Skip to content

Instantly share code, notes, and snippets.

@morgant
Created October 14, 2023 16:29
Show Gist options
  • Save morgant/f29bef43e6729e29612754a027744fb1 to your computer and use it in GitHub Desktop.
Save morgant/f29bef43e6729e29612754a027744fb1 to your computer and use it in GitHub Desktop.
OpenBSD httpd & relayd reverse proxy configuration
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
# example.net
domain example.net {
alternative names { www.example.net }
domain key "/etc/ssl/private/example.net.key"
domain certificate "/etc/ssl/example.net.crt"
domain full chain certificate "/etc/ssl/example.net.fullchain.pem"
sign with letsencrypt
}
# moreexamples.com
domain moreexamples.com {
alternative names { www.moreexamples.com }
domain key "/etc/ssl/private/moreexamples.com.key"
domain certificate "/etc/ssl/moreexamples.com.crt"
domain full chain certificate "/etc/ssl/moreexamples.com.fullchain.pem"
sign with letsencrypt
}
# toomanyexamples.com
domain toomanyexamples.com {
alternative names { www.toomanyexampless.com }
domain key "/etc/ssl/private/toomanyexamples.com.key"
domain certificate "/etc/ssl/toomanyexamples.com.crt"
domain full chain certificate "/etc/ssl/toomanyexampless.com.fullchain.pem"
sign with letsencrypt
}
# HTTP-01 challenge for Let's Encrypt
# https://letsencrypt.org/docs/challenge-types/
server "*" {
listen on 127.0.0.1 port 8080
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
# servers
table <acme> { 127.0.0.1 }
table <server1> { 192.168.1.64 }
table <server2> { 192.168.1.65 }
log state changes
log connection
http protocol "http" {
# log some details
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
# update headers passed to the httpd servers
match request header set "X-Forwarded-Proto" value "http"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Forwarded" value "by=$SERVER_ADDR:$SERVER_PORT;for=$REMOTE_ADDR;host=$HOST;proto=http"
# hijack Let's Encrypt ACME challenge requests and handle them locally
pass request quick path "/.well-known/acme-challenge/*" forward to <acme>
# forward to specific hosts (need matching "forward to" in relay)
# See: https://serverfault.com/questions/856807/openbsd-how-to-use-relayd-and-httpd-for-redirecting-subdomain-requests
# example.org
pass request quick header "Host" value "example.org" forward to <server2>
pass request quick header "Host" value "www.example.org" forward to <server2>
pass request quick header "Host" value "mirrors.example.org" forward to <server2>
pass request quick header "Host" value "tools.example.org" forward to <server2>
pass request quick header "Host" value "svn.example.org" forward to <server2>
# example.net
pass request quick header "Host" value "example.net" forward to <server1>
pass request quick header "Host" value "www.example.net" forward to <server1>
# example.com
pass request quick header "Host" value "example.com" forward to <server1>
pass request quick header "Host" value "www.example.com" forward to <server1>
pass request quick header "Host" value "code.example.com" forward to <server1>
pass request quick header "Host" value "store.example.com" forward to <server1>
# anotherexample.com
pass request quick header "Host" value "anotherexample.com" forward to <server1>
pass request quick header "Host" value "www.anotherexample.com" forward to <server1>
# example.info
pass request quick header "Host" value "example.info" forward to <server1>
pass request quick header "Host" value "www.example.info" forward to <server1>
# moreexamples.com
pass request quick header "Host" value "moreexamples.com" forward to <server1>
pass request quick header "Host" value "www.moreexamples.com" forward to <server1>
# toomanyexamples.com
pass request quick header "Host" value "toomanyexamples.com" forward to <server1>
pass request quick header "Host" value "www.toomanyexamples.com" forward to <server1>
# return error
block request
}
http protocol "https" {
# Let's Encrypt certificates
# example.net
tls keypair "example.net" # example.net, www.example.net
tls keypair "moreexamples.com" # moreexamples.com, www.moreexamples.com
tls keypair "toomanyexampless.com" # toomanyexamples.com, www.toomanyexampless.com
# log some details
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
# update headers passed to the httpd servers
match request header set "X-Forwarded-Proto" value "https"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Forwarded" value "by=$SERVER_ADDR:$SERVER_PORT;for=$REMOTE_ADDR;host=$HOST;proto=https"
# forward to specific hosts (need matching "forward to" in relay)
# See: https://serverfault.com/questions/856807/openbsd-how-to-use-relayd-and-httpd-for-redirecting-subdomain-requests
# example.net
pass request quick header "Host" value "example.net" forward to <server1>
pass request quick header "Host" value "www.example.net" forward to <server1>
# moreexampless.com
pass request quick header "Host" value "moreexamples.com" forward to <server1>
pass request quick header "Host" value "www.moreexamples.com" forward to <server1>
# toomanyexamples.com
pass request quick header "Host" value "toomanyexamples.com" forward to <server1>
pass request quick header "Host" value "www.toomanyexamples.com" forward to <server1>
# return error
block request
}
relay "http_proxy" {
listen on 192.168.1.32 port 80
protocol "http"
forward to <acme> port 8080
forward to <server2> port 80
forward to <server1> port 80
}
relay "https_proxy" {
listen on 192.168.1.32 port 443 tls
protocol "https"
forward to <server1> port 80
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment