From 6f402c3dfbc3d4702c1b758f60afbec912ca2c24 Mon Sep 17 00:00:00 2001
From: binary <me@rgoncalves.se>
Date: Sun, 24 Jan 2021 16:42:45 +0100
Subject: Force http to https with httpd block return from relayd

---
 roles/httpd/templates/httpd.conf.j2   | 9 +++++++++
 roles/relayd/templates/relayd.conf.j2 | 9 ++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

(limited to 'roles')

diff --git a/roles/httpd/templates/httpd.conf.j2 b/roles/httpd/templates/httpd.conf.j2
index 45b46c3..9a028f9 100644
--- a/roles/httpd/templates/httpd.conf.j2
+++ b/roles/httpd/templates/httpd.conf.j2
@@ -12,6 +12,15 @@ types {
 	image/png       png
 }
 
+{% if ansible_host == global.dcontroller %}
+server "default" {
+        listen on localhost port 8888
+        location * {
+            block return 302 "https://\$HTTP_HOST\$REQUEST_URI"
+        }
+}
+{% endif %}
+
 {% for file in configurations.files %}
 include "{{ file.path }}"
 {% endfor %}
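Review bot: The `Location` on the `block return` line is built from `$HTTP_HOST`, which is the client-supplied Host header, so this catch-all server redirects to whatever host name the request carried. If an intermediary cache or a link-generating client ever sits in front of port 80, that reflection can be abused. Since the set of served domains appears to be known to the inventory (the relayd template iterated `service.domain`), consider rendering one `server` block per domain with a fixed redirect target, or at least add a comment such as `# Host header is untrusted here; redirect target is not validated`. Separately, the `\$` escapes are passed through by Jinja unchanged and look like a leftover from shell quoting. It is worth checking the rendered httpd.conf and the emitted `Location` header, and writing plain `"https://$HTTP_HOST$REQUEST_URI"` if the backslashes survive into the response.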
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 243a0cc..1b48d7d 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -70,13 +70,8 @@ http protocol "http" {
 relay "www" {
 	listen on egress port 80
 	protocol "http"
-	forward to <local> port 80 check icmp
-{% for hostname in groups["servers"] %}
-{% set h = dict(hostvars[hostname]) %}
-{% for service in h.services if service.domain is defined %}
-	forward to <{{ hostname }}> port {{ service.port }} check icmp
-{% endfor %}
-{% endfor %}
+	# assume httpd reverse proxy is running for https redirection
+	forward to <local> port 8888 check icmp
 }
 
 relay "wwwtls" {
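Review bot: The `forward to <local> port 8888 check icmp` line makes all port-80 traffic depend on the httpd listener, but `check icmp` only proves that the host answers ping, which localhost always does. If httpd is stopped or the port 8888 server block was not rendered, relayd will keep the relay up and drop plain-HTTP clients without redirecting them. A service-level check such as `forward to <local> port 8888 check tcp` would reflect the real state. The httpd block is only emitted when `ansible_host == global.dcontroller`, while nothing visible in this hunk guards the relay the same way, so confirm that relayd.conf is deployed only on that host or wrap this relay in the same condition. The new comment also calls httpd a "reverse proxy" where it only issues a redirect; `# httpd on localhost:8888 answers every request with a redirect to https` would be more accurate.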
-- 
cgit v1.2.3