| author | Paul Buetow <paul@buetow.org> | 2024-11-30 23:52:14 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-11-30 23:52:14 +0200 |
| commit | 0e5271d40db1838e715e5e9e81acaa83b3164b31 (patch) | |
| tree | e4c4362344d7fb80623a2e7611f91c5b9621fd7a /frontends | |
| parent | 291b326e289b41207b77fa601203434fc0ab239b (diff) | |
refactor OpenBSD frontends so that relayd always does the TLS termination for httpd
Diffstat (limited to 'frontends')
| -rw-r--r-- | frontends/Rexfile | 5 | ||||
| -rw-r--r-- | frontends/etc/httpd.conf.tpl | 72 | ||||
| -rw-r--r-- | frontends/etc/relayd.conf.tpl | 25 |
3 files changed, 40 insertions, 62 deletions
diff --git a/frontends/Rexfile b/frontends/Rexfile
index f7781da..0111489 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -17,7 +17,7 @@ use File::Slurp;
 group frontends => 'blowfish.buetow.org:2', 'fishfinger.buetow.org:2';
 our $ircbouncer_server = 'fishfinger.buetow.org:2';
 group ircbouncer => $ircbouncer_server;
-group openbsd_canary => 'blowfish.buetow.org:2';
+group openbsd_canary => 'fishfinger.buetow.org:2';
 user 'rex';
 sudo TRUE;
@@ -255,7 +255,8 @@ task 'relayd', group => 'frontends',
 append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
 file '/etc/relayd.conf',
- content => template('./etc/relayd.conf.tpl', ipv6address => $ipv6address),
+ content => template('./etc/relayd.conf.tpl',
+ ipv6address => $ipv6address, acme_hosts => \@acme_hosts),
 owner => 'root',
 group => 'wheel',
 mode => '600',
diff --git a/frontends/etc/httpd.conf.tpl b/frontends/etc/httpd.conf.tpl
index 6f75dfb..2788441 100644
--- a/frontends/etc/httpd.conf.tpl
+++ b/frontends/etc/httpd.conf.tpl
@@ -31,11 +31,7 @@ server "<%= "$hostname.$domain" %>" {
 }
 server "<%= "$hostname.$domain" %>" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= "$hostname.$domain" %>.fullchain.pem"
- key "/etc/ssl/private/<%= "$hostname.$domain" %>.key"
- }
+ listen on * port 8080
 location * {
 root "/htdocs/buetow.org/self"
 directory auto index
@@ -46,11 +42,7 @@ server "<%= "$hostname.$domain" %>" {
 <% for my $host (qw/foo.zone/) { %>
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix.$host %>" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix.$host %>.key"
- }
+ listen on * port 8080
 location "/.git*" {
 block return 302 "https://<%= $prefix.$host %>"
 }
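Review bot: The relayd task now renders its config from `@acme_hosts`, but the hunk does not show where that array is declared or filled; if it is a lexical of another task rather than a file-level variable, `\@acme_hosts` here is an empty array (or a compile error under strict) and relayd ends up with nothing but the `$hostname.$domain` keypair. A guard at the top of the task, e.g. `die 'acme_hosts is empty' unless @acme_hosts;`, makes a bad render fail in Rex instead of at TLS-handshake time. The enclosing `task 'relayd'` body starts and ends outside the hunk.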
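Review bot: `listen on * port 8080` binds the now-plaintext backend on every address, while the relayd side of this commit forwards only to 127.0.0.1 and ::1; unless pf drops external traffic to 8080, every vhost is reachable directly without TLS, bypassing the relay. Restrict the backend to loopback, e.g. `listen on 127.0.0.1 port 8080` followed by `listen on ::1 port 8080` (httpd accepts several `listen` lines per server), and mark the intent with `# plaintext backend: TLS is terminated by relayd, keep this on loopback only`. The same line is introduced in every server block of the remaining frontends/etc/httpd.conf.tpl hunks, including `server "default"`, so the change applies to all of them.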
@@ -69,33 +61,21 @@ server "<%= $prefix.$host %>" {
 # Redirect to paul.buetow.org
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>buetow.org" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>buetow.org.key"
- }
+ listen on * port 8080
 location * {
 block return 302 "https://paul.buetow.org$REQUEST_URI"
 }
 }
 server "<%= $prefix %>snonux.foo" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>snonux.foo.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>snonux.foo.key"
- }
+ listen on * port 8080
 location * {
 block return 302 "https://foo.zone$REQUEST_URI"
 }
 }
 server "<%= $prefix %>paul.buetow.org" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>paul.buetow.org.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>paul.buetow.org.key"
- }
+ listen on * port 8080
 location * {
 block return 302 "https://foo.zone/about$REQUEST_URI"
 }
@@ -105,11 +85,7 @@ server "<%= $prefix %>paul.buetow.org" {
 # Redirect to gitub.dtail.dev
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>dtail.dev" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>dtail.dev.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>dtail.dev.key"
- }
+ listen on * port 8080
 location * {
 block return 302 "https://github.dtail.dev$REQUEST_URI"
 }
@@ -119,11 +95,7 @@ server "<%= $prefix %>dtail.dev" {
 # Irregular Ninja special hosts
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>irregular.ninja" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>irregular.ninja.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>irregular.ninja.key"
- }
+ listen on * port 8080
 location * {
 root "/htdocs/irregular.ninja"
 directory auto index
@@ -133,11 +105,7 @@ server "<%= $prefix %>irregular.ninja" {
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>alt.irregular.ninja" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>alt.irregular.ninja.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>alt.irregular.ninja.key"
- }
+ listen on * port 8080
 location * {
 root "/htdocs/alt.irregular.ninja"
 directory auto index
@@ -148,11 +116,7 @@ server "<%= $prefix %>alt.irregular.ninja" {
 # Dory special host
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>dory.buetow.org" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>dory.buetow.org.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>dory.buetow.org.key"
- }
+ listen on * port 8080
 location * {
 root "/htdocs/joern/dory.buetow.org"
 directory auto index
@@ -162,11 +126,7 @@ server "<%= $prefix %>dory.buetow.org" {
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>solarcat.buetow.org" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>solarcat.buetow.org.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>solarcat.buetow.org.key"
- }
+ listen on * port 8080
 location * {
 root "/htdocs/joern/solarcat.buetow.org"
 directory auto index
@@ -176,11 +136,7 @@ server "<%= $prefix %>solarcat.buetow.org" {
 <% for my $prefix (@prefixes) { -%>
 server "<%= $prefix %>fotos.buetow.org" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/<%= $prefix %>fotos.buetow.org.fullchain.pem"
- key "/etc/ssl/private/<%= $prefix %>fotos.buetow.org.key"
- }
+ listen on * port 8080
 root "/htdocs/buetow.org/fotos"
 directory auto index
 }
@@ -193,10 +149,6 @@ server "default" {
 }
 server "default" {
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/foo.zone.fullchain.pem"
- key "/etc/ssl/private/foo.zone.key"
- }
+ listen on * port 8080
 block return 302 "https://foo.zone$REQUEST_URI"
 }
diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl
index f2edf43..e75efa3 100644
--- a/frontends/etc/relayd.conf.tpl
+++ b/frontends/etc/relayd.conf.tpl
@@ -1,5 +1,30 @@
 log connection
+<%
+ our @prefixes = ('', 'www.', 'standby.');
+%>
+
+tcp protocol "https" {
+<% for my $host (@$acme_hosts) { -%>
+<% for my $prefix (@prefixes) { -%>
+ tls keypair <%= $prefix.$host -%>
+<% } -%>
+<% } -%>
+ tls keypair <%= $hostname.'.'.$domain -%>
+}
+
+relay "https4" {
+ listen on <%= $vio0_ip %> port 443 tls
+ protocol "https"
+ forward to 127.0.0.1 port 8080
+}
+
+relay "https6" {
+ listen on <%= $ipv6address->($hostname) %> port 443 tls
+ protocol "https"
+ forward to ::1 port 8080
+}
+
 tcp protocol "gemini" {
 tls keypair foo.zone
 tls keypair snonux.foo |
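Review bot: The two `tls keypair <%= … -%>` lines close their tag with `-%>`, which this template otherwise uses on `<% } -%>` lines to swallow the trailing newline; if it does the same on an output tag, the rendered block collapses into a single `tls keypair a tls keypair b …` line that relayd's parser rejects, so render the file and run `relayd -n` against it before deploying. relayd resolves a keypair name to `/etc/ssl/NAME.crt` and `/etc/ssl/private/NAME.key`, whereas the httpd blocks removed in this commit served `/etc/ssl/NAME.fullchain.pem`; unless a `.crt` carrying the full chain exists for every prefix/host pair and for `$hostname.$domain`, relayd will either fail to load that keypair or present a certificate without its chain. `tcp protocol "https"` hands httpd the decrypted stream unchanged, so httpd's access logs now record 127.0.0.1/::1 as the client; an `http protocol "https"` containing `match request header append "X-Forwarded-For" value "$REMOTE_ADDR"` would keep the client address available to the backend. The `our @prefixes` list duplicates the one the httpd template iterates; passing a single list from the Rexfile to both templates avoids a vhost that has no matching keypair once the two copies drift apart.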
