{% import 'macros.j2' as macros with context %}

# relayd ~~ /etc/relayd.conf
# managed by Ansible

# general

log connection errors

# hosts
#
# <local> is the loopback backend (httpd on this box). Per host, one
# table named after the Ansible inventory host and one per service with a
# domain, both pointing at the host's internal address; the per-service
# tables are what the relays below forward to with a per-service port.
# The plain per-host table is not referenced by the relays in this file.
# NOTE(review): the generated table names are built from ansible_host and
# service.domain verbatim -- confirm they only contain characters relayd
# accepts in a table name.

table <local> { 127.0.0.1 }
{% call(h) macros.loop_valid_hosts("servers") -%}
table <{{ h.ansible_host }}> { {{ h.ip.in }} }
{% for service in h.services if service.domain is defined %}
table <{{ h.ansible_host }}_{{ service.domain }}> { {{ h.ip.in }} }
{% endfor %}
{%- endcall %}

# protocols

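http protocol "https" {
	
	# Forward secrecy only: static-RSA key exchange and anonymous suites
	# are excluded; AES-128 suites are excluded by the author's choice.
	tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
	tls ecdhe "P-384,P-256,X25519"

	tcp { sack, backlog 128 }

	# relayd terminates TLS directly on the egress interface, so no trusted
	# proxy sits in front of it: any X-Forwarded-* header that arrives from
	# the client is attacker-controlled. Use `set` (replace) rather than
	# `append`, otherwise a client-supplied X-Forwarded-For survives as the
	# first entry and a backend that trusts the first hop sees a spoofed
	# client address. If a trusted CDN/proxy is ever placed in front of
	# relayd, revert to `append` and have the backend trust only the last hop.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	match request header set "X-Forwarded-Proto" value "https"
	match request header set "X-Forwarded-Port" value "443"
	# NOTE(review): `set` replaces any Content-Security-Policy a backend
	# sends, so a backend shipping its own (stricter) policy loses it here.
	# Keep as-is only if no backend sets CSP itself. A
	# Strict-Transport-Security response header is not set anywhere in this
	# file; consider adding one here once every vhost is known to be
	# HTTPS-only.
	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"

	# Virtual hosts: one keypair per name, exact Host header match, first
	# `quick` match wins so rule order is load-bearing.
	tls keypair "{{ global.domain_name }}"
	pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
{% for service in h.services if service.domain is defined %}
	tls keypair "{{ service.domain }}.{{ global.domain_name }}"
	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}_{{ service.domain }}>
{% endfor %}
{%- endcall %}

	# Default deny: a request whose Host matched none of the names above is
	# blocked instead of being handed to the relay's default table.
	block label "{{ relayd_block_msg }}"

	return error
}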

http protocol "http" {
	
	# acme
	# Evaluated before the Host rules, so HTTP-01 challenges for any name
	# reach the local httpd regardless of Host. Note this path is matched
	# for every Host, including ones not listed below.
	pass request quick path "/.well-known/acme-challenge/*" forward to <local>

	pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
{% for service in h.services if service.domain is defined %}
	pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}_{{ service.domain }}>
{% endfor %}
{%- endcall %}

	# NOTE(review): unlike protocol "https" there is no trailing `block`
	# here, so a request for an unknown Host is presumably passed on to
	# the relay's default forward target rather than rejected -- confirm
	# that is intended. No X-Forwarded-* headers are set on this
	# plaintext path either, unlike the https protocol.
	return error
}

# relays

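relay "www" {
	listen on egress port 80
	protocol "http"
	# assume httpd reverse proxy is running for https redirection
	# (and for serving ACME challenges, see protocol "http").
	# Health-check with a TCP connect rather than ICMP: an ICMP echo to
	# 127.0.0.1 always succeeds, so the old `check icmp` could never mark
	# the redirector down; a TCP connect to 8888 verifies the listener.
	forward to <local> port 8888 check tcp
	# NOTE(review): protocol "http" also carries per-service
	# `forward to <host_service>` rules, but those tables are not listed as
	# forward targets of this relay; confirm relayd accepts that, and whether
	# plain-HTTP requests for those hosts should instead land on the
	# redirecting httpd above (they otherwise bypass the HTTPS redirect).
}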

relay "wwwtls" {
	listen on egress port 443 tls
	protocol "https"
	# Default backend (local httpd on :80), checked with an HTTP GET of "/"
	# that must answer 200; this is where the bare domain_name Host lands.
	forward to <local> port 80 check http "/" code 200
	# One forward per (host, service) table, on the service's own port.
	# NOTE(review): these backends are reached in plaintext (no `with tls`),
	# so TLS ends at relayd and the internal hop is unencrypted -- fine on a
	# trusted segment, otherwise consider `forward with tls to`.
{% call(h) macros.loop_valid_hosts("servers") -%}
{% for service in h.services if service.domain is defined %}
	forward to <{{ h.ansible_host }}_{{ service.domain }}> port {{ service.port }} check tcp
{% endfor %}
{%- endcall %}
}