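# relayd ~~ /etc/relayd.conf
# managed by Ansible
#
# Jinja2 template. Every host in groups["servers"] that defines `ip.in` gets a
# relayd table named after its ansible_host. The protocols route on the Host
# header: the bare domain goes to the local backend table, and
# <service.domain>.<domain> goes to the table of the host running that service.
# The relays forward to the same per-host tables, one "forward to" per service
# port, so table names must match between the table, protocol and relay blocks.

# hosts
#
# NOTE(review): the name of the local backend table was lost when this page was
# rendered (its angle-bracket name was stripped as markup). LOCAL_TABLE_NAME is
# a placeholder, not a real identifier; restore the name from the original
# template before use. It is referenced again in both protocols and both relays.
table <LOCAL_TABLE_NAME> { 127.0.0.1 }
{% for h in groups["servers"] %}
{% set host = dict(hostvars[h]) %}
{% if host.ip.in is defined %}
table <{{ host.ansible_host }}> { {{ host.ip.in }} }
{% endif %}
{% endfor %}

# protocols
http protocol "https" {
    tls keypair "{{ global.domain_name }}"
    tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
    tls ecdhe "P-384,P-256,X25519"
    tcp { sack, backlog 128 }

    # "append" keeps any X-Forwarded-For the client already sent and adds
    # $REMOTE_ADDR after it; backends must therefore read the last (rightmost)
    # entry and must not trust the earlier, client-supplied ones.
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "Connection" value "close"
    match request header set "X-Forwarded-Proto" value "https"
    match request header set "X-Forwarded-Port" value "443"

    # bare domain -> local backend
    pass request header "Host" value "{{ global.domain_name }}" forward to <LOCAL_TABLE_NAME>
    # <service>.<domain> -> the table of the host running that service
{% for h in groups["servers"] %}
{% set host = dict(hostvars[h]) %}
{% if host.ip.in is defined %}
{% for service in host.services if service.domain is defined %}
    pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ host.ansible_host }}>
{% endfor %}
{% endif %}
{% endfor %}
    # NOTE(review): there is no "block" rule, so a request whose Host header
    # matches none of the pass rules is presumably handled by relayd's default
    # (pass to the relay's first forward target) - confirm this is intended.
    # "return error" sends an HTTP error page to the client when a forward
    # fails instead of silently dropping the connection.
    return error
}

http protocol "http" {
    # acme: challenge requests always go to the local backend, whatever the Host
    pass request quick path "/.well-known/acme-challenge/*" forward to <LOCAL_TABLE_NAME>

    # NOTE(review): everything else on port 80 is proxied to the backends rather
    # than redirected to https; if only ACME is meant to stay on plain HTTP, the
    # rules below could be replaced by a redirect.
    pass request header "Host" value "{{ global.domain_name }}" forward to <LOCAL_TABLE_NAME>
{% for h in groups["servers"] %}
{% set host = dict(hostvars[h]) %}
{% if host.ip.in is defined %}
{% for service in host.services if service.domain is defined %}
    pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ host.ansible_host }}>
{% endfor %}
{% endif %}
{% endfor %}
    return error
}

# relays
#
# The relay loops forward to <ansible_host>, the same name the tables above are
# declared with, and only for hosts that define `ip.in` (the only hosts that get
# a table). Forwarding to <inventory_hostname> without that guard would reference
# an undeclared table whenever ansible_host differs from the inventory name or a
# host has services but no `ip.in`.
relay "www" {
    listen on egress port 80
    protocol "http"
    forward to <LOCAL_TABLE_NAME> port 80 check icmp
{% for h in groups["servers"] %}
{% set host = dict(hostvars[h]) %}
{% if host.ip.in is defined %}
{% for service in host.services if service.domain is defined %}
    # NOTE(review): an icmp check only proves the host answers ping, not that
    # the service on this port is up; the tls relay uses "check http" instead.
    forward to <{{ host.ansible_host }}> port {{ service.port }} check icmp
{% endfor %}
{% endif %}
{% endfor %}
}

relay "wwwtls" {
    listen on egress port 443 tls
    protocol "https"
    forward to <LOCAL_TABLE_NAME> port 80 check icmp
{% for h in groups["servers"] %}
{% set host = dict(hostvars[h]) %}
{% if host.ip.in is defined %}
{% for service in host.services if service.domain is defined %}
    # NOTE(review): several services on one host share the table name
    # <ansible_host>; confirm relayd picks the intended port when the same table
    # appears here with several ports.
    forward to <{{ host.ansible_host }}> port {{ service.port }} check http "/" code 200
{% endfor %}
{% endif %}
{% endfor %}
}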