https://www.alexander-pluhar.de/openbsd-webserver.html https://www.findelabs.com/post/relayd-using-sni-keypairs/ https://blog.increasinglyadequate.com/posts/letsencrypt_and_openbsd.html
# acme-client.conf(5): ACME account used to order certificates.
# The account key is what identifies this host to the CA; acme-client(1)
# creates it on first run. It lives outside httpd's chroot and should stay
# readable by root only - whoever holds it can act as this account
# against the CA.
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}
# Certificate for the public site. The key/cert file names follow the
# "<name>:443.key" / "<name>:443.crt" convention that relayd's
# `tls keypair "<name>"` looks up, so relayd.conf can refer to the pair
# by domain name only. No challengedir is given, so HTTP-01 tokens go to
# the acme-client.conf(5) default (/var/www/acme), which the port-80
# httpd server exposes under /.well-known/acme-challenge/.
domain graph.openshift.tips {
	domain key "/etc/ssl/private/graph.openshift.tips:443.key"
	domain full chain certificate "/etc/ssl/graph.openshift.tips:443.crt"
	sign with letsencrypt
}
# httpd.conf(5): plain-HTTP listener. Its only jobs are to answer ACME
# HTTP-01 challenges and to send everything else to HTTPS, which relayd
# terminates on port 443.
server "graph.openshift.tips" {
	listen on egress port 80
	log style combined

	# Challenge tokens written by acme-client(1). "root" is relative to
	# httpd's chroot (/var/www by default), i.e. /var/www/acme. "request
	# strip 2" drops the leading "/.well-known/acme-challenge" components so
	# the token is looked up directly under that root. Auto-indexing is off
	# so the challenge directory cannot be listed.
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
		directory no auto index
	}

	# Everything else: permanent redirect to HTTPS. $SERVER_NAME is the
	# configured server name rather than the client-supplied Host header
	# (see httpd.conf(5)), so the redirect target cannot be steered by the
	# request; $REQUEST_URI keeps the original path and query string.
	location "*" {
		block return 301 "https://$SERVER_NAME$REQUEST_URI"
	}
}
# relayd.conf(5): public addresses the TLS relays bind to. Explicit
# addresses (rather than "egress") are used so the IPv4 and IPv6 relays
# can be told apart in the access log.
external_ipv4 = "46.23.94.141"
# this needs to be the expanded IPv6 address
external_ipv6 = "2a03:6000:6f68:602::141"
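# HTTP protocol shared by both TLS relays: terminates TLS, tags each
# request for the backend and adds response security headers.
http protocol "wwwsecure" {
	# you may want to remove this depending on your use case
	match request header set "Connection" value "close"

	# Client identity for the backend. "set" overwrites any X-Forwarded-*
	# header the client sent, so the backend (whose TCP peer is always
	# relayd) can trust these values - but only if nothing other than
	# relayd can reach the backend port.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

	# set best practice security headers
	# use https://securityheaders.com to check
	# and modify as needed
	match response header remove "Server"

	# HSTS: port 80 already redirects to HTTPS, so let browsers pin it.
	# Raise max-age or add includeSubDomains/preload only once unattended
	# renewal (acme-client run + relayd reload) has been seen to work.
	match response header set "Strict-Transport-Security" value "max-age=31536000"
	match response header set "X-Frame-Options" value "SAMEORIGIN"

	# The legacy XSS auditor has been removed from current browsers and,
	# where it still exists, "1; mode=block" has been abused for
	# cross-site leaks; current guidance (OWASP, MDN) is to disable it.
	match response header set "X-XSS-Protection" value "0"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "Referrer-Policy" value "strict-origin"

	# CSP depends on the application's asset origins; enable it once those
	# are known, ideally via Content-Security-Policy-Report-Only first.
	#match response header set "Content-Security-Policy" value "default-src 'self'"

	# Permissions-Policy supersedes Feature-Policy. Both are sent with the
	# same restrictions so browsers that only know the legacy name are
	# covered too.
	match response header set "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
	match response header set "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"

	# set recommended tcp options
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }

	# Resolves to /etc/ssl/<name>:443.crt and /etc/ssl/private/<name>:443.key,
	# the paths acme-client.conf writes. relayd loads the keypair at
	# start/reload, so reload relayd after every renewal or it keeps
	# serving the old certificate until it expires.
	tls keypair "graph.openshift.tips"
}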
# split IPv4 and IPv6 so they can
# be distinguished in the access log
#
# TLS ends here; the hop to 127.0.0.1:8080 is plain HTTP. The backend
# port must be reachable from loopback only (e.g. enforced with pf),
# otherwise anything that can connect to it directly can supply its own
# X-Forwarded-* headers and bypass TLS entirely.
relay "wwwsecure4" {
	listen on $external_ipv4 port 443 tls
	protocol wwwsecure
	forward to 127.0.0.1 port 8080
}
# IPv6 counterpart of the IPv4 relay: same protocol, same plaintext
# backend on 127.0.0.1:8080, which must only be reachable from loopback.
relay "wwwsecure6" {
	listen on $external_ipv6 port 443 tls
	protocol wwwsecure
	forward to 127.0.0.1 port 8080
}