Diffstat (limited to 'roles/relayd/templates')
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 67b9e13..4169251 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,11 +6,11 @@ log connection errors
 # hosts
 table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
 table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
-{% for rule in h.relayd_rules %}
-table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
+{% for rule in h.relayd__rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
 {% endfor %}
 {%- endcall %}
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
 http protocol "https" {
- tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
- tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
+ tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
+ tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
 tcp { sack, backlog 128 }
@@ -27,19 +27,20 @@ http protocol "https" {
 match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 match request header set "Connection" value "close"
 match request header set "X-Forwarded-Proto" value "https"
- match request header set "X-Forwarded-Port" value "443"
+ match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
 match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 match response header set "Referrer-Policy" value "no-referrer"
 match response header set "X-XSS-Protection" value "1; mode=block"
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 tls keypair "{{ rule.domain }}"
 pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
- block label "{{ relayd_block_msg }}"
+ block label "{{ relayd__block_msg }}"
 return error
 }
@@ -48,8 +49,8 @@ http protocol "http" {
 # acme
 pass request quick path "/.well-known/acme-challenge/*" forward to <local>
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %} 
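Review bot: The new `X-Forwarded-Port` value in the `https` protocol hunk, `$REMOTE_PORT`, is the client's ephemeral source port, whereas that header conventionally carries the port the client connected to on the relay, which the replaced literal `443` expressed and which relayd exposes as `$SERVER_PORT` (already used in the `X-Forwarded-By` line three lines above). Backends that rebuild absolute URLs from `X-Forwarded-Proto`/`X-Forwarded-Port` are likely to emit redirects pointing at a random high port; suggest `match request header set "X-Forwarded-Port" value "$SERVER_PORT"`. Using `set` rather than `append` for the new `X-Forwarded-For` line appears deliberate, since it discards any client-supplied value before the backends see it, so a comment such as `# set, not append: drop any client-supplied X-Forwarded-For so backends only see the address relayd observed` would keep it from being "fixed" to `append` later. The `http protocol "https"` block this hunk sits in opens before the hunk's first line.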
@@ -70,8 +71,8 @@ relay "wwwtls" {
 listen on egress port 443 tls
 protocol "https"
 forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
 {% endfor %}
 {%- endcall %} |