# relayd ~~ /etc/relayd.conf
# managed by Ansible

# hosts

# <local> is the loopback backend (used below for the bare domain and for
# ACME challenges). One extra table is emitted per inventory host in
# groups["servers"], named after its ansible_host and holding its ip.in
# address. Hosts without ip.in get no table, so every later "forward to
# <...>" must apply the same "ip.in is defined" guard and use the same
# ansible_host name -- relayd rejects a forward to a table it has not seen.
table <local> { 127.0.0.1 }
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
table <{{ h.ansible_host }}> { {{ h.ip.in }} }
{% endif %}
{##}
{% endfor %}

# protocols

http protocol "https" {
	
	# TLS policy: only "HIGH" cipher suites, no AES-128 suites, no static
	# RSA key exchange (kRSA) and no anonymous suites (aNULL); ECDHE is
	# limited to the listed curves.
	tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
	tls ecdhe "P-384,P-256,X25519"

	tcp { sack, backlog 128 }

	# Client-identifying headers for the backends. "append" keeps whatever
	# X-Forwarded-For / X-Forwarded-By the client already sent, so backends
	# must only trust the last (relayd-added) entry; "set" overwrites any
	# client-supplied value. Connection: close forces one backend connection
	# per forwarded request.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	match request header set "X-Forwarded-Proto" value "https"
	match request header set "X-Forwarded-Port" value "443"
	# Ask browsers to upgrade http:// sub-resources on pages served here.
	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"

	# Host-based routing. Each "tls keypair" names the certificate relayd
	# presents for that SNI name (looked up by name in relayd's default
	# certificate location -- confirm against the role that installs them).
	# "quick" stops rule evaluation at the first match. Only hosts with ip.in
	# and services with a domain get a rule, mirroring the hosts section, so
	# every <table> referenced here is guaranteed to exist.
	tls keypair "{{ global.domain_name }}"
	pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
	tls keypair "{{ service.domain }}.{{ global.domain_name }}"
	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
{% endfor %}
{% endif %}
{##}
{% endfor %}
	# Default deny: a Host value not listed above gets an error response.
	return error
}

http protocol "http" {
	
	# acme
	# Let ACME HTTP-01 challenges reach the local responder before any
	# Host-based rule is considered; "quick" ends evaluation here.
	pass request quick path "/.well-known/acme-challenge/*" forward to <local>

	# Plain-HTTP Host routing, same host/service guards as the "https"
	# protocol. Unlike that protocol these rules are not "quick", no
	# X-Forwarded-* headers are added, and non-ACME traffic is forwarded to
	# the backends in clear text rather than being sent to HTTPS -- confirm
	# that is intended for every service listed.
	pass request header "Host" value "{{ global.domain_name }}" forward to <local>
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
	pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
{% endfor %}
{% endif %}
{##}
{% endfor %}
	# Default deny for unknown Host values.
	return error
}

# relays

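relay "www" {
	# Plain-HTTP front end on the egress interface; backend selection is
	# done by the "http" protocol's Host rules.
	listen on egress port 80
	protocol "http"
	forward to <local> port 80 check icmp
	# Backend tables are declared in the hosts section as <ansible_host>,
	# and only for hosts that define ip.in. Reference them the same way here
	# (the protocol sections already do), otherwise a host whose inventory
	# name differs from its ansible_host, or one without ip.in, yields a
	# forward to an undefined table and relayd refuses the config.
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
	forward to <{{ h.ansible_host }}> port {{ service.port }} check icmp
{% endfor %}
{% endif %}
{##}
{% endfor %}
}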

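relay "wwwtls" {
	# TLS front end on the egress interface; certificates and Host rules
	# come from the "https" protocol.
	listen on egress port 443 tls
	protocol "https"
	forward to <local> port 80 check icmp
	# Backend tables are declared in the hosts section as <ansible_host>,
	# and only for hosts that define ip.in. Reference them the same way here
	# (the protocol sections already do), otherwise a host whose inventory
	# name differs from its ansible_host, or one without ip.in, yields a
	# forward to an undefined table and relayd refuses the config.
	# NOTE(review): these forwards carry no "check icmp", unlike relay "www";
	# confirm whether skipping the health check here is intended.
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
	forward to <{{ h.ansible_host }}> port {{ service.port }}
{% endfor %}
{% endif %}
{##}
{% endfor %}

}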