From 92ff994700d8a706ff7ecd22c4bdeec306eaf53a Mon Sep 17 00:00:00 2001
From: binary <me@rgoncalves.se>
Date: Sun, 24 Jan 2021 15:47:49 +0100
Subject: Upgrade external requests to https

---
 roles/relayd/templates/relayd.conf.j2 | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)


diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 8ef03bc..e4b1eb5 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -18,7 +18,6 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
 
 http protocol "https" {
 	
-	tls keypair "{{ global.domain_name }}"
 	tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
 	tls ecdhe "P-384,P-256,X25519"
 
@@ -29,14 +28,17 @@ http protocol "https" {
 	match request header set "Connection" value "close"
 	match request header set "X-Forwarded-Proto" value "https"
 	match request header set "X-Forwarded-Port" value "443"
+	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 
-	pass request header "Host" value "{{ global.domain_name }}" forward to <local>
+	tls keypair "{{ global.domain_name }}"
+	pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
 {##}
 {% if h.ip.in is defined %}
 {% for service in h.services if service.domain is defined %}
-	pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+	tls keypair "{{ service.domain }}.{{ global.domain_name }}"
+	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
 {% endfor %}
 {% endif %}
 {##}
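Review bot: The added `match response header set "Content-Security-Policy" value "upgrade-insecure-requests"` overwrites any CSP a backend already sends, so a service that ships a stricter policy (say `default-src 'self'`) would come back to the client with only `upgrade-insecure-requests` — this assumes relayd's `header set` replaces an existing header rather than merging, which is how I read relayd.conf(5); please confirm. If the goal is to enforce TLS for the whole origin rather than only upgrade sub-resource loads, the https protocol is also the place for `match response header set "Strict-Transport-Security" value "max-age=31536000"` (add `; includeSubDomains` only once every `{{ service.domain }}.{{ global.domain_name }}` host is confirmed TLS-only). Either scope the CSP rule to backends known not to set their own, or use `header append` if relayd joins values in a way browsers accept as multiple policies. The enclosing `http protocol "https"` block starts and ends outside this hunk.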
@@ -49,6 +51,8 @@ http protocol "http" {
 	# acme
 	pass request quick path "/.well-known/acme-challenge/*" forward to <local>
 
+	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+
 	pass request header "Host" value "{{ global.domain_name }}" forward to <local>
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
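Review bot: Setting `Content-Security-Policy: upgrade-insecure-requests` on the plain-HTTP protocol does not move the response itself to TLS — the document, any cookies not marked `Secure`, and form posts still travel in cleartext, and only the browser's subsequent sub-resource loads are upgraded. The usual fix on the `http` protocol is to keep the `pass request quick path "/.well-known/acme-challenge/*"` rule and redirect everything else to https with a 301 (if relayd cannot emit the redirect directly, forward non-ACME traffic to a local httpd vhost that does `block return 301 "https://$HTTP_HOST$REQUEST_URI"`), leaving the CSP/HSTS headers to the https side. As written the header is also attached to ACME challenge responses, which is harmless but unnecessary. The enclosing `http protocol "http"` block starts and ends outside this hunk.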
-- 