: example

{{< code "web-httpd-relayd-headers-example-config-httpd" httpd >}}

#### httpd: log

Here is a log example:

`domain.tld 127.0.0.1 - - [06/May/2020:04:08:51 +0200] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 66.249.79.202 -`
`domain.tld 127.0.0.1 - - [06/May/2020:09:48:36 +0200] "GET /robots.txt HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" 5.196.87.174 -`
`domain.tld 127.0.0.1 - - [06/May/2020:10:29:29 +0200] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" 54.36.148.31 -`

Note that the client's IP address is given at the end of each line.
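
One way to check such a log, as an added example that is not part of the original page: the script below parses `forwarded`-style lines and reports requests that reached **httpd** from a non-loopback peer (so not through **relayd**) or without a usable `X-Forwarded-For` value. The function names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re

# httpd "forwarded" log style: the combined format plus two trailing fields,
# X-Forwarded-For and X-Forwarded-Port ("-" when the header is absent).
LINE = re.compile(
    r'(?P<vhost>\S+) (?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<xff>\S+) (?P<xfp>\S+)'
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE.fullmatch(line.strip())
    return m.groupdict() if m else None

def as_ip(text):
    """Return an ipaddress object, or None when text is not an IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def audit(lines):
    """Return (line_number, reason) for entries that did not come cleanly through the relay."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparsed line"))
            continue
        peer = as_ip(rec["peer"])
        if peer is None or not peer.is_loopback:
            findings.append((n, "peer is not loopback"))   # httpd reached directly
        elif as_ip(rec["xff"]) is None:
            findings.append((n, "no usable X-Forwarded-For"))
    return findings

# Sample input: the first line is taken from the page, the other two are constructed.
SAMPLE = [
    'domain.tld 127.0.0.1 - - [06/May/2020:09:48:36 +0200] "GET /robots.txt HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" 5.196.87.174 -',
    'domain.tld 127.0.0.1 - - [06/May/2020:10:00:00 +0200] "GET / HTTP/1.1" 200 0 "" "curl/7.69.1" - -',
    'domain.tld 192.0.2.10 - - [06/May/2020:10:00:05 +0200] "GET / HTTP/1.1" 200 0 "" "curl/7.69.1" - -',
]

if __name__ == "__main__":
    for n, reason in audit(SAMPLE):
        print(n, reason)
```
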
The trailing client address comes from the `forwarded` log style.

### relayd

* Configuration file: `/etc/relayd.conf`

In practice:

* We declare an **http** protocol:
    * the `match` filters create the response `header`s,
    * the first two values are needed to capture and redirect correctly:
        * `$SERVER_ADDR:$SERVER_PORT` for the `X-Forwarded-By` header,
        * `$REMOTE_ADDR` for the `X-Forwarded-For` header.
* Next, we relay by declaring the corresponding `relay`:
    * `listen`: the listener on the public IP address and the web port,
    * then we target the **http** protocol so that the header rules are applied,
    * `forward`: to redirect to localhost, on the chosen port, which must match the one the **httpd** server listens on.

#### relayd: Httpoxy

The more attentive readers will have noticed the following declaration:
`match request header remove "Proxy"`

This is useful to mitigate the **[Httpoxy][7]** vulnerability, which affects CGI and PHP applications. It is recognized as the best way to block it.
Another way to protect yourself is to use {{< abbr HTTPS "HyperText Transfer Protocol Secure" >}}.

#### relayd: example

{{< code "web-httpd-relayd-headers-example-config-relayd" relayd >}}

## Documentation

### Manpages

* {{< man httpd 8 >}}, {{< man "httpd.conf" 5 >}}
* {{< man relayd 8 >}}, {{< man "relayd.conf" 5 >}}, {{< man relayctl 8 >}}

### Other documentation

* Here is a [very complete example][12], with TLS.

---

[1]: https://man.openbsd.org/httpd.conf#listen
[2]: https://man.openbsd.org/httpd.conf#style
[3]: https://man.openbsd.org/httpd.conf#hsts
[7]: https://httpoxy.org/
[10]: https://ybad.name/ah/doku.php/4-httpd/relayd#configuration-de-relayd
[11]: https://wiki.openbsd.fr.eu.org/doku.php/network/service/httpd-headers
[12]: https://www.alexander-pluhar.de/openbsd-webserver.html
[100]: https://marc.info/?l=openbsd-misc&m=142407262812306&w=2