authorRomain Gonçalves <me@rgoncalves.se>2021-12-11 18:50:33 +0000
committerRomain Gonçalves <me@rgoncalves.se>2021-12-11 18:50:33 +0000
commitde3373e97d133e0ac76fb44deb5dea27c18d8815 (patch)
tree5b63b301ff180ef837ca6fb6a676e31cb87d326c /roles/relayd/templates
parente60e99796111ee6d43080b4e48971c08886c0570 (diff)
downloadrules-de3373e97d133e0ac76fb44deb5dea27c18d8815.tar.gz
roles: Add pf and relayd roles for domain controller
Diffstat (limited to 'roles/relayd/templates')
-rw-r--r--roles/relayd/templates/relayd.conf.j282
1 files changed, 82 insertions, 0 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
new file mode 100644
index 0000000..c97e9da
--- /dev/null
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -0,0 +1,82 @@
+# managed by Ansible
+{% import 'macros.j2' as macros with context %}
+
+# general
+log connection errors
+
+# hosts
+table <local> { 127.0.0.1 }
+{% call(h) macros.loop_valid_hosts("servers") -%}
+table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
+{% for service in h.__services if service.domain is defined %}
+table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} }
+{% endfor %}
+{%- endcall %}
+
+# protocols
+
+http protocol "https" {
+
+ tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
+ tls ecdhe "P-384,P-256,X25519"
+
+ tcp { sack, backlog 128 }
+
+ match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+ match request header set "Connection" value "close"
+ match request header set "X-Forwarded-Proto" value "https"
+ match request header set "X-Forwarded-Port" value "443"
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+ match response header set "Referrer-Policy" value "no-referrer"
+ match response header set "X-XSS-Protection" value "1; mode=block"
+
+ tls keypair "{{ relayd_domain_name }}"
+ pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+ tls keypair "{{ domain_name }}"
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+ block label "{{ relayd_block_msg }}"
+ return error
+}
+
+http protocol "http" {
+
+ # acme
+ pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+
+ pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+ return error
+}
+
+# relays
+
+relay "www" {
+ listen on egress port 80
+ protocol "http"
+ # assume httpd reverse proxy is running for https redirection
+ forward to <local> port 8888 check icmp
+}
+
+relay "wwwtls" {
+ listen on egress port 443 tls
+ protocol "https"
+ forward to <local> port 80 check http "/" code 200
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+ forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp
+{% endfor %}
+{%- endcall %}
+}
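Review bot: The plain-HTTP protocol still forwards the per-service Host names straight to the backend tables (the `pass request quick header "Host" ... forward to <hostname_service>` rules generated in `http protocol "http"`), so an app reached on port 80 is served in cleartext to its internal IP rather than being sent to the httpd redirector that the comment on relay `www` says is assumed there. Unless relayd resolves a protocol rule's forward table even when that table is not attached to the relay (only `<local>` is attached to `www`), those rules also look unresolvable, which is worth confirming with `relayd -n` before rollout. I would drop the Host-based pass rules from the `http` protocol and keep only `pass request quick path "/.well-known/acme-challenge/*" forward to <local>`, so everything else falls to the relay's default forward on port 8888. On the TLS side the response headers set a CSP and Referrer-Policy but no HSTS; `match response header set "Strict-Transport-Security" value "max-age=31536000"` would pin clients to 443 (add `includeSubDomains` only if every subdomain under relayd_domain_name is served over TLS). Note too that `X-Forwarded-For` is appended, so a client-supplied value survives ahead of `$REMOTE_ADDR`; backends must read the last entry, or use `set` here if nothing in front of relayd is trusted.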