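# relayd(8) configuration for deploying euchre.live on
# OpenBSD alongside a standard webserver running httpd(8)
#
# In a diagram:
#
#      |
# -----> :80   httpd (301 to https)
#      | :8080 httpd (internal)
#      |   ^
# -----> :443  relayd (tls)
#      |   v
#    pf| :3000 euchre-live
#
# Both backends are reached over loopback only; relayd is the
# single TLS listener on the public address.
table <httpd> { 127.0.0.1 }
table <euchre> { 127.0.0.1 }

http protocol "revprox" {
	return error

	# "append" keeps whatever X-Forwarded-For the client sent and adds
	# the real peer address after it. Backends must therefore treat
	# only the LAST entry as trustworthy; everything before it is
	# client-controlled.
	match request header append "X-Forwarded-For" \
		value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
		value "$SERVER_ADDR:$SERVER_PORT"

	match request url "euchre.live/" forward to <euchre>
	# put second so euchre.live/.well-known is hit
	# (ACME challenges for every hostname are answered by httpd)
	match path "/.well-known/acme-challenge/*" forward to <httpd>

	# NOTE: relayd(8) had a websockets bug closing connections
	# on i-Devices prior to OpenBSD 7.1. This patch can be
	# backported manually: https://marc.info/?l=openbsd-tech&m=163467887702635&w=2
	http { websockets }

	# An explicit cipher string replaces relayd's built-in default
	# ("HIGH:!aNULL"), so the anonymous-DH exclusion has to be
	# repeated here; plain "HIGH" would drop it.
	tls { no tlsv1.0, ciphers "HIGH:!aNULL" }

	# SNI used to find right .key/.crt combo!
	tls keypair alexkarle.com
	tls keypair euchre.live
}

relay "www" {
	# TLS acceleration/termination used so that euchre.live
	# is encrypted!
	listen on 46.23.89.47 port 443 tls
	protocol "revprox"

	# By default, we want to send traffic to httpd
	forward to <httpd> port 8080

	# 18000 seconds = 5 hours. Presumably sized for long-lived
	# websocket sessions; idle connections keep their state in
	# relayd for that long as well.
	session timeout 18000

	# NOTE: these need to be AFTER the 8080
	forward to <euchre> port 3000
}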