althttpd, stunnel and dehydrated on slackware

short notes on how to install a lean stack of althttpd, stunnel and dehydrated on slackware-15 (currently -current).

althttpd

althttpd is a lightweight http server from the SQLite project. it isn't included in slackware, but installation is easy: just compile it! i have a SlackBuild for this too, waiting for submissions to reopen after 15.0 is released.

althttpd should be launched using inetd. since slackware uses OpenBSD's inetd, configuration differs from what is described on the althttpd site.

you really just need to add a line to /etc/inetd.conf:

# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
http            stream  tcp     nowait  althttpd        /usr/bin/althttpd       /usr/bin/althttpd --logfile /var/log/althttpd/%Y%m%d.log --root /var/www/althttpd/

this tells inetd to run althttpd as user althttpd for incoming requests on port 80/tcp. althttpd then serves websites found in /var/www/althttpd, logging to /var/log/althttpd with a new log file for every day. we need to add a user and a group for althttpd too:

groupadd -g $FREEID althttpd
useradd -u $FREEID -d /var/www/althttpd -g althttpd -s /bin/false althttpd

as althttpd doesn't have a UID or GID assigned by SBo, look up a free one (or one you are not using..) in the list at SBo.

enable and (re)start the inetd daemon and althttpd should be serving content from /var/www/althttpd.

dehydrated

dehydrated is a letsencrypt client (there is a name for the protocol, but i'm too lazy to look it up :). in the configuration /etc/dehydrated/config, you really only have to (if you want) set the contact email address:

CONTACT_EMAIL=root@example.org

what you do have to do is create symlinks so that the HTTP authentication method works:

mkdir /var/www/althttpd/default.website/.well-known
ln -s /var/www/dehydrated /var/www/althttpd/default.website/.well-known/acme-challenge

this symlink of course has to be added for every site you want to serve, so for the subdomain.example.org domain further down in the stunnel section you'd do

mkdir /var/www/althttpd/subdomain_example_org.website/.well-known
ln -s /var/www/dehydrated /var/www/althttpd/subdomain_example_org.website/.well-known/acme-challenge
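
the same step for any number of sites, as an added example (not part of the original notes). it derives the directory name the way althttpd does (lowercase the hostname, turn everything that isn't an ascii letter or digit into "_", append ".website") and refuses to touch a path that is already occupied by something else. the function names and the two environment variables are made up for this sketch; the paths are the ones used above.

```shell
#!/bin/sh
# added example, not from the original notes.
# assumed paths (taken from the commands above); override via environment.
ALTHTTPD_ROOT=${ALTHTTPD_ROOT:-/var/www/althttpd}
WELLKNOWN=${WELLKNOWN:-/var/www/dehydrated}

# map a hostname to althttpd's directory name: lowercase, every character
# that is not an ascii letter or digit becomes "_", then append ".website".
site_dir_for_host() {
    printf '%s\n' "$1" | LC_ALL=C tr 'A-Z' 'a-z' |
        LC_ALL=C sed 's/[^a-z0-9]/_/g; s/$/.website/'
}

# create <root>/<site>/.well-known/acme-challenge -> $WELLKNOWN for one host.
# returns 0 if the link is in place, 1 if the site dir is missing or the
# path is already taken by a different link or a real file/directory.
link_acme_challenge() {
    host=$1
    site="$ALTHTTPD_ROOT/$(site_dir_for_host "$host")"
    link="$site/.well-known/acme-challenge"
    if [ ! -d "$site" ]; then
        echo "skip $host: $site does not exist" >&2
        return 1
    fi
    mkdir -p "$site/.well-known" || return 1
    if [ -L "$link" ]; then
        # existing symlink: accept only if it already points at $WELLKNOWN
        [ "$(readlink "$link")" = "$WELLKNOWN" ] && return 0
        echo "refuse $host: $link points to $(readlink "$link")" >&2
        return 1
    elif [ -e "$link" ]; then
        echo "refuse $host: $link exists and is not a symlink" >&2
        return 1
    fi
    ln -s "$WELLKNOWN" "$link"
}

# link every host given as argument; return value is the number of failures
link_all() {
    failed=0
    for h in "$@"; do
        link_acme_challenge "$h" || failed=$((failed + 1))
    done
    return "$failed"
}

# when called with hostnames as arguments, link them all
[ "$#" -eq 0 ] || link_all "$@"
```

saved as a script and called with "default example.org subdomain.example.org" as arguments, it covers default.website and both sites from the stunnel section; running it again changes nothing.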

after these setup steps, run dehydrated -c to let it fetch the certs. also remember to enable the dehydrated cronjob:

chmod a+x /etc/cron.daily/dehydrated

stunnel

stunnel is a bit easier to set up as it's included with slackware. you need a config in /etc/stunnel/stunnel.conf. the example here is with SNI enabled because that was a bit complicated to get to work for me:

[virtual]
accept = :::443
cert = /etc/dehydrated/certs/example.org/fullchain.pem
key = /etc/dehydrated/certs/example.org/privkey.pem
setuid = althttpd
setgid = althttpd
TIMEOUTclose = 0
exec = /usr/bin/althttpd
execargs = /usr/bin/althttpd --logfile /var/log/althttpd/%Y%m%d.log --root /var/www/althttpd/ --https 1 --user althttpd

[example]
cert = /etc/dehydrated/certs/example.org/fullchain.pem
key = /etc/dehydrated/certs/example.org/privkey.pem
sni = virtual:example.org
setuid = althttpd
setgid = althttpd
TIMEOUTclose = 0
exec = /usr/bin/althttpd
execargs = /usr/bin/althttpd --logfile /var/log/althttpd/%Y%m%d.log --root /var/www/althttpd/ --https 1 --user althttpd

[subdomain]
cert = /etc/dehydrated/certs/subdomain.example.org/fullchain.pem
key = /etc/dehydrated/certs/subdomain.example.org/privkey.pem
sni = virtual:subdomain.example.org
setuid = althttpd
setgid = althttpd
TIMEOUTclose = 0
exec = /usr/bin/althttpd
execargs = /usr/bin/althttpd --logfile /var/log/althttpd/%Y%m%d.log --root /var/www/althttpd/ --https 1 --user althttpd

to enable stunnel add stunnel & to /etc/rc.d/rc.local or have it run by inetd too, but then you can't have SNI apparently.