Rendez-vous sur Arrakis

relayd, headers, cache-control, tls, acme, ipv6

For the record, this is how I set up relayd :

1. After getting the TLS certificates with acme-client, run :

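# relayd looks up the key and certificate of a tls relay by its listen
# address and port: /etc/ssl/private/<address>:<port>.key and
# /etc/ssl/<address>:<port>.crt. The links below follow that naming for both
# the IPv4 and the IPv6 listener of step 3.
# The key links point into the acme-client private directory, which stays
# root-only; relayd follows the link when it loads the key, so the target
# must be readable by the user relayd loads keys as (normally root).
# (The original lines had a stray "key"/"certificate" word before the target,
# which gives ln(1) three operands and makes it fail with "Not a directory".)
ln -s "/etc/ssl/acme/private/chezmoi.tld-privkey.pem" "/etc/ssl/private/192.168.1.2:443.key"
ln -s "/etc/ssl/acme/chezmoi.tld-fullchain.pem" "/etc/ssl/192.168.1.2:443.crt"
ln -s "/etc/ssl/acme/private/chezmoi.tld-privkey.pem" "/etc/ssl/private/2001:db8:1:1::2:443.key"
ln -s "/etc/ssl/acme/chezmoi.tld-fullchain.pem" "/etc/ssl/2001:db8:1:1::2:443.crt"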

2. In httpd.conf, use these listen directives :

# httpd only listens on loopback; relayd (step 3) faces the network and
# forwards to these two ports.
listen on localhost port 80
 # No "tls" keyword here: TLS is terminated by relayd, so httpd receives
 # plaintext on 443 as well.
 listen on localhost port 443
 # NOTE(review): httpd may only emit Strict-Transport-Security on listeners
 # that have tls enabled; check that the header actually appears on the
 # https responses before submitting the domain for preload.
 hsts preload
 

3. In relayd.conf, use :

# External addresses relayd listens on; httpd itself only listens on loopback.
ext_ip =  192.168.1.2
 # NOTE(review): step 1 names the IPv6 key/cert files with the compressed
 # form "2001:db8:1:1::2"; confirm relayd derives that same spelling from
 # this value when it looks up /etc/ssl/<address>:<port>.crt, otherwise the
 # tls relays below will not find their certificate.
 ext_ipv6 =  2001:db8:1:1:0:0:0:2 # must be full ipv6
 prefork 5
 
 # Plain HTTP: same header/filter rules as "https" and no redirect to https,
 # so the Cache-Control and security headers from the include are also sent
 # over cleartext.
 http protocol "http" {
     include "/etc/relayd.proxy.conf"
     pass
 }
 
 http protocol "https" {
     include "/etc/relayd.proxy.conf"
 
     pass
     # Only TLS 1.0 is disabled explicitly; whatever else is offered
     # (TLS 1.1, cipher list) is this relayd version's default.
     tls { \
         cipher-server-preference,\
         no tlsv1.0\
     }
 }
 # TLS is terminated in relayd; the connections to httpd on loopback are
 # plaintext (httpd's port-443 listener in step 2 has no tls keyword).
 relay "www" {
     listen on $ext_ip port 80
     protocol "http"
     forward to 127.0.0.1 port 80
 }
 
 relay "wwwipv6" {
     listen on $ext_ipv6 port 80
     protocol "http"
     forward to ::1 port 80
 }
 
 relay "tlsforward" {
     listen on $ext_ip port 443 tls
     protocol "https"
     forward to 127.0.0.1 port 443
 }
 
 relay "tlsforwardipv6" {
     listen on $ext_ipv6 port 443 tls
     protocol "https"
     forward to ::1 port 443
 }
 
 

In /etc/relayd.proxy.conf, which both protocols above include :

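# Included by both the "http" and "https" protocols, so every rule here
# applies to cleartext and TLS traffic alike.

# Strip any client-supplied "Proxy" request header before it reaches the
# backend (commonly done so a CGI backend cannot turn it into HTTP_PROXY).
match request header remove "Proxy"

# NOTE(review): this overwrites whatever Cache-Control the backend sent, on
# every response - error pages and anything dynamic or per-user included.
# Only appropriate if everything served is public and static; otherwise
# scope it by path.
match response header set "Cache-Control" value "max-age=31536000"
# Legacy XSS-auditor toggle; current browsers largely ignore it.
match response header set "X-Xss-Protection" value "1; mode=block"
# X-Frame-Options is the header browsers honor; a bare "Frame-Options"
# header (present in the original) has no effect and was dropped.
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
# Replaces any backend X-Powered-By so the real stack is not advertised.
match response header set "X-Powered-By" value "Powered with electricity on OpenBSD"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"

# if you don't have wordpress
# The label is rendered into relayd's error page; it is written as HTML on
# purpose, so keep it to trusted, static text.
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'

# No direction given: presumably these apply to the request - verify
# against relayd.conf(5). "set" overwrites any X-Forwarded-For the client
# sent, so the backend only ever sees the address relayd observed.
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
# Backend stickiness keyed on the "sessid" query parameter; only matters
# once there is more than one backend.
match query hash "sessid"

return error style "body { background: black; color: red; text-align:center } hr {border:0; background-color:grey; color:grey; height:1px; width:30%; margin-top:50px;}"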
 

Sadly, I didn’t manage to use the “transparent forward” keyword yet.