<% our @prefixes = ('', 'www.', 'standby.'); -%>
# relayd.conf(5) template for the TLS front end: it terminates HTTPS (443) and
# Gemini TLS (1965) and relays to the k3s ("f3s") cluster over WireGuard or to
# the local OpenBSD httpd.  The <% %> / <%= %> tags are an embedded-Perl
# template; $acme_hosts, $f3s_hosts, $hostname, $domain, $vio0_ip and the
# $ipv6address code ref are presumably supplied by whatever renders this file.
#
# NOTE(review): relayd tables are declared as "table <name> { ... }" and used as
# "forward to <name> ...".  Every <name> token is missing in this copy (most
# likely stripped as an HTML tag during extraction) -- restore them before
# deploying, relayd will not parse the file as it stands.
#
# @prefixes: the host-name variants that get a Host-header rule below
# (bare host, www., standby.).
#
# Log every relayed connection (useful for incident reconstruction).
log connection
# Wireguard endpoints of the k3s cluster nodes running in FreeBSD bhyve Linux VMs via Wireguard tunnels
table { 192.168.2.120 192.168.2.121 192.168.2.122 }
# Same backends, separate table for registry service on port 30001
table { 192.168.2.120 192.168.2.121 192.168.2.122 }
# Local OpenBSD httpd
table { 127.0.0.1 ::1 }

http protocol "https" {
    # One keypair per ACME host plus its standby. alias, then the relay host
    # itself.  NOTE(review): per relayd.conf(5) the first keypair listed is the
    # default served to clients that send no SNI -- here that is the first entry
    # of @$acme_hosts; confirm that is the intended default certificate.
<% for my $host (@$acme_hosts) { -%>
    tls keypair <%= $host %>
    tls keypair standby.<%= $host %>
<% } -%>
    tls keypair <%= $hostname.'.'.$domain -%>
    # NOTE(review): the "-%>" above trims the following newline in Mojo-style
    # template engines, which would glue this keypair line onto the next
    # directive -- confirm the rendered output keeps them on separate lines.
    #
    # "set" replaces any client-supplied X-Forwarded-For, so backends only ever
    # see the relay's view of the peer address ($REMOTE_ADDR) and cannot be
    # spoofed by an attacker-controlled header.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Proto" value "https"
    # WebSocket support for audiobookshelf
    # NOTE(review): newer relayd releases have a "websockets" protocol option
    # that handles the Connection/Upgrade negotiation; these per-header pass
    # rules are the older spelling -- confirm which one the running release needs.
    pass header "Connection"
    pass header "Upgrade"
    pass header "Sec-WebSocket-Key"
    pass header "Sec-WebSocket-Version"
    pass header "Sec-WebSocket-Extensions"
    pass header "Sec-WebSocket-Protocol"
    # Explicitly route non-f3s hosts to localhost to prevent them from trying f3s backends
    # NOTE(review): the Host value is compared as written, so a Host carrying an
    # explicit ":443" suffix would not match any of these rules.
<% for my $host (@$acme_hosts) { next if grep { $_ eq $host } @$f3s_hosts; for my $prefix (@prefixes) { -%>
    match request header "Host" value "<%= $prefix.$host -%>" forward to
<% } } -%>
    # For f3s hosts: use relay-level failover (f3s -> localhost backup)
    # Registry is special: needs explicit routing to port 30001
    # NOTE(review): any request whose Host matches no rule above (unknown or
    # missing Host header) falls through to the relay's default forward, i.e.
    # the cluster table.  If that is not intended, add a default-deny rule and
    # pass only the known hosts explicitly.
<% for my $host (@$f3s_hosts) { for my $prefix (@prefixes) { if ($host eq 'registry.f3s.buetow.org') { -%>
    match request header "Host" value "<%= $prefix.$host -%>" forward to
<% } } } -%>
}

relay "https4" {
    listen on <%= $vio0_ip %> port 443 tls
    protocol "https"
    # Primary: f3s cluster (with health checks) - Falls back to localhost when all hosts down
    # "check tcp" only verifies that the port accepts a connection; the
    # localhost fallback on 8080 has no check at all, so a wedged local httpd
    # still receives traffic once the cluster is marked down.
    forward to port 80 check tcp
    forward to port 8080
    # Registry uses separate port and table
    forward to port 30001 check tcp
}

relay "https6" {
    listen on <%= $ipv6address->($hostname) %> port 443 tls
    protocol "https"
    # Primary: f3s cluster (with health checks) - Falls back to localhost when all hosts down
    # Mirrors "https4"; keep the two forward lists in sync.
    forward to port 80 check tcp
    forward to port 8080
    # Registry uses separate port and table
    forward to port 30001 check tcp
}

# Gemini: plain TCP relay with TLS termination at relayd.  Keypairs are
# hard-coded here rather than derived from @$acme_hosts as in "https".
tcp protocol "gemini" {
    tls keypair foo.zone
    tls keypair stats.foo.zone
    tls keypair snonux.foo
    tls keypair paul.buetow.org
    tls keypair standby.foo.zone
    tls keypair standby.stats.foo.zone
    tls keypair standby.snonux.foo
    tls keypair standby.paul.buetow.org
}

relay "gemini4" {
    listen on <%= $vio0_ip %> port 1965 tls
    protocol "gemini"
    # TLS ends here; the backend on loopback sees plaintext.  NOTE(review):
    # presumably no capsule relies on Gemini client certificates, since the
    # backend cannot see them after termination -- confirm.
    forward to 127.0.0.1 port 11965
}

relay "gemini6" {
    listen on <%= $ipv6address->($hostname) %> port 1965 tls
    protocol "gemini"
    # Same backend as "gemini4"; TLS terminated at relayd, plaintext on loopback.
    forward to 127.0.0.1 port 11965
}