OpenBSD relayd/httpd in front of Ruby on Rails application servers (TLS termination, Host-based routing, ACME and http→https redirects)

Big thanks to srfsh

/etc/relayd.conf

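# Public address relayd listens on. Every backend below stays on loopback,
# so nothing but relayd is reachable from outside.
egress="[REDACTED IP]"

# One table and one port per Rails application server, each bound to
# 127.0.0.1. The table name is what the protocol's "pass ... forward to"
# rules refer to; the *_port macro is what the relay's "forward to" uses.
table <appie1> { 127.0.0.1 }
appie1_port="49195"

table <appie2> { 127.0.0.1 }
appie2_port="33152"

table <appie3> { 127.0.0.1 }
appie3_port="26695"

table <subdomain_appie3> { 127.0.0.1 }
# Was "appie4_port", which nothing referenced: relay "https" forwards to
# <subdomain_appie3> port $subdomain_appie3_port, and an undefined macro
# makes relayd reject the whole configuration.
subdomain_appie3_port="42837"

# Local httpd: serves ACME HTTP-01 challenges and redirects plain HTTP
# (and any Host not matched above) to https.
table <httpd> { 127.0.0.1 }
httpd_port="80"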

# Plain-HTTP protocol: only the local httpd (ACME + redirect) sits behind it,
# so no forwarding headers are needed here.
http protocol "http" {
  # Never leak the backend's Server banner.
  match response header remove "Server"
  # One request per backend connection; no keep-alive towards httpd.
  match request header set "Connection" value "close"
}

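# TLS-terminating protocol in front of the Rails application servers.
http protocol "https" {
  # One keypair per certificate; by default relayd loads
  # /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key and serves the
  # certificate matching the client's SNI name.
  tls { keypair "appie1", keypair "www.appie1" }
  tls { keypair "appie2", keypair "www.appie2" }
  tls { keypair "appie3", keypair "www.appie3" }
  tls { keypair "subdomain_appie3", keypair "www.subdomain_appie3" }

  # relayd is the edge proxy, so it is authoritative for the forwarding
  # headers. "set" discards whatever the client sent; "append" would have
  # kept a client-supplied X-Forwarded-For in front of the real address
  # for any code that trusts that header.
  match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
  # Rack consults X-Forwarded-Port for request.port, so this has to be the
  # port relayd accepted on (443 here), not the client's ephemeral source
  # port ($REMOTE_PORT), or generated absolute URLs pick up a bogus :port.
  match request header set "X-Forwarded-Port" value "$SERVER_PORT"
  # The backends speak plain HTTP. Rack's request.ssl? reads this header;
  # without it Rails builds http:// URLs and force_ssl redirects in a loop.
  match request header set "X-Forwarded-Proto" value "https"
  # Header name was misspelled "X-Forwaded-By".
  match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

  # One request per backend connection.
  match request header set "Connection" value "close"

  # Never leak the backend's Server banner.
  match response header remove "Server"

  # "set" rather than "append": a Rails app emits several of these itself
  # by default (X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
  # ...), and appending would deliver two values for one header, which
  # browsers may resolve inconsistently. relayd's value wins here.
  match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
  match response header set "X-Frame-Options" value "SAMEORIGIN"
  # "0" switches the legacy XSS auditor off. "1; mode=block" is deprecated
  # and the filter was abusable for cross-site leaks in browsers that had it.
  match response header set "X-XSS-Protection" value "0"
  match response header set "X-Content-Type-Options" value "nosniff"
  match response header set "Referrer-Policy" value "strict-origin"
  # Feature-Policy is the legacy spelling; current browsers read
  # Permissions-Policy. Both express the same restrictions.
  match response header set "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
  match response header set "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
  # CSP stays "append": browsers enforce every policy they receive, so a
  # policy set by the application is narrowed, never replaced.
  # NOTE(review): with 'unsafe-inline' 'unsafe-eval' and "default-src https:"
  # this policy gives almost no protection against XSS; tighten it
  # (nonces/hashes, explicit hosts) once the app's inline scripts allow it.
  match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

  # Route by Host. Any other Host value falls through to the relay's
  # default forward target (the local httpd).
  pass request header "Host" value "www.appie1.com" forward to <appie1>
  pass request header "Host" value "www.appie2.com" forward to <appie2>
  pass request header "Host" value "www.appie3.com" forward to <appie3>
  pass request header "Host" value "www.subdomain_appie3.com" forward to <subdomain_appie3>
}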

# Port 80 listener: everything goes to the local httpd, which answers ACME
# challenges and redirects the rest to https.
relay "http" {
  protocol "http"
  listen on $egress port http
  forward to <httpd> port $httpd_port
}

# Port 443 listener with TLS termination. The protocol's "pass ... Host"
# rules pick the application table; the first "forward to" below is the
# default target for requests no pass rule matched, so httpd stays first.
relay "https" {
  protocol "https"
  listen on $egress port https tls
  forward to <httpd> port $httpd_port
  forward to <appie1> port $appie1_port
  forward to <appie2> port $appie2_port
  forward to <appie3> port $appie3_port
  forward to <subdomain_appie3> port $subdomain_appie3_port
}

/etc/httpd.conf

# NOTE(review): not referenced by any server block below (all listen on
# 127.0.0.1 behind relayd); kept as-is, but it can be dropped.
ext_if="vio0"

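# Bare domain, plain HTTP. Being the first server block, this is also the
# one httpd falls back to for requests whose Host matches nothing (or is
# missing entirely).
server "[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server, so
  # plain-HTTP and ACME hits leave no trace on disk.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  # (strip the two leading path components, then serve from the root).
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Redirect to the configured server name, not the echoed Host header:
    # as the fallback server this block sees attacker-chosen or empty Host
    # values, and "$HTTP_HOST" would reflect them into Location.
    block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
  }
}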

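# Canonical (www) name, plain HTTP: ACME challenges, everything else to https.
server "[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://$SERVER_NAME$REQUEST_URI"
  }
}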

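# Bare domain, plain HTTP: ACME challenges, everything else to https://www.
server "[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
  }
}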

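# Canonical (www) name, plain HTTP: ACME challenges, everything else to https.
server "www.[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://$SERVER_NAME$REQUEST_URI"
  }
}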

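# Bare domain, plain HTTP: ACME challenges, everything else to https://www.
server "[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
  }
}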

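# Canonical (www) name, plain HTTP: ACME challenges, everything else to https.
server "www.[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://$SERVER_NAME$REQUEST_URI"
  }
}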

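# Bare domain, plain HTTP: ACME challenges, everything else to https://www.
server "[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
  }
}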

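# Canonical (www) name, plain HTTP: ACME challenges, everything else to https.
server "www.[REDACTED DOMAIN]" {
  # Only reachable through relayd's port-80 relay.
  listen on 127.0.0.1 port 80
  # NOTE(review): disables access and error logging for this server.
  no log
  # ACME HTTP-01: /.well-known/acme-challenge/<token> -> /acme/<token>
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    # Use the configured name rather than the client's Host header so the
    # Location header never reflects client input.
    block return 302 "https://$SERVER_NAME$REQUEST_URI"
  }
}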