1 files changed, 16 insertions, 15 deletions

diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 67b9e13..4169251 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,11 +6,11 @@ log connection errors
 
 # hosts
 table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
-table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
-{% for rule in h.relayd_rules %}
-table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
+{% for rule in h.relayd__rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
 {% endfor %}
 {%- endcall %}
 
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
 
 http protocol "https" {
 	
-	tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
-	tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
+	tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
+	tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
 
 	tcp { sack, backlog 128 }
 
@@ -27,19 +27,20 @@ http protocol "https" {
 	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 	match request header set "Connection" value "close"
 	match request header set "X-Forwarded-Proto" value "https"
-	match request header set "X-Forwarded-Port" value "443"
+	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
 	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 	match response header set "Referrer-Policy" value "no-referrer"
 	match response header set "X-XSS-Protection" value "1; mode=block"
 
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	tls keypair "{{ rule.domain }}"
 	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
 
-	block label "{{ relayd_block_msg }}"
+	block label "{{ relayd__block_msg }}"
 	return error
 }
 
@@ -48,8 +49,8 @@ http protocol "http" {
 	# acme
 	pass request quick path "/.well-known/acme-challenge/*" forward to <local>
 
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
@@ -70,8 +71,8 @@ relay "wwwtls" {
 	listen on egress port 443 tls
 	protocol "https"
 	forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
 {% endfor %}
 {%- endcall %}