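# relayd ~~ /etc/relayd.conf
# managed by Ansible
#
# Rendered by Ansible from inventory (groups["servers"], hostvars[*].ip.in,
# hostvars[*].services[*].domain/port, global.domain_name).  Inventory values
# are interpolated into this file unescaped, so a stray quote, '>' or space in
# a domain or address breaks the config; keep `relayd -n -f` as the validation
# step before any reload.

# hosts
# NOTE(review): the angle-bracketed table names (here and at every bare
# "forward to" further down) were lost when this page was extracted; <hosts>
# is reconstructed from the comment above it -- confirm against the committed file.
table <hosts> { 127.0.0.1 }

{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% if h.ip.in is defined %}
# {{ h.ansible_host }}
# Per-host table; nothing below references it (only the per-service
# tables are forwarded to).  Kept as in the original -- TODO confirm whether
# relayd still needs it or merely warns about an unused table.
table <{{ h.ansible_host }}> { {{ h.ip.in }} }
{% for service in h.services | default([]) if service.domain is defined %}
# One table per (host, service) so each vhost can be health-checked on its own port.
table <{{ h.ansible_host }}_{{ service.domain }}> { {{ h.ip.in }} }
{% endfor %}
{% endif %}
{% endfor %}

# services

# protocols
http protocol "https" {
	# Forward-secret suites only: kRSA (static RSA key exchange) and anonymous
	# suites are excluded, AES128 is dropped in favour of the HIGH set.
	tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
	tls ecdhe "P-384,P-256,X25519"
	tcp { sack, backlog 128 }

	# "append" keeps any client-supplied X-Forwarded-For in front of the real
	# address; backends must trust only the last (relayd-added) entry.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	match request header set "X-Forwarded-Proto" value "https"
	match request header set "X-Forwarded-Port" value "443"
	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"

	# Main domain: SNI keypair plus an exact Host match routed to the local httpd.
	tls keypair "{{ global.domain_name }}"
	pass request quick header "Host" value "{{ global.domain_name }}" forward to <hosts>

	# One keypair + Host rule per service vhost.  The table name must match the
	# declaration above and the "forward to" in relay "wwwtls", so both use
	# h.ansible_host (not the inventory name) and the same ip.in guard.
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% if h.ip.in is defined %}
{% for service in h.services | default([]) if service.domain is defined %}
	tls keypair "{{ service.domain }}.{{ global.domain_name }}"
	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}_{{ service.domain }}>
{% endfor %}
{% endif %}
{% endfor %}

	# Anything with an unknown Host header is rejected, never forwarded to a default backend.
	return error
}

http protocol "http" {
	# acme: HTTP-01 challenges are served by the local httpd, everything else
	# on port 80 is expected to be redirected to https by that httpd.
	pass request quick path "/.well-known/acme-challenge/*" forward to <hosts>
	pass request quick header "Host" value "{{ global.domain_name }}" forward to <hosts>

	# NOTE(review): these per-service tables are not listed in a "forward to"
	# of relay "www" below (only <hosts> is); whether relayd accepts a protocol
	# forward to a table the relay does not use should be confirmed with `relayd -n`.
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% if h.ip.in is defined %}
{% for service in h.services | default([]) if service.domain is defined %}
	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}_{{ service.domain }}>
{% endfor %}
{% endif %}
{% endfor %}

	return error
}

# relays
relay "www" {
	listen on egress port 80
	protocol "http"
	# assume httpd reverse proxy is running for https redirection
	forward to <hosts> port 8888 check icmp
}

relay "wwwtls" {
	listen on egress port 443 tls
	protocol "https"
	forward to <hosts> port 80 check http "/" code 200

	# Same table naming and ip.in guard as the table declarations, so every
	# table referenced here is guaranteed to exist.
{% for hostname in groups["servers"] %}
{% set h = dict(hostvars[hostname]) %}
{% if h.ip.in is defined %}
{% for service in h.services | default([]) if service.domain is defined %}
	forward to <{{ h.ansible_host }}_{{ service.domain }}> port {{ service.port }} check tcp
{% endfor %}
{% endif %}
{% endfor %}
}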