aboutsummaryrefslogblamecommitdiffstats
path: root/roles/relayd/templates/relayd.conf.j2
blob: 4169251bcc9179932db5e2efcdd699c9cc1732b6 (plain) (tree) 
de3373e








adfb09b





de3373e







adfb09b


de3373e







adfb09b


de3373e




adfb09b


28332d3


de3373e



adfb09b

de3373e








adfb09b


28332d3

de3373e



















adfb09b


28332d3

de3373e



1
2
3
4
5
6
7
8

9
10
11
12
13

14
15
16
17
18
19
20

21
22

23
24
25
26
27
28
29

30
31

32
33
34
35

36
37

38
39

40
41
42

43

44
45
46
47
48
49
50
51

52
53

54

55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

74
75

76

77
78
79








                                               




                                                                                                          






                       

                                                                 






                                                                                      

                                                                        



                                                                                             

                                                               

                                                                                                                          


              
                                             







                                                                                  

                                                               
                                                                                                                          


















                                                                     

                                                               
                                                                                              


              
# managed by Ansible
{% import 'macros.j2' as macros with context %}

# general
log connection errors

# hosts
table <local> { 127.0.0.1 }
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
{% for rule in h.relayd__rules %}
table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
{% endfor %}
{%- endcall %}

# protocols

http protocol "https" {
	
	tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
	tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"

	tcp { sack, backlog 128 }

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"
	match request header set "X-Forwarded-Proto" value "https"
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "X-XSS-Protection" value "1; mode=block"

{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
	tls keypair "{{ rule.domain }}"
	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}

	block label "{{ relayd__block_msg }}"
	return error
}

http protocol "http" {
	
	# acme
	pass request quick path "/.well-known/acme-challenge/*" forward to <local>

{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}

	return error
}

# relays

relay "www" {
	listen on egress port 80
	protocol "http"
	# assume httpd reverse proxy is running for https redirection
	forward to <local> port 8888 check icmp
}

relay "wwwtls" {
	listen on egress port 443 tls
	protocol "https"
	forward to <local> port 80 check http "/" code 200
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
	forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
{% endfor %}
{%- endcall %}
}
remember that computers suck.