author | binary <me@rgoncalves.se> | 2021-01-24 12:49:58 +0100 |
committer | binary <me@rgoncalves.se> | 2021-01-24 12:49:58 +0100 |
commit | 0339ab597dd321fae5c38f6d295ac98145aec72c (patch) | |
tree | 2ba320f5b85be50cf632f36bdccb3acc6c0ccb69 /roles/relayd | |
parent | 535fcca27b969d432e9f37d60bb7bb1d9633433c (diff) | |
download | infrastructure-0339ab597dd321fae5c38f6d295ac98145aec72c.tar.gz |
Add tls/https for relayd
Diffstat (limited to 'roles/relayd')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 57 |
1 files changed, 45 insertions, 12 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index a1abf23..dbd95ad 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -2,9 +2,7 @@
 # relayd ~~ /etc/relayd.conf
 # managed by Ansible
-# ====== #
-# tables
-# ====== #
+# hosts
 table <local> { 127.0.0.1 }
 {% for h in groups["servers"] %}
@@ -16,11 +14,36 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
 {##}
 {% endfor %}
-# ================ #
-# filter for vhost
-# ================ #
+# protocols
-http protocol reverse_proxy {
+http protocol "https" {
+
+ tls keypair "{{ global.domain_name }}"
+ tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
+ tls ecdhe "P-384,P-256,X25519"
+
+ tcp { sack, backlog 128 }
+
+ match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+ match request header set "Connection" value "close"
+ match request header set "X-Forwarded-Proto" value "https"
+ match request header set "X-Forwarded-Port" value "443"
+
+ pass request header "Host" value "{{ global.domain_name }}" forward to <local>
+{% for h in groups["servers"] %}
+{% set h = dict(hostvars[h]) %}
+{##}
+{% if h.ip.in is defined %}
+{% for service in h.services if service.domain is defined %}
+ pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+{% endfor %}
+{% endif %}
+{##}
+{% endfor %}
+}
+
+http protocol "http" {
 pass request header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
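Review bot: `match request header append "X-Forwarded-For" value "$REMOTE_ADDR"` in the new "https" protocol keeps whatever X-Forwarded-For the client sent and only appends the relay's view, so a backend that reads the first element can be handed a spoofed client address; if backends are meant to trust this header, `set` it the way the X-Forwarded-Proto and X-Forwarded-Port lines below it do, or add a comment stating that consumers must take the last element. The protocol also emits no HSTS header, so a response rule such as `match response header set "Strict-Transport-Security" value "max-age=31536000"` (constructed value, pick your own) would keep browsers on the TLS relay this commit introduces. The `http protocol "http"` block that follows still forwards every vhost in clear text rather than redirecting to 443, which may be intended for now but deserves a comment saying so. That block continues past the end of the hunk.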
@@ -34,13 +57,11 @@ http protocol reverse_proxy {
 {% endfor %}
 }
-# ======================= #
-# relays for all protocol
-# ======================= #
+# relays
-relay www {
+relay "www" {
 listen on egress port 80
- protocol reverse_proxy
+ protocol "http"
 forward to <local> port 80 check icmp
 {% for hostname in groups["servers"] %}
 {% set h = dict(hostvars[hostname]) %}
@@ -50,3 +71,15 @@ relay www {
 {% endfor %}
 }
+relay "wwwtls" {
+ listen on egress port 443 tls
+ protocol "https"
+ forward to <local> port 80 check icmp
+{% for hostname in groups["servers"] %}
+{% set h = dict(hostvars[hostname]) %}
+{% for service in h.services if service.domain is defined %}
+ forward to <{{ hostname }}> port {{ service.port }} check http "/" code 200
+{% endfor %}
+{% endfor %}
+
+}
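Review bot: The new relay "wwwtls" forwards to `<{{ hostname }}>`, while the backend tables are declared as `<{{ h.ansible_host }}>` (visible in the earlier hunk header `table <{{ h.ansible_host }}> { {{ h.ip.in }} }`), so unless every inventory name equals its ansible_host the rendered config will reference a table that does not exist and relayd can be expected to reject it. The vhost loop in protocol "https" is guarded by `{% if h.ip.in is defined %}`, but this loop only filters on `service.domain is defined`, so a host without `ip.in` would get a `forward to` line here with no matching pass rule; wrapping this loop in the same `{% if h.ip.in is defined %}` guard keeps the two in step. The blank line before the closing `}` looks stray. The body of the existing relay "www" is cut by the hunk, so I cannot tell whether it has the same table-name mismatch.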