From de3373e97d133e0ac76fb44deb5dea27c18d8815 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= Date: Sat, 11 Dec 2021 18:50:33 +0000 Subject: roles: Add pf and relayd roles for domain controller --- roles/relayd/templates/relayd.conf.j2 | 82 +++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 roles/relayd/templates/relayd.conf.j2 (limited to 'roles/relayd/templates') diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 new file mode 100644 index 0000000..c97e9da --- /dev/null +++ b/roles/relayd/templates/relayd.conf.j2 @@ -0,0 +1,82 @@ +# managed by Ansible +{% import 'macros.j2' as macros with context %} + +# general +log connection errors + +# hosts +table { 127.0.0.1 } +{% call(h) macros.loop_valid_hosts("servers") -%} +table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} } +{% for service in h.__services if service.domain is defined %} +table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} } +{% endfor %} +{%- endcall %} + +# protocols + +http protocol "https" { + + tls ciphers "HIGH:!AES128:!kRSA:!aNULL" + tls ecdhe "P-384,P-256,X25519" + + tcp { sack, backlog 128 } + + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + match request header set "Connection" value "close" + match request header set "X-Forwarded-Proto" value "https" + match request header set "X-Forwarded-Port" value "443" + match response header set "Content-Security-Policy" value "upgrade-insecure-requests" + match response header set "Referrer-Policy" value "no-referrer" + match response header set "X-XSS-Protection" value "1; mode=block" + + tls keypair "{{ relayd_domain_name }}" + pass request quick header "Host" value "{{ relayd_domain_name }}" forward to +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} + tls keypair "{{ domain_name }}" + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> +{% endfor %} +{%- endcall %} + + block label "{{ relayd_block_msg }}" + return error +} + +http protocol "http" { + + # acme + pass request quick path "/.well-known/acme-challenge/*" forward to + + pass request quick header "Host" value "{{ relayd_domain_name }}" forward to +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> +{% endfor %} +{%- endcall %} + + return error +} + +# relays + +relay "www" { + listen on egress port 80 + protocol "http" + # assume httpd reverse proxy is running for https redirection + forward to port 8888 check icmp +} + +relay "wwwtls" { + listen on egress port 443 tls + protocol "https" + forward to port 80 check http "/" code 200 +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} + forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp +{% endfor %} +{%- endcall %} +} -- cgit v1.2.3