Diffstat (limited to 'roles/relayd/templates/relayd.conf.j2')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 8ef03bc..e4b1eb5 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -18,7 +18,6 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
 http protocol "https" {
- tls keypair "{{ global.domain_name }}"
 tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
 tls ecdhe "P-384,P-256,X25519"
@@ -29,14 +28,17 @@ http protocol "https" {
 match request header set "Connection" value "close"
 match request header set "X-Forwarded-Proto" value "https"
 match request header set "X-Forwarded-Port" value "443"
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
- pass request header "Host" value "{{ global.domain_name }}" forward to <local>
+ tls keypair "{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
 {##}
 {% if h.ip.in is defined %}
 {% for service in h.services if service.domain is defined %}
- pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+ tls keypair "{{ service.domain }}.{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
 {% endfor %}
 {% endif %}
 {##}
@@ -49,6 +51,8 @@ http protocol "http" {
 # acme
 pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+ pass request header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %} |
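Review bot: The new `match response header set "Content-Security-Policy" value "upgrade-insecure-requests"` in the "https" protocol overwrites whatever Content-Security-Policy the backend already sends, so any service forwarded to `<{{ h.ansible_host }}>` that ships a strict policy (script-src, frame-ancestors, ...) is silently downgraded to this one directive on every response. If the goal is only to add the upgrade directive, use `match response header append "Content-Security-Policy" value "upgrade-insecure-requests"`; a comma-separated list of policies is treated by browsers as multiple policies that are each enforced, so the backend's policy is kept intact. Since this relay now terminates TLS for every host, this is also the natural place for `match response header set "Strict-Transport-Security" value "max-age=31536000"` so that returning clients never start on plaintext at all. A comment above the header line stating that it is meant to be additive would keep a later edit from changing it back to `set`. The enclosing `http protocol "https" {` block closes outside this hunk, so I cannot see whether a trailing `block` rule exists for Host values that match none of the generated `pass request quick` rules; without one such requests fall through to the relay's default `forward to` target.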
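Review bot: In the "http" protocol the same `match response header set "Content-Security-Policy" value "upgrade-insecure-requests"` is applied to responses that are still served over plaintext, because the `pass request header "Host" value "{{ global.domain_name }}" forward to <local>` rule right below it forwards the whole site rather than redirecting to https. The directive is only a hint that CSP-aware browsers act on for subsequent requests; non-browser clients, and the initial navigation itself, stay on http, so it is not a substitute for a 301 to `https://{{ global.domain_name }}` issued either by relayd (if a redirect action is available in the version in use) or by the backend behind `<local>`. The `set` vs `append` concern from the "https" block applies here too, since the backend's own policy is replaced. I would add a one-line comment above the header, e.g. `# best-effort upgrade hint only; the real https enforcement is the redirect on <local>`, so the intent is explicit. The protocol block continues beyond the end of this hunk.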