Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
domain graph.openshift.tips {
domain key "/etc/ssl/private/graph.openshift.tips:443.key"
domain full chain certificate "/etc/ssl/graph.openshift.tips:443.crt"
sign with letsencrypt
}
server "graph.openshift.tips" {
listen on egress port 80
log style combined
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
directory no auto index
}
location "*" {
block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
}
# set your external IP addresses
external_ipv4 = "46.23.94.141"
# this needs to be the expanded IPv6 address
external_ipv6 = "2a03:6000:6f68:602::141"
http protocol "wwwsecure" {
# you may want to remove this depending on your use case
match request header set "Connection" value "close"
# your web application might need these headers
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# set best practice security headers
# use https://securityheaders.com to check
# and modify as needed
match response header remove "Server"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-XSS-Protection" value "1; mode=block"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "strict-origin"
#match response header set "Content-Security-Policy" value "default-src 'self'"
match response header set "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# set recommended tcp options
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
tls keypair "graph.openshift.tips"
}
# split IPv4 and IPv6 so they can
# be distinguished in the access log
relay "wwwsecure4" {
listen on $external_ipv4 port 443 tls
protocol wwwsecure
forward to 127.0.0.1 port 8080
}
relay "wwwsecure6" {
listen on $external_ipv6 port 443 tls
protocol wwwsecure
forward to 127.0.0.1 port 8080
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment