---
date: 2020-05-06T15:00:23+02:00
description: "How to manage HTTP headers with both native servers: httpd & relayd on OpenBSD"
draft: false
lastmod: 2020-05-07T18:20:36+02:00
tags: ['relayd','Header','httpd','HTTP','OpenBSD']
title: "Relayd: Manage HTTP headers"
translationKey: "relayd-headers-http"
---
## Description
**OpenBSD** has shipped, by default in the base system, since 5.7:
* a web server, named **httpd**,
* a relay server, named **relayd**
* Website: https://bsd.plumbing/
* OpenBSD: **6.6, 6.7**
---
**httpd** is not able to manage HTTP headers, and [its author does not want it to][100]!
So we hand that job to the **relayd** server, which is able to do it. Note that
it does so globally, not per domain.
## Configuration
We need to modify both the **httpd** and **relayd** configurations:
* **relayd** will receive all traffic on the web port and redirect it to localhost
on the corresponding ports. Of course, it is possible to handle both the IPv4
and IPv6 protocols.
* **httpd** will listen only on localhost, on the dedicated ports.
Do not forget to restart both daemons after modifying the configuration.
### httpd
* The configuration file is: `/etc/httpd.conf`
In the `server` context, we need to set 3 important details:
* `listen on`: the listener on localhost — *cf. [listen on][1]*
* `log`: logging; you need to set the `style` option to
`forwarded` — *cf. [style][2]*
{{< note info >}}
Some people redirect to port 8080 instead of 80. It's up to you!
{{< /note >}}
Only the {{< abbr HSTS "HTTP Strict Transport Security" >}} header is managed
differently:
#### httpd: HSTS
We can set the **HSTS** header simply by using the `hsts` option *(cf. [hsts][3])*.
It only applies, of course, in the context of the {{< abbr HTTPS "HyperText Transfer Protocol Secure" >}} protocol,
via {{< abbr TLS "Transport Layer Security" >}}.
#### httpd: example
{{< code "web-httpd-relayd-headers-example-config-httpd" httpd >}}
#### httpd: log
Here is a log example:
```
domain.tld 127.0.0.1 - - [06/May/2020:04:08:51 +0200] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 66.249.79.202 -
domain.tld 127.0.0.1 - - [06/May/2020:09:48:36 +0200] "GET /robots.txt HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" 5.196.87.174 -
domain.tld 127.0.0.1 - - [06/May/2020:10:29:29 +0200] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" 54.36.148.31 -
```
Note that the client's IP address appears at the end of the line, while the
peer address logged near the start is always localhost (the relay).
This is due to the `forwarded` log style.
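An audit of log lines like the ones above, as an added example that is not part of the original configuration: it extracts the client address from the trailing field and flags lines that should not occur behind the relay. It assumes **relayd** overwrites `X-Forwarded-For` with `$REMOTE_ADDR`; the sample lines are constructed.

```python
import ipaddress
import re

# httpd "forwarded" log style as shown above: server name, then combined-format
# fields, then X-Forwarded-For and X-Forwarded-Port as the last two fields.
LINE_RE = re.compile(
    r'^(?P<server>\S+) (?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<xff>.*) (?P<xfp>\S+)$'
)

def single_ip(text):
    """Return the normalised address if text is exactly one IP, else None."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def audit(line):
    """Return (client_ip, findings) for one log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, ["unparseable line"]
    peer, xff = single_ip(m["peer"]), single_ip(m["xff"])
    if peer is None or not ipaddress.ip_address(peer).is_loopback:
        # httpd listens on localhost only, so this should never happen.
        return peer, ["peer is not loopback: request bypassed the relay"]
    if xff is None:
        # Assumption: relayd sets the header to $REMOTE_ADDR, so a list,
        # "-" or junk here means the header was not overwritten.
        return None, ["X-Forwarded-For is not a single IP: %r" % m["xff"]]
    return xff, []

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    'domain.tld 127.0.0.1 - - [06/May/2020:04:08:51 +0200] "GET / HTTP/1.1" '
    '200 0 "" "Mozilla/5.0" 203.0.113.7 -',
    'domain.tld 127.0.0.1 - - [06/May/2020:04:09:02 +0200] "GET / HTTP/1.1" '
    '200 0 "" "curl/7.70.0" 198.51.100.9, 203.0.113.7 -',
    'domain.tld 192.0.2.44 - - [06/May/2020:04:09:30 +0200] "GET / HTTP/1.1" '
    '200 0 "" "curl/7.70.0" - -',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry))
```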
### relayd
* The configuration file is: `/etc/relayd.conf`
In practice:
* We declare an **http** protocol, with:
  * the `match` filters that create the response `header`s;
  * the first two values, which are needed to capture and redirect correctly:
    * `$SERVER_ADDR:$SERVER_PORT` for the `X-Forwarded-By` header,
    * `$REMOTE_ADDR` for the `X-Forwarded-For` header.
* Next, we set up the matching `relay`:
  * `listen`: the listener on the public IP address and the web port,
  * where we target the **http** protocol so that its rules are applied to the headers,
  * `forward`: to redirect to localhost, on the chosen port, matching
  the one the **httpd** server listens on.
#### relayd: Httpoxy
The more attentive readers will have noticed the following declaration:
`match request header remove "Proxy"`
This is useful to mitigate the **[Httpoxy][7]** vulnerability, which affects
CGI and PHP applications.
It is recognized as the best way to block it.
Another way to protect yourself is to use {{< abbr HTTPS "HyperText Transfer Protocol Secure" >}}.
#### relayd: example
{{< code "web-httpd-relayd-headers-example-config-relayd" relayd >}}
## Documentation
### Manpages
* {{< man httpd 8 >}}, {{< man "httpd.conf" 5 >}}
* {{< man relayd 8 >}}, {{< man "relayd.conf" 5 >}}, {{< man relayctl 8 >}}
### Other documentation
* Here is a [very complete example][12], with TLS.
---
[1]: https://man.openbsd.org/httpd.conf#listen
[2]: https://man.openbsd.org/httpd.conf#style
[3]: https://man.openbsd.org/httpd.conf#hsts
[7]: https://httpoxy.org/
[10]: https://ybad.name/ah/doku.php/4-httpd/relayd#configuration-de-relayd
[11]: https://wiki.openbsd.fr.eu.org/doku.php/network/service/httpd-headers
[12]: https://www.alexander-pluhar.de/openbsd-webserver.html
[100]: https://marc.info/?l=openbsd-misc&m=142407262812306&w=2