Nginx Security Headers on OpenBSD 7.5

Create /etc/nginx/snippets/security-headers.conf

add_header X-Frame-Options            "SAMEORIGIN"                                 always;
add_header X-Content-Type-Options     "nosniff"                                    always;
add_header X-XSS-Protectio...

PHP-FPM Multiple Pools on OpenBSD 7.5

Pool directory: /etc/php-fpm.d/

Create /etc/php-fpm.d/site1.conf

[site1]
user  = site1
group = site1
listen = /run/php-fpm/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
pm = dynamic
pm.max_children      = 10
pm.start_serv...

PostgreSQL Backup and Restore on OpenBSD 7.5

Logical – pg_dump

# Single database
sudo -u postgres pg_dump -Fc appdb > /backups/appdb_$(date +%F).dump

# All databases
sudo -u postgres pg_dumpall > /backups/all_$(date +%F).sql

Restore

sudo -u postgres pg_restore -d appdb /backups/appdb_2026-0...

PostgreSQL Streaming Replication on OpenBSD 7.5

Primary: 192.168.1.10   Standby: 192.168.1.11

Primary – /var/lib/postgres/data/postgresql.conf

wal_level = replica
max_wal_senders = 5
wal_keep_size = 512MB
listen_addresses = '*'

/var/lib/postgres/data/pg_hba.conf:

host replication repl...

PostgreSQL User and Role Management on OpenBSD 7.5

Create roles

CREATE ROLE alice WITH LOGIN PASSWORD 'AlicePass!';
CREATE ROLE dbadmin WITH SUPERUSER LOGIN PASSWORD 'AdminPass!';
CREATE ROLE readonly;

Grant privileges

GRANT CONNECT ON DATABASE appdb TO alice;
GRANT USAGE ON SCHEMA public TO...

Redis Cluster on OpenBSD 7.5

Minimum 3 primaries + 3 replicas (6 nodes). This example uses ports 7000-7005 on localhost.

Step 1 – Create node configs

for port in 7000 7001 7002 7003 7004 7005; do
    mkdir -p /etc/redis/cluster/$port /var/lib/redis/$port
    cat > /etc/redis/cluster/$port/redi...

Redis Persistence on OpenBSD 7.5

RDB snapshots (redis.conf)

save 900 1
save 300 10
save 60 10000
dbfilename  dump.rdb
dir         /var/lib/redis
rdbcompression yes
rdbchecksum    yes

AOF (Append-Only File)

appendonly           yes
appendfilename       "appendonly.aof"
appendfsync...

Redis Sentinel (HA) on OpenBSD 7.5

Architecture

• Primary 192.168.1.10:6379
• Replica 192.168.1.11:6379, 192.168.1.12:6379
• Sentinels on port 26379 (all 3 nodes)

Primary redis.conf

bind 0.0.0.0
requirepass RedisPass!

Replica redis.conf

bind 0.0.0.0
requirepass RedisPass!
replicaof 1...

Secure MySQL on OpenBSD 7.5

Step 1 – Run mysql_secure_installation

mysql_secure_installation

Set root password, remove anonymous users, disallow remote root login, remove test DB.

Step 2 – Bind to localhost

[mysqld]
bind-address = 127.0.0.1

Step 3 – Audit users

SELECT User, Host, plugi...

SSH Key-Based Authentication on OpenBSD 7.5

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH TOTP MFA on OpenBSD 7.5

Step 1 – Install PAM module

# Install google-authenticator for OpenBSD 7.5

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator...

Tune MariaDB Performance on OpenBSD 7.5

my.cnf

[mysqld]
innodb_buffer_pool_size        = 4G
innodb_buffer_pool_instances   = 4
innodb_log_file_size           = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method            = O_DIRECT

# Thread pool (MariaDB-specific)
thread_handling...

Tune MySQL Performance on OpenBSD 7.5

my.cnf

[mysqld]
innodb_buffer_pool_size        = 4G
innodb_buffer_pool_instances   = 4
innodb_log_file_size           = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method            = O_DIRECT
max_connections                = 200
thread_cache_size...

Tune PHP OPcache on OpenBSD 7.5

Edit /etc/php.d/opcache.ini

opcache.enable=1
opcache.enable_cli=0
opcache.memory_consumption=256
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=20000
opcache.revalidate_freq=60
opcache.validate_timestamps=1
; JIT (PHP 8.x)
opcache.jit=tracing
op...

Tune PHP-FPM Performance on OpenBSD 7.5

Estimate pm.max_children

ps -ylC php-fpm --no-headers | awk '{sum+=$8} END {print sum/NR/1024 " MB avg"}'
# Divide available RAM (minus OS+DB) by average size

Recommended dynamic settings

pm = dynamic
pm.max_children      = 50
pm.start_servers     = 1...

Tune PostgreSQL Performance on OpenBSD 7.5

postgresql.conf

# Memory
shared_buffers          = 2GB       # 25% of RAM
effective_cache_size    = 6GB       # 50-75% of RAM
work_mem                = 64MB      # per-sort/hash
maintenance_work_mem    = 512MB

# Checkpoints
checkpoint_completion_target...

Tune Varnish Cache on OpenBSD 7.5

Systemd override (/etc/systemd/system/varnish.service.d/override.conf)

[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd \
    -a :80 -T localhost:6082 \
    -f /etc/varnish/default.vcl \
    -s malloc,2G \
    -p thread_pools=2 \
    -p thread_pool_min=200 \...

Varnish VCL Configuration on OpenBSD 7.5

Full example with load balancing and grace

vcl 4.1;
import directors;

backend web1 {
    .host = "192.168.1.10"; .port = "8080";
    .probe = { .url = "/health"; .timeout = 5s; .interval = 10s; .window = 5; .threshold = 3; }
}
backend web2 {
    .host =...