# relayd(8) configuration for deploying euchre.live on
# OpenBSD alongside a standard webserver running httpd(8)
#
# In a diagram:
#
#     |
# -----> :80 httpd (301 to https)
#     |  :8080 httpd (internal)
#     |          ^
# -----> :443  relayd (tls)
#     |          v
#   pf|  :3000 euchre-live
#
table <httpd> { 127.0.0.1 }
table <euchre> { 127.0.0.1 }

http protocol "revprox" {
    return error

    match request header append "X-Forwarded-For" \
        value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"

    match request url "euchre.live/" forward to <euchre>
    # put second so euchre.live/.well-known is hit
    match path "/.well-known/acme-challenge/*" forward to <httpd>

    # NOTE: relayd(8) had a websockets bug closing connections
    # on i-Devices prior to OpenBSD 7.1. This patch can be
    # backported manually: https://marc.info/?l=openbsd-tech&m=163467887702635&w=2
    http { websockets }
    tls { no tlsv1.0, ciphers "HIGH" }

    # SNI used to find right .key/.crt combo!
    tls keypair alexkarle.com
    tls keypair euchre.live
}

relay "www" {
    # TLS acceleration/termination used so that euchre.live
    # is encrypted!
    listen on 46.23.89.47 port 443 tls
    protocol "revprox"

    # By default, we want to send traffic to httpd
    forward to <httpd> port 8080

    session timeout 18000

    # NOTE: these need to be AFTER the 8080
    forward to <euchre> port 3000
}