# acme-client.conf(5): the ACME authority used to sign the domain block below.
authority letsencrypt {
# Let's Encrypt production ACME v2 directory endpoint.
api url "https://acme-v02.api.letsencrypt.org/directory"
# Account key that identifies this host to the CA; keep it readable by root only.
account key "/etc/acme/letsencrypt-privkey.pem"
}
# Certificate and private key for the site. The "name:443" suffix appears to
# follow relayd's per-port keypair lookup so that "tls keypair" in relayd.conf
# below finds these files — confirm against relayd.conf(5).
domain graph.openshift.tips {
domain key "/etc/ssl/private/graph.openshift.tips:443.key"
domain full chain certificate "/etc/ssl/graph.openshift.tips:443.crt"
# Sign with the authority defined above.
sign with letsencrypt
}
# httpd.conf(5): plain-HTTP listener. Its only jobs are serving ACME HTTP-01
# challenges and redirecting everything else to HTTPS; TLS itself is terminated
# by relayd (see the relay blocks below), not by httpd.
server "graph.openshift.tips" {
listen on egress port 80
log style combined
# Challenge files are served from /acme (presumably acme-client's challenge
# directory relative to httpd's chroot — verify the path on this host).
# This location must stay ahead of the catch-all below so challenges are not
# redirected; see httpd.conf(5) for location matching order.
location "/.well-known/acme-challenge/*" {
root "/acme"
# Drop the two leading path components so
# /.well-known/acme-challenge/<token> maps to /acme/<token>.
request strip 2
# Never expose a directory listing of the challenge directory.
directory no auto index
}
# Everything else: permanent redirect to HTTPS on the same host and path.
location "*" {
block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
}
# relayd.conf(5) starts here.
# Macros for the public addresses the TLS relays bind to; set them to this
# host's external IP addresses.
external_ipv4 = "46.23.94.141"
# This needs to be the expanded IPv6 address.
# NOTE(review): the value below still uses "::" compression, which does not
# match the comment above — confirm which form relayd expects here.
external_ipv6 = "2a03:6000:6f68:602::141"
# HTTP protocol applied by the TLS relays below: rewrites request headers sent
# to the backend and adds response security headers for the browser.
http protocol "wwwsecure" {
# You may want to remove this depending on your use case
# (it disables keep-alive between relayd and the backend).
match request header set "Connection" value "close"
# Your web application might need these headers. Using "set" (rather than
# "append") should replace any client-supplied header of the same name, so the
# backend only sees the address relayd observed — confirm against relayd.conf(5).
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# Set best-practice security headers.
# Use https://securityheaders.com to check and modify as needed.
# Drop the backend's Server header to reduce fingerprinting.
match response header remove "Server"
match response header set "X-Frame-Options" value "SAMEORIGIN"
# NOTE(review): X-XSS-Protection is a legacy header that current browsers
# no longer honor; consider setting it to "0" or removing it.
match response header set "X-XSS-Protection" value "1; mode=block"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "strict-origin"
# Content-Security-Policy is left disabled; it is the most effective of these
# headers against injected content, so tailor a policy to the application and
# enable it once tested.
#match response header set "Content-Security-Policy" value "default-src 'self'"
# NOTE(review): Feature-Policy has been superseded by Permissions-Policy in
# current browsers; consider sending that header as well or instead.
match response header set "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# NOTE(review): no Strict-Transport-Security header is set; since port 80 only
# redirects to HTTPS (httpd block above), adding HSTS would be consistent.
# Set recommended TCP options.
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
# Keypair name resolved against the files written by acme-client above.
tls keypair "graph.openshift.tips"
}
# Split IPv4 and IPv6 into two relays so they can be distinguished in the
# access log. Both terminate TLS on port 443 and forward plaintext to the
# backend on 127.0.0.1:8080 (presumably the application itself; the httpd
# block above only listens on port 80 — confirm what serves 8080).
relay "wwwsecure4" {
listen on $external_ipv4 port 443 tls
protocol wwwsecure
forward to 127.0.0.1 port 8080
}
relay "wwwsecure6" {
listen on $external_ipv6 port 443 tls
protocol wwwsecure
forward to 127.0.0.1 port 8080
}