From 35ee2652704857261b47594f0ede491133593a7c Mon Sep 17 00:00:00 2001 From: Alex Karle Date: Sun, 19 Feb 2023 12:52:35 -0500 Subject: [PATCH] Add relayd.conf(8) for future reference I'll be spinning this down for the foreseeable future, so it'll be good to archive this! --- bin/euchre-service.sh | 13 ------------- etc/rc.d/euchre | 13 +++++++++++++ etc/relayd.conf | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 13 deletions(-) delete mode 100644 bin/euchre-service.sh create mode 100644 etc/rc.d/euchre create mode 100644 etc/relayd.conf
diff --git a/bin/euchre-service.sh b/bin/euchre-service.sh
deleted file mode 100644
index b66e643..0000000
--- a/bin/euchre-service.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/ksh
-# OpenBSD rc.d service for euchre.live
-
-# config
-INSTALL="/home/_euchre/prod-el"
-# end config
-
-daemon="perl $INSTALL/gloat.pl daemon -m production -l http://127.0.0.1:3000"
-daemon_user="_euchre"
-
-. /etc/rc.d/rc.subr
-
-rc_cmd "$1"
diff --git a/etc/rc.d/euchre b/etc/rc.d/euchre
new file mode 100644
index 0000000..b66e643
--- /dev/null
+++ b/etc/rc.d/euchre
@@ -0,0 +1,13 @@
+#!/bin/ksh
+# OpenBSD rc.d service for euchre.live
+
+# config
+INSTALL="/home/_euchre/prod-el"
+# end config
+
+daemon="perl $INSTALL/gloat.pl daemon -m production -l http://127.0.0.1:3000"
+daemon_user="_euchre"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd "$1"
diff --git a/etc/relayd.conf b/etc/relayd.conf
new file mode 100644
index 0000000..375e768
--- /dev/null
+++ b/etc/relayd.conf
@@ -0,0 +1,53 @@
+# relayd(8) configuration for deploying euchre.live on
+# OpenBSD alongside a standard webserver running httpd(8)
+#
+# In a diagram:
+#
+# |
+# -----> :80 httpd (301 to https)
+# | :8080 httpd (internal)
+# | ^
+# -----> :443 relayd (tls)
+# | v
+# pf| :3000 euchre-live
+#
+table { 127.0.0.1 }
+table { 127.0.0.1 }
+
+http protocol "revprox" {
+ return error
+
+ match request header append "X-Forwarded-For" \
+ value "$REMOTE_ADDR"
+ match request header append "X-Forwarded-By" \
+ value "$SERVER_ADDR:$SERVER_PORT"
+
+ match request url "euchre.live/" forward to
+ # put second so euchre.live/.well-known is hit
+ match path "/.well-known/acme-challenge/*" forward to
+
+ # NOTE: relayd(8) had a websockets bug closing connections
+ # on i-Devices prior to OpenBSD 7.1. This patch can be
+ # backported manually: https://marc.info/?l=openbsd-tech&m=163467887702635&w=2
+ http { websockets }
+ tls { no tlsv1.0, ciphers "HIGH" }
+
+ # SNI used to find right .key/.crt combo!
+ tls keypair alexkarle.com
+ tls keypair euchre.live
+}
+
+relay "www" {
+ # TLS acceleration/termination used so that euchre.live
+ # is encrypted!
+ listen on 46.23.89.47 port 443 tls
+ protocol "revprox"
+
+ # By default, we want to send traffic to httpd
+ forward to port 8080
+
+ session timeout 18000
+
+ # NOTE: these need to be AFTER the 8080
+ forward to port 3000
+}
-- libgit2 1.1.1
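Review bot: The `X-Forwarded-For` rule in protocol "revprox" uses `append`, so a client-supplied X-Forwarded-For survives with relayd's `$REMOTE_ADDR` added after it; unless the backend on port 3000 is known to read only the last entry, `match request header set "X-Forwarded-For" value "$REMOTE_ADDR"` is the safer form, or failing that a comment such as `# append keeps any client-sent value; only the last entry is ours` so the backend author knows which entry to trust. The line `tls { no tlsv1.0, ciphers "HIGH" }` says nothing about TLS 1.1: if this relayd release's default does not already exclude it, `no tlsv1.1` belongs there too, and if the default is already 1.2+ a comment stating that would make `no tlsv1.0` look deliberate rather than load-bearing. The two `table { 127.0.0.1 }` lines and the `forward to` targets appear here without their angle-bracketed table names, which looks like a rendering artefact of this page rather than the committed text, but it is worth confirming the file as committed names them since the routing depends on it. `session timeout 18000` deserves a why-comment, presumably the long-lived websocket games, e.g. `# 5h: do not idle out long-running websocket games`.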