honk expects to be fronted by a TLS terminating reverse proxy
httpd(8)
--------
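# httpd.conf(5)
# Plain-HTTP listener. It serves ACME http-01 challenge files and redirects
# every other request to HTTPS; no application content is served from here.
server "honk.example.com" {
	listen on * port http

	# Challenge files written by acme-client(1). "root" is relative to
	# httpd's chroot, and "request strip 2" drops the two leading path
	# components (.well-known/acme-challenge) before the file lookup.
	# Assumes acme-client's challenge directory maps to this root -- confirm.
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}

	# Redirect to the configured server name instead of $HTTP_HOST. The Host
	# header is client-supplied, and if this is the only server block it also
	# answers requests carrying any other Host value, so reflecting it into
	# Location would let the requester pick the redirect target.
	location "*" {
		block return 302 "https://$SERVER_NAME$REQUEST_URI"
	}
}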
honk# rcctl enable httpd
honk# rcctl start httpd
acme-client(1)
--------------
# acme-client.conf(5)
# Certificate request for honk.example.com.
# "sign with letsencrypt" refers to an authority block named "letsencrypt";
# that block is not shown here and must exist in the same file.
# The key and full-chain paths below are presumably what relayd's
# "tls keypair honk.example.com" loads -- confirm against relayd.conf(5).
# Only a single manual run of acme-client is shown on this page: certificates
# expire, so renewal has to be scheduled separately, and relayd presumably
# needs a reload to pick up a renewed certificate -- confirm.
domain honk.example.com {
# Private key: keep it under /etc/ssl/private and readable by root only.
domain key "/etc/ssl/private/honk.example.com.key"
# Leaf certificate plus intermediates in one file.
domain full chain certificate "/etc/ssl/honk.example.com.crt"
sign with letsencrypt
}
honk# acme-client -v honk.example.com
honk# ocspcheck -vNo /etc/ssl/honk.example.com.{ocsp,crt}
relayd(8)
---------
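# relayd.conf(5)
# TLS-terminating relay in front of honk: accepts HTTPS on the external
# IPv4 and IPv6 addresses and forwards plain HTTP to loopback backends.
ext_ip="203.0.113.4"
ext_ip2="2001:0db8::4"
honk_port="31337"

# Both backends are reached over loopback. honk itself should also listen on
# loopback only: a client that can reach $honk_port directly skips TLS and
# can send whatever X-Forwarded-For value it likes.
table <honk> { 127.0.0.1 ::1 }
table <httpd> { 127.0.0.1 ::1 }

http protocol "https" {
	# "set" rather than "append": this relay faces the internet directly, so
	# any X-Forwarded-For already present on a request was written by the
	# client. Appending would keep that value in front of the real address,
	# and a backend that reads the first entry would log or act on a spoofed
	# IP. Overwriting leaves exactly one address: the one relayd saw.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"

	# Host-based routing to honk. The glob "honk.*" matches any host name
	# that begins with "honk.", not only honk.example.com.
	match request header "Host" value "honk.*" forward to <honk>
	# ACME challenge paths go to httpd, which serves the challenge files.
	match request path "/.well-known/acme-challenge/*" forward to <httpd>

	tcp { sack, backlog 128 }

	# Certificate and key are looked up by this name; per relayd.conf(5)
	# that is /etc/ssl/honk.example.com.crt and
	# /etc/ssl/private/honk.example.com.key.
	tls keypair honk.example.com
}

# IPv4 listener. Two forward targets are declared; the match rules in the
# protocol above select between them per request.
relay "https" {
	listen on $ext_ip port https tls
	protocol "https"
	forward to <httpd> port http check tcp
	forward to <honk> port $honk_port check tcp
}

# IPv6 listener, same protocol and backends as the IPv4 relay.
relay "https2" {
	listen on $ext_ip2 port https tls
	protocol "https"
	forward to <httpd> port http check tcp
	forward to <honk> port $honk_port check tcp
}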
honk# rcctl enable relayd
honk# rcctl start relayd
pf(4)
-----
# pf.conf(5)
# Anchor under which relayd can load its own pf rules.
# This line alone opens no ports: the rest of the ruleset (not shown here)
# still has to pass inbound traffic to the http and https listeners, and
# should not expose the honk backend port on external interfaces.
anchor "relayd/*"