Recently I made the change from Digital Garden to Hugo, and also from Debian to OpenBSD. Was the change really worth it?
Why touch a working server?
At first, when I set up my server, I thought Debian was the end game for my setup: minimalism, ease of administration, etc.
XD never mind, that was my NextJS / Django stack back then. Now that I'm all focused on cysec, I want something that has the Debian features but is also cool…
Then I found OpenBSD, and it really fits my use case (SSG).
What was on my Debian setup
Let’s just make it simple here
[Server]
├─ Caddy
├─ UFW
├─ Docker
That was my NextJS era, but replacing it with Hugo would give me a setup like so:
[Server]
├─ Caddy
├─ UFW
Pretty minimal, huh? But the memory footprint is still too high for me :/
Why OpenBSD?
I just love the security philosophy it offers; here are some of the points:
Default-deny
- At first my brain was really fried seeing this, cuz I'm always using NOPASSWD with sudo (sorry, I'm dumb), but the default-deny mindset trains my mind better ;)
- pf is enabled out of the box. The stock /etc/pf.conf actually passes traffic, but the idiom every OpenBSD setup starts from is "block all" and then pass only what you need, and that's hella secure
- On my current server running OpenBSD, there's just one service open: HTTP
Minimal attack surface
This might sound dumb, but there's only one thing I have to mention:
- The OpenBSD base system ships far fewer binaries and shared libraries than a typical Linux install, so there is simply less code sitting on the box to be attacked
Minimalism
Just one simple thing: httpd.
Since I'm only hosting a static website, httpd is more than enough for me: no nginx, no apache, it just works. It also comes with the OpenBSD defaults for free: it runs chrooted to /var/www as an unprivileged user, with privilege separation and pledge(2).
Here’s a pinch of the config ;)
server "0xt.io" {
listen on * port 80
root "/htdocs/0xt"
}
fuck systemd
as always
Setting up my new server
Ordering a VPS
For my server I chose InterHost; they seem to provide really cheap VPS instances, but there's one special feature: booting from custom ISOs.
This really helps. I've dealt with overwriting the disk image manually on providers that don't support OpenBSD before, but the ISO just works every time.
Setting up the firewall
First up, I'll proxy my site through Cloudflare so traffic is stable everywhere in the world.
I looked up Cloudflare's IP ranges, and here's a simple pf setup:
0xw# cat /etc/pf.conf
table <cloudflare> persist {
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
}
set skip on lo
block all
pass out quick
# Allow SSH
pass in on egress proto tcp to port 22
# Allow HTTP only from Cloudflare
pass in on egress proto tcp from <cloudflare> to port 80
Fairly easy, huh? This config blocks everything, then allows all outbound traffic, SSH from anywhere, and port 80 only from Cloudflare's IPv4 ranges, so anyone who finds the origin IP and hits port 80 directly is dropped. Three things to keep in mind: the table only covers IPv4, so if the VPS has an IPv6 address (and an AAAA record) Cloudflare's IPv6 ranges have to be added too or those connections are dropped; Cloudflare changes the list occasionally, so it needs refreshing (keeping it in a file and loading it with "pfctl -t cloudflare -T replace -f" is easier than editing pf.conf); and SSH is still reachable from the whole internet, so at minimum set PasswordAuthentication no in sshd_config, and restrict the rule to known source addresses if you can. Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f".
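Here is a tightened version of the ruleset above, as an added example (not the author's pf.conf): it keeps the Cloudflare table in a file so it can be refreshed with pfctl, restricts SSH to a hypothetical <admins> table (203.0.113.10 and 198.51.100.0/24 are documentation placeholders to replace with your own addresses), adds a reverse-path check and connection-rate limiting, and also admits 443 from Cloudflare for the case where TLS is enabled on the origin.

```conf
# /etc/pf.conf: tightened version of the ruleset above. Added example,
# not the author's file. Assumed: the <admins> addresses (placeholders),
# the table file path, and that httpd also listens on 443.

# Cloudflare's published ranges, one per line in a separate file so the
# table can be refreshed without reloading the whole ruleset:
#   pfctl -t cloudflare -T replace -f /etc/pf.cloudflare
# Put both the IPv4 and the IPv6 list in that file if the VPS has an AAAA record.
table <cloudflare> persist file "/etc/pf.cloudflare"

# Where SSH logins are allowed from (hypothetical addresses, replace them).
table <admins> persist { 203.0.113.10, 198.51.100.0/24 }

# Filled automatically by the overload rule below.
table <bruteforce> persist

set skip on lo
set block-policy drop          # drop silently instead of answering with RST/ICMP

# Default deny, logged, so dropped packets show up on pflog0
# (tcpdump -n -e -ttt -i pflog0)
block log all

# Packets whose source fails a reverse-path check, and known brute-forcers
block in quick from urpf-failed
block in quick from <bruteforce>

# Everything outbound from the host itself
pass out quick

# SSH only from <admins>; more than 3 new connections in 30 s from one
# source puts it into <bruteforce> and kills its existing states
pass in on egress proto tcp from <admins> to (egress) port 22 \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# HTTP and HTTPS only from Cloudflare's addresses
pass in on egress proto tcp from <cloudflare> to (egress) port { 80 443 }
```

Because this locks sshd down to <admins>, make sure the address you are connecting from is in that table (or that you have console access through the provider) before loading it; "pfctl -nf /etc/pf.conf" only checks the syntax, not whether you are about to lock yourself out.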
Set up the web server
As mentioned above, httpd is already part of the base OpenBSD installation, so we can just use it, no fuss needed. Keep in mind that httpd runs chrooted to /var/www, so the root paths below are relative to that directory ("/htdocs" means /var/www/htdocs on disk).
Here’s my simple configuration
0xw# cat /etc/httpd.conf
server "0xt.io" {
listen on * port 80
root "/htdocs"
location "/" {
directory index "index.html"
}
}
server "www.0xt.io" {
listen on * port 80
root "/htdocs"
location "/" {
directory index "index.html"
}
}
Set up the DNS record (proxied through Cloudflare, the orange cloud, otherwise visitors hit the origin directly and the pf rule above drops them) and we're good to go XD
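One caveat with this setup: with Cloudflare in front and only port 80 on the origin, the browser-to-Cloudflare leg is encrypted but the Cloudflare-to-origin leg is plain HTTP (Cloudflare's "Flexible" mode). The following is an added example, not the author's configuration, of the same site with TLS on the origin via acme-client(1) so Cloudflare can be switched to "Full (strict)". The certificate and key paths are the ones acme-client writes with the acme-client.conf shown after the httpd.conf, and /htdocs/0xt is assumed to hold the Hugo output (paths are relative to httpd's /var/www chroot).

```conf
# /etc/httpd.conf: plain-HTTP listener serves only the ACME challenge and
# redirects everything else to HTTPS; the TLS listener serves the site.
# The alias replaces the duplicated "www" server block.
server "0xt.io" {
    alias "www.0xt.io"
    listen on * port 80

    # HTTP-01 challenge files written by acme-client(1) into /var/www/acme
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    # Everything else on plain HTTP is sent to HTTPS
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "0xt.io" {
    alias "www.0xt.io"
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/0xt.io.fullchain.pem"
        key "/etc/ssl/private/0xt.io.key"
    }
    root "/htdocs/0xt"
}

# /etc/acme-client.conf: Let's Encrypt account plus one certificate covering
# both names. The key and certificate paths match the tls block above.
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

domain 0xt.io {
    alternative names { www.0xt.io }
    domain key "/etc/ssl/private/0xt.io.key"
    domain full chain certificate "/etc/ssl/0xt.io.fullchain.pem"
    sign with letsencrypt
}
```

Reload httpd, run "acme-client -v 0xt.io" once to obtain the certificate, then "rcctl reload httpd" and uncomment the acme-client line in root's crontab so renewals happen on their own. Note that the pf rule only admits port 80 from Cloudflare, so the HTTP-01 validation only works while the DNS record is proxied (the validator's request then arrives from a Cloudflare address); with an unproxied record you would have to open port 80 during issuance, or use a Cloudflare Origin CA certificate instead, which is only trusted by Cloudflare's edge and avoids the whole ACME exchange. Once the origin presents a valid certificate, set the Cloudflare SSL mode to "Full (strict)" so the edge verifies it.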
Resources usage
And for the fun part: it's only hovering around ~40MB of RAM with httpd and sshd running. Pretty lightweight, right?

That should be all, thx for reading 🙌