From 0339ab597dd321fae5c38f6d295ac98145aec72c Mon Sep 17 00:00:00 2001
From: binary
Date: Sun, 24 Jan 2021 12:49:58 +0100
Subject: Add tls/https for relayd
---
 roles/relayd/templates/relayd.conf.j2 | 57 +++++++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 12 deletions(-)
(limited to 'roles')
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index a1abf23..dbd95ad 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -2,9 +2,7 @@
 # relayd ~~ /etc/relayd.conf
 # managed by Ansible
 
-# ====== #
-# tables
-# ====== #
+# hosts
 
 table { 127.0.0.1 }
 {% for h in groups["servers"] %}
@@ -16,11 +14,36 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
 {##}
 {% endfor %}
 
-# ================ #
-# filter for vhost
-# ================ #
+# protocols
 
-http protocol reverse_proxy {
+http protocol "https" {
+
tls keypair "{{ global.domain_name }}"
tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
tls ecdhe "P-384,P-256,X25519"
+
tcp { sack, backlog 128 }
+
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
match request header set "X-Forwarded-Proto" value "https"
match request header set "X-Forwarded-Port" value "443"
+
pass request header "Host" value "{{ global.domain_name }}" forward to
+{% for h in groups["servers"] %}
+{% set h = dict(hostvars[h]) %}
+{##}
+{% if h.ip.in is defined %}
+{% for service in h.services if service.domain is defined %}
pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+{% endfor %}
+{% endif %}
+{##}
+{% endfor %}
+}
+
+http protocol "http" {
 pass request header "Host" value "{{ global.domain_name }}" forward to
 {% for h in groups["servers"] %}
 {% set h = dict(hostvars[h]) %}
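Review bot: The `match request header append "X-Forwarded-For" value "$REMOTE_ADDR"` line in the new `https` protocol appends relayd's entry to whatever X-Forwarded-For the client already sent, so a client-chosen address stays first in the header and any backend that reads the first entry for access decisions or logging can be handed an arbitrary value. If relayd is the only hop in front of the backends, `match request header set "X-Forwarded-For" value "$REMOTE_ADDR"` (the form already used for `X-Forwarded-Proto` two lines below) removes that ambiguity; if there is an upstream proxy, a comment in the template should say which hop the backends are expected to trust. Since the plaintext `http` protocol keeps serving the same hosts in parallel, consider adding `match response header set "Strict-Transport-Security" value "max-age=31536000"` to the `https` protocol so browsers stop using port 80 after the first visit. The `http protocol "http" {` block opened at the end of the hunk continues outside it, so whether plaintext requests receive forwarding headers at all is not visible here.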
@@ -34,13 +57,11 @@ http protocol reverse_proxy {
 {% endfor %}
 }
 
-# ======================= #
-# relays for all protocol
-# ======================= #
+# relays
 
-relay www {
+relay "www" {
 listen on egress port 80
- protocol reverse_proxy
+ protocol "http"
 forward to port 80 check icmp
 {% for hostname in groups["servers"] %}
 {% set h = dict(hostvars[hostname]) %}
@@ -50,3 +71,15 @@ relay www {
 {% endfor %}
 }
 
+relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
forward to port 80 check icmp
+{% for hostname in groups["servers"] %}
+{% set h = dict(hostvars[hostname]) %}
+{% for service in h.services if service.domain is defined %}
+ forward to <{{ hostname }}> port {{ service.port }} check http "/" code 200
+{% endfor %}
+{% endfor %}
+
+}
-- 
cgit v1.2.3
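Review bot: The per-service `forward to <{{ hostname }}> port {{ service.port }} ...` line in the new `wwwtls` relay names its table by inventory hostname, while the tables declared earlier in this template and the `https` protocol's `forward to <{{ h.ansible_host }}>` rules are keyed on `ansible_host`; unless the two are identical for every member of `groups["servers"]`, the relay forwards to a table that was never declared and relayd should refuse the configuration at load. Writing `forward to <{{ h.ansible_host }}> port {{ service.port }} check http "/" code 200` keeps relay and protocol in step, and `h` is already set on the line above the inner loop. This loop also lacks the `{% if h.ip.in is defined %}` guard the `https` protocol applies, so a host without an inner address presumably still gets a forward entry here — the same guard likely belongs around it. TLS ends at relayd and the backend hop is plain HTTP on `{{ service.port }}`, which is acceptable only while the tables hold addresses on a network you control; a one-line comment in the template stating that assumption would help the next reader.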