# relayd ~~ /etc/relayd.conf
# managed by Ansible
{# Jinja template. Inputs used in this file: groups["servers"],
   hostvars[<host>].ip.in, hostvars[<host>].ansible_host,
   hostvars[<host>].services[].domain / .port, and global.domain_name. #}
# hosts
# <local>: the backend on this machine; both relays below forward to it on port 80.
table <local> { 127.0.0.1 }
{# One table per server that defines ip.in, named after that host's ansible_host.
   NOTE(review): the relay blocks below forward to <{{ hostname }}> (the inventory
   name) while the tables here are declared as <{{ h.ansible_host }}>; the two only
   line up when ansible_host equals the inventory hostname -- confirm against the
   inventory. A host without ip.in gets no table at all, but the relay loops below
   do not apply that guard. #}
{% for h in groups["servers"] %}
{# the loop variable (inventory name) is rebound to that host's hostvars dict #}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
table <{{ h.ansible_host }}> { {{ h.ip.in }} }
{% endif %}
{##}
{% endfor %}
# protocols
# "https": used by relay "wwwtls" (TLS on port 443); routes requests by Host header.
http protocol "https" {
# keypair is looked up by this name (the base domain)
tls keypair "{{ global.domain_name }}"
# no AES128, no static-RSA key exchange (kRSA, no forward secrecy), no anonymous suites
tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
tls ecdhe "P-384,P-256,X25519"
tcp { sack, backlog 128 }
# "append" keeps any X-Forwarded-For / X-Forwarded-By the client already sent and
# adds relayd's value after it; backends must trust only the last (relayd-added) entry.
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# presumably disables keep-alive towards the backend -- intent not documented here
match request header set "Connection" value "close"
# "set" replaces any client-supplied value, so backends can rely on these two headers
match request header set "X-Forwarded-Proto" value "https"
match request header set "X-Forwarded-Port" value "443"
# base domain -> local backend
pass request header "Host" value "{{ global.domain_name }}" forward to <local>
{# <service.domain>.<global.domain_name> -> the table of the host running that
   service; only hosts with ip.in (i.e. hosts that got a table above) get rules #}
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
{% endfor %}
{% endif %}
{##}
{% endfor %}
# any request whose Host matched none of the rules above gets an error response
return error
}
# "http": used by relay "www" (plaintext port 80); same Host routing as "https".
http protocol "http" {
# acme
# listed first and marked "quick": on a match no later rule is evaluated, so ACME
# challenges reach the local backend regardless of the Host header
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
# NOTE(review): unlike protocol "https", this protocol sets no X-Forwarded-For /
# X-Forwarded-Proto / X-Forwarded-Port headers, so backends reached over plain HTTP
# get no client address to log or rate-limit on; consider mirroring those rules here.
# base domain -> local backend
pass request header "Host" value "{{ global.domain_name }}" forward to <local>
{# same per-service Host rules as in protocol "https": only hosts with ip.in #}
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
{% endfor %}
{% endif %}
{##}
{% endfor %}
# any request whose Host matched none of the rules above gets an error response
return error
}
# relays
# plaintext listener on the egress interface(s); backends are checked with ICMP only
relay "www" {
listen on egress port 80
protocol "http"
forward to <local> port 80 check icmp
{# every server with a domain-bearing service becomes a backend on service.port.
   NOTE(review): this loop has no "ip.in is defined" guard and names the table
   <{{ hostname }}> (inventory name), whereas the tables are declared only for hosts
   with ip.in and are named <{{ h.ansible_host }}> -- a host missing ip.in, or whose
   ansible_host differs from its inventory name, references a table that was never
   declared. "check icmp" only proves the host answers ping, not that service.port
   is up; relay "wwwtls" uses "check http" for the same backends. #}
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% for service in h.services if service.domain is defined %}
forward to <{{ hostname }}> port {{ service.port }} check icmp
{% endfor %}
{% endfor %}
}
# TLS listener on the egress interface(s); TLS terminates here (protocol "https")
relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
forward to <local> port 80 check icmp
{# same backend set as relay "www", but each backend is health-checked with a
   plain-HTTP request for "/" on service.port that must answer 200.
   NOTE(review): as in relay "www", no "ip.in is defined" guard and the table is
   named <{{ hostname }}> (inventory name) rather than <{{ h.ansible_host }}> as
   declared above -- confirm the two names agree for every server. #}
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% for service in h.services if service.domain is defined %}
forward to <{{ hostname }}> port {{ service.port }} check http "/" code 200
{% endfor %}
{% endfor %}
}