# managed by Ansible
{% import 'macros.j2' as macros with context %}
# relayd.conf template: a TLS-terminating relay on port 443 ("wwwtls") and a
# plain-HTTP relay on port 80 ("www"). Backends come from relayd__connected_hosts
# via the loop_valid_hosts macro; every rule of every host gets its own table
# named <host>_<rule>, which is what the protocols and relays forward to.
# general
# only connection errors are logged, not individual requests
log connection errors
# hosts
# loopback table: used for the ACME challenge passthrough and as the default
# https backend below
table <local> { 127.0.0.1 }
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
{% for rule in h.relayd__rules %}
table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
{% endfor %}
{%- endcall %}
# NOTE(review): relayd__rule_ip resolves a host to 127.0.0.1 when it is the host
# being configured and to h.__ip.internal otherwise, so traffic to remote backends
# leaves on the internal address only. The per-host table <host> is defined but not
# referenced elsewhere in this template; only the <host>_<rule> tables are used.
# protocols
http protocol "https" {
# cipher and curve lists are rendered from role variables
tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
tcp { sack, backlog 128 }
# forwarding headers are set (overwritten), not appended, so a value supplied by
# the client in the incoming request is replaced rather than carried through;
# the append variants are kept commented out below for reference
match request header set "X-Forwarded-Proto" value "https"
# match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
# match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
# NOTE(review): $REMOTE_PORT is the client's source port; X-Forwarded-Port is
# usually expected to carry the port the relay listened on ($SERVER_PORT) -- confirm
# what the backends expect
match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
# NOTE(review): X-XSS-Protection is a legacy header; current guidance favours "0"
# or omitting it. Kept as-is here.
match response header set "X-XSS-Protection" value "1; mode=block"
match response header set "X-Content-Type-Options" value "nosniff"
# close the client connection after each request
match request header set "Connection" value "close"
# response headers below are set unconditionally, so a stricter
# Content-Security-Policy or Referrer-Policy sent by a backend is presumably
# overwritten by these values -- confirm if a backend manages its own policy
match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
match response header set "Referrer-Policy" value "no-referrer"
# one-year HSTS covering all subdomains with preload: every subdomain must serve
# TLS, and removal from the preload list is slow, so treat this as permanent
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
# one keypair per rule domain; requests are routed by exact Host header to that
# rule's table. "quick" stops rule evaluation at the first match.
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
tls keypair "{{ rule.domain }}"
pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
# anything not matched by a rule above is blocked with the configured label and
# answered with an error response
block label "{{ relayd__block_msg }}"
return error
}
http protocol "http" {
# acme
# ACME HTTP-01 challenges are always passed to the local table, ahead of the
# per-rule Host matches below
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
# unmatched plain-HTTP requests get an error response
return error
}
# relays
relay "www" {
listen on egress port 80
protocol "http"
# assume httpd reverse proxy is running for https redirection
# the local backend is only ICMP-checked here, so a dead httpd on 8888 would not
# be detected by this check
forward to <local> port 8888 check icmp
}
relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
# default backend on loopback port 80, health-checked with an HTTP GET of "/"
forward to <local> port 80 check http "/" code 200
# one backend per rule on its configured port, health-checked by TCP connect only
{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
{% for rule in h.relayd__rules %}
forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
{% endfor %}
{%- endcall %}
}