author | binary <me@rgoncalves.se> | 2021-01-24 15:47:49 +0100 |
committer | binary <me@rgoncalves.se> | 2021-01-24 15:47:49 +0100 |
commit | 92ff994700d8a706ff7ecd22c4bdeec306eaf53a (patch) | |
tree | d77765c78f9edc85f067794dd76d9850d8b66e1b /roles/relayd | |
parent | 270a5416590e87f3f7afa6bec2895751da5c51f1 (diff) | |
download | infrastructure-92ff994700d8a706ff7ecd22c4bdeec306eaf53a.tar.gz |
Upgrade external request to http
Diffstat (limited to 'roles/relayd')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 8ef03bc..e4b1eb5 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -18,7 +18,6 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
 http protocol "https" {
- tls keypair "{{ global.domain_name }}"
 tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
 tls ecdhe "P-384,P-256,X25519"
@@ -29,14 +28,17 @@ http protocol "https" {
 match request header set "Connection" value "close"
 match request header set "X-Forwarded-Proto" value "https"
 match request header set "X-Forwarded-Port" value "443"
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
- pass request header "Host" value "{{ global.domain_name }}" forward to <local>
+ tls keypair "{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
 {##}
 {% if h.ip.in is defined %}
 {% for service in h.services if service.domain is defined %}
- pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+ tls keypair "{{ service.domain }}.{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
 {% endfor %}
 {% endif %}
 {##}
@@ -49,6 +51,8 @@ http protocol "http" {
 # acme
 pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+ pass request header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %} |
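Review bot: `match response header set "Content-Security-Policy" value "upgrade-insecure-requests"` in the "https" protocol replaces whatever Content-Security-Policy the backend already sends, so a stricter application policy (script-src, frame-ancestors, …) is silently discarded at the relay; the same line is added to the "http" protocol in the last hunk. relayd's `append` header action keeps the existing value and adds the new one instead of overwriting it, which is what CSP expects since every delivered policy is enforced, so `match response header append "Content-Security-Policy" value "upgrade-insecure-requests"` is the safer form in both places — check in relayd.conf(5) how append joins an existing header before relying on it. Separately, each `tls keypair` line now sits directly above a `pass request quick header "Host"` rule, which reads as if the keypair were scoped to that rule; in relayd a keypair is a protocol-wide option chosen by the client's SNI name, so a comment such as `# keypairs are protocol-wide and selected by SNI; the pass rule below only routes` above the first one would prevent that misreading, and every generated `{{ service.domain }}.{{ global.domain_name }}` name needs a certificate and key present on the relay host before the configuration loads. The "https" protocol block starts before this hunk and the for loop continues past it.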
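Review bot: The new `pass request header "Host" value "{{ global.domain_name }}" forward to <local>` in the "http" protocol omits `quick`, while the equivalent rule added to the "https" protocol in the previous hunk uses `pass request quick`; without `quick` relayd keeps evaluating the generated rules that follow and the last match decides, so the two protocols only behave the same as long as no generated Host value equals the apex domain. Writing it as `pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>` keeps the two protocols consistent and makes the short-circuit explicit, and it still comes after the acme `quick` rule so challenges are unaffected. The "http" protocol block starts before this hunk and the for loop continues past it.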