
Add-ons for the OpenBSD web server

Add-ons for the OpenBSD httpd(8) web server applicable to the latest -current branch.

Other branches available:


List of add-ons


Bug fixes:

  • Failing directory auto index of location in case enclosing server specifies directory no index (see on tech@)
  • Failing location access test in case server/location root is empty (see on tech@)
  • Inconsistent handling of inaccessible server/location root (regular file access still returns status 404 instead of 500)
  • Inappropriate log_warn in case of missing custom error documents and cleanup of read_errdoc function (see on misc@)


  • The info regarding the usage of the former location-access-tests add-on with WordPress was moved from this website to httpd.conf(5).


Optional HTTP Cache-Control headers via httpd.conf(5).

types {
	image/jpeg  { cache "max-age=2592000, public" }             jpeg jpg
	text/css    { cache "max-age=86400, private" }              css
	text/html   { cache "no-store, no-cache, must-revalidate" } html


Definition of script overrides for fastcgi environments via httpd.conf(5). This may be used either to run a dedicated script in its specific param environment for a certain location, or simply as a shortcut avoiding unnecessary evaluation rounds for the server (as required when using request rewrite).

server "www.example.com" {
	location "/foobar/*" {
		fastcgi {
			socket "/run/php-fpm.sock"
			param "PARAM_1" "value_1"
			param "PARAM_2" "value_2"
			script "/index.php"
	location not found "/*" {
		# request rewrite "/index.php"
		fastcgi {
			socket "/run/php-fpm.sock"
			script "/index.php"


Client address matching (from or not from) for location sections in httpd.conf(5).

server "www.example.com" {
	location "/intranet*" not from "10.0.0/24" { block }


Send notification messages to UNIX-domain sockets for server and/or location sections with a block directive in httpd.conf(5).

This cooperates perfectly with pftbld(8), offering an easy and straightforward means to effectively protect the web server from offensive clients and successively build customized firewall blocklists. In the example below, access to /restricted* URLs from outside the 10.0.0/24 network is not just blocked, but httpd(8) also reports client IP addresses to pftbld(8) (with its listening socket at /var/www/run/pftbld-www.sock) for further handling.


server "www.example.com" {
	location "/restricted*" not from "10.0.0/24" {
		notify-on-block {
			socket "/run/pftbld-www.sock"
			message "$REMOTE_ADDR"


target "www" {
	socket "/var/www/run/pftbld-www.sock" {
		owner "www"
		group "www"
	cascade {
		table "attackers"
		expire 1h


Simple brace expansion for alias <name>, include <path> and location <path> option parameters in httpd.conf(5). Helps to minimize the configuration file size by avoiding duplicate content.

include "/etc/httpd-{0..5}-incl.conf"
server "www.example.com" {
	alias "www.{a,b,c}.example.com"
	location "/*.{bmp,gif,ico,jpg,png}" { pass }

How to install

httpd-plus is a series of consecutive patch files which may be applied easily by following the steps below.

Make sure your user has sufficient doas permissions. To start, cd into the user's home directory, for example /home/mpfr.

$ cat /etc/doas.conf
permit nopass mpfr
$ cd
$ pwd

Download and extract patch files and installation script.

$ rm -rf httpd-plus-current/
$ ftp -Vo - https://codeload.github.com/mpfr/httpd-plus/tar.gz/current | tar xzvf -

Apply the patch files by running the installation script. This will build and install the httpd-plus binary. After the build process, the original source is restored.

$ doas ksh httpd-plus-current/install 2>&1 | tee httpd-plus-install.log
Backing up original sources ... Done.
Applying patch files ...
===  00-updates  ===
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
===  01-cache-control-headers  ===
Hmm...  Looks like a unified diff to me...
Building and installing httpd-plus binary and manpage ...
Restoring original sources ... Done.

Installing httpd-plus binary and manpage completed successfully.
Please consult 'man httpd.conf' for further information on new features.

Adapt your httpd.conf for the newly added features. For further information, have a look at the updated httpd.conf(5) manpage (also via man httpd.conf). Make sure your new configuration is valid.

$ doas vi /etc/httpd.conf
$ doas httpd -n
configuration OK

Restart the httpd daemon.

$ doas rcctl restart httpd

How to uninstall

The original version of httpd can easily be restored by performing a fresh rebuild and reinstall.

$ cd /usr/src/usr.sbin/httpd
$ doas make obj
$ doas make clean
$ doas make
$ doas make install

Remove httpd-plus related features from your configuration file and make sure it is valid. Don't forget to restart the httpd daemon.

$ doas vi /etc/httpd.conf
$ doas httpd -n
configuration OK
$ doas rcctl restart httpd