euchre-live

Euchre web-app for the socially distant family
git clone git://git.alexkarle.com/euchre-live.git

commit 35ee2652704857261b47594f0ede491133593a7c (patch)
parent 84f0d7146b3f223390176883293b9cb250905854
Author: Alex Karle <alex@alexkarle.com>
Date:   Sun, 19 Feb 2023 12:52:35 -0500

Add relayd.conf(8) for future reference

I'll be spinning this down for the foreseeable future, so
it'll be good to archive this!

Diffstat:
Rbin/euchre-service.sh -> etc/rc.d/euchre | 0
Aetc/relayd.conf | 53+++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 0 deletions(-)

diff --git a/bin/euchre-service.sh b/etc/rc.d/euchre
diff --git a/etc/relayd.conf b/etc/relayd.conf
@@ -0,0 +1,53 @@
+# relayd(8) configuration for deploying euchre.live on
+# OpenBSD alongside a standard webserver running httpd(8)
+#
+# In a diagram:
+#
+# |
+# -----> :80 httpd (301 to https)
+# | :8080 httpd (internal)
+# | ^
+# -----> :443 relayd (tls)
+# | v
+# pf| :3000 euchre-live
+#
+table <httpd> { 127.0.0.1 }
+table <euchre> { 127.0.0.1 }
+
+http protocol "revprox" {
+ return error
+
+ match request header append "X-Forwarded-For" \
+ value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" \
+ value "$SERVER_ADDR:$SERVER_PORT"
+
+ match request url "euchre.live/" forward to <euchre>
+ # put second so euchre.live/.well-known is hit
+ match path "/.well-known/acme-challenge/*" forward to <httpd>
+
+ # NOTE: relayd(8) had a websockets bug closing connections
+ # on i-Devices prior to OpenBSD 7.1. This patch can be
+ # backported manually: https://marc.info/?l=openbsd-tech&m=163467887702635&w=2
+ http { websockets }
+ tls { no tlsv1.0, ciphers "HIGH" }
+
+ # SNI used to find right .key/.crt combo!
+ tls keypair alexkarle.com
+ tls keypair euchre.live
+}
+
+relay "www" {
+ # TLS acceleration/termination used so that euchre.live
+ # is encrypted!
+ listen on 46.23.89.47 port 443 tls
+ protocol "revprox"
+
+ # By default, we want to send traffic to httpd
+ forward to <httpd> port 8080
+
+ session timeout 18000
+
+ # NOTE: these need to be AFTER the 8080
+ forward to <euchre> port 3000
+}
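Review bot: The `tls { no tlsv1.0, ciphers "HIGH" }` line in the "revprox" protocol sets the cipher string to plain `HIGH`, which drops the `!aNULL` exclusion that relayd.conf(5) documents as part of its default (`HIGH:!aNULL`, as far as I recall), so anonymous, unauthenticated suites may become negotiable depending on the TLS library. I would write `tls { no tlsv1.0, ciphers "HIGH:!aNULL" }`, or omit `ciphers` and keep the default. Separately, the X-Forwarded-For rule uses `append`, so any value the client sends is kept ahead of `$REMOTE_ADDR`. Whether httpd or euchre-live reads the first or the last entry is not visible here, so a comment such as `# append keeps client-supplied X-Forwarded-For; backends must trust only the last entry` would record the assumption for anyone reviving this config.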