# managed by Ansible {% import 'macros.j2' as macros with context %} # general log connection errors # hosts table { 127.0.0.1 } {% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} {% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %} table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} } {% for rule in h.relayd_rules %} table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} } {% endfor %} {%- endcall %} # protocols http protocol "https" { tls ciphers "{{ relayd_tls_ciphers | join(':') }}" tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}" tcp { sack, backlog 128 } match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header set "Connection" value "close" match request header set "X-Forwarded-Proto" value "https" match request header set "X-Forwarded-Port" value "443" match response header set "Content-Security-Policy" value "upgrade-insecure-requests" match response header set "Referrer-Policy" value "no-referrer" match response header set "X-XSS-Protection" value "1; mode=block" {% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} {% for rule in h.relayd_rules %} tls keypair "{{ rule.domain }}" pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}> {% endfor %} {%- endcall %} block label "{{ relayd_block_msg }}" return error } http protocol "http" { # acme pass request quick path "/.well-known/acme-challenge/*" forward to {% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} {% for rule in h.relayd_rules %} pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}> {% endfor %} {%- endcall %} return error } # relays relay "www" { listen on egress port 80 protocol "http" # assume httpd reverse proxy is running for https redirection forward to port 8888 check icmp } relay "wwwtls" { listen on egress port 443 tls protocol "https" forward to port 80 check http "/" code 200 {% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} {% for rule in h.relayd_rules %} forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp {% endfor %} {%- endcall %} }