author | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 18:50:33 +0000 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 18:50:33 +0000 |
commit | de3373e97d133e0ac76fb44deb5dea27c18d8815 (patch) | |
tree | 5b63b301ff180ef837ca6fb6a676e31cb87d326c /roles/relayd/templates/relayd.conf.j2 | |
parent | e60e99796111ee6d43080b4e48971c08886c0570 (diff) | |
download | rules-de3373e97d133e0ac76fb44deb5dea27c18d8815.tar.gz |
roles: Add pf and relayd roles for domain controller
Diffstat (limited to 'roles/relayd/templates/relayd.conf.j2')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
new file mode 100644
index 0000000..c97e9da
--- /dev/null
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -0,0 +1,82 @@
+# managed by Ansible
+{% import 'macros.j2' as macros with context %}
+
+# general
+log connection errors
+
+# hosts
+table <local> { 127.0.0.1 }
+{% call(h) macros.loop_valid_hosts("servers") -%}
+table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
+{% for service in h.__services if service.domain is defined %}
+table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} }
+{% endfor %}
+{%- endcall %}
+
+# protocols
+
+http protocol "https" {
+
+ tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
+ tls ecdhe "P-384,P-256,X25519"
+
+ tcp { sack, backlog 128 }
+
+ match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+ match request header set "Connection" value "close"
+ match request header set "X-Forwarded-Proto" value "https"
+ match request header set "X-Forwarded-Port" value "443"
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+ match response header set "Referrer-Policy" value "no-referrer"
+ match response header set "X-XSS-Protection" value "1; mode=block"
+
+ tls keypair "{{ relayd_domain_name }}"
+ pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+ tls keypair "{{ domain_name }}"
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+ block label "{{ relayd_block_msg }}"
+ return error
+}
+
+http protocol "http" {
+
+ # acme
+ pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+
+ pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+ return error
+}
+
+# relays
+
+relay "www" {
+ listen on egress port 80
+ protocol "http"
+ # assume httpd reverse proxy is running for https redirection
+ forward to <local> port 8888 check icmp
+}
+
+relay "wwwtls" {
+ listen on egress port 443 tls
+ protocol "https"
+ forward to <local> port 80 check http "/" code 200
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp
+{% endfor %}
+{%- endcall %}
+}
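Review bot: The `X-Forwarded-For` rule in protocol "https" uses `append`, so a client-supplied X-Forwarded-For header survives and `$REMOTE_ADDR` is only added after it; any backend behind this relay that trusts the first value (for logging, rate limiting or allowlists) will see an attacker-chosen address. Since relayd is the TLS-terminating edge here it should be the sole source of that header, `match request header set "X-Forwarded-For" value "$REMOTE_ADDR"`, as the X-Forwarded-Proto/-Port rules already do with `set`. The response-header set also emits no HSTS although port 80 is only meant to redirect, so `match response header set "Strict-Transport-Security" value "max-age=31536000"` belongs next to the CSP rule, and `X-XSS-Protection: 1; mode=block` is a legacy header that current browsers ignore and OWASP now recommends disabling rather than enabling. Separately, the "http" protocol's per-service `pass ... forward to <host_domain>` rules appear to hand plaintext requests for service domains straight to the backend rather than to the httpd redirector the "www" relay comment relies on; if relayd honours those tables from relay "www", those hosts never get upgraded to HTTPS, and routing them to `<local>` like the base domain would close that gap.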