Big thanks to srfsh
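# Public address both relays listen on (redacted in this copy).
egress="[REDACTED IP]"

# Backend application tables. Every backend is reached over loopback, so the
# port macro next to each table is what actually distinguishes them.
table <appie1> { 127.0.0.1 }
appie1_port="49195"
table <appie2> { 127.0.0.1 }
appie2_port="33152"
table <appie3> { 127.0.0.1 }
appie3_port="26695"
table <subdomain_appie3> { 127.0.0.1 }
# Named after its table so that the relay "https" line
# "forward to <subdomain_appie3> port $subdomain_appie3_port" resolves.
# The old name (appie4_port) was referenced nowhere, and an undefined macro
# is a parse error in relayd.conf, so the whole file would be rejected.
subdomain_appie3_port="42837"

# Local httpd: serves ACME challenges and the plain-HTTP -> HTTPS redirects.
table <httpd> { 127.0.0.1 }
httpd_port="80"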
http protocol "http" {
	# Plain-HTTP front end. The httpd behind it only answers ACME challenges
	# and redirects to HTTPS, so no forwarding headers are added here.
	# Hide the backend's Server banner and do not keep backend sessions open.
	match response header remove "Server"
	match request header set "Connection" value "close"
}
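http protocol "https" {
	# One keypair per hostname the relay terminates; relayd picks the
	# certificate by SNI. Each keypair name is looked up under /etc/ssl
	# (<name>.crt and private/<name>.key), so bare and www. names need both.
	tls { keypair "appie1", keypair "www.appie1" }
	tls { keypair "appie2", keypair "www.appie2" }
	tls { keypair "appie3", keypair "www.appie3" }
	tls { keypair "subdomain_appie3", keypair "www.subdomain_appie3" }

	# Forwarding headers for the backends. "append" keeps any value the client
	# already sent, so a backend must only trust the entry this relay appends
	# (the last one) and never the first.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
	# Header name corrected from the misspelled "X-Forwaded-By"; a backend
	# that read the misspelled name needs the same correction.
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	# No keep-alive towards the backends; hide the backend's Server banner.
	match request header set "Connection" value "close"
	match response header remove "Server"

	# Security response headers added to every backend reply.
	# HSTS for one year with includeSubDomains: every subdomain of these sites
	# must be reachable over TLS or browsers will refuse it.
	match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
	match response header append "X-Frame-Options" value "SAMEORIGIN"
	# X-XSS-Protection is a legacy header that current browsers ignore; it is
	# kept for old clients but gives no protection by itself.
	match response header append "X-XSS-Protection" value "1; mode=block"
	match response header append "X-Content-Type-Options" value "nosniff"
	match response header append "Referrer-Policy" value "strict-origin"
	# Feature-Policy is the predecessor of Permissions-Policy; newer browsers
	# only honour the latter, so an equivalent Permissions-Policy header is
	# worth adding once the backends have been checked against it.
	match response header append "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
	# script-src still allows 'unsafe-inline' and 'unsafe-eval', which removes
	# most of the script-injection protection a CSP provides; tighten it
	# (nonces or hashes) once the backend applications no longer need them.
	match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

	# Route by Host header to the backend tables. NOTE(review): a request whose
	# Host matches none of these rules falls through to the relay's first
	# "forward to" (the local httpd, which redirects); confirm that is intended.
	pass request header "Host" value "www.appie1.com" forward to <appie1>
	pass request header "Host" value "www.appie2.com" forward to <appie2>
	pass request header "Host" value "www.appie3.com" forward to <appie3>
	pass request header "Host" value "www.subdomain_appie3.com" forward to <subdomain_appie3>
}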
relay "http" {
	# Plain-HTTP listener on the public address ("http" resolves to port 80
	# via services(5)); everything is handed to the local httpd, which only
	# serves ACME challenges and redirects to HTTPS.
	protocol "http"
	listen on $egress port http
	forward to <httpd> port $httpd_port
}
relay "https" {
# TLS is terminated here on the public address, using the keypairs declared
# in protocol "https".
listen on $egress port https tls
protocol "https"
# The first "forward to" is the default destination for requests that no
# "pass ... forward to" rule in the protocol claims (unknown Host names);
# httpd then answers with the HTTPS/www. redirect. Keep it first.
forward to <httpd> port $httpd_port
# The remaining destinations are only reached through the protocol's
# Host-based "pass ... forward to <table>" rules.
forward to <appie1> port $appie1_port
forward to <appie2> port $appie2_port
forward to <appie3> port $appie3_port
# NOTE(review): this requires a macro named exactly subdomain_appie3_port in
# the macro section (the port of table <subdomain_appie3>); an undefined
# macro is a parse error and relayd rejects the whole file.
forward to <subdomain_appie3> port $subdomain_appie3_port
}
# Interface macro. Nothing below references $ext_if (it looks like a leftover
# from a pf.conf-style configuration), so it can probably be dropped.
ext_if="vio0"
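server "[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the canonical https://www. host. $SERVER_NAME is
	# this block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
	}
}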
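server "[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the same host over HTTPS. $SERVER_NAME is this
	# block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://$SERVER_NAME$REQUEST_URI"
	}
}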
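server "[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the canonical https://www. host. $SERVER_NAME is
	# this block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
	}
}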
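server "www.[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the same host over HTTPS. $SERVER_NAME is this
	# block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://$SERVER_NAME$REQUEST_URI"
	}
}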
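server "[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the canonical https://www. host. $SERVER_NAME is
	# this block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
	}
}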
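server "www.[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the same host over HTTPS. $SERVER_NAME is this
	# block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://$SERVER_NAME$REQUEST_URI"
	}
}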
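server "[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the canonical https://www. host. $SERVER_NAME is
	# this block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://www.$SERVER_NAME$REQUEST_URI"
	}
}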
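server "www.[REDACTED DOMAIN]" {
	# Only reachable through the relayd "http" relay on the loopback address.
	listen on 127.0.0.1 port 80
	# Access and error logging is off for this redirect-only vhost; note that
	# this also hides probes against the ACME path below from the logs.
	no log
	# ACME HTTP-01 challenges must be served over plain HTTP, so this location
	# stays ahead of the catch-all redirect. "request strip 2" drops the
	# "/.well-known/acme-challenge" components so the token is looked up
	# directly under "/acme" (relative to httpd's document root/chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	# Everything else goes to the same host over HTTPS. $SERVER_NAME is this
	# block's configured name, so the redirect target is fixed by the
	# configuration instead of being copied from the client-supplied Host
	# header (which is empty for Host-less requests and attacker-chosen for
	# unmatched hosts that httpd hands to its default server). If this name
	# is ever turned into a glob pattern, switch back to $HTTP_HOST.
	location "*" {
		block return 302 "https://$SERVER_NAME$REQUEST_URI"
	}
}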