diff options
Diffstat (limited to 'roles/relayd')
-rw-r--r-- | roles/relayd/defaults/main.yml | 4 | ||||
-rw-r--r-- | roles/relayd/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 82 |
3 files changed, 99 insertions, 0 deletions
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml new file mode 100644 index 0000000..174a889 --- /dev/null +++ b/roles/relayd/defaults/main.yml @@ -0,0 +1,4 @@ +relayd_configuration_file: /etc/relayd.conf +relayd_domain_name: example.com +relayd_transparent: true +relayd_block_msg: aah! diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml new file mode 100644 index 0000000..14df192 --- /dev/null +++ b/roles/relayd/tasks/main.yml @@ -0,0 +1,13 @@ +- name: generate relayd configuration + template: + src: relayd.conf.j2 + dest: "{{ relayd_configuration_file }}" + +- name: verify relayd configuration + command: "relayd -nf {{ relayd_configuration_file }}" + +- name: enable and restart relayd + service: + name: relayd + state: restarted + enabled: true diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 new file mode 100644 index 0000000..c97e9da --- /dev/null +++ b/roles/relayd/templates/relayd.conf.j2 @@ -0,0 +1,82 @@ +# managed by Ansible +{% import 'macros.j2' as macros with context %} + +# general +log connection errors + +# hosts +table <local> { 127.0.0.1 } +{% call(h) macros.loop_valid_hosts("servers") -%} +table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} } +{% for service in h.__services if service.domain is defined %} +table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} } +{% endfor %} +{%- endcall %} + +# protocols + +http protocol "https" { + + tls ciphers "HIGH:!AES128:!kRSA:!aNULL" + tls ecdhe "P-384,P-256,X25519" + + tcp { sack, backlog 128 } + + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + match request header set "Connection" value "close" + match request header set "X-Forwarded-Proto" value "https" + match request header set "X-Forwarded-Port" value "443" + match response header set "Content-Security-Policy" value "upgrade-insecure-requests" + match response header set "Referrer-Policy" value "no-referrer" + match response header set "X-XSS-Protection" value "1; mode=block" + + tls keypair "{{ relayd_domain_name }}" + pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local> +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} + tls keypair "{{ domain_name }}" + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> +{% endfor %} +{%- endcall %} + + block label "{{ relayd_block_msg }}" + return error +} + +http protocol "http" { + + # acme + pass request quick path "/.well-known/acme-challenge/*" forward to <local> + + pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local> +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> +{% endfor %} +{%- endcall %} + + return error +} + +# relays + +relay "www" { + listen on egress port 80 + protocol "http" + # assume httpd reverse proxy is running for https redirection + forward to <local> port 8888 check icmp +} + +relay "wwwtls" { + listen on egress port 443 tls + protocol "https" + forward to <local> port 80 check http "/" code 200 +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp +{% endfor %} +{%- endcall %} +} |